################################################################
# abuse.ch URLhaus IDS ruleset (Suricata only)                 #
# Last updated: 2026-04-27 19:34:12 (UTC)                      #
#                                                              #
# Terms Of Use: https://urlhaus.abuse.ch/api/                  #
# For questions please contact urlhaus [at] abuse.ch           #
################################################################
#
# url
#
# ---------------------------------------------------------------------------
# Reading guide (reviewer notes; the rules themselves are unchanged, only
# restored to one rule per line, which is what the rule parser expects).
#
# Every rule in this excerpt follows one template:
#   * `alert http $HOME_NET any -> $EXTERNAL_NET any` together with
#     `flow:established,from_client`: client requests leaving $HOME_NET on an
#     established flow. The action is `alert`, so a match is logged rather
#     than blocked unless the deployment rewrites the action.
#   * `http.method; content:"GET"`: only GET requests are considered.
#   * `http.uri; content:"<path>"; depth:<len>; endswith; nocase`: <len> is
#     the length of <path> and `endswith` pins the match to the end of the
#     buffer, so the whole URI must equal <path>, compared case-insensitively.
#     The same path with a query string or extra segment does not match.
#   * `http.host; content:"<host>"; depth:<len>; isdataat:!1,relative`: the
#     same exact-match idea for the host buffer; no byte may follow <host>.
#   * `reference:url, urlhaus.abuse.ch/url/<id>/`: the URLhaus entry for the
#     indicator; the same <id> is repeated in `msg`.
#
# Three indicator shapes appear in this excerpt:
#   1. IP-literal hosts requested for `/bin.sh` or `/i`. These paths are
#      generic; the host pin is what makes the rule specific.
#   2. One IP-literal host requested for `/files/file_<hex>.exe`.
#   3. Many subdomains of four `*.in.net` parents, all requested for the
#      same fixed `.chk` path.
#
# Operational caveats for whoever deploys this feed:
#   * These are point-in-time indicators (`created_at 2026_04_27`). Refresh
#     the feed on a schedule and let old entries age out; an address listed
#     here may later serve unrelated content.
#   * `alert http` only sees traffic that is parsed as HTTP. Requests to the
#     same hosts over TLS are not covered by these rules; DNS or TLS SNI
#     detections would be needed for the domain-based entries.
#   * Coverage depends on $HOME_NET / $EXTERNAL_NET matching the sensor's
#     placement. NOTE(review): behind an explicit forward proxy the source
#     address seen by the sensor may be the proxy's - confirm per site.
#   * A hit means an internal client asked for a known payload URL. Triage
#     starts at that client: what issued the request, whether a response body
#     was returned, and whether it was written to disk or executed.
#   * NOTE(review): sids in this excerpt all fall in 84696xxx; keep locally
#     authored sids out of the feed's range to avoid collisions on reload.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.236.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833197/; classtype:trojan-activity;sid:84696297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.107.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833195/; classtype:trojan-activity;sid:84696295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.70.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833194/; classtype:trojan-activity;sid:84696294; rev:1;)
# Shape 2: an .exe under /files/ on an IP-literal host. The file name is matched in full, so a renamed payload on the same host needs its own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_72b6c8df23ab8d99.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833193/; classtype:trojan-activity;sid:84696293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.170.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833192/; classtype:trojan-activity;sid:84696292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833191/; classtype:trojan-activity;sid:84696291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.168.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833190/; classtype:trojan-activity;sid:84696290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.224.240.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833189/; classtype:trojan-activity;sid:84696289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.204.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833188/; classtype:trojan-activity;sid:84696288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833187/; classtype:trojan-activity;sid:84696287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.255.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833186/; classtype:trojan-activity;sid:84696286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.2.155"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833185/; classtype:trojan-activity;sid:84696285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.150.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833184/; classtype:trojan-activity;sid:84696284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.51.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833183/; classtype:trojan-activity;sid:84696283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.70.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833181/; classtype:trojan-activity;sid:84696281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.199.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833180/; classtype:trojan-activity;sid:84696280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.224.240.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833179/; classtype:trojan-activity;sid:84696279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.19.42"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833178/; classtype:trojan-activity;sid:84696278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.168.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833177/; classtype:trojan-activity;sid:84696277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.255.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833176/; classtype:trojan-activity;sid:84696276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_92eaaaef36c62c65.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833175/; classtype:trojan-activity;sid:84696275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.193.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833173/; classtype:trojan-activity;sid:84696273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.167.74.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833172/; classtype:trojan-activity;sid:84696272; rev:1;)
# Shape 3: one fixed URI path paired with a rotating set of *.in.net subdomains. Each host gets its own rule, so a subdomain not yet in the feed is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-mond-1.vok7laren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833171/; classtype:trojan-activity;sid:84696271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.51.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833170/; classtype:trojan-activity;sid:84696270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-5.vok7laren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833169/; classtype:trojan-activity;sid:84696269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.192.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833168/; classtype:trojan-activity;sid:84696268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-berg-2.vok7laren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833167/; classtype:trojan-activity;sid:84696267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.255.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833166/; classtype:trojan-activity;sid:84696266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.168.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833165/; classtype:trojan-activity;sid:84696265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.193.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833164/; classtype:trojan-activity;sid:84696264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-9v.vok7laren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833163/; classtype:trojan-activity;sid:84696263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.78.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833162/; classtype:trojan-activity;sid:84696262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.100.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833161/; classtype:trojan-activity;sid:84696261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.172.137.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833160/; classtype:trojan-activity;sid:84696260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.227.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833159/; classtype:trojan-activity;sid:84696259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-7.tal4miren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833158/; classtype:trojan-activity;sid:84696258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833157/; classtype:trojan-activity;sid:84696257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.192.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833156/; classtype:trojan-activity;sid:84696256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-2k.tal4miren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833155/; classtype:trojan-activity;sid:84696255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.78.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833153/; classtype:trojan-activity;sid:84696253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.150.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833154/; classtype:trojan-activity;sid:84696254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.19.42"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833151/; classtype:trojan-activity;sid:84696251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.138.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833152/; classtype:trojan-activity;sid:84696252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.234.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833150/; classtype:trojan-activity;sid:84696250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.93.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833149/; classtype:trojan-activity;sid:84696249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.227.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833148/; classtype:trojan-activity;sid:84696248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-land-3.tal4miren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833147/; classtype:trojan-activity;sid:84696247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-8.tal4miren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833146/; classtype:trojan-activity;sid:84696246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-zeit-1.tal4miren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833145/; classtype:trojan-activity;sid:84696245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"c3da-glow.pax4moren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833144/; classtype:trojan-activity;sid:84696244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.231.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833143/; classtype:trojan-activity;sid:84696243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.255.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833142/; classtype:trojan-activity;sid:84696242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"stagesteril.pax4moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833141/; classtype:trojan-activity;sid:84696241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zentideen.pax4moren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833140/; classtype:trojan-activity;sid:84696240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.244.232.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833139/; classtype:trojan-activity;sid:84696239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.152.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833138/; classtype:trojan-activity;sid:84696238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"wwj2alum.pax4moren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833137/; classtype:trojan-activity;sid:84696237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.125.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833136/; classtype:trojan-activity;sid:84696236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.237.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833135/; classtype:trojan-activity;sid:84696235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hputcl37.pax4moren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833134/; classtype:trojan-activity;sid:84696234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833133/; classtype:trojan-activity;sid:84696233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"qncd.nol7sirex.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833132/; classtype:trojan-activity;sid:84696232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.152.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833131/; classtype:trojan-activity;sid:84696231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.237.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833128/; classtype:trojan-activity;sid:84696228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.48.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833125/; classtype:trojan-activity;sid:84696225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.198.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833120/; classtype:trojan-activity;sid:84696220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.239.221.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833119/; classtype:trojan-activity;sid:84696219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.23.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833117/; classtype:trojan-activity;sid:84696217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.77.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833116/; classtype:trojan-activity;sid:84696216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.48.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833115/; classtype:trojan-activity;sid:84696215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.239.221.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833109/; classtype:trojan-activity;sid:84696209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.146.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833106/; classtype:trojan-activity;sid:84696206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.183.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833105/; classtype:trojan-activity;sid:84696205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.42.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833104/; classtype:trojan-activity;sid:84696204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.183.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833101/; classtype:trojan-activity;sid:84696201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.26.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833100/; classtype:trojan-activity;sid:84696200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.42.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833097/; classtype:trojan-activity;sid:84696197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.118.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833093/; classtype:trojan-activity;sid:84696193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.185.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833091/; classtype:trojan-activity;sid:84696191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.76.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833090/; classtype:trojan-activity;sid:84696190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.255.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833089/; classtype:trojan-activity;sid:84696189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.246.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833087/; classtype:trojan-activity;sid:84696187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.45.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833084/; classtype:trojan-activity;sid:84696184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.93.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833082/; classtype:trojan-activity;sid:84696182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.76.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833081/; classtype:trojan-activity;sid:84696181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.246.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833080/; classtype:trojan-activity;sid:84696180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.203.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833078/; classtype:trojan-activity;sid:84696178; rev:1;)
# NOTE(review): the rule below is cut off at the end of this excerpt; it is left exactly as found and is not a loadable rule on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"39.73.242.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833075/; classtype:trojan-activity;sid:84696175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.70.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833073/; classtype:trojan-activity;sid:84696173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.254.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833072/; classtype:trojan-activity;sid:84696172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.214.101.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833070/; classtype:trojan-activity;sid:84696170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.203.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833066/; classtype:trojan-activity;sid:84696166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833061)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.214.101.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833061/; classtype:trojan-activity;sid:84696161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.203.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833060/; classtype:trojan-activity;sid:84696160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.235.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833059/; classtype:trojan-activity;sid:84696159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.164.253.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833056/; classtype:trojan-activity;sid:84696156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.66.99.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833048/; classtype:trojan-activity;sid:84696148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3833047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.231.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833047/; classtype:trojan-activity;sid:84696147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.108.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833044/; classtype:trojan-activity;sid:84696144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.243.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833043/; classtype:trojan-activity;sid:84696143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.243.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833036/; classtype:trojan-activity;sid:84696136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.66.99.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833037/; 
classtype:trojan-activity;sid:84696137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.231.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833032/; classtype:trojan-activity;sid:84696132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833030/; classtype:trojan-activity;sid:84696130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"73.163.164.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833028/; classtype:trojan-activity;sid:84696128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.2.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833027/; classtype:trojan-activity;sid:84696127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.192.199"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833026/; classtype:trojan-activity;sid:84696126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.59.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833022/; classtype:trojan-activity;sid:84696122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.219.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833019/; classtype:trojan-activity;sid:84696119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.147.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833018/; classtype:trojan-activity;sid:84696118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.112.234.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833017/; classtype:trojan-activity;sid:84696117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"110.252.98.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833013/; classtype:trojan-activity;sid:84696113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833012/; classtype:trojan-activity;sid:84696112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.2.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833011/; classtype:trojan-activity;sid:84696111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833010/; classtype:trojan-activity;sid:84696110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.39.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833008/; classtype:trojan-activity;sid:84696108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833006)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.189.192.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833006/; classtype:trojan-activity;sid:84696106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.219.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833004/; classtype:trojan-activity;sid:84696104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833003/; classtype:trojan-activity;sid:84696103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.68.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833001/; classtype:trojan-activity;sid:84696101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.55.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832992/; classtype:trojan-activity;sid:84696092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3832990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.55.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832990/; classtype:trojan-activity;sid:84696090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832989/; classtype:trojan-activity;sid:84696089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832985/; classtype:trojan-activity;sid:84696085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.49.203"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832983/; classtype:trojan-activity;sid:84696083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832966/; classtype:trojan-activity;sid:84696066; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.39.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832964/; classtype:trojan-activity;sid:84696064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.123.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832963/; classtype:trojan-activity;sid:84696063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.83.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832962/; classtype:trojan-activity;sid:84696062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.232.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832959/; classtype:trojan-activity;sid:84696059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.83.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, 
urlhaus.abuse.ch/url/3832956/; classtype:trojan-activity;sid:84696056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.123.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832954/; classtype:trojan-activity;sid:84696054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.3.183"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832952/; classtype:trojan-activity;sid:84696052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.124.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832948/; classtype:trojan-activity;sid:84696048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guruitddos/rpcsecurity.x86_64"; depth:30; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832946/; classtype:trojan-activity;sid:84696046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"39.86.84.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832944/; classtype:trojan-activity;sid:84696044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.23.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832943/; classtype:trojan-activity;sid:84696043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.198.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832941/; classtype:trojan-activity;sid:84696041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.14.213.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832935/; classtype:trojan-activity;sid:84696035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.86.84.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832934/; classtype:trojan-activity;sid:84696034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832931)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.14.213.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832931/; classtype:trojan-activity;sid:84696031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.154.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832929/; classtype:trojan-activity;sid:84696029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.248.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832926/; classtype:trojan-activity;sid:84696026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832925/; classtype:trojan-activity;sid:84696025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.248.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832918/; classtype:trojan-activity;sid:84696018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3832907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.83.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832907/; classtype:trojan-activity;sid:84696007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.177.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832905/; classtype:trojan-activity;sid:84696005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.9.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832903/; classtype:trojan-activity;sid:84696003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.235.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832901/; classtype:trojan-activity;sid:84696001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.189.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832900/; classtype:trojan-activity;sid:84696000; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.115.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832899/; classtype:trojan-activity;sid:84695999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.177.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832896/; classtype:trojan-activity;sid:84695996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.70.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832897/; classtype:trojan-activity;sid:84695997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.23.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832892/; classtype:trojan-activity;sid:84695992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832890/; 
classtype:trojan-activity;sid:84695990; rev:1;)
# Match semantics shared by every rule below:
#   - outbound ($HOME_NET -> $EXTERNAL_NET) HTTP GET on an established flow, client side;
#   - http.uri content carries depth:<length> plus endswith, so the whole URI must equal the
#     listed path (case-insensitively): a query string or any other path does not match;
#   - http.host content carries depth:<length> plus isdataat:!1,relative, so the whole host
#     buffer must equal the listed value. http.host is Suricata's normalised host buffer
#     (lower-cased, without the port), so the destination port does not affect the match.
# The rules parse cleartext HTTP only; HTTPS is not matched unless it is decrypted before
# Suricata sees it.
# Hosts in this stretch are bare IPv4 addresses serving /i or /bin.sh, and several addresses
# are listed once per path. NOTE(review): address-based indicators can go stale; check the
# URLhaus entry named in reference: before acting on an alert.
# NOTE(review): the file looks generated (fixed rule shape, rev:1 throughout); presumably a
# feed refresh replaces it, so keep local tuning in the rule manager's disable/threshold
# configuration rather than editing rules here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.163.209.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832889/; classtype:trojan-activity;sid:84695989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.226.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832888/; classtype:trojan-activity;sid:84695988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.226.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832880/; classtype:trojan-activity;sid:84695980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.163.209.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832878/; classtype:trojan-activity;sid:84695978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.247.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832872/; classtype:trojan-activity;sid:84695972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.131.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832871/; classtype:trojan-activity;sid:84695971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.193.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832866/; classtype:trojan-activity;sid:84695966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.109.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832863/; classtype:trojan-activity;sid:84695963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.184.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832862/; classtype:trojan-activity;sid:84695962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.94.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832861/; classtype:trojan-activity;sid:84695961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832858/; classtype:trojan-activity;sid:84695958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.109.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832857/; classtype:trojan-activity;sid:84695957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832854/; classtype:trojan-activity;sid:84695954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.139.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832853/; classtype:trojan-activity;sid:84695953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.14.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832850/; classtype:trojan-activity;sid:84695950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.116.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832848/; classtype:trojan-activity;sid:84695948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832847/; classtype:trojan-activity;sid:84695947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.107.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832845/; classtype:trojan-activity;sid:84695945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.84.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832843/; classtype:trojan-activity;sid:84695943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832842/; classtype:trojan-activity;sid:84695942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.114.139.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832840/; classtype:trojan-activity;sid:84695940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832839/; classtype:trojan-activity;sid:84695939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.116.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832836/; classtype:trojan-activity;sid:84695936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.94.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832832/; classtype:trojan-activity;sid:84695932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.14.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832830/; classtype:trojan-activity;sid:84695930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.160.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832829/; classtype:trojan-activity;sid:84695929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.84.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832827/; classtype:trojan-activity;sid:84695927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.106.241.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832826/; classtype:trojan-activity;sid:84695926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.241.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, 
urlhaus.abuse.ch/url/3832824/; classtype:trojan-activity;sid:84695924; rev:1;)
# Every rule below is an exact indicator match: an outbound cleartext HTTP GET whose full URI
# equals the listed path (depth:<length> + endswith, case-insensitive) and whose normalised
# host buffer equals the listed value (depth:<length> + isdataat:!1,relative). A request for
# any other path on the same host, or the same path with a query string, does not alert.
# The number in msg: is the same URLhaus id that appears in reference:, which gives the
# entry to look up during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832821/; classtype:trojan-activity;sid:84695921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.26.103"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832820/; classtype:trojan-activity;sid:84695920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.32.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832818/; classtype:trojan-activity;sid:84695918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.160.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832813/; classtype:trojan-activity;sid:84695913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832811/; classtype:trojan-activity;sid:84695911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.39.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832810/; classtype:trojan-activity;sid:84695910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.226.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832809/; classtype:trojan-activity;sid:84695909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.32.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832807/; classtype:trojan-activity;sid:84695907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.8.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832806/; classtype:trojan-activity;sid:84695906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.39.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832798/; classtype:trojan-activity;sid:84695898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.226.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832797/; classtype:trojan-activity;sid:84695897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.8.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832795/; classtype:trojan-activity;sid:84695895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832794/; classtype:trojan-activity;sid:84695894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.117.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832785/; classtype:trojan-activity;sid:84695885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.43.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832784/; classtype:trojan-activity;sid:84695884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.30.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832766/; classtype:trojan-activity;sid:84695866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.194.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832763/; classtype:trojan-activity;sid:84695863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.176.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832755/; classtype:trojan-activity;sid:84695855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.194.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832753/; classtype:trojan-activity;sid:84695853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.125.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832752/; classtype:trojan-activity;sid:84695852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.81.102.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832751/; classtype:trojan-activity;sid:84695851; rev:1;)
# The next rule names one specific .exe path; because the URI match is exact, a differently
# named file on the same host is not covered by it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_c8e4af3ea647650f.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832745/; classtype:trojan-activity;sid:84695845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.127.235.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832743/; classtype:trojan-activity;sid:84695843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.88.191.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832742/; classtype:trojan-activity;sid:84695842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.81.102.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832738/; classtype:trojan-activity;sid:84695838; rev:1;)
# Two paths under /scripts/ on one host. NOTE(review): the archive name matches the XMRig
# miner's, so this is presumably a coin-miner bundle with a companion script; confirm on the
# URLhaus entries. An internal host fetching either one is worth checking for the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/xmrig.tar.gz"; depth:21; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832733/; classtype:trojan-activity;sid:84695833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/watcher"; depth:16; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832732/; classtype:trojan-activity;sid:84695832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.52.131.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832729/; classtype:trojan-activity;sid:84695829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.239.154.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832726/; classtype:trojan-activity;sid:84695826; rev:1;)
# Rules below alert on an outbound cleartext HTTP GET whose whole URI and whole normalised
# host buffer equal the listed values (depth:<length> with endswith / isdataat:!1,relative).
# metadata:created_at changes from 2026_04_27 to 2026_04_26 partway through this stretch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.123.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832722/; classtype:trojan-activity;sid:84695822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.222.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832720/; classtype:trojan-activity;sid:84695820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.123.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832719/; classtype:trojan-activity;sid:84695819; rev:1;)
# The /iran.<suffix> rules all name host 176.65.139.177, and the suffixes are CPU architecture
# names (sparc, armv6l, i486, m68k, mips, ...). NOTE(review): this looks like one payload built
# per architecture, presumably for embedded Linux devices; confirm on the URLhaus entries.
# For triage, group these alerts by destination host rather than by sid: each sid covers a
# single file name, so one device may trigger only the rule for its own architecture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832718/; classtype:trojan-activity;sid:84695818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832710/; classtype:trojan-activity;sid:84695810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832711/; classtype:trojan-activity;sid:84695811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832712/; classtype:trojan-activity;sid:84695812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832713/; classtype:trojan-activity;sid:84695813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832714/; classtype:trojan-activity;sid:84695814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832715/; classtype:trojan-activity;sid:84695815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832716/; classtype:trojan-activity;sid:84695816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832717/; classtype:trojan-activity;sid:84695817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832706/; classtype:trojan-activity;sid:84695806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832707/; classtype:trojan-activity;sid:84695807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832708/; classtype:trojan-activity;sid:84695808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832709/; classtype:trojan-activity;sid:84695809; rev:1;)
# Two unrelated entries (a /bin.sh on another address and a single named .exe) sit between
# the /iran.* rules here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.37.134"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832705/; classtype:trojan-activity;sid:84695805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_e1a96e130788ce89.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832704/; classtype:trojan-activity;sid:84695804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; 
depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832703/; classtype:trojan-activity;sid:84695803; rev:1;)
# Rules below alert on an outbound cleartext HTTP GET whose whole URI and whole normalised
# host buffer equal the listed values (depth:<length> with endswith / isdataat:!1,relative).
# The /yboats.<suffix> rules all name host 85.11.167.177, and the suffixes read as CPU
# architecture tags (spc, arm7, x86, sh4, m68k, ppc, mpsl, mips, ...). NOTE(review): this looks
# like one payload built per architecture; confirm on the URLhaus entries. Group these alerts
# by destination host when triaging, since each sid covers a single file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.spc"; depth:11; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832702/; classtype:trojan-activity;sid:84695802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.arm7"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832701/; classtype:trojan-activity;sid:84695801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.x86"; depth:11; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832699/; classtype:trojan-activity;sid:84695799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.sh4"; depth:11; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832700/; classtype:trojan-activity;sid:84695800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.arm"; depth:11; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832698/; classtype:trojan-activity;sid:84695798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.arm6"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832692/; classtype:trojan-activity;sid:84695792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.m68k"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832693/; classtype:trojan-activity;sid:84695793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.ppc"; depth:11; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832694/; classtype:trojan-activity;sid:84695794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.mpsl"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832695/; classtype:trojan-activity;sid:84695795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.mips"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832696/; classtype:trojan-activity;sid:84695796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yboats.arm5"; depth:12; endswith; nocase; http.host; content:"85.11.167.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832697/; classtype:trojan-activity;sid:84695797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.20.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832691/; classtype:trojan-activity;sid:84695791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.80.188.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832690/; classtype:trojan-activity;sid:84695790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.24.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832689/; classtype:trojan-activity;sid:84695788; rev:1;)
# The two rules with the /cdk-msdn-.../load-file0dsdf567.chk path use the same URI on two
# different subdomains of nov2sirel.in.net. The host match is exact, so a request to any
# other subdomain of that parent domain does not alert. NOTE(review): if sibling subdomains
# matter locally, cover the parent domain in DNS or proxy logging rather than relying on
# these two entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hglj.nov2sirel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832688/; classtype:trojan-activity;sid:84695788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.9.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832687/; classtype:trojan-activity;sid:84695787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"7xekivp.nov2sirel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832686/; classtype:trojan-activity;sid:84695786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.184.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832685/; classtype:trojan-activity;sid:84695785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832684)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.85.168.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832684/; classtype:trojan-activity;sid:84695784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.153.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832683/; classtype:trojan-activity;sid:84695783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.177.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832682/; classtype:trojan-activity;sid:84695782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"m3rge-mark.nov2sirel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832681/; classtype:trojan-activity;sid:84695781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.20.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832679/; 
classtype:trojan-activity;sid:84695779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.12.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832680/; classtype:trojan-activity;sid:84695780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"4ppcd.nov2sirel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832678/; classtype:trojan-activity;sid:84695778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.x64.exe"; depth:14; endswith; nocase; http.host; content:"20.198.18.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832677/; classtype:trojan-activity;sid:84695777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_ppc"; depth:10; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832676/; classtype:trojan-activity;sid:84695776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_armv7"; depth:12; endswith; nocase; 
http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832675/; classtype:trojan-activity;sid:84695775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.80.188.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832674/; classtype:trojan-activity;sid:84695774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_arm64"; depth:12; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832670/; classtype:trojan-activity;sid:84695770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_amd64"; depth:12; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832671/; classtype:trojan-activity;sid:84695771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_x86"; depth:10; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832672/; classtype:trojan-activity;sid:84695772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3832673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_armv6"; depth:12; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832673/; classtype:trojan-activity;sid:84695773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mipsle"; depth:13; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832669/; classtype:trojan-activity;sid:84695769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_sh4"; depth:10; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832666/; classtype:trojan-activity;sid:84695766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_spc"; depth:10; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832667/; classtype:trojan-activity;sid:84695767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mips"; depth:11; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832668/; 
classtype:trojan-activity;sid:84695768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_x86_64"; depth:13; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832665/; classtype:trojan-activity;sid:84695765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mipsle"; depth:13; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832661/; classtype:trojan-activity;sid:84695761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_arm64"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832662/; classtype:trojan-activity;sid:84695762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mips"; depth:11; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832663/; classtype:trojan-activity;sid:84695763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_amd64"; depth:12; endswith; nocase; http.host; 
content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832664/; classtype:trojan-activity;sid:84695764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_armv6"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832658/; classtype:trojan-activity;sid:84695758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_armv7"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832659/; classtype:trojan-activity;sid:84695759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_x86"; depth:10; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832660/; classtype:trojan-activity;sid:84695760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_x86_64"; depth:13; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832653/; classtype:trojan-activity;sid:84695753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832654)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_spc"; depth:10; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832654/; classtype:trojan-activity;sid:84695754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_ppc"; depth:10; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832655/; classtype:trojan-activity;sid:84695755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_sh4"; depth:10; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832656/; classtype:trojan-activity;sid:84695756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.sh"; depth:11; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832657/; classtype:trojan-activity;sid:84695757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.sh"; depth:11; endswith; nocase; http.host; content:"aps.voltpanel.cloud"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832652/; classtype:trojan-activity;sid:84695752; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"taldra2ex.nov2sirel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832651/; classtype:trojan-activity;sid:84695751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832649/; classtype:trojan-activity;sid:84695749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832650/; classtype:trojan-activity;sid:84695750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832644/; classtype:trojan-activity;sid:84695744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; 
endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832645/; classtype:trojan-activity;sid:84695745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832646/; classtype:trojan-activity;sid:84695746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832647/; classtype:trojan-activity;sid:84695747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832648/; classtype:trojan-activity;sid:84695748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832643/; classtype:trojan-activity;sid:84695743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3832639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832639/; classtype:trojan-activity;sid:84695739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832640/; classtype:trojan-activity;sid:84695740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832641/; classtype:trojan-activity;sid:84695741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832642/; classtype:trojan-activity;sid:84695742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"105.158.193.79"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_26; reference:url, urlhaus.abuse.ch/url/3832637/; classtype:trojan-activity;sid:84695737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"14.1.107.44"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832638/; classtype:trojan-activity;sid:84695738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.252.114.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832636/; classtype:trojan-activity;sid:84695736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.123.73.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832634/; classtype:trojan-activity;sid:84695734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"139.135.60.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832635/; classtype:trojan-activity;sid:84695735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; 
http.host; content:"110.37.44.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832631/; classtype:trojan-activity;sid:84695731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.70.139.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832632/; classtype:trojan-activity;sid:84695732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.224.2.129"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832633/; classtype:trojan-activity;sid:84695733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.224.7.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832630/; classtype:trojan-activity;sid:84695730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"neo-rnead.nov2sirel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832629/; classtype:trojan-activity;sid:84695729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3832628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.24.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832628/; classtype:trojan-activity;sid:84695728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.184.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832627/; classtype:trojan-activity;sid:84695727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lfixa2ax.kyl6varet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832626/; classtype:trojan-activity;sid:84695726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.200.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832625/; classtype:trojan-activity;sid:84695725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832624/; 
classtype:trojan-activity;sid:84695724; rev:1;)
# How to read the rules in this feed: each one alerts on a client-to-server HTTP request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri equals the
# listed path (content + depth:<length> + endswith anchor both ends; nocase ignores case) and
# whose http.host equals the listed host (depth:<length> + isdataat:!1,relative anchor both ends).
# Only request buffers are matched, so an alert means the URL was requested; whether a payload
# came back has to be read from the response on the same flow.
# The number in msg and reference is the URLhaus entry id; for the rules here sid = id + 80863100.
#
# /cdk-msdn-3457325-null/load-file0dsdf567.chk is served under several subdomains of
# kyl6varet.in.net and tov1maren.in.net below; every rule names one full hostname, so a
# sibling subdomain that is not listed does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"cl1e-panel.kyl6varet.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832622/; classtype:trojan-activity;sid:84695722; rev:1;)
# 110.85.99.159 appears twice in this stretch, once for /i and once for /bin.sh
# (sids 84695723 and 84695714).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.99.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832623/; classtype:trojan-activity;sid:84695723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"5ynt46-node.kyl6varet.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832621/; classtype:trojan-activity;sid:84695721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.71.248.15"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832620/; classtype:trojan-activity;sid:84695720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quorcresten1.kyl6varet.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832619/; classtype:trojan-activity;sid:84695719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.199.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832618/; classtype:trojan-activity;sid:84695718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.180.13.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832617/; classtype:trojan-activity;sid:84695717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"9hq5.kyl6varet.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832616/; classtype:trojan-activity;sid:84695716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vfge.kyl6varet.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832615/; classtype:trojan-activity;sid:84695715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.99.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832614/; classtype:trojan-activity;sid:84695714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hen1a.tov1maren.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832613/; classtype:trojan-activity;sid:84695713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ax2e.tov1maren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832612/; classtype:trojan-activity;sid:84695712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.181.235.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832611/; classtype:trojan-activity;sid:84695711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
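depth:2; endswith; nocase; http.host; content:"27.37.24.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832610/; classtype:trojan-activity;sid:84695710; rev:1;)
# Each rule below alerts on a GET sent from $HOME_NET to $EXTERNAL_NET whose http.uri and
# http.host both equal the listed values: depth:<length> anchors the start of the buffer, and
# endswith (URI) or isdataat:!1,relative (host) anchors the end.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832609/; classtype:trojan-activity;sid:84695709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mernex1ar.tov1maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832608/; classtype:trojan-activity;sid:84695708; rev:1;)
# "|3f|" is the one-byte hex escape for "?", so this pattern is 24 bytes long. The feed emitted
# depth:27 (the length of the escaped text), which let the URI carry up to three extra leading
# bytes; depth:24 pins the match to the start of http.uri like the neighbouring rules.
# sid and rev stay as published so the alert still maps to the feed entry. A feed refresh
# restores the published line, so the correction also belongs upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=eytxhtixrnubiddb"; depth:24; endswith; nocase; http.host; content:"9al62yq7.souf1atwindow.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832607/; classtype:trojan-activity;sid:84695707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.199.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832606/; classtype:trojan-activity;sid:84695706; rev:1;)
alert http $HOME_NET any -> 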
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.182.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832605/; classtype:trojan-activity;sid:84695705; rev:1;)
# Every rule in this stretch uses one template: exact http.uri (depth + endswith, nocase) and
# exact http.host (depth + isdataat:!1,relative) on a GET sent from $HOME_NET.
# "alert http" applies to traffic the sensor parses as HTTP; the same URL fetched over TLS is
# not inspected by these rules unless it is decrypted before the sensor.
#
# /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs here under subdomains of
# tov1maren.in.net, syke8liron.in.net and rax3vomen.in.net, one rule per full hostname.
# 119.166.42.132 is listed for both /i and /bin.sh (sids 84695700 and 84695692).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"54lzq.tov1maren.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832604/; classtype:trojan-activity;sid:84695704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.181.235.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832603/; classtype:trojan-activity;sid:84695703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quor-valeix.tov1maren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832602/; classtype:trojan-activity;sid:84695702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.11.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832601/; classtype:trojan-activity;sid:84695701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.42.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832600/; classtype:trojan-activity;sid:84695700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"harbquarr.tov1maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832599/; classtype:trojan-activity;sid:84695699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"uxmidt.syke8liron.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832598/; classtype:trojan-activity;sid:84695698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832597/; classtype:trojan-activity;sid:84695697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pixel9-layer.syke8liron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832596/; classtype:trojan-activity;sid:84695696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.204.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832595/; classtype:trojan-activity;sid:84695695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vel-draex.syke8liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832594/; classtype:trojan-activity;sid:84695694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soundatom.syke8liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832593/; classtype:trojan-activity;sid:84695693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.166.42.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832592/; classtype:trojan-activity;sid:84695692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"10ya0-dock.syke8liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832591/; classtype:trojan-activity;sid:84695691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.68.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832590/; classtype:trojan-activity;sid:84695690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"networkhub.syke8liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832588/; classtype:trojan-activity;sid:84695688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.133.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832587/; classtype:trojan-activity;sid:84695687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.43.166.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832586/; classtype:trojan-activity;sid:84695686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"warmcon.rax3vomen.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832585/; classtype:trojan-activity;sid:84695685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.109.203.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832584/; classtype:trojan-activity;sid:84695684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"resolvercultur.rax3vomen.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832583/; classtype:trojan-activity;sid:84695683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kellithis.rax3vomen.in.net"; 
depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832582/; classtype:trojan-activity;sid:84695682; rev:1;)
# 84.54.33.71, .77, .157 and .214 each appear with the same two file names,
# /bin/screenconnect.clientsetup.exe and /bin/support.client.exe (eight rules in all). The
# first name matches the installer name of the ScreenConnect remote-access client, so the
# payload is presumably a remote-access tool; confirm against the URLhaus entries.
# http.host is pinned to these four addresses, so a download of the same file name from any
# other host does not match these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832580/; classtype:trojan-activity;sid:84695680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.77"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832581/; classtype:trojan-activity;sid:84695681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832579/; classtype:trojan-activity;sid:84695679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832578/; classtype:trojan-activity;sid:84695678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832577/; classtype:trojan-activity;sid:84695677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832576/; classtype:trojan-activity;sid:84695676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.77"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832574/; classtype:trojan-activity;sid:84695674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832575/; classtype:trojan-activity;sid:84695675; rev:1;)
# The remaining rules in this stretch return to the short /bin.sh and /i paths on bare IP
# hosts and to one more rax3vomen.in.net subdomain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.43.166.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832573/; classtype:trojan-activity;sid:84695673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.68.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832572/; classtype:trojan-activity;sid:84695672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"stead5-switch.rax3vomen.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832571/; classtype:trojan-activity;sid:84695671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.110.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832570/; classtype:trojan-activity;sid:84695670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.71.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832569/; classtype:trojan-activity;sid:84695669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.spc"; depth:12; 
endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832559/; classtype:trojan-activity;sid:84695659; rev:1;)
# Every rule in this stretch pins http.host to 194.163.151.12. The paths are /titanjr.<arch>,
# /huhu/titanjr.<arch> and /windyloveyou/windy.<arch>, with suffixes such as arm5, arm7, mips,
# mpsl, sh4, ppc, m68k and x86_64, plus /1.sh and /windyloveyou/debug. One file per CPU
# architecture next to a shell script looks like a Linux/IoT bot dropper set; that is an
# inference from the file names only, and the URLhaus entries carry the actual tags.
# The rules differ only in the path, so a single client can raise many of these sids in a
# row; grouping alerts by destination host keeps triage manageable.
# Each rule matches the request only (flow:established,from_client), not the response.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_32"; depth:15; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832560/; classtype:trojan-activity;sid:84695660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832561/; classtype:trojan-activity;sid:84695661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832562/; classtype:trojan-activity;sid:84695662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_64"; depth:15; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832563/; classtype:trojan-activity;sid:84695663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832564/; classtype:trojan-activity;sid:84695664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832565/; classtype:trojan-activity;sid:84695665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832566/; classtype:trojan-activity;sid:84695666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832567/; classtype:trojan-activity;sid:84695667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832568/; classtype:trojan-activity;sid:84695668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832552/; classtype:trojan-activity;sid:84695652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/debug"; depth:19; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832553/; classtype:trojan-activity;sid:84695653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc"; depth:12; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832554/; classtype:trojan-activity;sid:84695654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832555/; classtype:trojan-activity;sid:84695655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832556/; classtype:trojan-activity;sid:84695656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832557/; classtype:trojan-activity;sid:84695657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832558/; classtype:trojan-activity;sid:84695658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832548/; classtype:trojan-activity;sid:84695648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.sh4"; depth:12; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832549/; classtype:trojan-activity;sid:84695649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832550/; classtype:trojan-activity;sid:84695650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832551/; classtype:trojan-activity;sid:84695651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc440"; depth:15; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832547/; classtype:trojan-activity;sid:84695647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm7"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832546/; classtype:trojan-activity;sid:84695646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm6"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832533/; classtype:trojan-activity;sid:84695633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832534/; classtype:trojan-activity;sid:84695634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i486"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832535/; classtype:trojan-activity;sid:84695635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm5"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832536/; classtype:trojan-activity;sid:84695636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832537/; classtype:trojan-activity;sid:84695637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832538/; classtype:trojan-activity;sid:84695638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832539/; classtype:trojan-activity;sid:84695639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832540/; classtype:trojan-activity;sid:84695640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arc"; depth:12; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832541/; classtype:trojan-activity;sid:84695641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mipsl"; depth:14; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832542/; classtype:trojan-activity;sid:84695642; rev:1;)
# ---------------------------------------------------------------------------
# URLhaus entries 3832520-3832530 and 3832543-3832545
# (sid 84695620-84695630 and 84695643-84695645): fourteen download URLs that
# all sit on the single host 194.163.151.12.
#
# Every path is a file named titanjr.<suffix>, served from / or /huhu/. The
# suffixes (mips, mipsl, arm, arm7, m68k, ppc, x86_32, spc, sh4, arc, i486,
# i686) read like CPU-architecture tags, i.e. one payload built for many
# targets. That is inferred from the names only; confirm on the referenced
# URLhaus entry before attaching a family label to an alert.
#
# Match logic shared by all fourteen rules:
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     only the request side of an outbound HTTP transaction is inspected.
#   * http.method must contain "GET".
#   * http.uri: depth equals the content length and endswith pins the other
#     end, so the whole buffer has to equal the path (nocase ignores case).
#   * http.host: depth equals the content length and isdataat:!1,relative
#     requires that no byte follows, so the host has to equal the address.
#
# Notes for whoever deploys or triages these:
#   * Exact matching keeps false positives low but is brittle: the same file
#     requested with a query string appended, from another directory or from
#     another host is not covered by these sids.
#   * Only request buffers are matched, so an alert records a download
#     attempt. Check the HTTP response / file logging and the endpoint before
#     treating the client as infected.
#   * A fetch over TLS is not visible to an http rule unless the traffic is
#     decrypted ahead of the sensor, and the direction test is only as good
#     as the HOME_NET definition.
#   * These are point-in-time indicators (created_at 2026_04_26); re-pull the
#     feed regularly instead of keeping a stale copy.
#   * Keep each signature on its own line (or continue it with a trailing
#     backslash); several rules run together on one line will not load.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mips"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832543/; classtype:trojan-activity;sid:84695643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832544/; classtype:trojan-activity;sid:84695644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832545/; classtype:trojan-activity;sid:84695645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832520/; classtype:trojan-activity;sid:84695620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832521/; classtype:trojan-activity;sid:84695621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832522/; classtype:trojan-activity;sid:84695622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832523/; classtype:trojan-activity;sid:84695623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm"; depth:12; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832524/; classtype:trojan-activity;sid:84695624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832525/; classtype:trojan-activity;sid:84695625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.m68k"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832526/; classtype:trojan-activity;sid:84695626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832527/; classtype:trojan-activity;sid:84695627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832528/; classtype:trojan-activity;sid:84695628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i686"; depth:13; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832529/; classtype:trojan-activity;sid:84695629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832530/; classtype:trojan-activity;sid:84695630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832531/; classtype:trojan-activity;sid:84695631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.159.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832532/; classtype:trojan-activity;sid:84695632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"48oni.rax3vomen.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832519/; classtype:trojan-activity;sid:84695619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"creehid.rax3vomen.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832518/; classtype:trojan-activity;sid:84695618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; 
depth:34; endswith; nocase; http.host; content:"45.88.186.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832517/; classtype:trojan-activity;sid:84695617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86_64"; depth:27; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832516/; classtype:trojan-activity;sid:84695616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm6"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832514/; classtype:trojan-activity;sid:84695614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832515/; classtype:trojan-activity;sid:84695615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832512/; classtype:trojan-activity;sid:84695612; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832513/; classtype:trojan-activity;sid:84695613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.mpsl"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832508/; classtype:trojan-activity;sid:84695608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.ppc"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832509/; classtype:trojan-activity;sid:84695609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm7"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832510/; classtype:trojan-activity;sid:84695610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm5"; depth:25; endswith; nocase; http.host; 
content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832511/; classtype:trojan-activity;sid:84695611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.mips"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832502/; classtype:trojan-activity;sid:84695602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832503/; classtype:trojan-activity;sid:84695603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832504/; classtype:trojan-activity;sid:84695604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.sh4"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832505/; classtype:trojan-activity;sid:84695605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3832506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.spc"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832506/; classtype:trojan-activity;sid:84695606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arc"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832507/; classtype:trojan-activity;sid:84695607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.i686"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832500/; classtype:trojan-activity;sid:84695600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.m68k"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832501/; classtype:trojan-activity;sid:84695601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.i468"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_26; reference:url, urlhaus.abuse.ch/url/3832499/; classtype:trojan-activity;sid:84695599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832498/; classtype:trojan-activity;sid:84695598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dibzyqjy.zun5larek.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832497/; classtype:trojan-activity;sid:84695597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"trinexa.zun5larek.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832496/; classtype:trojan-activity;sid:84695596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.88.186.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832495/; classtype:trojan-activity;sid:84695595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3832492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.88.186.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832492/; classtype:trojan-activity;sid:84695592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.47.110.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832493/; classtype:trojan-activity;sid:84695593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.88.186.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832494/; classtype:trojan-activity;sid:84695594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.43"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832490/; classtype:trojan-activity;sid:84695590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.244.233.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832491/; 
classtype:trojan-activity;sid:84695591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832485/; classtype:trojan-activity;sid:84695585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832486/; classtype:trojan-activity;sid:84695586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832487/; classtype:trojan-activity;sid:84695587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832488/; classtype:trojan-activity;sid:84695588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832480)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832480/; classtype:trojan-activity;sid:84695580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832481/; classtype:trojan-activity;sid:84695581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832482/; classtype:trojan-activity;sid:84695582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832483/; classtype:trojan-activity;sid:84695583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832484/; 
classtype:trojan-activity;sid:84695584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832471/; classtype:trojan-activity;sid:84695571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832472/; classtype:trojan-activity;sid:84695572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832473/; classtype:trojan-activity;sid:84695573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832474/; classtype:trojan-activity;sid:84695574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832475)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832475/; classtype:trojan-activity;sid:84695575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/debug"; depth:16; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832476/; classtype:trojan-activity;sid:84695576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832477/; classtype:trojan-activity;sid:84695577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832478/; classtype:trojan-activity;sid:84695578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832479/; 
classtype:trojan-activity;sid:84695579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/debug"; depth:16; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832464/; classtype:trojan-activity;sid:84695564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832465/; classtype:trojan-activity;sid:84695565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832466/; classtype:trojan-activity;sid:84695566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832467/; classtype:trojan-activity;sid:84695567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832468)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832468/; classtype:trojan-activity;sid:84695568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"vmi3229260.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832469/; classtype:trojan-activity;sid:84695569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"luxzzc2servers.my.id"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832470/; classtype:trojan-activity;sid:84695570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.109.203.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832463/; classtype:trojan-activity;sid:84695563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"clustchoru.zun5larek.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832462/; 
classtype:trojan-activity;sid:84695562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.159.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832461/; classtype:trojan-activity;sid:84695561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.80.158.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832460/; classtype:trojan-activity;sid:84695560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.138.16.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832456/; classtype:trojan-activity;sid:84695556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"203.159.90.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832457/; classtype:trojan-activity;sid:84695557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832458)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.154.98.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832458/; classtype:trojan-activity;sid:84695558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"203.159.90.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832459/; classtype:trojan-activity;sid:84695559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832455/; classtype:trojan-activity;sid:84695555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.138.16.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832454/; classtype:trojan-activity;sid:84695554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"railspark.zun5larek.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3832453/; classtype:trojan-activity;sid:84695553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"124.198.131.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832452/; classtype:trojan-activity;sid:84695552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"185.241.208.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832451/; classtype:trojan-activity;sid:84695551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ark-valeen.zun5larek.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832450/; classtype:trojan-activity;sid:84695550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.mpsl"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832445/; classtype:trojan-activity;sid:84695545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832446)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.sh4"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832446/; classtype:trojan-activity;sid:84695546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arc"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832447/; classtype:trojan-activity;sid:84695547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86_64"; depth:27; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832448/; classtype:trojan-activity;sid:84695548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm7"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832449/; classtype:trojan-activity;sid:84695549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.m68k"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3832439/; classtype:trojan-activity;sid:84695539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.spc"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832440/; classtype:trojan-activity;sid:84695540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.mips"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832441/; classtype:trojan-activity;sid:84695541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm6"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832442/; classtype:trojan-activity;sid:84695542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832443/; classtype:trojan-activity;sid:84695543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832444)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/terrabot/023782pler.arm5"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832444/; classtype:trojan-activity;sid:84695544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.i686"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832435/; classtype:trojan-activity;sid:84695535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.i468"; depth:25; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832436/; classtype:trojan-activity;sid:84695536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832437/; classtype:trojan-activity;sid:84695537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.ppc"; depth:24; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832438/; classtype:trojan-activity;sid:84695538; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832426/; classtype:trojan-activity;sid:84695526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832427/; classtype:trojan-activity;sid:84695527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832428/; classtype:trojan-activity;sid:84695528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832429/; classtype:trojan-activity;sid:84695529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"62.171.142.33"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832430/; classtype:trojan-activity;sid:84695530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/debug"; depth:16; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832431/; classtype:trojan-activity;sid:84695531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832432/; classtype:trojan-activity;sid:84695532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832433/; classtype:trojan-activity;sid:84695533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832434/; classtype:trojan-activity;sid:84695534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832422)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832422/; classtype:trojan-activity;sid:84695522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832423/; classtype:trojan-activity;sid:84695523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832424/; classtype:trojan-activity;sid:84695524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832425/; classtype:trojan-activity;sid:84695525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832421/; 
classtype:trojan-activity;sid:84695521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.244.233.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832420/; classtype:trojan-activity;sid:84695520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.x86"; depth:11; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832419/; classtype:trojan-activity;sid:84695519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ve1ve-loop.zun5larek.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832418/; classtype:trojan-activity;sid:84695518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.121.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832417/; classtype:trojan-activity;sid:84695517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; 
depth:44; endswith; nocase; http.host; content:"tfoq2qdi.qor9mital.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832416/; classtype:trojan-activity;sid:84695516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.i486"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832402/; classtype:trojan-activity;sid:84695502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.arm7"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832403/; classtype:trojan-activity;sid:84695503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cometome"; depth:9; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832404/; classtype:trojan-activity;sid:84695504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.sh"; depth:10; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832405/; classtype:trojan-activity;sid:84695505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3832406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.arm5"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832406/; classtype:trojan-activity;sid:84695506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache"; depth:6; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832407/; classtype:trojan-activity;sid:84695507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.arm6"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832408/; classtype:trojan-activity;sid:84695508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.mipsel"; depth:14; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832409/; classtype:trojan-activity;sid:84695509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.i586"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832410/; 
classtype:trojan-activity;sid:84695510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.arm4"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832411/; classtype:trojan-activity;sid:84695511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.m68k"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832412/; classtype:trojan-activity;sid:84695512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.sparc"; depth:13; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832413/; classtype:trojan-activity;sid:84695513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.sh4"; depth:11; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832414/; classtype:trojan-activity;sid:84695514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.mips"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; 
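depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832415/; classtype:trojan-activity;sid:84695515; rev:1;)
# The line above is the tail of the rule for URLhaus entry 3832415; its head is on the preceding line.
#
# URLhaus entry 3832401: exact host + URI match for a file served from a
# shared-file link on www.dropbox.com. The signature keys on the complete path
# and query string (depth == pattern length, plus endswith), so it does not
# alert on other requests to that host.
# Fix: the query-string separators are written as |26| (the byte for "&").
# The feed emitted |7c|26|7c|, which Suricata decodes as the four literal
# characters "|26|" (0x7c, '2', '6', 0x7c), so the pattern could not equal a
# real request URI. depth is recomputed from the decoded pattern (91 bytes);
# the original 112 was the length of the escaped rule text.
# NOTE(review): sid and rev are kept as published; the feed is regenerated, so
# a local correction will be overwritten unless the escaping is fixed upstream.
# NOTE(review): `alert http` only inspects cleartext HTTP. This host is
# presumably reached over TLS, so the rule needs decrypted traffic (or a
# TLS/DNS companion detection) to fire - confirm against sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/60w9rf0up01o2256sej7q/userenv.txt|3f|rlkey=jvvjl998pgu4aqx8w8l5bf7ek|26|st=k4tk7s0w|26|raw=1"; depth:91; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832401/; classtype:trojan-activity;sid:84695501; rev:1;)
# URLhaus entries 3832400 and 3832399: same host (83.168.95.185), two file
# names that differ only in their suffix. Each rule requires the whole URI and
# the whole Host value to equal the listed strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.i686"; depth:12; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832400/; classtype:trojan-activity;sid:84695500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shabak.ppc"; depth:11; endswith; nocase; http.host; content:"83.168.95.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832399/; classtype:trojan-activity;sid:84695499; rev:1;)
# URLhaus entry 3832398: fixed URI on a subdomain of qor9mital.in.net. The
# match is on the exact subdomain, so sibling subdomains need their own rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"brigh-gold.qor9mital.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832398/; classtype:trojan-activity;sid:84695498; rev:1;)
alert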
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"royapuls.qor9mital.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832397/; classtype:trojan-activity;sid:84695497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.222.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832396/; classtype:trojan-activity;sid:84695496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.spc"; depth:11; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832395/; classtype:trojan-activity;sid:84695495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.mpsl"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832393/; classtype:trojan-activity;sid:84695493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.i686"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; 
depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832394/; classtype:trojan-activity;sid:84695494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.sh4"; depth:11; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832389/; classtype:trojan-activity;sid:84695489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.ppc4"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832390/; classtype:trojan-activity;sid:84695490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.mips"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832391/; classtype:trojan-activity;sid:84695491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm6"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832392/; classtype:trojan-activity;sid:84695492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832388)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.x64"; depth:11; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832388/; classtype:trojan-activity;sid:84695488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.ppc"; depth:11; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832387/; classtype:trojan-activity;sid:84695487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm4"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832386/; classtype:trojan-activity;sid:84695486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm5"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832382/; classtype:trojan-activity;sid:84695482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm7"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832383/; 
classtype:trojan-activity;sid:84695483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.x86"; depth:11; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832384/; classtype:trojan-activity;sid:84695484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.m68k"; depth:12; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832385/; classtype:trojan-activity;sid:84695485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"boos-gri.qor9mital.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832381/; classtype:trojan-activity;sid:84695481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.49.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832380/; classtype:trojan-activity;sid:84695480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832379)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"warm-senso.qor9mital.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832379/; classtype:trojan-activity;sid:84695479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.93.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832378/; classtype:trojan-activity;sid:84695478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832377/; classtype:trojan-activity;sid:84695477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mer-lithor.qor9mital.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832376/; classtype:trojan-activity;sid:84695476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"wo0hv.sivla2ken.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832375/; 
classtype:trojan-activity;sid:84695475; rev:1;)
# Rule shape used below: one alert per URLhaus entry, for a client GET on an established flow.
# http.uri: depth equal to the pattern length plus endswith pins the pattern to the whole
# buffer (compared case-insensitively via nocase); http.host: depth plus isdataat:!1,relative
# requires that nothing follows the host pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.122.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832374/; classtype:trojan-activity;sid:84695474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.10.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832373/; classtype:trojan-activity;sid:84695473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"xzgik.sivla2ken.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832372/; classtype:trojan-activity;sid:84695471; rev:1;)
# NOTE(review): in the next rule each `|7c|26|7c|` decodes to the four literal bytes `|26|`
# (0x7c, "26", 0x7c), not to `&` (0x26). A request whose query string uses `&` separators
# would not match this content, so the rule is presumably a silent detection gap; it looks
# like the pipes of an already hex-escaped `&` were escaped a second time. Confirm against
# the URLhaus entry before relying on this sid.
# depth:163 is the length of the escaped text, not of the decoded pattern (106 bytes as
# written), so the start of the URI is not pinned here the way it is in the rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=ford|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:163; endswith; nocase; http.host; content:"darcymotors2.screenconnect.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832371/; classtype:trojan-activity;sid:84695471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3832370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.49.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832370/; classtype:trojan-activity;sid:84695470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"l1chen-hold.sivla2ken.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832369/; classtype:trojan-activity;sid:84695469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.166.51.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832368/; classtype:trojan-activity;sid:84695468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.206.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832367/; classtype:trojan-activity;sid:84695467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.124.100.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3832366/; classtype:trojan-activity;sid:84695466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"wildsai.sivla2ken.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832365/; classtype:trojan-activity;sid:84695465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.60.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832364/; classtype:trojan-activity;sid:84695464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.235.223.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832363/; classtype:trojan-activity;sid:84695463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fldenmd.sivla2ken.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832362/; classtype:trojan-activity;sid:84695462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832361)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/uploads/lumen.zip"; depth:18; endswith; nocase; http.host; content:"lumennix.live"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832361/; classtype:trojan-activity;sid:84695461; rev:1;)
# NOTE(review): the gitlab.com and github.com rules below are `alert http` rules for hosts
# that are normally reached over TLS. Presumably they can only fire where the sensor sees
# the request in cleartext (for example behind a decrypting proxy); confirm against sensor
# placement before counting them as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/raw/main/api.exe"; depth:31; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832360/; classtype:trojan-activity;sid:84695460; rev:1;)
# NOTE(review): in the next rule each `|7c|26|7c|` decodes to the four literal bytes `|26|`
# (0x7c, "26", 0x7c), not to `&` (0x26), so a request that separates a=, token=, src= and
# mode= with `&` would not match. This looks like a double-escaped `&`; confirm against the
# URLhaus entry. depth:154 is the length of the escaped text, not of the decoded pattern.
# The pattern also embeds one fixed token value, so it covers only that exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php|3f|a=dl|7c|26|7c|token=d0a5e3b511c293206448ac44451b87f717fbdfa0c2f97242082bd2f29748a486|7c|26|7c|src=uranuseng.com|7c|26|7c|mode=cloudflare"; depth:154; endswith; nocase; http.host; content:"etomoidomen.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832359/; classtype:trojan-activity;sid:84695459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adeladel32951/solaris-crack/raw/refs/heads/main/bootstrappernew.exe"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832358/; classtype:trojan-activity;sid:84695458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adeladel32951/solaris-crack/raw/refs/heads/main/reevloader.exe";
depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832356/; classtype:trojan-activity;sid:84695456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adeladel32951/solaris-crack/raw/refs/heads/main/stub.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832357/; classtype:trojan-activity;sid:84695457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/blob/main/s8d70ipcznaa.exe"; depth:41; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832352/; classtype:trojan-activity;sid:84695452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerd1337-afk/1337/raw/refs/heads/main/abe_decrypt.dll"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832353/; classtype:trojan-activity;sid:84695453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/blob/main/l7xh7ur9695u.exe"; depth:41; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832354/; 
classtype:trojan-activity;sid:84695454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/raw/main/mega_joiner.exe"; depth:39; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832355/; classtype:trojan-activity;sid:84695455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adeladel32951/solaris-crack/raw/refs/heads/main/solara.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832351/; classtype:trojan-activity;sid:84695451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/blob/main/mega_joiner.exe"; depth:40; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832349/; classtype:trojan-activity;sid:84695449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/blob/main/api.exe"; depth:32; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832350/; classtype:trojan-activity;sid:84695450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832346)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sys_arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832346/; classtype:trojan-activity;sid:84695446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832347/; classtype:trojan-activity;sid:84695447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wawan.sh"; depth:9; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832348/; classtype:trojan-activity;sid:84695448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"edit8-grid.sivla2ken.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832345/; classtype:trojan-activity;sid:84695445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.124.100.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832344/; classtype:trojan-activity;sid:84695444; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"snovv8-mesh.vel7ramon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832343/; classtype:trojan-activity;sid:84695443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.206.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832342/; classtype:trojan-activity;sid:84695442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.235.223.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832341/; classtype:trojan-activity;sid:84695441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"8ltu2.vel7ramon.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832340/; classtype:trojan-activity;sid:84695440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"193.187.101.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832339/; classtype:trojan-activity;sid:84695439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.71.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832338/; classtype:trojan-activity;sid:84695438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ofdqgn.vel7ramon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832337/; classtype:trojan-activity;sid:84695437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ughckpku.vel7ramon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832336/; classtype:trojan-activity;sid:84695436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.14.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832335/; classtype:trojan-activity;sid:84695435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3832334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"minorclosed.vel7ramon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832334/; classtype:trojan-activity;sid:84695434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.9.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832333/; classtype:trojan-activity;sid:84695433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fembiq.vel7ramon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832332/; classtype:trojan-activity;sid:84695432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"203.159.90.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832331/; classtype:trojan-activity;sid:84695431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; 
http.host; content:"okqgg.tor4nexil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832330/; classtype:trojan-activity;sid:84695430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sand-tar.tor4nexil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832329/; classtype:trojan-activity;sid:84695429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.60.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832328/; classtype:trojan-activity;sid:84695428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"marshform.tor4nexil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832327/; classtype:trojan-activity;sid:84695427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gl0ss-vault.tor4nexil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832326/; 
classtype:trojan-activity;sid:84695426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.26.115.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832324/; classtype:trojan-activity;sid:84695424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832325/; classtype:trojan-activity;sid:84695425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832323/; classtype:trojan-activity;sid:84695423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832319/; classtype:trojan-activity;sid:84695419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; 
depth:23; endswith; nocase; http.host; content:"124.198.132.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832320/; classtype:trojan-activity;sid:84695420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.132.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832321/; classtype:trojan-activity;sid:84695421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.132.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832322/; classtype:trojan-activity;sid:84695422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vqq7jll.tor4nexil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832318/; classtype:trojan-activity;sid:84695418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.x86"; depth:21; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832316/; classtype:trojan-activity;sid:84695416; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.arm4"; depth:22; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832317/; classtype:trojan-activity;sid:84695417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"124.198.131.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832315/; classtype:trojan-activity;sid:84695415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.131.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832314/; classtype:trojan-activity;sid:84695414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.sparc"; depth:23; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832311/; classtype:trojan-activity;sid:84695411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.arm6"; depth:22; endswith; nocase; http.host; 
content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832312/; classtype:trojan-activity;sid:84695412; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules below (one rule per line, all tagged created_at 2026_04_26)
#
# Every rule uses the same template:
#   * alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client: only client requests leaving the
#     monitored network are inspected.
#   * http.method must contain "GET".
#   * http.uri: depth equals the length of the listed path and endswith is
#     set, so the URI buffer has to equal that path (nocase: any letter case).
#   * http.host: depth equals the length of the listed host and
#     isdataat:!1,relative allows no byte after it, so the host buffer has to
#     equal that value.
#
# What this means for coverage and triage:
#   * Matching is exact. The same path with a query string appended, or the
#     same host serving a different path, does not fire these rules.
#   * Protocol is http, so a download carried inside TLS is not seen unless
#     traffic is decrypted before it reaches the sensor.
#   * The path /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs under many
#     different *.in.net host names, each with its own rule. A host name that
#     is not listed yet is not covered; a path-only search of HTTP/proxy logs
#     complements these rules.
#   * Several hosts appear with both "/i" and "/bin.sh"; alerts for the same
#     destination can be correlated per client.
#   * msg and reference carry the URLhaus entry id; check that entry for the
#     current status of the URL before acting on an alert.
# ---------------------------------------------------------------------------
# Host 45.156.87.140: one file-name stem with the suffixes .arm7, .ppc, .mpsl,
# .sh, .arm5 and .mips. NOTE(review): the suffixes look like CPU-architecture
# tags plus a shell script; confirm against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.arm7"; depth:22; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832313/; classtype:trojan-activity;sid:84695413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.ppc"; depth:21; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832306/; classtype:trojan-activity;sid:84695406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.mpsl"; depth:22; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832307/; classtype:trojan-activity;sid:84695407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.sh"; depth:20; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832308/; classtype:trojan-activity;sid:84695408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.arm5"; depth:22; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832309/; classtype:trojan-activity;sid:84695409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckjewishpeople.mips"; depth:22; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832310/; classtype:trojan-activity;sid:84695410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.232.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832305/; classtype:trojan-activity;sid:84695405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"thor-hinge.tor4nexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832304/; classtype:trojan-activity;sid:84695404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"temmodul.vex4moral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832303/; classtype:trojan-activity;sid:84695403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zazsvrye.vex4moral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832302/; classtype:trojan-activity;sid:84695402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sermarken.vex4moral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832301/; classtype:trojan-activity;sid:84695401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.191.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832300/; classtype:trojan-activity;sid:84695400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.91.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832299/; classtype:trojan-activity;sid:84695399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"geo-ca5t.vex4moral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832298/; classtype:trojan-activity;sid:84695398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.131.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832297/; classtype:trojan-activity;sid:84695397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"aa5sf.vex4moral.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832296/; classtype:trojan-activity;sid:84695396; rev:1;)
# Host 188.209.129.88: /arm4, /arm7, /mpsl, /arm5, /mips and /tplink.sh.
# NOTE(review): presumably per-architecture builds plus a shell script;
# confirm against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832292/; classtype:trojan-activity;sid:84695392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832293/; classtype:trojan-activity;sid:84695393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832294/; classtype:trojan-activity;sid:84695394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832295/; classtype:trojan-activity;sid:84695395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832291/; classtype:trojan-activity;sid:84695391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"188.209.129.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832289/; classtype:trojan-activity;sid:84695389; rev:1;)
# Mixed single-host entries follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.161.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832290/; classtype:trojan-activity;sid:84695390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.101.187.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832288/; classtype:trojan-activity;sid:84695388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.191.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832287/; classtype:trojan-activity;sid:84695387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"foplq.vex4moral.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832286/; classtype:trojan-activity;sid:84695386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.86.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832285/; classtype:trojan-activity;sid:84695385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"137.184.57.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832284/; classtype:trojan-activity;sid:84695384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.232.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832283/; classtype:trojan-activity;sid:84695383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"norcorear3.pav7lorex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832282/; classtype:trojan-activity;sid:84695382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.165.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832281/; classtype:trojan-activity;sid:84695381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.166.51.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832280/; classtype:trojan-activity;sid:84695380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.6.91.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832279/; classtype:trojan-activity;sid:84695379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.131.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832278/; classtype:trojan-activity;sid:84695378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"alt-rnetr.pav7lorex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832277/; classtype:trojan-activity;sid:84695377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.148.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832276/; classtype:trojan-activity;sid:84695376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rklpwx.pav7lorex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832275/; classtype:trojan-activity;sid:84695375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.33.105"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832274/; classtype:trojan-activity;sid:84695374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"medi4-spark.pav7lorex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832273/; classtype:trojan-activity;sid:84695373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.188.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832272/; classtype:trojan-activity;sid:84695372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"insivisual.pav7lorex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832271/; classtype:trojan-activity;sid:84695371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.101.187.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832270/; classtype:trojan-activity;sid:84695370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"exposerv.pav7lorex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832269/; classtype:trojan-activity;sid:84695369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lightinn.to6varon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832268/; classtype:trojan-activity;sid:84695368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832267/; classtype:trojan-activity;sid:84695367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"3eums.to6varon.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832266/; classtype:trojan-activity;sid:84695366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"uy2qx.to6varon.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832265/; classtype:trojan-activity;sid:84695365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"runt11-drive.to6varon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832264/; classtype:trojan-activity;sid:84695364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832263/; classtype:trojan-activity;sid:84695363; rev:1;)
# Host happytugsbakery.com is a domain name rather than a bare IP address.
# NOTE(review): the rule does not say whether the site is attacker-owned or a
# compromised legitimate site; check the URLhaus entry before blocking the
# whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.ppc"; depth:18; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832262/; classtype:trojan-activity;sid:84695362; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules below (one rule per line, all tagged created_at 2026_04_26)
#
# Every rule uses the same template:
#   * alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client: only client requests leaving the
#     monitored network are inspected.
#   * http.method must contain "GET".
#   * http.uri: depth equals the length of the listed path and endswith is
#     set, so the URI buffer has to equal that path (nocase: any letter case).
#   * http.host: depth equals the length of the listed host and
#     isdataat:!1,relative allows no byte after it, so the host buffer has to
#     equal that value.
#
# What this means for coverage and triage:
#   * Matching is exact. The same path with a query string appended, or the
#     same host serving a different path, does not fire these rules.
#   * Protocol is http, so a download carried inside TLS is not seen unless
#     traffic is decrypted before it reaches the sensor.
#   * msg and reference carry the URLhaus entry id; check that entry for the
#     current status of the URL before acting on an alert.
# ---------------------------------------------------------------------------
# Host happytugsbakery.com: /js/assets/xdf.<suffix> with the suffixes mips,
# arm4, x86, sh4, mpsl, arm5, arm7, arm6, x64, i686 and m68k (one unrelated
# "/i" rule is interleaved). The host is a domain name rather than a bare IP.
# NOTE(review): the rules do not say whether the site is attacker-owned or a
# compromised legitimate site; check the URLhaus entries before blocking the
# whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.mips"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832261/; classtype:trojan-activity;sid:84695361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.arm4"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832260/; classtype:trojan-activity;sid:84695360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.188.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832259/; classtype:trojan-activity;sid:84695359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.x86"; depth:18; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832255/; classtype:trojan-activity;sid:84695355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.sh4"; depth:18; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832256/; classtype:trojan-activity;sid:84695356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.mpsl"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832257/; classtype:trojan-activity;sid:84695357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.arm5"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832258/; classtype:trojan-activity;sid:84695358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.arm7"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832253/; classtype:trojan-activity;sid:84695353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.arm6"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832254/; classtype:trojan-activity;sid:84695354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.x64"; depth:18; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832250/; classtype:trojan-activity;sid:84695350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.i686"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832251/; classtype:trojan-activity;sid:84695351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/assets/xdf.m68k"; depth:19; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832252/; classtype:trojan-activity;sid:84695352; rev:1;)
# Mixed entries follow. Several hosts appear with both "/i" and "/bin.sh",
# so alerts for the same destination can be correlated per client. The path
# /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs under several *.in.net
# host names, each with its own rule; a host name that is not listed yet is
# not covered, so a path-only search of HTTP/proxy logs complements them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.68.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832249/; classtype:trojan-activity;sid:84695349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.247.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832248/; classtype:trojan-activity;sid:84695348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quarrytrav.to6varon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832247/; classtype:trojan-activity;sid:84695347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.sh"; depth:6; endswith; nocase; http.host; content:"204.76.203.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832246/; classtype:trojan-activity;sid:84695346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.exe"; depth:8; endswith; nocase; http.host; content:"192.109.200.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832245/; classtype:trojan-activity;sid:84695345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bj"; depth:3; endswith; nocase; http.host; content:"204.76.203.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832244/; classtype:trojan-activity;sid:84695344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"204.76.203.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832243/; classtype:trojan-activity;sid:84695343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.158.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832242/; classtype:trojan-activity;sid:84695342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832241/; classtype:trojan-activity;sid:84695341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sandbhar.to6varon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832240/; classtype:trojan-activity;sid:84695340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.236.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832239/; classtype:trojan-activity;sid:84695339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ridgegentle.sylo1mer.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832238/; classtype:trojan-activity;sid:84695338; rev:1;)
# The next two rules list the same path, /bin/support.client.exe, on two
# hosts in 192.109.200.x (a third, 192.109.200.9, is listed above with
# /svc.exe).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.109.200.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832236/; classtype:trojan-activity;sid:84695336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.109.200.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832237/; classtype:trojan-activity;sid:84695337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832235/; classtype:trojan-activity;sid:84695335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.58.190.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832234/; classtype:trojan-activity;sid:84695334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.170.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832233/; classtype:trojan-activity;sid:84695333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"qkkrhea.sylo1mer.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832232/; classtype:trojan-activity;sid:84695332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.170.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832231/; classtype:trojan-activity;sid:84695331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.247.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832230/; classtype:trojan-activity;sid:84695330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"r4vxeem.sylo1mer.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832229/; classtype:trojan-activity;sid:84695329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.96.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832228/; classtype:trojan-activity;sid:84695328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.92.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832227/; classtype:trojan-activity;sid:84695327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.224.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832222/; classtype:trojan-activity;sid:84695322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.49.34.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832223/; classtype:trojan-activity;sid:84695323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.175.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832224/; classtype:trojan-activity;sid:84695324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.57.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832225/; classtype:trojan-activity;sid:84695325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.231.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832226/; classtype:trojan-activity;sid:84695326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.106.241.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832219/; classtype:trojan-activity;sid:84695319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.126.86.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832220/; classtype:trojan-activity;sid:84695320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832221/; classtype:trojan-activity;sid:84695321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.20.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832217/; classtype:trojan-activity;sid:84695317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.68.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832218/; classtype:trojan-activity;sid:84695318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.95.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832205/; classtype:trojan-activity;sid:84695305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.81.174"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832206/; classtype:trojan-activity;sid:84695306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.157.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832207/; classtype:trojan-activity;sid:84695307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.93.95.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832208/; classtype:trojan-activity;sid:84695308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.228.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832209/; classtype:trojan-activity;sid:84695309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.88.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832210/; classtype:trojan-activity;sid:84695310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"120.28.196.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832211/; classtype:trojan-activity;sid:84695311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.92.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832212/; classtype:trojan-activity;sid:84695312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.11.143.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832213/; classtype:trojan-activity;sid:84695313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.116.148.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832214/; classtype:trojan-activity;sid:84695314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.28.223"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832215/; classtype:trojan-activity;sid:84695315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832216)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.11.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832216/; classtype:trojan-activity;sid:84695316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832203/; classtype:trojan-activity;sid:84695303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832204/; classtype:trojan-activity;sid:84695304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"loose-bun.sylo1mer.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832202/; classtype:trojan-activity;sid:84695302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.14.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832199/; classtype:trojan-activity;sid:84695299; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.83.18"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832200/; classtype:trojan-activity;sid:84695300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.81.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832201/; classtype:trojan-activity;sid:84695301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.216.182.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832185/; classtype:trojan-activity;sid:84695285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.78.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832186/; classtype:trojan-activity;sid:84695286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.79.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832187/; 
classtype:trojan-activity;sid:84695287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.6.91.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832188/; classtype:trojan-activity;sid:84695288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832189/; classtype:trojan-activity;sid:84695289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832190/; classtype:trojan-activity;sid:84695290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.27.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832191/; classtype:trojan-activity;sid:84695291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.198.85"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832192/; classtype:trojan-activity;sid:84695292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.167.107.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832193/; classtype:trojan-activity;sid:84695293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.224.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832194/; classtype:trojan-activity;sid:84695294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.49.34.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832195/; classtype:trojan-activity;sid:84695295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.167.107.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832196/; classtype:trojan-activity;sid:84695296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"61.52.83.18"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832197/; classtype:trojan-activity;sid:84695297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.164.253.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832198/; classtype:trojan-activity;sid:84695298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.126.86.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832184/; classtype:trojan-activity;sid:84695284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.3.23.156"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832183/; classtype:trojan-activity;sid:84695283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.98.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832182/; classtype:trojan-activity;sid:84695282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832181)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.69.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832181/; classtype:trojan-activity;sid:84695281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.90.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832178/; classtype:trojan-activity;sid:84695278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.90.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832179/; classtype:trojan-activity;sid:84695279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.69.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832180/; classtype:trojan-activity;sid:84695280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.32.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832164/; classtype:trojan-activity;sid:84695264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3832165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.229.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832165/; classtype:trojan-activity;sid:84695265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.145.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832166/; classtype:trojan-activity;sid:84695266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.1.57"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832167/; classtype:trojan-activity;sid:84695267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.175.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832168/; classtype:trojan-activity;sid:84695268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832169/; classtype:trojan-activity;sid:84695269; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.189.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832170/; classtype:trojan-activity;sid:84695270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832171/; classtype:trojan-activity;sid:84695271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.213.140.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832172/; classtype:trojan-activity;sid:84695272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.199.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832173/; classtype:trojan-activity;sid:84695273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.81.6.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3832174/; classtype:trojan-activity;sid:84695274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.185.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832175/; classtype:trojan-activity;sid:84695275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.246.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832176/; classtype:trojan-activity;sid:84695276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.100.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832177/; classtype:trojan-activity;sid:84695277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.183.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832163/; classtype:trojan-activity;sid:84695263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.27.110"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832154/; classtype:trojan-activity;sid:84695254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.78.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832155/; classtype:trojan-activity;sid:84695255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832156/; classtype:trojan-activity;sid:84695256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.157.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832157/; classtype:trojan-activity;sid:84695257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.11.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832158/; classtype:trojan-activity;sid:84695258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"36.70.229.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832159/; classtype:trojan-activity;sid:84695259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.32.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832160/; classtype:trojan-activity;sid:84695260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.216.182.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832161/; classtype:trojan-activity;sid:84695261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.30.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832162/; classtype:trojan-activity;sid:84695262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.71.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832144/; classtype:trojan-activity;sid:84695244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832145)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.173.89.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832145/; classtype:trojan-activity;sid:84695245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.136.98.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832146/; classtype:trojan-activity;sid:84695246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.189.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832147/; classtype:trojan-activity;sid:84695247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.80.82.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832148/; classtype:trojan-activity;sid:84695248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.196.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832149/; classtype:trojan-activity;sid:84695249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3832150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832150/; classtype:trojan-activity;sid:84695250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.84.219.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832151/; classtype:trojan-activity;sid:84695251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.49.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832152/; classtype:trojan-activity;sid:84695252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.105.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832153/; classtype:trojan-activity;sid:84695253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"static-host119-30-117-248.link.net.pk"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832143/; 
classtype:trojan-activity;sid:84695243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"206.135.172.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832141/; classtype:trojan-activity;sid:84695241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"119.30.117.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832142/; classtype:trojan-activity;sid:84695242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.95.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832140/; classtype:trojan-activity;sid:84695240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.108.190.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832139/; classtype:trojan-activity;sid:84695239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.33.178"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832135/; classtype:trojan-activity;sid:84695235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832136/; classtype:trojan-activity;sid:84695236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.45.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832137/; classtype:trojan-activity;sid:84695237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.198.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832138/; classtype:trojan-activity;sid:84695238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832129/; classtype:trojan-activity;sid:84695229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"219.155.195.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832130/; classtype:trojan-activity;sid:84695230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832131/; classtype:trojan-activity;sid:84695231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.214.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832132/; classtype:trojan-activity;sid:84695232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.228.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832133/; classtype:trojan-activity;sid:84695233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.80.82.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832134/; classtype:trojan-activity;sid:84695234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832128)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zyxel.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832128/; classtype:trojan-activity;sid:84695228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832127/; classtype:trojan-activity;sid:84695227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zentideor.sylo1mer.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832126/; classtype:trojan-activity;sid:84695226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.110.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832125/; classtype:trojan-activity;sid:84695225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"peak7-frame.sylo1mer.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3832124/; classtype:trojan-activity;sid:84695224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.137.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832123/; classtype:trojan-activity;sid:84695223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ion-cra.rax8pavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832122/; classtype:trojan-activity;sid:84695222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.231.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832121/; classtype:trojan-activity;sid:84695221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zenmeshix1.rax8pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832120/; classtype:trojan-activity;sid:84695220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832119)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.236.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832119/; classtype:trojan-activity;sid:84695219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.208.145.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832118/; classtype:trojan-activity;sid:84695218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tigmjuy.rax8pavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832117/; classtype:trojan-activity;sid:84695217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.137.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832116/; classtype:trojan-activity;sid:84695216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.89.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832115/; classtype:trojan-activity;sid:84695215; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.96.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832114/; classtype:trojan-activity;sid:84695214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.224.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832113/; classtype:trojan-activity;sid:84695213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-initd"; depth:17; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832108/; classtype:trojan-activity;sid:84695208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-conteinerd-shim"; depth:27; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832109/; classtype:trojan-activity;sid:84695209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-sbomd"; depth:17; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; 
reference:url, urlhaus.abuse.ch/url/3832110/; classtype:trojan-activity;sid:84695210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-daemon"; depth:18; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832111/; classtype:trojan-activity;sid:84695211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-conteinerd"; depth:22; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832112/; classtype:trojan-activity;sid:84695212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"glolab.rax8pavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832107/; classtype:trojan-activity;sid:84695207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-proxyd"; depth:18; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832102/; classtype:trojan-activity;sid:84695202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832103)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/redis-buildxd"; depth:19; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832103/; classtype:trojan-activity;sid:84695203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-scand"; depth:17; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832104/; classtype:trojan-activity;sid:84695204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-daemon"; depth:13; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832105/; classtype:trojan-activity;sid:84695205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-runcd"; depth:17; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832106/; classtype:trojan-activity;sid:84695206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/init.sh"; depth:8; endswith; nocase; http.host; content:"176.65.148.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832101/; classtype:trojan-activity;sid:84695201; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.224.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832100/; classtype:trojan-activity;sid:84695200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.62.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832099/; classtype:trojan-activity;sid:84695199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"cargoquery.rax8pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832098/; classtype:trojan-activity;sid:84695198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832097/; classtype:trojan-activity;sid:84695197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832096/; classtype:trojan-activity;sid:84695196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832094/; classtype:trojan-activity;sid:84695194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832095/; classtype:trojan-activity;sid:84695195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832092/; classtype:trojan-activity;sid:84695192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832093/; classtype:trojan-activity;sid:84695193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832091)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832091/; classtype:trojan-activity;sid:84695191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832089/; classtype:trojan-activity;sid:84695189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832090/; classtype:trojan-activity;sid:84695190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832087/; classtype:trojan-activity;sid:84695187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832088/; classtype:trojan-activity;sid:84695188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3832086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832086/; classtype:trojan-activity;sid:84695186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832084/; classtype:trojan-activity;sid:84695184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832085/; classtype:trojan-activity;sid:84695185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832083/; classtype:trojan-activity;sid:84695183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832082/; 
classtype:trojan-activity;sid:84695182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"176.65.132.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832081/; classtype:trojan-activity;sid:84695181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"arkmesh7al.rax8pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832080/; classtype:trojan-activity;sid:84695180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gr1m-index.zex2liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832079/; classtype:trojan-activity;sid:84695179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"176.65.132.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832078/; classtype:trojan-activity;sid:84695178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832077)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.118.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832077/; classtype:trojan-activity;sid:84695177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vocalatomic.zex2liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832076/; classtype:trojan-activity;sid:84695176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iciv36xx0z"; depth:11; endswith; nocase; http.host; content:"194.26.192.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832075/; classtype:trojan-activity;sid:84695175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.62.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832074/; classtype:trojan-activity;sid:84695174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.24.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832073/; classtype:trojan-activity;sid:84695173; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"3vnp4.zex2liron.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832072/; classtype:trojan-activity;sid:84695172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.24.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832071/; classtype:trojan-activity;sid:84695171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"studi-fores.zex2liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832070/; classtype:trojan-activity;sid:84695170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"alphsummer.zex2liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832069/; classtype:trojan-activity;sid:84695169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"79.106.231.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832068/; classtype:trojan-activity;sid:84695168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvt"; depth:4; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832067/; classtype:trojan-activity;sid:84695167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lum-lineon.zex2liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832066/; classtype:trojan-activity;sid:84695166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.216.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832065/; classtype:trojan-activity;sid:84695165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832064/; classtype:trojan-activity;sid:84695164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3832063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zenmesh9en.qiv7moren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832063/; classtype:trojan-activity;sid:84695163; rev:1;)
# One fixed loader path served from several subdomains of qiv7moren.in.net, interleaved
# with short paths (/i, /bin.sh) on bare IP hosts. Host matching is exact per subdomain,
# so a sibling subdomain serving the identical path is not detected until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.151.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832062/; classtype:trojan-activity;sid:84695162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"5ob0.qiv7moren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832061/; classtype:trojan-activity;sid:84695161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.188.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832060/; classtype:trojan-activity;sid:84695160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.113.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; 
reference:url, urlhaus.abuse.ch/url/3832059/; classtype:trojan-activity;sid:84695159; rev:1;)
# Host buffers below are either a literal IPv4 address or a full hostname. In both cases
# depth equals the content length and isdataat:!1,relative forbids trailing bytes, so
# "123.5.170.255" cannot match as a prefix of a longer Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sthj.qiv7moren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832058/; classtype:trojan-activity;sid:84695158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.170.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832057/; classtype:trojan-activity;sid:84695157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"39hwegfg.qiv7moren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832056/; classtype:trojan-activity;sid:84695156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.58.190.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832055/; classtype:trojan-activity;sid:84695155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832054)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.197.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832054/; classtype:trojan-activity;sid:84695154; rev:1;)
# Entries are dated only by metadata:created_at; nothing in a rule expires it.
# IP-hosted /bin.sh and /i URLs are often short-lived, so take rule age into account when
# tuning (the feed header's "Last updated" stamp shows how fresh the whole file is).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"compressout.qiv7moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832053/; classtype:trojan-activity;sid:84695153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.219.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832052/; classtype:trojan-activity;sid:84695152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.30.145.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832051/; classtype:trojan-activity;sid:84695151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"5pruc7-mount.qiv7moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832050/; 
classtype:trojan-activity;sid:84695150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.236.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832049/; classtype:trojan-activity;sid:84695149; rev:1;)
# mirai.mips / mirai.arm7 are architecture-specific builds; the file name suggests
# Mirai-family IoT malware, but the rule asserts only the URL match (classtype is the
# generic trojan-activity). Both hostnames sit under plesk.page and embed 176-65-139-130,
# presumably one server behind a hosting-panel preview domain; matching is per hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"beautiful-roentgen.176-65-139-130.plesk.page"; depth:44; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832048/; classtype:trojan-activity;sid:84695148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; endswith; nocase; http.host; content:"www.176-65-139-130.plesk.page"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832046/; classtype:trojan-activity;sid:84695146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"www.176-65-139-130.plesk.page"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832047/; classtype:trojan-activity;sid:84695147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; 
endswith; nocase; http.host; content:"beautiful-roentgen.176-65-139-130.plesk.page"; depth:44; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832045/; classtype:trojan-activity;sid:84695145; rev:1;)
# 123.5.170.255 (/bin.sh), 180.119.166.69 (/i) and 171.114.227.72 (/i) below each appear
# elsewhere in this file with the other of the two short paths: the feed issues one sid
# per URL, not per host. When triaging, correlate alerts by destination host, not by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.170.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832044/; classtype:trojan-activity;sid:84695144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.119.166.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832043/; classtype:trojan-activity;sid:84695143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vorline5is.bexla3rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832042/; classtype:trojan-activity;sid:84695142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.114.227.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832041/; classtype:trojan-activity;sid:84695141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3832040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.58.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832040/; classtype:trojan-activity;sid:84695140; rev:1;)
# cred64.dll / cred.dll under a /plugins/ directory on one host: by name these look like
# credential-theft plugin modules fetched by an already-running implant (inferred from the
# path only). An alert on either sid therefore points to an existing infection on the
# client rather than a first-stage download attempt; prioritise host triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred64.dll"; depth:30; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832039/; classtype:trojan-activity;sid:84695139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred.dll"; depth:28; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832038/; classtype:trojan-activity;sid:84695138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.114.227.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832037/; classtype:trojan-activity;sid:84695137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"calm-spool.bexla3rin.in.net"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832036/; classtype:trojan-activity;sid:84695136; rev:1;)
# msg carries the URLhaus entry id and reference:url links to the same entry; sid is a
# separate number space (in the rules shown here sid = entry id + 80863100). Use the
# reference URL, not the sid, to look up payload details for an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.236.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832035/; classtype:trojan-activity;sid:84695135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.135.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832034/; classtype:trojan-activity;sid:84695134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"echogate.bexla3rin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832033/; classtype:trojan-activity;sid:84695133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.198.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832032/; classtype:trojan-activity;sid:84695132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832031)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sub-h11l.bexla3rin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832031/; classtype:trojan-activity;sid:84695131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.119.166.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832030/; classtype:trojan-activity;sid:84695130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832029/; classtype:trojan-activity;sid:84695129; rev:1;)
# gamecheap.store is matched as a domain name rather than an IP: the rules for /lilin.sh
# and /gamesdior/main_sh4 fire only when the Host value is exactly that name, so a
# request to the same server by IP address or under another alias is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lilin.sh"; depth:9; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832028/; classtype:trojan-activity;sid:84695128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_sh4"; depth:19; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832026/; classtype:trojan-activity;sid:84695126; 
rev:1;)
# Script names such as /ohshit.sh and /bin.sh are matched case-insensitively (nocase on
# http.uri) but must be the entire URI: "/bin.sh?x" or "/a/bin.sh" will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.79.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832027/; classtype:trojan-activity;sid:84695127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832025/; classtype:trojan-activity;sid:84695125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.136.98.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832023/; classtype:trojan-activity;sid:84695123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.58.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832024/; classtype:trojan-activity;sid:84695124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; 
reference:url, urlhaus.abuse.ch/url/3832020/; classtype:trojan-activity;sid:84695120; rev:1;)
# flow:established,from_client restricts every rule to the request side of an established
# TCP session, so an alert marks the client's fetch attempt. Whether the server actually
# returned a payload has to be confirmed from the response or from endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.232.75.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832021/; classtype:trojan-activity;sid:84695121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.55.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832022/; classtype:trojan-activity;sid:84695122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"solflux6ix.bexla3rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832019/; classtype:trojan-activity;sid:84695119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"parcelquick.bexla3rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832018/; classtype:trojan-activity;sid:84695118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832017)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.43.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832017/; classtype:trojan-activity;sid:84695117; rev:1;)
# /gamesdior/main_ARCH on gamecheap.store: one rule per CPU-architecture build (arm5,
# x86_64, arm6, mpsl, ...). Multi-architecture drops of this kind are typical of
# IoT/Linux bot loaders; an internal client requesting several of them in a row is best
# handled as a single incident rather than as separate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm5"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832016/; classtype:trojan-activity;sid:84695116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86_64"; depth:22; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832007/; classtype:trojan-activity;sid:84695107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm6"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832008/; classtype:trojan-activity;sid:84695108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mpsl"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832009/; classtype:trojan-activity;sid:84695109; 
rev:1;)
# More gamecheap.store /gamesdior/main_ARCH builds (spc, ppc, arm7, arm, x86).
# "/gamesdior/main_arm" is a prefix of the arm5/arm6/arm7 paths listed in this file;
# depth:19 together with endswith keeps it from firing on those longer URIs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_spc"; depth:19; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832010/; classtype:trojan-activity;sid:84695110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_ppc"; depth:19; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832011/; classtype:trojan-activity;sid:84695111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm7"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832012/; classtype:trojan-activity;sid:84695112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm"; depth:19; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832013/; classtype:trojan-activity;sid:84695113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86"; depth:19; endswith; nocase; http.host; 
content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832014/; classtype:trojan-activity;sid:84695114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_m68k"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832015/; classtype:trojan-activity;sid:84695115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mips"; depth:20; endswith; nocase; http.host; content:"gamecheap.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832006/; classtype:trojan-activity;sid:84695106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.220.135.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832005/; classtype:trojan-activity;sid:84695105; rev:1;)
# talnexos5.dex4lavel.in.net serves the same /cdk-msdn-.../load-file0dsdf567.chk path that
# this file lists under other *.in.net parents (zex2liron, qiv7moren, bexla3rin). For
# hunting, searching proxy logs for that URI path regardless of host may surface
# subdomains the feed has not listed yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"talnexos5.dex4lavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832004/; classtype:trojan-activity;sid:84695104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3832002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.220.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832002/; classtype:trojan-activity;sid:84695102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.1.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832003/; classtype:trojan-activity;sid:84695103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vaultink.dex4lavel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832001/; classtype:trojan-activity;sid:84695101; rev:1;)
# 156.229.165.225 starts a per-architecture series (/arm4 here, /arm5 next). Paths like
# "/arm4" are generic; the exact Host match is what keeps them from firing on unrelated
# servers, so do not relax the http.host condition when tuning these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832000/; classtype:trojan-activity;sid:84695100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3831993/; classtype:trojan-activity;sid:84695093; rev:1;)
# /x86 and /x86_64 on the same host: depth:4 plus endswith makes "/x86" a whole-URI
# match that cannot fire on "/x86_64"; each build keeps its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831994/; classtype:trojan-activity;sid:84695094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831995/; classtype:trojan-activity;sid:84695095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831996/; classtype:trojan-activity;sid:84695096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831997/; classtype:trojan-activity;sid:84695097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; 
content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831998/; classtype:trojan-activity;sid:84695098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831999/; classtype:trojan-activity;sid:84695099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831992/; classtype:trojan-activity;sid:84695092; rev:1;)
# empty-violet-63e1.maskify.workers.dev is a subdomain of a shared serverless-platform
# domain; the rule pins the full subdomain, so other workers.dev tenants are unaffected.
# Such platforms normally serve HTTPS, which these cleartext-HTTP rules do not inspect.
# NOTE(review): confirm TLS inspection coverage before relying on these two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/earnify-client-x86_64-linux-android"; depth:36; endswith; nocase; http.host; content:"empty-violet-63e1.maskify.workers.dev"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831990/; classtype:trojan-activity;sid:84695090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/earnify-client-aarch64-linux-android"; depth:37; endswith; nocase; http.host; content:"empty-violet-63e1.maskify.workers.dev"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831991/; classtype:trojan-activity;sid:84695091; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/earnify-client-armv7-linux-androideabi"; depth:39; endswith; nocase; http.host; content:"empty-violet-63e1.maskify.workers.dev"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831989/; classtype:trojan-activity;sid:84695089; rev:1;)
# The earnify-client-* file names in this file end in Android target triples
# (armv7-linux-androideabi above; x86_64 and aarch64 variants are listed too), so by name
# these are Android builds: expect them to matter on networks that carry mobile or
# Android-based device traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.43.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831988/; classtype:trojan-activity;sid:84695088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.220.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831987/; classtype:trojan-activity;sid:84695087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831978/; classtype:trojan-activity;sid:84695078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831979/; classtype:trojan-activity;sid:84695079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831980/; classtype:trojan-activity;sid:84695080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831981/; classtype:trojan-activity;sid:84695081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831982/; classtype:trojan-activity;sid:84695082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831983/; classtype:trojan-activity;sid:84695083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; 
endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831984/; classtype:trojan-activity;sid:84695084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831985/; classtype:trojan-activity;sid:84695085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831986/; classtype:trojan-activity;sid:84695086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bajbvqgz.dex4lavel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831977/; classtype:trojan-activity;sid:84695077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831975/; classtype:trojan-activity;sid:84695075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3831976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831976/; classtype:trojan-activity;sid:84695076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831974/; classtype:trojan-activity;sid:84695074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831972/; classtype:trojan-activity;sid:84695072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831973/; classtype:trojan-activity;sid:84695073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.51.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831970/; classtype:trojan-activity;sid:84695070; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.188.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831971/; classtype:trojan-activity;sid:84695071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831968/; classtype:trojan-activity;sid:84695068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831969/; classtype:trojan-activity;sid:84695069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"loadtin.dex4lavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831966/; classtype:trojan-activity;sid:84695066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.232.75.25"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831967/; classtype:trojan-activity;sid:84695067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.218.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831965/; classtype:trojan-activity;sid:84695065; rev:1;)
# 176.65.139.46 and 176.65.139.47 are adjacent addresses; .47 serves /lilin.sh
# and the whole /gamesdior/main_<suffix> set below. The suffixes (arm5, mips,
# x86_64, ...) look like per-architecture builds -- presumably one campaign, so
# group alerts from these SIDs by source host and destination when triaging.
# Each rule requires the URI and the host to match in full; a request that adds
# a query string or uses a different directory is not matched by this set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys_x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831964/; classtype:trojan-activity;sid:84695064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lilin.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831963/; classtype:trojan-activity;sid:84695063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm7"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831953/; classtype:trojan-activity;sid:84695053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86"; depth:19; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831954/; classtype:trojan-activity;sid:84695054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm5"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831955/; classtype:trojan-activity;sid:84695055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_spc"; depth:19; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831956/; classtype:trojan-activity;sid:84695056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mpsl"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831957/; classtype:trojan-activity;sid:84695057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm6"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831958/; classtype:trojan-activity;sid:84695058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mips"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831959/; classtype:trojan-activity;sid:84695059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_m68k"; depth:20; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831960/; classtype:trojan-activity;sid:84695060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm"; depth:19; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831961/; classtype:trojan-activity;sid:84695061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_sh4"; depth:19; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831962/; classtype:trojan-activity;sid:84695062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_ppc"; depth:19; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831951/; classtype:trojan-activity;sid:84695051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86_64"; depth:22; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831952/; classtype:trojan-activity;sid:84695052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.55.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831950/; classtype:trojan-activity;sid:84695050; rev:1;)
# Domain-hosted entry: the host match is the full name jloj7ws.dex4lavel.in.net,
# so other subdomains of dex4lavel.in.net are not matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"jloj7ws.dex4lavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831949/; classtype:trojan-activity;sid:84695049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.219.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831948/; classtype:trojan-activity;sid:84695048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831947)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"st4ge-pulse.dex4lavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831947/; classtype:trojan-activity;sid:84695047; rev:1;)
# Two patterns repeat in the rules below.
# 1. IP-literal hosts with the URI "/i" or "/bin.sh". The URI alone is not
#    distinctive (two or seven bytes); the specificity comes from the exact
#    http.host match, so these rules only fire when the Host value is that IP
#    literal. Several addresses are listed with both paths (e.g. 42.57.220.19,
#    61.52.55.164, 42.239.231.220), so alerts for one host may arrive in pairs.
# 2. The same /cdk-msdn-3457325-null/load-file0dsdf567.chk path under several
#    miv9soren.in.net subdomains. Each rule pins one full hostname, so an
#    unlisted subdomain is not covered; a log search on the parent domain or on
#    the URI path gives broader visibility than the per-host rules.
# All rules match the client request only (flow:established,from_client).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.79.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831946/; classtype:trojan-activity;sid:84695046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bin4ry-trail.miv9soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831945/; classtype:trojan-activity;sid:84695045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.143.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831944/; classtype:trojan-activity;sid:84695044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.55.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831943/; classtype:trojan-activity;sid:84695043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.220.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831942/; classtype:trojan-activity;sid:84695042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fre5h-logic.miv9soren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831941/; classtype:trojan-activity;sid:84695041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.231.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831940/; classtype:trojan-activity;sid:84695040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"g4th-sheet.miv9soren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831939/; classtype:trojan-activity;sid:84695039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"otter0-field.miv9soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831938/; classtype:trojan-activity;sid:84695038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.220.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831937/; classtype:trojan-activity;sid:84695037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.55.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831936/; classtype:trojan-activity;sid:84695036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.184.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831935/; classtype:trojan-activity;sid:84695035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"40l627.miv9soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831934/; classtype:trojan-activity;sid:84695034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.183.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831933/; classtype:trojan-activity;sid:84695033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.14.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831932/; classtype:trojan-activity;sid:84695032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.44.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831931/; classtype:trojan-activity;sid:84695031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.240.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831930/; classtype:trojan-activity;sid:84695030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.12.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831929/; classtype:trojan-activity;sid:84695029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.231.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831928/; classtype:trojan-activity;sid:84695028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.184.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831927/; classtype:trojan-activity;sid:84695027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.55.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831926/; classtype:trojan-activity;sid:84695026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.111.18.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831924/; classtype:trojan-activity;sid:84695024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.44.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831925/; classtype:trojan-activity;sid:84695025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.88.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831923/; classtype:trojan-activity;sid:84695023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.53.121.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831922/; classtype:trojan-activity;sid:84695022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.34.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831921/; classtype:trojan-activity;sid:84695021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.55.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831920/; classtype:trojan-activity;sid:84695020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831919)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.1.57"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831919/; classtype:trojan-activity;sid:84695019; rev:1;)
# Triage notes for the rules below.
# - Direction: $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so
#   an alert means an internal client sent the GET. Whether a payload came back
#   is not checked here; confirm with HTTP response and file-extraction logs.
# - Match scope: URI and host must both match in full (depth equal to the string
#   length, endswith on the URI, isdataat:!1,relative on the host).
# - Pivoting: in the rules shown here the sid equals the URLhaus ID from
#   msg/reference plus 80863100, and reference:url points at the URLhaus entry.
# - Ageing: most hosts are IP literals and every rule carries
#   metadata:created_at 2026_04_26. NOTE(review): such entries usually go stale
#   quickly -- keep the ruleset on the feed's update schedule; confirm the policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831918/; classtype:trojan-activity;sid:84695018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.88.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831917/; classtype:trojan-activity;sid:84695017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.148.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831916/; classtype:trojan-activity;sid:84695016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.81.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831915/; classtype:trojan-activity;sid:84695015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.111.18.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831914/; classtype:trojan-activity;sid:84695014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831913/; classtype:trojan-activity;sid:84695013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.14.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831912/; classtype:trojan-activity;sid:84695012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.236.44.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831911/; classtype:trojan-activity;sid:84695011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.108.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831910/; classtype:trojan-activity;sid:84695010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.25.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831908/; classtype:trojan-activity;sid:84695008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.16.164.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831909/; classtype:trojan-activity;sid:84695009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.99.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831907/; classtype:trojan-activity;sid:84695007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.44.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831906/; classtype:trojan-activity;sid:84695006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831905/; classtype:trojan-activity;sid:84695005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.128.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831904/; classtype:trojan-activity;sid:84695004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.14.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831903/; classtype:trojan-activity;sid:84695003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.126.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831901/; classtype:trojan-activity;sid:84695001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.162.179.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831902/; classtype:trojan-activity;sid:84695002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.99.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831900/; classtype:trojan-activity;sid:84695000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"66.167.169.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831899/; classtype:trojan-activity;sid:84694999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.250.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831898/; classtype:trojan-activity;sid:84694998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831897/; classtype:trojan-activity;sid:84694997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.44.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831896/; classtype:trojan-activity;sid:84694996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831895)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.122.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831895/; classtype:trojan-activity;sid:84694995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.126.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831894/; classtype:trojan-activity;sid:84694994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.158.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831893/; classtype:trojan-activity;sid:84694993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.92.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831892/; classtype:trojan-activity;sid:84694992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.7.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831891/; classtype:trojan-activity;sid:84694991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3831890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.99.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831890/; classtype:trojan-activity;sid:84694990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.162.179.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831889/; classtype:trojan-activity;sid:84694989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.68.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831888/; classtype:trojan-activity;sid:84694988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.133.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831887/; classtype:trojan-activity;sid:84694987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831886/; classtype:trojan-activity;sid:84694986; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.63.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831885/; classtype:trojan-activity;sid:84694985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.7.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831884/; classtype:trojan-activity;sid:84694984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dynline6os.miv6soren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831883/; classtype:trojan-activity;sid:84694983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.161.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831882/; classtype:trojan-activity;sid:84694982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; 
content:"primeshore.miv6soren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831881/; classtype:trojan-activity;sid:84694981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.133.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831880/; classtype:trojan-activity;sid:84694980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ultra-enzyrn.miv6soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831879/; classtype:trojan-activity;sid:84694979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.50.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831878/; classtype:trojan-activity;sid:84694978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.38.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831877/; classtype:trojan-activity;sid:84694977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3831876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.161.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831876/; classtype:trojan-activity;sid:84694976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"neroc5j.dexor-host.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831875/; classtype:trojan-activity;sid:84694975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.244.232.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831874/; classtype:trojan-activity;sid:84694974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"voit-wjw.dexor-host.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831873/; classtype:trojan-activity;sid:84694973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.79.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; 
reference:url, urlhaus.abuse.ch/url/3831872/; classtype:trojan-activity;sid:84694972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mund4c.dexor-host.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831871/; classtype:trojan-activity;sid:84694971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.199.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831870/; classtype:trojan-activity;sid:84694970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.35.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831869/; classtype:trojan-activity;sid:84694969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"breagc.dexor-host.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831868/; classtype:trojan-activity;sid:84694968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831867)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.38.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831867/; classtype:trojan-activity;sid:84694967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831866/; classtype:trojan-activity;sid:84694966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.79.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831865/; classtype:trojan-activity;sid:84694965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.10.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831864/; classtype:trojan-activity;sid:84694964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fami-wp.dexor-host.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831863/; classtype:trojan-activity;sid:84694963; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sunhq.dexor-host.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831862/; classtype:trojan-activity;sid:84694962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.79.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831861/; classtype:trojan-activity;sid:84694961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.35.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831860/; classtype:trojan-activity;sid:84694960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"voxx1.mivon-hub.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831859/; classtype:trojan-activity;sid:84694959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; 
http.host; content:"cuer-e30q.mivon-hub.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831858/; classtype:trojan-activity;sid:84694958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.219.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831857/; classtype:trojan-activity;sid:84694957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"casa-zw9e.mivon-hub.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831856/; classtype:trojan-activity;sid:84694956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.44.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831855/; classtype:trojan-activity;sid:84694955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"homm6uc.mivon-hub.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831854/; classtype:trojan-activity;sid:84694954; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"alph-qhj.mivon-hub.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831853/; classtype:trojan-activity;sid:84694953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.60.6"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831852/; classtype:trojan-activity;sid:84694952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.163.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831851/; classtype:trojan-activity;sid:84694951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"proc-256.mivon-hub.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831850/; classtype:trojan-activity;sid:84694950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.33.212"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831848/; classtype:trojan-activity;sid:84694948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.51.200"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831849/; classtype:trojan-activity;sid:84694949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"eart-l4.noven-sys.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831847/; classtype:trojan-activity;sid:84694947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.218.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831846/; classtype:trojan-activity;sid:84694946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"homo-ph.noven-sys.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831845/; classtype:trojan-activity;sid:84694945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mar-jlk.noven-sys.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831844/; classtype:trojan-activity;sid:84694944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lebe6wwf.noven-sys.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831843/; classtype:trojan-activity;sid:84694943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.10.39.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831842/; classtype:trojan-activity;sid:84694942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.51.200"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831841/; classtype:trojan-activity;sid:84694941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.7.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3831840/; classtype:trojan-activity;sid:84694940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"landem.noven-sys.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831839/; classtype:trojan-activity;sid:84694939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.89.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831838/; classtype:trojan-activity;sid:84694938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.89.163.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831837/; classtype:trojan-activity;sid:84694937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"stra-j2.noven-sys.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831836/; classtype:trojan-activity;sid:84694936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831835)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.212.28.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831835/; classtype:trojan-activity;sid:84694935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.160.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831834/; classtype:trojan-activity;sid:84694934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.140.190.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831833/; classtype:trojan-activity;sid:84694933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"paniwcfh.sylonix-web.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831832/; classtype:trojan-activity;sid:84694932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"amic-po1.sylonix-web.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831831/; 
classtype:trojan-activity;sid:84694931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.7.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831830/; classtype:trojan-activity;sid:84694930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.140.190.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831829/; classtype:trojan-activity;sid:84694929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.182.253.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831828/; classtype:trojan-activity;sid:84694928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"meer-in.sylonix-web.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831827/; classtype:trojan-activity;sid:84694927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; 
depth:44; endswith; nocase; http.host; content:"aguarw2y.sylonix-web.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831826/; classtype:trojan-activity;sid:84694926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.220.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831825/; classtype:trojan-activity;sid:84694925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"etab-0d.sylonix-web.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831824/; classtype:trojan-activity;sid:84694924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"spia-vo.sylonix-web.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831823/; classtype:trojan-activity;sid:84694923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.220.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831822/; classtype:trojan-activity;sid:84694922; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ocul-xq7.raxen-tech.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831821/; classtype:trojan-activity;sid:84694921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mati-ns3w.raxen-tech.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831820/; classtype:trojan-activity;sid:84694920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.11.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831819/; classtype:trojan-activity;sid:84694919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.11.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831818/; classtype:trojan-activity;sid:84694918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; 
endswith; nocase; http.host; content:"homb-1h.raxen-tech.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831817/; classtype:trojan-activity;sid:84694917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pes-ghj0.raxen-tech.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831816/; classtype:trojan-activity;sid:84694916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.108.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831815/; classtype:trojan-activity;sid:84694915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.244.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831814/; classtype:trojan-activity;sid:84694914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"freur6r.raxen-tech.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831813/; classtype:trojan-activity;sid:84694913; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831812/; classtype:trojan-activity;sid:84694912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fire-02k6.raxen-tech.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831811/; classtype:trojan-activity;sid:84694911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.9.170"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831810/; classtype:trojan-activity;sid:84694910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.11.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831809/; classtype:trojan-activity;sid:84694909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.11.143.247"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831808/; classtype:trojan-activity;sid:84694908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.242.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831807/; classtype:trojan-activity;sid:84694907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"acti-cmf.zexon-plus.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831806/; classtype:trojan-activity;sid:84694906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.1.26.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831805/; classtype:trojan-activity;sid:84694905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ocche0o.zexon-plus.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831804/; classtype:trojan-activity;sid:84694904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831803)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.244.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831803/; classtype:trojan-activity;sid:84694903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.171.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831802/; classtype:trojan-activity;sid:84694902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"piedmg3.zexon-plus.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831801/; classtype:trojan-activity;sid:84694901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.108.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831800/; classtype:trojan-activity;sid:84694900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.1.26.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831799/; 
classtype:trojan-activity;sid:84694899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"travb7.zexon-plus.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831798/; classtype:trojan-activity;sid:84694898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fuss-kx01.zexon-plus.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831797/; classtype:trojan-activity;sid:84694897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.175.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831796/; classtype:trojan-activity;sid:84694896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.115.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831795/; classtype:trojan-activity;sid:84694895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831794)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soci-84i6.zexon-plus.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831794/; classtype:trojan-activity;sid:84694894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"filo-8ao.qivon-store.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831793/; classtype:trojan-activity;sid:84694893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"etoi-fbll.qivon-store.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831792/; classtype:trojan-activity;sid:84694892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.95.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831789/; classtype:trojan-activity;sid:84694889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.156.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, 
urlhaus.abuse.ch/url/3831790/; classtype:trojan-activity;sid:84694890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.156.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831791/; classtype:trojan-activity;sid:84694891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.45.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831788/; classtype:trojan-activity;sid:84694888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kopf-wkeu.qivon-store.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831787/; classtype:trojan-activity;sid:84694887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.229.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831786/; classtype:trojan-activity;sid:84694886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831785)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ami-mfs.qivon-store.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831785/; classtype:trojan-activity;sid:84694885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.214.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831784/; classtype:trojan-activity;sid:84694884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.49.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831783/; classtype:trojan-activity;sid:84694883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"koerhl.qivon-store.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831782/; classtype:trojan-activity;sid:84694882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.248.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831781/; classtype:trojan-activity;sid:84694881; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"trab-7t.qivon-store.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831780/; classtype:trojan-activity;sid:84694880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.84.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831779/; classtype:trojan-activity;sid:84694879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pieqt.bexlor-net.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831778/; classtype:trojan-activity;sid:84694878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fine7t.bexlor-net.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831777/; classtype:trojan-activity;sid:84694877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"123.148.229.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831776/; classtype:trojan-activity;sid:84694876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.225.49.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831775/; classtype:trojan-activity;sid:84694875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"treexw.bexlor-net.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831774/; classtype:trojan-activity;sid:84694874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.84.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831773/; classtype:trojan-activity;sid:84694873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.234.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831772/; classtype:trojan-activity;sid:84694872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3831771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.0.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831771/; classtype:trojan-activity;sid:84694871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"day-g6qh.bexlor-net.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831770/; classtype:trojan-activity;sid:84694870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"plag59o.bexlor-net.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831769/; classtype:trojan-activity;sid:84694869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.248.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831768/; classtype:trojan-activity;sid:84694868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.35.126.149"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_26; reference:url, urlhaus.abuse.ch/url/3831767/; classtype:trojan-activity;sid:84694867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"terr-53p.bexlor-net.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831766/; classtype:trojan-activity;sid:84694866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lichxz.dexon-node.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831765/; classtype:trojan-activity;sid:84694865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"estrqmi.dexon-node.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831764/; classtype:trojan-activity;sid:84694864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"146.103.41.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831763/; classtype:trojan-activity;sid:84694863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3831762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"poditt0j.dexon-node.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831762/; classtype:trojan-activity;sid:84694862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.234.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831761/; classtype:trojan-activity;sid:84694861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.35.126.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831760/; classtype:trojan-activity;sid:84694860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831757/; classtype:trojan-activity;sid:84694857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831758/; 
classtype:trojan-activity;sid:84694858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831759/; classtype:trojan-activity;sid:84694859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831756/; classtype:trojan-activity;sid:84694856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831755/; classtype:trojan-activity;sid:84694855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.161.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831754/; classtype:trojan-activity;sid:84694854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831753/; classtype:trojan-activity;sid:84694853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fore-k6mz.dexon-node.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831752/; classtype:trojan-activity;sid:84694852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mens-tu.dexon-node.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831751/; classtype:trojan-activity;sid:84694851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.25.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831750/; classtype:trojan-activity;sid:84694850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fleuytfp.dexon-node.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831749/; classtype:trojan-activity;sid:84694849; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.248.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831748/; classtype:trojan-activity;sid:84694848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.37.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831747/; classtype:trojan-activity;sid:84694847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.92.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831746/; classtype:trojan-activity;sid:84694846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"manngua.mivonex-serv.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831745/; classtype:trojan-activity;sid:84694845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"etaknqgp.mivonex-serv.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831744/; classtype:trojan-activity;sid:84694844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.92.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831743/; classtype:trojan-activity;sid:84694843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.231.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831742/; classtype:trojan-activity;sid:84694842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"enfa1p13.mivonex-serv.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831741/; classtype:trojan-activity;sid:84694841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.105.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831740/; classtype:trojan-activity;sid:84694840; rev:1;)
# NOTE(review): coverage caveat for the next rule (host github.com). It is an
# "alert http" rule, so it can only match traffic that Suricata parses as HTTP.
# github.com normally serves content over HTTPS, so unless this sensor sees decrypted
# traffic the rule can match at most a cleartext request (for example one sent before
# a redirect to HTTPS) - confirm against your deployment. Where TLS is not inspected,
# search proxy or endpoint logs for the same URL path instead. The host is a shared
# code-hosting platform: the exact URI is the indicator, not the hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aiermass/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831738/; classtype:trojan-activity;sid:84694838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.48.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831739/; classtype:trojan-activity;sid:84694839; rev:1;)
# NOTE(review): same coverage caveat for the next rule (host gitlab.com): without TLS
# decryption an "alert http" rule is unlikely to see this request - confirm, and rely
# on proxy or endpoint telemetry for the URL path. Treat the URI, not the shared host,
# as the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/raw/main/s8d70ipcznaa.exe"; depth:40; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831737/; classtype:trojan-activity;sid:84694837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.248.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831736/; classtype:trojan-activity;sid:84694836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-mp.mivonex-serv.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; 
reference:url, urlhaus.abuse.ch/url/3831735/; classtype:trojan-activity;sid:84694835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"onli6sp.mivonex-serv.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831734/; classtype:trojan-activity;sid:84694834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.83.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831733/; classtype:trojan-activity;sid:84694833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.95.54.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831732/; classtype:trojan-activity;sid:84694832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.83.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831731/; classtype:trojan-activity;sid:84694831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831730)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"comp-os4d.mivonex-serv.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831730/; classtype:trojan-activity;sid:84694830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.144.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831729/; classtype:trojan-activity;sid:84694829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.48.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831728/; classtype:trojan-activity;sid:84694828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.144.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831727/; classtype:trojan-activity;sid:84694827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-2.dex1lavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831726/; classtype:trojan-activity;sid:84694826; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.206.197.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831725/; classtype:trojan-activity;sid:84694825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-berg-6p.dex1lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831724/; classtype:trojan-activity;sid:84694824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.106.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831723/; classtype:trojan-activity;sid:84694823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-9.dex1lavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831722/; classtype:trojan-activity;sid:84694822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"24.95.54.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831721/; classtype:trojan-activity;sid:84694821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-fire-1.dex1lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831720/; classtype:trojan-activity;sid:84694820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.204.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831719/; classtype:trojan-activity;sid:84694819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-4.dex1lavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831718/; classtype:trojan-activity;sid:84694818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-land-7b.dex1lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831717/; classtype:trojan-activity;sid:84694817; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.181.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831716/; classtype:trojan-activity;sid:84694816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-3.miv8soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831715/; classtype:trojan-activity;sid:84694815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-baum-5k.miv8soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831714/; classtype:trojan-activity;sid:84694814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.204.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831713/; classtype:trojan-activity;sid:84694813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.10.25.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831712/; classtype:trojan-activity;sid:84694812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-1.miv8soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831711/; classtype:trojan-activity;sid:84694811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.103.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831710/; classtype:trojan-activity;sid:84694810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.93.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831709/; classtype:trojan-activity;sid:84694809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-mond-8.miv8soren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831708/; classtype:trojan-activity;sid:84694808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3831707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.86.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831707/; classtype:trojan-activity;sid:84694807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-6.miv8soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831706/; classtype:trojan-activity;sid:84694806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.181.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831705/; classtype:trojan-activity;sid:84694805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-star-2x.miv8soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831704/; classtype:trojan-activity;sid:84694804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; 
content:"open-9.nov2liren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831703/; classtype:trojan-activity;sid:84694803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.45.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831702/; classtype:trojan-activity;sid:84694802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-berg-4n.nov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831701/; classtype:trojan-activity;sid:84694801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.89.44"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831700/; classtype:trojan-activity;sid:84694800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.65.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831699/; classtype:trojan-activity;sid:84694799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-5.nov2liren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831698/; classtype:trojan-activity;sid:84694798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.133.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831697/; classtype:trojan-activity;sid:84694797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.224.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831696/; classtype:trojan-activity;sid:84694796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-land-1.nov2liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831695/; classtype:trojan-activity;sid:84694795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.220.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831694/; classtype:trojan-activity;sid:84694794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.95.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831693/; classtype:trojan-activity;sid:84694793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-3.nov2liren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831692/; classtype:trojan-activity;sid:84694792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.89.44"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831691/; classtype:trojan-activity;sid:84694791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.46.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831690/; classtype:trojan-activity;sid:84694790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831689)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-1.sylo3mer.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831689/; classtype:trojan-activity;sid:84694789; rev:1;)
# NOTE(review): the next eight rules share the host 156.229.165.225 and differ only in
# the URI suffix (arm4, x86, arm5, arm7, arm6, mips, x8664, mpsl). Each rule has its own
# sid, so one client requesting several of these paths raises several separate alerts.
# Presumably the paths are per-architecture builds of one payload; verify against the
# URLhaus entries. For triage, group hits by source address and destination host
# rather than by sid. The exact-match URI (depth + endswith) also means a request for
# the same path with a query string appended would not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm4"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831688/; classtype:trojan-activity;sid:84694788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewx86"; depth:14; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831687/; classtype:trojan-activity;sid:84694787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm5"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831686/; classtype:trojan-activity;sid:84694786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm7"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831684/; classtype:trojan-activity;sid:84694784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm6"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831685/; classtype:trojan-activity;sid:84694785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewmips"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831681/; classtype:trojan-activity;sid:84694781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewx8664"; depth:16; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831682/; classtype:trojan-activity;sid:84694782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewmpsl"; depth:15; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831683/; classtype:trojan-activity;sid:84694783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.224.218"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831680/; classtype:trojan-activity;sid:84694780; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules below (every entry in this section has the same shape):
#   * alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client: only outbound client requests that
#     Suricata parses as HTTP are inspected.
#   * http.method content:"GET": other request methods never match.
#   * http.uri content + depth:<length of the string> + endswith: the URI
#     buffer must equal the string from first to last byte (nocase), so the
#     same path with a query string or an extra segment does not match.
#   * http.host content + depth:<length of the string> + isdataat:!1,relative:
#     the host buffer must equal the string exactly.
#     NOTE(review): a Host value that differs in any byte (for example if the
#     buffer carried an explicit port) would not match; confirm how the
#     deployed Suricata version normalises http.host.
#   * sid is the URLhaus entry id plus 80863100 in every rule shown here, and
#     reference:url points at that URLhaus entry for triage of an alert.
# These are exact-match indicator rules: each covers one host/URI pair and
# nothing else, so coverage is limited to the pairs that are listed.
# ---------------------------------------------------------------------------
# The URI "/cdk-msdn-3457325-null/load-file0dsdf567.chk" recurs throughout this
# section on many subdomains of sylo3mer, rax7pavel, zex1liron, qiv5moren,
# bexla8rin, dex2lavel and miv6soren (all under .in.net). Each hostname has its
# own rule, so a subdomain that is not listed is not covered; an HTTP-log
# search keyed on this URI alone would also surface hosts missing from the list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-wald-5v.sylo3mer.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831679/; classtype:trojan-activity;sid:84694779; rev:1;)
# Bare-IP hosts with the short URIs "/bin.sh" and "/i" also recur throughout.
# Those URIs are too generic to search for on their own; the signal is the
# exact host + URI pair. Several addresses are listed twice, once per path
# (for example 27.215.84.219, 42.228.35.148, 112.246.10.205, 115.55.226.192).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.173.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831678/; classtype:trojan-activity;sid:84694778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-2.sylo3mer.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831677/; classtype:trojan-activity;sid:84694777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.227.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831675/; classtype:trojan-activity;sid:84694775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.46.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831676/; classtype:trojan-activity;sid:84694776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-berg-9.sylo3mer.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831674/; classtype:trojan-activity;sid:84694774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.212.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831673/; classtype:trojan-activity;sid:84694773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-4.sylo3mer.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831672/; classtype:trojan-activity;sid:84694772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831671/; classtype:trojan-activity;sid:84694771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-star-6z.sylo3mer.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831670/; classtype:trojan-activity;sid:84694770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-8.rax7pavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831669/; classtype:trojan-activity;sid:84694769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-land-3m.rax7pavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831668/; classtype:trojan-activity;sid:84694768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.0.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831667/; classtype:trojan-activity;sid:84694767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.67.213.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831666/; classtype:trojan-activity;sid:84694766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-1.rax7pavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831665/; classtype:trojan-activity;sid:84694765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-fire-5.rax7pavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831664/; classtype:trojan-activity;sid:84694764; rev:1;)
# 162.248.101.153 is listed with three paths under /n2/ in this section
# (lterouter here, mips and mpsl two rules further down).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/lterouter"; depth:13; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831663/; classtype:trojan-activity;sid:84694763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-2.rax7pavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831662/; classtype:trojan-activity;sid:84694762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips"; depth:8; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831660/; classtype:trojan-activity;sid:84694760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mpsl"; depth:8; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831661/; classtype:trojan-activity;sid:84694761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"blue-mond-9k.rax7pavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831659/; classtype:trojan-activity;sid:84694759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-5.zex1liron.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831658/; classtype:trojan-activity;sid:84694758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-berg-2c.zex1liron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831657/; classtype:trojan-activity;sid:84694757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-7.zex1liron.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831656/; classtype:trojan-activity;sid:84694756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-wald-4.zex1liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831655/; classtype:trojan-activity;sid:84694755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.84.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831654/; classtype:trojan-activity;sid:84694754; rev:1;)
# 176.65.139.177 is listed with /run.sh plus one /bins/ path per CPU
# architecture name (riscv32, aarch64, sh4, or1k, powerpc, microblaze, i386,
# sh2, mips, riscv64, m68k, loongarch64, x86_64). The path names suggest
# per-architecture builds of one payload (presumably aimed at Linux or embedded
# devices; not stated by the feed). Because each path is a separate exact-match
# rule, a path on this host that is not listed here raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831652/; classtype:trojan-activity;sid:84694752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831653/; classtype:trojan-activity;sid:84694753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-6.zex1liron.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831651/; classtype:trojan-activity;sid:84694751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831641/; classtype:trojan-activity;sid:84694741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831642/; classtype:trojan-activity;sid:84694742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831643/; classtype:trojan-activity;sid:84694743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831644/; classtype:trojan-activity;sid:84694744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831645/; classtype:trojan-activity;sid:84694745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831646/; classtype:trojan-activity;sid:84694746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831647/; classtype:trojan-activity;sid:84694747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831648/; classtype:trojan-activity;sid:84694748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831649/; classtype:trojan-activity;sid:84694749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831650/; classtype:trojan-activity;sid:84694750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831640/; classtype:trojan-activity;sid:84694740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831639/; classtype:trojan-activity;sid:84694739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"iron-land-1q.zex1liron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831638/; classtype:trojan-activity;sid:84694738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-3.qiv5moren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831637/; classtype:trojan-activity;sid:84694737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-zeit-8.qiv5moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831636/; classtype:trojan-activity;sid:84694736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-5x.qiv5moren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831635/; classtype:trojan-activity;sid:84694735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.31.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831634/; classtype:trojan-activity;sid:84694734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.70.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831633/; classtype:trojan-activity;sid:84694733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.254.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831632/; classtype:trojan-activity;sid:84694732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.239.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831631/; classtype:trojan-activity;sid:84694731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-berg-2.qiv5moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831630/; classtype:trojan-activity;sid:84694730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.35.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831629/; classtype:trojan-activity;sid:84694729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.84.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831628/; classtype:trojan-activity;sid:84694728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-9.qiv5moren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831627/; classtype:trojan-activity;sid:84694727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.10.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831626/; classtype:trojan-activity;sid:84694726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.10.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831625/; classtype:trojan-activity;sid:84694725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-star-4s.qiv5moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831624/; classtype:trojan-activity;sid:84694724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-1.bexla8rin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831623/; classtype:trojan-activity;sid:84694723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.35.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831622/; classtype:trojan-activity;sid:84694722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"wald-baum-7.bexla8rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831621/; classtype:trojan-activity;sid:84694721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate.sh"; depth:13; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831620/; classtype:trojan-activity;sid:84694720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-2k.bexla8rin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831619/; classtype:trojan-activity;sid:84694719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.226.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831618/; classtype:trojan-activity;sid:84694718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-land-5.bexla8rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831617/; classtype:trojan-activity;sid:84694717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.246.10.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831616/; classtype:trojan-activity;sid:84694716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.226.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831615/; classtype:trojan-activity;sid:84694715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-3.bexla8rin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831614/; classtype:trojan-activity;sid:84694714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.125.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831613/; classtype:trojan-activity;sid:84694713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.9.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831612/; classtype:trojan-activity;sid:84694712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.106.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831611/; classtype:trojan-activity;sid:84694711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"blue-fire-9w.bexla8rin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831610/; classtype:trojan-activity;sid:84694710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"iron-8.dex2lavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831609/; classtype:trojan-activity;sid:84694709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.158.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831608/; classtype:trojan-activity;sid:84694708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.9.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831607/; classtype:trojan-activity;sid:84694707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.119.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831606/; classtype:trojan-activity;sid:84694706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-mond-6.dex2lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831605/; classtype:trojan-activity;sid:84694705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-4.dex2lavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831604/; classtype:trojan-activity;sid:84694704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.89.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831603/; classtype:trojan-activity;sid:84694703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-berg-1m.dex2lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831602/; classtype:trojan-activity;sid:84694702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.17.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831601/; classtype:trojan-activity;sid:84694701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-7.dex2lavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831600/; classtype:trojan-activity;sid:84694700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-star-2v.dex2lavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831599/; classtype:trojan-activity;sid:84694699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.237.17.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831598/; classtype:trojan-activity;sid:84694698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-9.miv6soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831597/; classtype:trojan-activity;sid:84694697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.119.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831596/; classtype:trojan-activity;sid:84694696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.237.17.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831595/; classtype:trojan-activity;sid:84694695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.38.79.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831594/; classtype:trojan-activity;sid:84694694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.93.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831593/; classtype:trojan-activity;sid:84694693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.17.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831592/; classtype:trojan-activity;sid:84694692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.29.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831591/; classtype:trojan-activity;sid:84694691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-baum-3.miv6soren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831590/; classtype:trojan-activity;sid:84694690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.239.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831589/; classtype:trojan-activity;sid:84694689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-5.miv6soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831588/; classtype:trojan-activity;sid:84694688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.217.184.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831587/; classtype:trojan-activity;sid:84694687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-1.miv6soren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831586/; classtype:trojan-activity;sid:84694686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.44.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831585/; classtype:trojan-activity;sid:84694685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.217.184.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831584/; classtype:trojan-activity;sid:84694684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.220.29.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831583/; classtype:trojan-activity;sid:84694683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.195.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831582/; classtype:trojan-activity;sid:84694682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.116.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831581/; classtype:trojan-activity;sid:84694681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.233.8"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831580/; classtype:trojan-activity;sid:84694680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.23.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831579/; classtype:trojan-activity;sid:84694679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.116.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831578/; classtype:trojan-activity;sid:84694678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.217.23.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831577/; classtype:trojan-activity;sid:84694677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831576/; classtype:trojan-activity;sid:84694676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831575)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/oajtohvn.exe"; depth:32; endswith; nocase; http.host; content:"www.italiaregina.it"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831575/; classtype:trojan-activity;sid:84694675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bundle-sheet.nov7liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831574/; classtype:trojan-activity;sid:84694674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.195.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831573/; classtype:trojan-activity;sid:84694673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pl4sm-flow.nov7liren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831572/; classtype:trojan-activity;sid:84694672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.209.163.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831571/; 
classtype:trojan-activity;sid:84694671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zencorear1.nov7liren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831570/; classtype:trojan-activity;sid:84694670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/text/diff/engine/decred.exe"; depth:40; endswith; nocase; http.host; content:"dcdivas.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831569/; classtype:trojan-activity;sid:84694669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cl-ncl-following"; depth:17; endswith; nocase; http.host; content:"79.124.59.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831568/; classtype:trojan-activity;sid:84694668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hf89cj2.nov7liren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831567/; classtype:trojan-activity;sid:84694667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831566)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.67.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831566/; classtype:trojan-activity;sid:84694666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rx64iv.nov7liren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831565/; classtype:trojan-activity;sid:84694665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831563/; classtype:trojan-activity;sid:84694663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831564/; classtype:trojan-activity;sid:84694664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831559/; classtype:trojan-activity;sid:84694659; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831560/; classtype:trojan-activity;sid:84694660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831561/; classtype:trojan-activity;sid:84694661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831562/; classtype:trojan-activity;sid:84694662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.227.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831558/; classtype:trojan-activity;sid:84694658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"3fgrll.nov7liren.in.net"; depth:23; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831557/; classtype:trojan-activity;sid:84694657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831556/; classtype:trojan-activity;sid:84694656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"x1ov.to2varon.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831555/; classtype:trojan-activity;sid:84694655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.81.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831554/; classtype:trojan-activity;sid:84694654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down.php/bae7aa2acb876b53690a9e627f8ffdef.zip"; depth:46; endswith; nocase; http.host; content:"qhsd8888.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831553/; classtype:trojan-activity;sid:84694653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831552)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dustfix.to2varon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831552/; classtype:trojan-activity;sid:84694652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"glos-rep.to2varon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831551/; classtype:trojan-activity;sid:84694651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"n0rt-crest.to2varon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831550/; classtype:trojan-activity;sid:84694650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ernbe-leaf.to2varon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831549/; classtype:trojan-activity;sid:84694649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; 
content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831548/; classtype:trojan-activity;sid:84694648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"wfamakg.to2varon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831547/; classtype:trojan-activity;sid:84694647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0x83911d24fx.sh"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831546/; classtype:trojan-activity;sid:84694646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831545/; classtype:trojan-activity;sid:84694645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831544/; classtype:trojan-activity;sid:84694644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831543/; classtype:trojan-activity;sid:84694643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831539/; classtype:trojan-activity;sid:84694639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831540/; classtype:trojan-activity;sid:84694640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831541/; classtype:trojan-activity;sid:84694641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831542/; classtype:trojan-activity;sid:84694642; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831537/; classtype:trojan-activity;sid:84694637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831538/; classtype:trojan-activity;sid:84694638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.arc"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831532/; classtype:trojan-activity;sid:84694632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug"; depth:6; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831533/; classtype:trojan-activity;sid:84694633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.mips64"; depth:17; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831534/; classtype:trojan-activity;sid:84694634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.i686"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831535/; classtype:trojan-activity;sid:84694635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.sparc"; depth:16; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831536/; classtype:trojan-activity;sid:84694636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mermiler.tar.gz"; depth:16; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831531/; classtype:trojan-activity;sid:84694631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setup_signed.exe"; depth:17; endswith; nocase; http.host; content:"enotpidarmot.pw"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831530/; classtype:trojan-activity;sid:84694630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm64"; depth:10; 
endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831526/; classtype:trojan-activity;sid:84694626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i686"; depth:9; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831527/; classtype:trojan-activity;sid:84694627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i586"; depth:9; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831528/; classtype:trojan-activity;sid:84694628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831529/; classtype:trojan-activity;sid:84694629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831523/; classtype:trojan-activity;sid:84694623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831524)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831524/; classtype:trojan-activity;sid:84694624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc-440fp"; depth:18; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831525/; classtype:trojan-activity;sid:84694625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dropper.sh"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831522/; classtype:trojan-activity;sid:84694622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831520/; classtype:trojan-activity;sid:84694620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831521/; classtype:trojan-activity;sid:84694621; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831516/; classtype:trojan-activity;sid:84694616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.147.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831517/; classtype:trojan-activity;sid:84694617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831518/; classtype:trojan-activity;sid:84694618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831519/; classtype:trojan-activity;sid:84694619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips64"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; 
reference:url, urlhaus.abuse.ch/url/3831515/; classtype:trojan-activity;sid:84694615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc_gnu_2017.09_prebuilt_uclibc_le_arc700_linux_install"; depth:60; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831514/; classtype:trojan-activity;sid:84694614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831510/; classtype:trojan-activity;sid:84694610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831511/; classtype:trojan-activity;sid:84694611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831512/; classtype:trojan-activity;sid:84694612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831513)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831513/; classtype:trojan-activity;sid:84694613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.ppc"; depth:8; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831509/; classtype:trojan-activity;sid:84694609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vitalpur.sylo8mer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831508/; classtype:trojan-activity;sid:84694608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.129.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831507/; classtype:trojan-activity;sid:84694607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc"; depth:3; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831506/; classtype:trojan-activity;sid:84694606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3831505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kamd"; depth:5; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831505/; classtype:trojan-activity;sid:84694605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vca"; depth:4; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831504/; classtype:trojan-activity;sid:84694604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vca1"; depth:5; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831501/; classtype:trojan-activity;sid:84694601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc1"; depth:4; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831502/; classtype:trojan-activity;sid:84694602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karm"; depth:5; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831503/; classtype:trojan-activity;sid:84694603; 
rev:1;)
# Review notes for the rules on this stretch of the URLhaus feed. Keyword order is left
# exactly as published: depth, endswith, nocase and isdataat each act on the content
# match (or buffer position) that precedes them.
# Each rule pins one exact URL. In http.uri, depth equals the content length and endswith
# anchors the end, so the whole buffer must equal the content (case-insensitively); in
# http.host, depth plus isdataat:!1,relative does the same for the host. Nothing else
# served from the same infrastructure is covered by these rules.
# The sylo8mer.in.net rules below (3831500, 3831499, 3831497) carry the same URI and
# differ only in the subdomain; 3831508 and 3831444 elsewhere in this ruleset repeat the
# pattern.
# NOTE(review): a locally maintained companion rule that keeps the shared URI and matches
# the host by suffix (http.host; content:".sylo8mer.in.net"; endswith;) would also cover
# subdomains the feed has not listed yet. Assess false-positive risk before enabling it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ba5ic0-spark.sylo8mer.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831500/; classtype:trojan-activity;sid:84694600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"theorypin.sylo8mer.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831499/; classtype:trojan-activity;sid:84694599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.80.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831498/; classtype:trojan-activity;sid:84694598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"80njj90.sylo8mer.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831497/; classtype:trojan-activity;sid:84694597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831496)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/auth-token/d"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831496/; classtype:trojan-activity;sid:84694596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831495/; classtype:trojan-activity;sid:84694595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831493/; classtype:trojan-activity;sid:84694593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831494/; classtype:trojan-activity;sid:84694594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labieds/splitwriter/raw/refs/heads/main/public/splitwriter-v2.8.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831490/; classtype:trojan-activity;sid:84694590; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamesnaismit/cv-screener/raw/refs/heads/main/web/hooks/cv-screener-3.4.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831491/; classtype:trojan-activity;sid:84694591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sahius1/socialvideoutility/main/screenshots/video-social-utility-v2.2.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831492/; classtype:trojan-activity;sid:84694592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123affano1/claudetrack/raw/refs/heads/main/client/src/pages/software_v1.6.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831479/; classtype:trojan-activity;sid:84694579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/douniajammali31/grammarfixer/raw/refs/heads/main/images/grammarfixer-2.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831480/; classtype:trojan-activity;sid:84694580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3831481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chamara1989/prismos-ai/main/docs/screenshots/prismos_ai_2.6.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831481/; classtype:trojan-activity;sid:84694581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/commutertrafficfarsi309/qclaw-old/raw/refs/heads/main/fasciolidae/qclaw_old_v1.2.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831482/; classtype:trojan-activity;sid:84694582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iamsujalarora/githubmeter/raw/refs/heads/main/src/styles/github_meter_v2.5.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831483/; classtype:trojan-activity;sid:84694583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arockiakoilpillai/temp-email-api/raw/refs/heads/master/images/temp-email-api-v1.4.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831484/; classtype:trojan-activity;sid:84694584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggshcgdh/localtranslateapp/raw/refs/heads/main/kittly/translate_app_local_3.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831485/; classtype:trojan-activity;sid:84694585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arockiakoilpillai/temp-email-api/raw/refs/heads/master/images/temp-email-api_v3.7.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831486/; classtype:trojan-activity;sid:84694586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamesnaismit/cv-screener/raw/refs/heads/main/api/postman/screener_cv_v2.8-alpha.2.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831487/; classtype:trojan-activity;sid:84694587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/douniajammali31/grammarfixer/raw/refs/heads/main/grammarfixer/resources/fixer-grammar-1.6.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831488/; classtype:trojan-activity;sid:84694588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831489)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reency/blox-fruits/raw/refs/heads/main/regardance/fruits_blox_v1.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831489/; classtype:trojan-activity;sid:84694589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lapk0m/n01d-overwatch/main/shared/overwatch-n-d-2.9.zip"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831478/; classtype:trojan-activity;sid:84694578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nytroze/ant-design-wpf/raw/refs/heads/master/src/antdesign.wpf/wpf-ant-design-v3.7-beta.3.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831476/; classtype:trojan-activity;sid:84694576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikey143-kun/agentchattr/main/session_templates/software-3.8.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831477/; classtype:trojan-activity;sid:84694577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831472)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ayubalishah/mac-recorder/raw/refs/heads/main/dist/macrecorder-0.2.0.pkg"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831472/; classtype:trojan-activity;sid:84694572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwamwaaaa/opentypeless/main/src/hooks/software-v1.3.zip"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831473/; classtype:trojan-activity;sid:84694573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayubalishah/mac-recorder/main/macrecorder/resources/assets.xcassets/recorder-mac-2.6.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831474/; classtype:trojan-activity;sid:84694574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nightmanvr/modernnav/raw/refs/heads/main/src/hooks/modern_nav_1.5.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831475/; classtype:trojan-activity;sid:84694575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831466)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.spc"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831466/; classtype:trojan-activity;sid:84694566; rev:1;)
# NOTE(review): the github.com rules below use "alert http", so they are evaluated only
# on HTTP traffic the sensor can parse in cleartext. That host is normally reached over
# HTTPS; expect these rules to stay silent unless TLS is decrypted ahead of the sensor or
# a client issues a plain-HTTP request. Absence of alerts is therefore not evidence that
# nothing was downloaded - confirm with proxy or endpoint telemetry. A TLS SNI or DNS
# match on the host alone is not a usable substitute, since the host is a shared platform.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nightmanvr/modernnav/raw/refs/heads/main/public/fonts/modern-nav-v3.5.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831467/; classtype:trojan-activity;sid:84694567; rev:1;)
# NOTE(review): the URI in the next rule (3831468) has no file component and looks like a
# repository landing path rather than a file download, although the msg text is the
# generic "malware download URL". Check the URLhaus entry named in the reference keyword
# before triaging a hit at the same confidence as the .zip rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/commutertrafficfarsi309/qclaw-old"; depth:34; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831468/; classtype:trojan-activity;sid:84694568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.mpsl"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831469/; classtype:trojan-activity;sid:84694569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.arm7"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831470/; classtype:trojan-activity;sid:84694570; rev:1;)
# NOTE(review): the next rule (3831471) matches the literal text "%20" inside http.uri.
# http.uri is Suricata's normalized URI buffer; where percent-encoding is decoded during
# normalization (the usual behaviour) the encoded form never appears in that buffer and
# the rule cannot fire - a silent false negative. Candidate fixes for a local copy: match
# the same content in http.uri.raw, or match the decoded spaces in http.uri and reduce
# depth from 96 to 92 (two "%20" sequences shrink by two bytes each). Verify against a
# test capture before changing, and report upstream so the feed generator handles it.
# NOTE(review): this rule and 3831462 below target raw.githubusercontent.com with
# "alert http"; that host is normally reached over HTTPS, so expect hits only where TLS
# is decrypted ahead of the sensor or a client issues a plain-HTTP request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labieds/splitwriter/main/src/windows%20-%20old/boards/text-engine/_old/software-v2.8-beta.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831471/; classtype:trojan-activity;sid:84694571; rev:1;)
# The remaining rules pin one exact URL each: depth equal to the content length plus
# endswith fixes the whole http.uri value, and depth plus isdataat:!1,relative fixes the
# whole http.host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/k"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831460/; classtype:trojan-activity;sid:84694560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831461/; classtype:trojan-activity;sid:84694561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/twelve-today822/juai/main/assets/ai_ju_riverwards.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831462/; classtype:trojan-activity;sid:84694562; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/g"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831463/; classtype:trojan-activity;sid:84694563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831464/; classtype:trojan-activity;sid:84694564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/h"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831465/; classtype:trojan-activity;sid:84694565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohsitsvegawellrip.sh"; depth:21; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831459/; classtype:trojan-activity;sid:84694559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/l"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_25; reference:url, urlhaus.abuse.ch/url/3831458/; classtype:trojan-activity;sid:84694558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntpd"; depth:5; endswith; nocase; http.host; content:"151.243.109.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831456/; classtype:trojan-activity;sid:84694556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"150.241.94.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831457/; classtype:trojan-activity;sid:84694557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/content/bins.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831454/; classtype:trojan-activity;sid:84694554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"77.239.112.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831455/; classtype:trojan-activity;sid:84694555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831452)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wildcraftsmanfilter/ai-voice-changer-real-time-desktop/releases/download/new/ai-voice-changer.v5.2.4-x64.rar"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831452/; classtype:trojan-activity;sid:84694552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yashsoni443/ai-image-generator-web/master/functions/web_generator_image_ai_v2.3.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831450/; classtype:trojan-activity;sid:84694550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memet-jo/trading/raw/refs/heads/main/sylphlike/trading-3.1.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831451/; classtype:trojan-activity;sid:84694551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unaccustomed-godspeed86/appbun/main/src/lib/software-2.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831446/; classtype:trojan-activity;sid:84694546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831447)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/yashsoni443/ai-image-generator-web/raw/refs/heads/master/functions/ai-image-generator-web_v3.0.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831447/; classtype:trojan-activity;sid:84694547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lacquerwarepernyimoth791/crosshair-x-custom-crosshair-overlay-for-every-game/raw/refs/heads/main/1.24.2/for_game_custom_overlay_every_crosshair_3.2-alpha.2.zip"; depth:160; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831448/; classtype:trojan-activity;sid:84694548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yuhejdjdi2828264/ediktefinder-analyzer/raw/refs/heads/main/feminality/analyzer-edikte-finder-3.2.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831449/; classtype:trojan-activity;sid:84694549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/almondleaveswillowlorenzodressing280/opguia/main/opguia/pages/connection/software-v1.2-alpha.2.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831441/; classtype:trojan-activity;sid:84694541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3831442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yousefmohamed54701/pygenpass/main/intertangle/gen-py-pass-v3.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831442/; classtype:trojan-activity;sid:84694542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrfrank-07/ipa-edit/raw/refs/heads/main/modules/edit_i_p_v1.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831443/; classtype:trojan-activity;sid:84694543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"reagentcore.sylo8mer.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831444/; classtype:trojan-activity;sid:84694544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bragii044/securekey-vault/main/context/secure_vault_key_v2.5.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831445/; classtype:trojan-activity;sid:84694545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831436)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ajobka/teams-alive/raw/refs/heads/main/childe/teams-alive-1.1.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831436/; classtype:trojan-activity;sid:84694536; rev:1;)
# Each rule pins one URLhaus entry: method GET, full-buffer match on http.uri (depth = pattern length plus
# endswith, case-insensitive) and on http.host (depth plus isdataat:!1,relative).
# The /booking/ rule uses an IP-literal host, so it matches only when the client sends that address as Host.
# NOTE(review): the github.com rules presumably need HTTP visibility into normally-HTTPS traffic - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking/"; depth:9; endswith; nocase; http.host; content:"185.107.74.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831437/; classtype:trojan-activity;sid:84694537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/holasisisi23/telegram-media-downloader/raw/refs/heads/main/unnoticed/media-telegram-downloader-unhatched.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831438/; classtype:trojan-activity;sid:84694538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astriefaw/animo-app/raw/refs/heads/master/gradle/wrapper/animo-app_v2.0.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831439/; classtype:trojan-activity;sid:84694539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831440)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/flystudiostech/haydee-ai-outfit-generator-gui/main/tests/ai_outfit_generator_haydee_gui_1.4.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831440/; classtype:trojan-activity;sid:84694540; rev:1;)
# GitHub-hosted archive URLs, each matched as an exact http.uri + http.host pair on an outbound GET.
# NOTE(review): sid 84694534 uses a /blob/ path where the neighbouring rules use /raw/ or the raw host; on
# GitHub a /blob/ URL normally returns the HTML file view rather than the file itself - presumably the URL
# was listed as submitted; check the URLhaus entry before treating a hit as a completed download.
# NOTE(review): all hosts here are normally HTTPS-only, so these rules presumably need decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pitthawat7/openclaw-win/raw/refs/heads/main/src/win_openclaw_2.7-alpha.2.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831432/; classtype:trojan-activity;sid:84694532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/funeralvalue508/crossdevicetracker.desktop/main/unheretical/cross_tracker_desktop_device_v1.8.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831433/; classtype:trojan-activity;sid:84694533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astriefaw/animo-app/blob/master/gradle/wrapper/animo-app_v2.0.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831434/; classtype:trojan-activity;sid:84694534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831435)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ke029121/energized-time-tracker/raw/refs/heads/main/phlebopexy/energized-time-tracker-1.7.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831435/; classtype:trojan-activity;sid:84694535; rev:1;)
# Outbound GET rules keyed on an exact github.com path (full http.uri, case-insensitive) and exact host.
# sid 84694531 differs from its neighbours: its URI is only an owner/repository path with no file component,
# so it alerts on a GET for that exact path rather than for a specific archive.
# NOTE(review): github.com is normally HTTPS; these `alert http` rules presumably need decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparoecanthusfultoni104/exphora_db/raw/refs/heads/main/ui/src/components/settings/exphora-db-v3.4-beta.1.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831429/; classtype:trojan-activity;sid:84694529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anandhupeepi/kafkalet/raw/refs/heads/main/frontend/node_modules/tailwindcss/lib/cli/software-cowardy.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831430/; classtype:trojan-activity;sid:84694530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempterimperforatehymen434/sonos-controller"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831431/; classtype:trojan-activity;sid:84694531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831424)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dl/loader.sh"; depth:13; endswith; nocase; http.host; content:"axodoyin.alwaysdata.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831424/; classtype:trojan-activity;sid:84694524; rev:1;)
# One rule per URLhaus entry: outbound GET whose whole http.uri (nocase) and whole http.host equal the
# quoted values. Because both buffers are matched end to end, any variation in path, query string or host
# falls outside the rule; pivoting on the host in flow or proxy logs covers paths the feed does not list.
# NOTE(review): the raw.githubusercontent.com rules presumably need decrypted traffic to fire - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hundred-praisworthiness384/domainos/main/scripts/os-domain-1.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831425/; classtype:trojan-activity;sid:84694525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking/"; depth:9; endswith; nocase; http.host; content:"132.243.225.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831426/; classtype:trojan-activity;sid:84694526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acting-correlationalanalysis567/twin-bridge-v1/main/frontend/src/bridge_twin_1.1.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831427/; classtype:trojan-activity;sid:84694527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; 
reference:url, urlhaus.abuse.ch/url/3831428/; classtype:trojan-activity;sid:84694528; rev:1;)
# Script and binary paths served from IP-literal hosts. Each rule needs the exact URI (case-insensitive)
# and the exact address in the Host header on an outbound GET.
# NOTE(review): short generic paths such as /bin.sh and /bins.sh carry little specificity on their own; the
# host match is what keeps these rules narrow, so an alert is only as current as the listed address - check
# the URLhaus reference for the entry's status during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssh_config_upd.sh"; depth:18; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831421/; classtype:trojan-activity;sid:84694521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"82.26.74.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831422/; classtype:trojan-activity;sid:84694522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"62.171.142.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831423/; classtype:trojan-activity;sid:84694523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.115.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831420/; classtype:trojan-activity;sid:84694520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; 
nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831419/; classtype:trojan-activity;sid:84694519; rev:1;)
# Exact URI + exact Host rules for outbound GET requests, one per URLhaus entry.
# The /q rule has a two-byte URI, so its host pattern (deepnoxa.com) carries nearly all of its specificity.
# NOTE(review): the github.com rule presumably fires only on decrypted or plaintext HTTP - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q"; depth:2; endswith; nocase; http.host; content:"deepnoxa.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831418/; classtype:trojan-activity;sid:84694518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inst24.msi"; depth:11; endswith; nocase; http.host; content:"sonra.eutialyson.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831416/; classtype:trojan-activity;sid:84694516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kathan2504/auto-voice-over-tool/raw/refs/heads/main/src/windows/main/auto_tool_over_voice_fining.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831417/; classtype:trojan-activity;sid:84694517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loeyyyyy/ai-voice-changer-real-time-2026/raw/refs/heads/main/cpp/de/jurihock/voicesmith/plug/time-changer-real-a-voice-3.4.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; 
reference:url, urlhaus.abuse.ch/url/3831406/; classtype:trojan-activity;sid:84694506; rev:1;)
# Outbound GET rules with full-buffer matches on http.uri (nocase) and http.host.
# The /iran.i486 rule points at an IP-literal host; the suffix looks like a CPU-architecture name, which
# suggests a per-architecture payload - inferred from the file name only, verify against the URLhaus entry.
# NOTE(review): the github.com rules presumably need decrypted traffic, since that host is normally HTTPS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astriefaw/animo-app/raw/refs/heads/master/gradle/animo_app_v1.2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831407/; classtype:trojan-activity;sid:84694507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831408/; classtype:trojan-activity;sid:84694508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poetic-macroglia442/openclaw-desktop-launcher/raw/refs/heads/main/startopenclawlauncher/services/launcher_desktop_openclaw_v3.8-beta.2.zip"; depth:139; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831409/; classtype:trojan-activity;sid:84694509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memet-jo/trading/raw/refs/heads/main/sylphlike/software_1.0.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831410/; classtype:trojan-activity;sid:84694510; 
rev:1;)
# Each rule alerts on an outbound GET whose http.uri and http.host match the quoted values end to end.
# Three different IP-literal hosts appear below (54.39.101.43, 165.22.247.105, 103.77.246.198); the .mips
# and .sh4 suffixes look like CPU-architecture names - presumably per-architecture payloads, verify.
# NOTE(review): the raw.githubusercontent.com rule presumably needs decrypted traffic to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sb090/tauri-plugin-macos-fps/main/examples/fps-diag/src-tauri/capabilities/plugin_macos_fps_tauri_2.4.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831411/; classtype:trojan-activity;sid:84694511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/a"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831412/; classtype:trojan-activity;sid:84694512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831413/; classtype:trojan-activity;sid:84694513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.sh4"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831414/; classtype:trojan-activity;sid:84694514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831415)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.x86_64"; depth:54; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831415/; classtype:trojan-activity;sid:84694515; rev:1;)
# GitHub-hosted archive URLs: outbound GET, whole http.uri (case-insensitive) and whole http.host must equal
# the quoted patterns, so a renamed file or different branch path in the same repository is not covered.
# NOTE(review): both hosts are normally HTTPS-only; these `alert http` rules presumably fire only where the
# sensor sees decrypted traffic - confirm, or pair them with proxy/endpoint telemetry for the same URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koteshwr-ra/linux-mac/main/image/common/overlay/etc/linux_mac_hacker.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831403/; classtype:trojan-activity;sid:84694503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdulmejid/desktopledsync/main/providers/desktop_led_sync_v3.3.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831404/; classtype:trojan-activity;sid:84694504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eliasxii/nullbyte/raw/refs/heads/main/docs/assets/byte_null_v3.0-beta.4.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831405/; classtype:trojan-activity;sid:84694505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; 
endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831391/; classtype:trojan-activity;sid:84694491; rev:1;)
# Rules for three IP-literal hosts, each an exact URI + exact Host match on an outbound GET:
#   103.77.246.198  /z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.<suffix>
#   165.22.247.105  /iran.<suffix>
#   54.39.101.43    /auth-token/<letter>
# The suffixes (.arc, .mipsel, .mips) look like CPU-architecture names - presumably one payload per
# architecture; inferred from the names only. Other suffixes on the same hosts are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.arc"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831392/; classtype:trojan-activity;sid:84694492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831393/; classtype:trojan-activity;sid:84694493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.mips"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831394/; classtype:trojan-activity;sid:84694494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/b"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831395/; classtype:trojan-activity;sid:84694495; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.m68k"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831396/; classtype:trojan-activity;sid:84694496; rev:1;)
# Exact-match rules for files on IP-literal hosts; each needs the quoted URI (case-insensitive, no trailing
# bytes) and the quoted address as the Host header on an outbound GET.
# NOTE(review): /arm is a four-byte URI, so the host pattern carries most of that rule's specificity; the
# file names look like CPU-architecture builds - presumably per-architecture payloads, verify via URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831397/; classtype:trojan-activity;sid:84694497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831398/; classtype:trojan-activity;sid:84694498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.i686"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831399/; classtype:trojan-activity;sid:84694499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/m"; depth:13; endswith; nocase; http.host; 
content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831400/; classtype:trojan-activity;sid:84694500; rev:1;)
# Four IP-literal hosts, one exact URI + exact Host rule per listed file (outbound GET only).
# The same architecture-style suffix (arm5) appears on two different hosts with different path layouts, so
# alerts should be attributed by host, not by file name. The suffix reading is inferred from the names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.arm5"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831401/; classtype:trojan-activity;sid:84694501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831402/; classtype:trojan-activity;sid:84694502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831378/; classtype:trojan-activity;sid:84694478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831379/; classtype:trojan-activity;sid:84694479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831380/; classtype:trojan-activity;sid:84694480; rev:1;)
# Outbound GET rules, each an end-to-end match on http.uri (nocase) and http.host for one URLhaus entry.
# Hosts in this run are IP literals (54.39.101.43, 103.77.246.198, 165.22.247.105); a client that reaches
# the same server under a different Host value would not match these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/j"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831381/; classtype:trojan-activity;sid:84694481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.x86"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831382/; classtype:trojan-activity;sid:84694482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831383/; classtype:trojan-activity;sid:84694483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831384/; classtype:trojan-activity;sid:84694484; rev:1;)
# Two hosts alternate below: 165.22.247.105 (/iran.<suffix>) and 103.77.246.198 (long two-segment path with
# a .<suffix> ending). Every rule is an exact URI + exact Host match on an outbound GET.
# NOTE(review): the suffixes (m68k, i486, armv6l, arm) look like CPU-architecture names - presumably the same
# payload built per architecture; the feed lists each file separately, so an unlisted suffix would not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831385/; classtype:trojan-activity;sid:84694485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.i486"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831386/; classtype:trojan-activity;sid:84694486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831387/; classtype:trojan-activity;sid:84694487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.arm"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831388/; classtype:trojan-activity;sid:84694488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831389)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.arm6"; depth:52; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831389/; classtype:trojan-activity;sid:84694489; rev:1;)
# Exact URI + exact Host rules on outbound GET requests. The /auth-token/<letter> rules share one host
# (54.39.101.43) and differ only in the final path byte; each letter is its own rule, so a letter the feed
# does not list would pass unmatched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/kkvettgaaasecnnaaaa.ppc"; depth:51; endswith; nocase; http.host; content:"103.77.246.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831390/; classtype:trojan-activity;sid:84694490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/c"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831374/; classtype:trojan-activity;sid:84694474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/f"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831375/; classtype:trojan-activity;sid:84694475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831376/; 
classtype:trojan-activity;sid:84694476; rev:1;)
# Outbound GET rules with end-to-end matches on http.uri (nocase) and http.host.
# NOTE(review): the ledger.eu.com rule names a file that resembles a Ledger wallet installer - presumably
# brand impersonation; that reading comes from the names alone, so confirm against the URLhaus entry.
# The remaining rules use IP-literal hosts and short architecture-style file names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/e"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831377/; classtype:trojan-activity;sid:84694477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831373/; classtype:trojan-activity;sid:84694473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"162.249.125.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831372/; classtype:trojan-activity;sid:84694472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-wallet.appimage"; depth:23; endswith; nocase; http.host; content:"ledger.eu.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831371/; classtype:trojan-activity;sid:84694471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-live-desktop.exe"; depth:24; endswith; nocase; http.host; 
content:"ledger.eu.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831370/; classtype:trojan-activity;sid:84694470; rev:1;)
# github.com download URLs, each an exact http.uri (nocase) + exact http.host match on an outbound GET.
# sid 84694469 targets a /releases/download/ asset path; the rule matches the request sent to github.com
# itself, not any follow-up request to another host.
# NOTE(review): github.com is normally HTTPS-only, so these `alert http` rules presumably fire only on
# decrypted traffic - confirm sensor coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scriptez1/redxfreesteaminstaller/releases/download/v2.4.4/redx_setup.exe"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831369/; classtype:trojan-activity;sid:84694469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duroypogi/gann-master-3d/raw/refs/heads/main/perichondritis/gann-d-master-v3.0-beta.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831364/; classtype:trojan-activity;sid:84694464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reency/blox-fruits/raw/refs/heads/main/regardance/bloxfruits_1.0-alpha.4.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831365/; classtype:trojan-activity;sid:84694465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojb2017/vectorfusion/raw/refs/heads/main/assets/vectorfusion_aplanospore.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831366/; classtype:trojan-activity;sid:84694466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anantbhardwaj828/cursor-free-vip/raw/refs/heads/main/electron/vip-free-cursor-v2.3.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831367/; classtype:trojan-activity;sid:84694467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anantbhardwaj828/cursor-free-vip/main/assets/cursor_free_vip_1.8.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831368/; classtype:trojan-activity;sid:84694468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tphuc7639/chop-your-tree-script/raw/refs/heads/main/endermatic/scripttreeyourchop-1.8-beta.5.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831361/; classtype:trojan-activity;sid:84694461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duroypogi/gann-master-3d/raw/refs/heads/main/perichondritis/master_d_gann_2.9.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831362/; classtype:trojan-activity;sid:84694462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tphuc7639/chop-your-tree-script/raw/refs/heads/main/endermatic/your_script_tree_chop_3.2.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831363/; classtype:trojan-activity;sid:84694463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-live-wallet.dmg"; depth:23; endswith; nocase; http.host; content:"ledger.eu.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831357/; classtype:trojan-activity;sid:84694457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puscasupaul01/wallet-hunter/raw/refs/heads/main/unchastised/hunter_wallet_cockshut.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831358/; classtype:trojan-activity;sid:84694458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojb2017/vectorfusion/main/src/vector_fusion_v1.7.zip"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831359/; 
classtype:trojan-activity;sid:84694459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hte.hta"; depth:8; endswith; nocase; http.host; content:"cl.distritovagas.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831360/; classtype:trojan-activity;sid:84694460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puscasupaul01/wallet-hunter/blob/main/unchastised/hunter-wallet-v3.0.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831354/; classtype:trojan-activity;sid:84694454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/errorm19/roblox-blox-fruits-script/blob/main/pelf/roblox-blox-fruits-script-v2.8.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831355/; classtype:trojan-activity;sid:84694455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"165.22.247.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831352/; classtype:trojan-activity;sid:84694452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831353)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"192.109.200.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831353/; classtype:trojan-activity;sid:84694453; rev:1;)
# URLhaus download-URL rules, restored to one rule per line. Every rule is an exact match:
# GET method, http.uri equal to the listed path (depth = content length, plus endswith) and
# http.host equal to the listed host (depth = content length, plus isdataat:!1,relative).
# The match is on the client request only, so an alert identifies an internal host that asked
# for the URL; whether the response carried a payload has to be checked separately.
#
# 176.65.132.117, 107.175.114.96 and (further down) 204.76.203.164 each appear with several
# file names ending in CPU-architecture tags (arm, mips, mpsl, ...), one rule per name.
# NOTE(review): presumably per-architecture builds of one loader; correlating alerts by
# destination host is likely more useful than treating each sid as a separate event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831349/; classtype:trojan-activity;sid:84694449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831350/; classtype:trojan-activity;sid:84694450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831351/; classtype:trojan-activity;sid:84694451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mpsl"; depth:8; endswith; nocase; http.host; content:"107.175.114.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831347/; classtype:trojan-activity;sid:84694447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips"; depth:8; endswith; nocase; http.host; content:"107.175.114.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831348/; classtype:trojan-activity;sid:84694448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/lterouter"; depth:13; endswith; nocase; http.host; content:"107.175.114.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831346/; classtype:trojan-activity;sid:84694446; rev:1;)
# The path /cdk-msdn-3457325-null/load-file0dsdf567.chk repeats below across several
# *.in.net hosts (sylo8mer.in.net, rax5pavel.in.net). Each rule pins one full host name,
# so a subdomain the feed has not listed yet is not covered by any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dealparc.sylo8mer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831345/; classtype:trojan-activity;sid:84694445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.129.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831344/; classtype:trojan-activity;sid:84694444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"l1ch-mesh.rax5pavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831343/; classtype:trojan-activity;sid:84694443; rev:1;)
# URI "/i" (depth:2) is a two-byte exact match; such a rule is specific only because the
# Host must also equal the listed IP address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.183.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831342/; classtype:trojan-activity;sid:84694442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.234.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831341/; classtype:trojan-activity;sid:84694441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"campa-fla.rax5pavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831340/; classtype:trojan-activity;sid:84694440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.183.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831339/; classtype:trojan-activity;sid:84694439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rain-line.rax5pavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831338/; classtype:trojan-activity;sid:84694438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"formtrai.rax5pavel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831337/; classtype:trojan-activity;sid:84694437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.233.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831336/; classtype:trojan-activity;sid:84694436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.143.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831335/; classtype:trojan-activity;sid:84694435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.213.140.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831334/; classtype:trojan-activity;sid:84694434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"m17e.rax5pavel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831333/; classtype:trojan-activity;sid:84694433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.79.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831332/; classtype:trojan-activity;sid:84694432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quorlineex.rax5pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831331/; classtype:trojan-activity;sid:84694431; rev:1;)
# 204.76.203.164 /bins/sora.<suffix>: one rule per file name; a name the feed has not
# listed is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831329/; classtype:trojan-activity;sid:84694429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831330/; classtype:trojan-activity;sid:84694430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831327/; classtype:trojan-activity;sid:84694427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831328/; classtype:trojan-activity;sid:84694428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831323/; classtype:trojan-activity;sid:84694423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831324/; classtype:trojan-activity;sid:84694424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831325/; classtype:trojan-activity;sid:84694425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831326/; classtype:trojan-activity;sid:84694426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.227.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831322/; classtype:trojan-activity;sid:84694422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831319/; classtype:trojan-activity;sid:84694419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831320/; classtype:trojan-activity;sid:84694420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"204.76.203.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831321/; classtype:trojan-activity;sid:84694421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.227.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831318/; classtype:trojan-activity;sid:84694418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.26.85.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831317/; classtype:trojan-activity;sid:84694417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.175.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831316/; classtype:trojan-activity;sid:84694416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831315)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"f4ct0ry-mark.zex3liron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831315/; classtype:trojan-activity;sid:84694415; rev:1;)
# URLhaus download-URL rules, restored to one rule per line. Each rule matches one exact
# URL: GET method, http.uri equal to the listed path (depth = content length, plus endswith)
# and http.host equal to the listed host (depth = content length, plus isdataat:!1,relative).
# Only cleartext HTTP requests from $HOME_NET to $EXTERNAL_NET are inspected, and only the
# request side, so an alert means an internal host asked for the URL.
#
# The path /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs below on many subdomains of
# zex3liron.in.net and qiv9moren.in.net. Every rule pins one full host name, so a subdomain
# that the feed has not listed yet is not detected.
# NOTE(review): a site that needs coverage ahead of the feed could evaluate a local rule on
# this path alone, after checking it against its own traffic for false positives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pixe2-zone.zex3liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831314/; classtype:trojan-activity;sid:84694414; rev:1;)
# "/i" and "/bin.sh" on bare IP hosts: the URI alone is short and generic ("/i" is two bytes),
# so these rules depend entirely on the Host value equalling the listed IP address. Several
# addresses below appear with both paths (27.37.102.151, 219.155.200.228, 39.81.251.7).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831313/; classtype:trojan-activity;sid:84694413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.119.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831312/; classtype:trojan-activity;sid:84694412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.41.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831310/; classtype:trojan-activity;sid:84694410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.26.85.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831311/; classtype:trojan-activity;sid:84694411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tr4ck7-plate.zex3liron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831309/; classtype:trojan-activity;sid:84694409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.200.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831308/; classtype:trojan-activity;sid:84694408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quorforgeet6.zex3liron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831307/; classtype:trojan-activity;sid:84694407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.200.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831306/; classtype:trojan-activity;sid:84694406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"velmesh7ix.zex3liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831305/; classtype:trojan-activity;sid:84694405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"publishbark.zex3liron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831304/; classtype:trojan-activity;sid:84694404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.70.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831303/; classtype:trojan-activity;sid:84694403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"4wjh4hoo.qiv9moren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831302/; classtype:trojan-activity;sid:84694402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.102.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831301/; classtype:trojan-activity;sid:84694401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.217.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831300/; classtype:trojan-activity;sid:84694400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.214.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831299/; classtype:trojan-activity;sid:84694399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.79.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831298/; classtype:trojan-activity;sid:84694398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"quormesh1os.qiv9moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831297/; classtype:trojan-activity;sid:84694397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sng2kb.qiv9moren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831296/; classtype:trojan-activity;sid:84694396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.60.85.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831295/; classtype:trojan-activity;sid:84694395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"3nzy-layer.qiv9moren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831294/; classtype:trojan-activity;sid:84694394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.120.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831284/; classtype:trojan-activity;sid:84694384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.12.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831285/; classtype:trojan-activity;sid:84694385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"47.215.185.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831286/; classtype:trojan-activity;sid:84694386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.6.165.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831287/; classtype:trojan-activity;sid:84694387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831288/; classtype:trojan-activity;sid:84694388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.242.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831289/; classtype:trojan-activity;sid:84694389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.45.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831290/; classtype:trojan-activity;sid:84694390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.251.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831291/; classtype:trojan-activity;sid:84694391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.251.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831292/; classtype:trojan-activity;sid:84694392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.43.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831293/; classtype:trojan-activity;sid:84694393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.109.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831279/; classtype:trojan-activity;sid:84694379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.110.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831280/; classtype:trojan-activity;sid:84694380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.48.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831281/; classtype:trojan-activity;sid:84694381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.69.93.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831282/; classtype:trojan-activity;sid:84694382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.254.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831283/; classtype:trojan-activity;sid:84694383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase;
http.host; content:"185.30.145.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831278/; classtype:trojan-activity;sid:84694378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.23.132.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831277/; classtype:trojan-activity;sid:84694377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.16.164.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831276/; classtype:trojan-activity;sid:84694376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831267/; classtype:trojan-activity;sid:84694367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.202.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831268/; classtype:trojan-activity;sid:84694368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831269)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.178.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831269/; classtype:trojan-activity;sid:84694369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.214.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831270/; classtype:trojan-activity;sid:84694370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.6.165.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831271/; classtype:trojan-activity;sid:84694371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.140.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831272/; classtype:trojan-activity;sid:84694372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.255.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831273/; classtype:trojan-activity;sid:84694373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3831274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.103.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831274/; classtype:trojan-activity;sid:84694374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.24.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831275/; classtype:trojan-activity;sid:84694375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.234.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831261/; classtype:trojan-activity;sid:84694361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.243.64.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831262/; classtype:trojan-activity;sid:84694362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.187.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831263/; classtype:trojan-activity;sid:84694363; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.11.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831264/; classtype:trojan-activity;sid:84694364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831265/; classtype:trojan-activity;sid:84694365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"191.37.19.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831266/; classtype:trojan-activity;sid:84694366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"23.92.130.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831260/; classtype:trojan-activity;sid:84694360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831259/; classtype:trojan-activity;sid:84694359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.60.85.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831258/; classtype:trojan-activity;sid:84694358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.24.104.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831252/; classtype:trojan-activity;sid:84694352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.12.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831253/; classtype:trojan-activity;sid:84694353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.153.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831254/; classtype:trojan-activity;sid:84694354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.24.104.224"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831255/; classtype:trojan-activity;sid:84694355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.150.124.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831256/; classtype:trojan-activity;sid:84694356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.17.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831257/; classtype:trojan-activity;sid:84694357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.11.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831246/; classtype:trojan-activity;sid:84694346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831247/; classtype:trojan-activity;sid:84694347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"27.21.29.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831248/; classtype:trojan-activity;sid:84694348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.102.128.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831249/; classtype:trojan-activity;sid:84694349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.89.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831250/; classtype:trojan-activity;sid:84694350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.25.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831251/; classtype:trojan-activity;sid:84694351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831245/; classtype:trojan-activity;sid:84694345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831244)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.200.221.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831244/; classtype:trojan-activity;sid:84694344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.254.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831236/; classtype:trojan-activity;sid:84694336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.173.89.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831237/; classtype:trojan-activity;sid:84694337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.200.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831238/; classtype:trojan-activity;sid:84694338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.243.64.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831239/; classtype:trojan-activity;sid:84694339; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.69.93.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831240/; classtype:trojan-activity;sid:84694340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.237.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831241/; classtype:trojan-activity;sid:84694341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.10.39.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831242/; classtype:trojan-activity;sid:84694342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.81.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831243/; classtype:trojan-activity;sid:84694343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.213.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831229/; 
classtype:trojan-activity;sid:84694329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.153.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831230/; classtype:trojan-activity;sid:84694330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.49.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831231/; classtype:trojan-activity;sid:84694331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.164.128.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831232/; classtype:trojan-activity;sid:84694332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.107.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831233/; classtype:trojan-activity;sid:84694333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.200.254"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831234/; classtype:trojan-activity;sid:84694334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.115.249.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831235/; classtype:trojan-activity;sid:84694335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831228/; classtype:trojan-activity;sid:84694328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.45.75.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831227/; classtype:trojan-activity;sid:84694327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.234.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831223/; classtype:trojan-activity;sid:84694323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"175.165.70.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831224/; classtype:trojan-activity;sid:84694324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.90.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831225/; classtype:trojan-activity;sid:84694325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.229.155.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831226/; classtype:trojan-activity;sid:84694326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.82.57"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831218/; classtype:trojan-activity;sid:84694318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.247.238.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831219/; classtype:trojan-activity;sid:84694319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831220)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.198.178.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831220/; classtype:trojan-activity;sid:84694320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.229.155.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831221/; classtype:trojan-activity;sid:84694321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.202.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831222/; classtype:trojan-activity;sid:84694322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.75.200.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831216/; classtype:trojan-activity;sid:84694316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831217/; classtype:trojan-activity;sid:84694317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3831215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth-token/i"; depth:13; endswith; nocase; http.host; content:"54.39.101.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831215/; classtype:trojan-activity;sid:84694315; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line (Suricata reads a
# rule from a single line unless it is backslash-continued).
# Every rule below follows the same template:
#   - alert on HTTP from $HOME_NET to $EXTERNAL_NET, client side of an
#     established flow, request method GET;
#   - http.uri: depth is the length of the content string and endswith anchors
#     the end, so the whole URI has to equal the listed path (nocase makes the
#     comparison case-insensitive);
#   - http.host: depth plus isdataat:!1,relative leaves no room before or after
#     the content, so the Host has to equal the listed name or address.
# Coverage limits to keep in mind when triaging: only cleartext HTTP is
# inspected (HTTPS needs decryption in front of the sensor), and a request with
# an added query string or a different Host header does not match.
# NOTE(review): these are point-in-time indicators (created_at 2026_04_25);
# keep the sensor synced with the feed rather than pinning this copy.
# NOTE(review): the path /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs
# below under many different *.in.net hostnames; a host-independent search for
# that path in proxy/HTTP logs may surface hostnames not yet listed - confirm
# against the URLhaus entries before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"6z3dyra.qiv9moren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831214/; classtype:trojan-activity;sid:84694314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.184.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831213/; classtype:trojan-activity;sid:84694313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.177.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831212/; classtype:trojan-activity;sid:84694312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.1.98"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831211/; classtype:trojan-activity;sid:84694311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.217.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831210/; classtype:trojan-activity;sid:84694310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"boostmanifest.qiv9moren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831209/; classtype:trojan-activity;sid:84694309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.1.98"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831208/; classtype:trojan-activity;sid:84694308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.119.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831206/; classtype:trojan-activity;sid:84694306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.184.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831207/; classtype:trojan-activity;sid:84694307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.11.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831205/; classtype:trojan-activity;sid:84694305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.177.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831204/; classtype:trojan-activity;sid:84694304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.213.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831203/; classtype:trojan-activity;sid:84694303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.185.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831202/; classtype:trojan-activity;sid:84694302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"eamo.bexla2rin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831201/; classtype:trojan-activity;sid:84694301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.234.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831200/; classtype:trojan-activity;sid:84694300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.4.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831199/; classtype:trojan-activity;sid:84694299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fl4rn2-phase.bexla2rin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831198/; classtype:trojan-activity;sid:84694298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.213.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831197/; classtype:trojan-activity;sid:84694297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bundleform.bexla2rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831196/; classtype:trojan-activity;sid:84694296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.222.70.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831195/; classtype:trojan-activity;sid:84694295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.82.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831194/; classtype:trojan-activity;sid:84694294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"colocip.bexla2rin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831193/; classtype:trojan-activity;sid:84694293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.5.254"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831192/; classtype:trojan-activity;sid:84694292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"f0cu-grid.bexla2rin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831191/; classtype:trojan-activity;sid:84694291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.4.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831190/; classtype:trojan-activity;sid:84694290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831189/; classtype:trojan-activity;sid:84694289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831188/; classtype:trojan-activity;sid:84694288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"planrec.bexla2rin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831187/; classtype:trojan-activity;sid:84694287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831186/; classtype:trojan-activity;sid:84694286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"workersolar.dex7lavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831185/; classtype:trojan-activity;sid:84694285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831184/; classtype:trojan-activity;sid:84694284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.174.101.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831183/; classtype:trojan-activity;sid:84694283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831182/; classtype:trojan-activity;sid:84694282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.191.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831181/; classtype:trojan-activity;sid:84694281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kel-marken.dex7lavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831180/; classtype:trojan-activity;sid:84694280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.219.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831179/; classtype:trojan-activity;sid:84694279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.1.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831178/; classtype:trojan-activity;sid:84694278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kelcoreos9.dex7lavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831177/; classtype:trojan-activity;sid:84694277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.11.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831176/; classtype:trojan-activity;sid:84694276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.191.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831175/; classtype:trojan-activity;sid:84694275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mer-meshis.dex7lavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831174/; classtype:trojan-activity;sid:84694274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831173/; classtype:trojan-activity;sid:84694273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"del1v-graph.dex7lavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831172/; classtype:trojan-activity;sid:84694272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.174.101.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831171/; classtype:trojan-activity;sid:84694271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"summiceda.dex7lavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831170/; classtype:trojan-activity;sid:84694270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.110.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831169/; classtype:trojan-activity;sid:84694269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.247.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831168/; classtype:trojan-activity;sid:84694268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"validatorgri.miv4soren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831167/; classtype:trojan-activity;sid:84694267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.111.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831166/; classtype:trojan-activity;sid:84694266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sermarkos.miv4soren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831165/; classtype:trojan-activity;sid:84694265; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line (Suricata reads a
# rule from a single line unless it is backslash-continued).
# Each rule matches one listed URL exactly on cleartext HTTP: GET from
# $HOME_NET to $EXTERNAL_NET on an established flow, http.uri equal to the
# listed path (depth = content length, endswith, nocase) and http.host equal to
# the listed name or address (depth = content length, isdataat:!1,relative).
# A request over TLS, with an extra query string, or with a different Host
# header is outside what these rules can see.
# NOTE(review): the same address often appears twice with different paths
# (e.g. /i and /bin.sh); each URLhaus entry keeps its own sid, so alerts should
# be correlated by destination host when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.18.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831164/; classtype:trojan-activity;sid:84694264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.202.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831163/; classtype:trojan-activity;sid:84694263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gpfour4.miv4soren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831162/; classtype:trojan-activity;sid:84694262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.111.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831161/; classtype:trojan-activity;sid:84694261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sknrzs3z.miv4soren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831160/; classtype:trojan-activity;sid:84694260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.79.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831159/; classtype:trojan-activity;sid:84694259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hyper-inv0ice.miv4soren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831158/; classtype:trojan-activity;sid:84694258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.65.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831157/; classtype:trojan-activity;sid:84694257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.34.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831156/; classtype:trojan-activity;sid:84694256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fjtx.miv4soren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831155/; classtype:trojan-activity;sid:84694255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.124.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831154/; classtype:trojan-activity;sid:84694254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"valehar.nov3liren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831153/; classtype:trojan-activity;sid:84694253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.234.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831152/; classtype:trojan-activity;sid:84694252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rockconvoy.kymle1rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831151/; classtype:trojan-activity;sid:84694251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.189.4.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831150/; classtype:trojan-activity;sid:84694250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.124.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831148/; classtype:trojan-activity;sid:84694248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.18.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831149/; classtype:trojan-activity;sid:84694249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.65.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831147/; classtype:trojan-activity;sid:84694247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"firmwa7-point.to9varon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831146/; classtype:trojan-activity;sid:84694246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.34.82.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831145/; classtype:trojan-activity;sid:84694245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bytehard.sylo6mer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831144/; classtype:trojan-activity;sid:84694244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"trigg-crest.rax4pavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831143/; classtype:trojan-activity;sid:84694243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"mossphoto.zex8liron.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831142/; classtype:trojan-activity;sid:84694242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.234.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831141/; classtype:trojan-activity;sid:84694241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831140/; classtype:trojan-activity;sid:84694240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dpcr.qiv2moren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831139/; classtype:trojan-activity;sid:84694239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.195.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831138/; classtype:trojan-activity;sid:84694238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"focusflame.bexla9rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831137/; classtype:trojan-activity;sid:84694237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.35.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831136/; classtype:trojan-activity;sid:84694236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.166.28.113"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831133/; classtype:trojan-activity;sid:84694233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.193.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831134/; classtype:trojan-activity;sid:84694234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.138.0.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831135/; classtype:trojan-activity;sid:84694235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc2"; depth:4; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831132/; classtype:trojan-activity;sid:84694232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.34.82.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831131/; classtype:trojan-activity;sid:84694231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vca2"; depth:5; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831130/; classtype:trojan-activity;sid:84694230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.174.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831129/; classtype:trojan-activity;sid:84694229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i.sh"; depth:5; endswith; nocase; http.host; content:"5.63.19.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831128/; classtype:trojan-activity;sid:84694228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"conv3r5-glow.dex3lavan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831127/; classtype:trojan-activity;sid:84694227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.43.154.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831126/; classtype:trojan-activity;sid:84694226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.127.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831125/; classtype:trojan-activity;sid:84694225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"84gxvrtf.miv7sorel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831124/; classtype:trojan-activity;sid:84694224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.166.28.113"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831122/; classtype:trojan-activity;sid:84694222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.193.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831123/; classtype:trojan-activity;sid:84694223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831121/; classtype:trojan-activity;sid:84694221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"systelaun.nov3liren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831120/; classtype:trojan-activity;sid:84694220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.33.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831119/; classtype:trojan-activity;sid:84694219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3831118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.127.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831118/; classtype:trojan-activity;sid:84694218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"clust1-dock.nov3liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831117/; classtype:trojan-activity;sid:84694217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.21.104.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831116/; classtype:trojan-activity;sid:84694216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"springledg.nov3liren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831115/; classtype:trojan-activity;sid:84694215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.202.1"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831114/; classtype:trojan-activity;sid:84694214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.234.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831113/; classtype:trojan-activity;sid:84694213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.227.183.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831112/; classtype:trojan-activity;sid:84694212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.138.0.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831111/; classtype:trojan-activity;sid:84694211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.200.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831110/; classtype:trojan-activity;sid:84694210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831109)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"serven5um.nov3liren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831109/; classtype:trojan-activity;sid:84694209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.227.183.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831108/; classtype:trojan-activity;sid:84694208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.43.154.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831107/; classtype:trojan-activity;sid:84694207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.63.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831106/; classtype:trojan-activity;sid:84694206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.4.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831104/; classtype:trojan-activity;sid:84694204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3831105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.115.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831105/; classtype:trojan-activity;sid:84694205; rev:1;)
# URLhaus exact-URL indicators: every rule below fires on an established,
# client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose URI and host both
# equal the listed values.
#   - URI: content + depth (= content length) + endswith pins the whole normalized
#     URI buffer; nocase makes the comparison case-insensitive
#   - host: content + depth (= content length) + isdataat:!1,relative pins the whole
#     http.host buffer
# Directionality depends on $HOME_NET / $EXTERNAL_NET being set for the sensor's
# network; with both left at a catch-all value the rules still load but the
# "internal client" meaning of an alert is lost.
# NOTE(review): several hosts in this file appear twice, once with /i and once with
# /bin.sh (for example 61.52.46.144 and 123.134.57.165 below), so one infected
# client can raise paired alerts; correlate on source address and destination host
# rather than counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.55.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831103/; classtype:trojan-activity;sid:84694203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vor-spireos.nov3liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831102/; classtype:trojan-activity;sid:84694202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.187.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831101/; classtype:trojan-activity;sid:84694201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.46.144"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831100/; classtype:trojan-activity;sid:84694200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.21.104.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831099/; classtype:trojan-activity;sid:84694199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.200.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831098/; classtype:trojan-activity;sid:84694198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.12.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831097/; classtype:trojan-activity;sid:84694197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.35.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831096/; classtype:trojan-activity;sid:84694196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"atom1-span.nov3liren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831095/; classtype:trojan-activity;sid:84694195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.46.144"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831094/; classtype:trojan-activity;sid:84694194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"emidb.kymle1rax.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831093/; classtype:trojan-activity;sid:84694193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.134.57.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831092/; classtype:trojan-activity;sid:84694192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"geo-1c3.kymle1rax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831091/; classtype:trojan-activity;sid:84694191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.4.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831090/; classtype:trojan-activity;sid:84694190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.134.57.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831089/; classtype:trojan-activity;sid:84694189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831088/; classtype:trojan-activity;sid:84694188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.63.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831087/; classtype:trojan-activity;sid:84694187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"veltide4a.kymle1rax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831086/; classtype:trojan-activity;sid:84694186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.35.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831085/; classtype:trojan-activity;sid:84694185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.80.228"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831084/; classtype:trojan-activity;sid:84694184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.25.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831082/; classtype:trojan-activity;sid:84694182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.147.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831083/; classtype:trojan-activity;sid:84694183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.105.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831081/; classtype:trojan-activity;sid:84694181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"thick8-signal.kymle1rax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831080/; classtype:trojan-activity;sid:84694180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.171.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831079/; classtype:trojan-activity;sid:84694179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tercheck.kymle1rax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831078/; classtype:trojan-activity;sid:84694178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831077/; classtype:trojan-activity;sid:84694177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"inkraven.kymle1rax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831076/; classtype:trojan-activity;sid:84694176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.68.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831075/; classtype:trojan-activity;sid:84694175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831074/; classtype:trojan-activity;sid:84694174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.103.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831073/; classtype:trojan-activity;sid:84694173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.36.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831071/; classtype:trojan-activity;sid:84694171; rev:1;)
# URLhaus exact-URL indicators. Each rule below matches one reported URL: an
# established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - the normalized URI equals the listed path (content + depth of the same length
#     + endswith; nocase makes it case-insensitive), and
#   - the http.host buffer equals the listed host (content + depth of the same
#     length + isdataat:!1,relative, which rejects any trailing byte).
# Because both buffers are pinned exactly, a different path on the same host, or
# the same path on a different host, does not alert.
# "alert http" covers cleartext HTTP only; fetches over TLS are out of scope here.
# NOTE(review): the /cdk-msdn-3457325-null/load-file0dsdf567.chk path below is
# listed under many *.in.net subdomains (to9varon, sylo6mer, rax4pavel, ...). The
# per-hostname rules will miss a hostname that is not yet in the feed; a locally
# maintained rule keyed on that path alone would cover the gap. Confirm the
# false-positive rate on your own traffic before enabling one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.25.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831072/; classtype:trojan-activity;sid:84694172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ash-leaf.to9varon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831070/; classtype:trojan-activity;sid:84694170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.102.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831069/; classtype:trojan-activity;sid:84694169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"neo-cornput.to9varon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831068/; classtype:trojan-activity;sid:84694168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bytefore.to9varon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831067/; classtype:trojan-activity;sid:84694167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.171.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831066/; classtype:trojan-activity;sid:84694166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rntfvps.to9varon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831065/; classtype:trojan-activity;sid:84694165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.103.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831064/; classtype:trojan-activity;sid:84694164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"atomicextract.to9varon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831063/; classtype:trojan-activity;sid:84694163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.43.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831062/; classtype:trojan-activity;sid:84694162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"server-scar.to9varon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831061/; classtype:trojan-activity;sid:84694161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.172.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831059/; classtype:trojan-activity;sid:84694159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.172.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831060/; classtype:trojan-activity;sid:84694160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hdf358xa.sylo6mer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831058/; classtype:trojan-activity;sid:84694158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.20.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831057/; classtype:trojan-activity;sid:84694157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.254.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831056/; classtype:trojan-activity;sid:84694156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.189.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831055/; classtype:trojan-activity;sid:84694155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.68.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831054/; classtype:trojan-activity;sid:84694154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"amber-mon.sylo6mer.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831053/; classtype:trojan-activity;sid:84694153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831052/; classtype:trojan-activity;sid:84694152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gentl-snow.sylo6mer.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831051/; classtype:trojan-activity;sid:84694151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.20.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831050/; classtype:trojan-activity;sid:84694150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"25eap9f.sylo6mer.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831049/; classtype:trojan-activity;sid:84694149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.245.43.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831048/; classtype:trojan-activity;sid:84694148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.254.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831047/; classtype:trojan-activity;sid:84694147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"argrs.sylo6mer.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831046/; classtype:trojan-activity;sid:84694146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vorlithen4.sylo6mer.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831045/; classtype:trojan-activity;sid:84694145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831044/; classtype:trojan-activity;sid:84694144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sernexor8.rax4pavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831043/; classtype:trojan-activity;sid:84694143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.48.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831042/; classtype:trojan-activity;sid:84694142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"falforma.rax4pavel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831041/; classtype:trojan-activity;sid:84694141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831040/; classtype:trojan-activity;sid:84694140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.6.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831039/; classtype:trojan-activity;sid:84694139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.92.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831038/; classtype:trojan-activity;sid:84694138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831037/; classtype:trojan-activity;sid:84694137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.251.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831036/; classtype:trojan-activity;sid:84694136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831035)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"forrn7-panel.rax4pavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831035/; classtype:trojan-activity;sid:84694135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.92.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831034/; classtype:trojan-activity;sid:84694134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831033/; classtype:trojan-activity;sid:84694133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"jkdraj.rax4pavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831032/; classtype:trojan-activity;sid:84694132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.65.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831031/; classtype:trojan-activity;sid:84694131; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vellithal3.rax4pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831030/; classtype:trojan-activity;sid:84694130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.6.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831029/; classtype:trojan-activity;sid:84694129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831028/; classtype:trojan-activity;sid:84694128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"starwinter.rax4pavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831027/; classtype:trojan-activity;sid:84694127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831026)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dyn-tideis.zex8liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831026/; classtype:trojan-activity;sid:84694126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.115.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831025/; classtype:trojan-activity;sid:84694125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.251.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831024/; classtype:trojan-activity;sid:84694124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.65.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831023/; classtype:trojan-activity;sid:84694123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.68.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831022/; classtype:trojan-activity;sid:84694122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3831021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ultra-f1rmvva.zex8liron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831021/; classtype:trojan-activity;sid:84694121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.65.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831020/; classtype:trojan-activity;sid:84694120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sub-n3uron.zex8liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831019/; classtype:trojan-activity;sid:84694119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.93.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831017/; classtype:trojan-activity;sid:84694117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.115.109"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831018/; classtype:trojan-activity;sid:84694118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kkdho.zex8liron.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831016/; classtype:trojan-activity;sid:84694116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.51.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831015/; classtype:trojan-activity;sid:84694115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vorcrestix.zex8liron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831014/; classtype:trojan-activity;sid:84694114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.242.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831013/; classtype:trojan-activity;sid:84694113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3831012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"72z5.zex8liron.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831012/; classtype:trojan-activity;sid:84694112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.65.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831011/; classtype:trojan-activity;sid:84694111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.154.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831010/; classtype:trojan-activity;sid:84694110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.55.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831009/; classtype:trojan-activity;sid:84694109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"audittiny.qiv2moren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831008/; classtype:trojan-activity;sid:84694108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.93.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831007/; classtype:trojan-activity;sid:84694107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.164.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831006/; classtype:trojan-activity;sid:84694106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.51.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831005/; classtype:trojan-activity;sid:84694105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.242.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831004/; classtype:trojan-activity;sid:84694104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.9.183"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831003/; classtype:trojan-activity;sid:84694103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ollowgl.qiv2moren.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831002/; classtype:trojan-activity;sid:84694102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"motif4-vector.qiv2moren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831001/; classtype:trojan-activity;sid:84694101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"cultureengine.qiv2moren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831000/; classtype:trojan-activity;sid:84694100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.55.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830999/; classtype:trojan-activity;sid:84694099; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gf2rfd.qiv2moren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830998/; classtype:trojan-activity;sid:84694098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"passiv-reage.qiv2moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830997/; classtype:trojan-activity;sid:84694097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"7fsk.bexla9rin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830996/; classtype:trojan-activity;sid:84694096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.73.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830995/; classtype:trojan-activity;sid:84694095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830994)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"canopystor.bexla9rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830994/; classtype:trojan-activity;sid:84694094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.153.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830992/; classtype:trojan-activity;sid:84694092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.153.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830993/; classtype:trojan-activity;sid:84694093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.221.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830991/; classtype:trojan-activity;sid:84694091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"echoloa.bexla9rin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830990/; classtype:trojan-activity;sid:84694090; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.8.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830989/; classtype:trojan-activity;sid:84694089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"theormot.bexla9rin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830988/; classtype:trojan-activity;sid:84694088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vorforge7al.bexla9rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830987/; classtype:trojan-activity;sid:84694087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.73.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830986/; classtype:trojan-activity;sid:84694086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"221.15.8.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830985/; classtype:trojan-activity;sid:84694085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.25.159"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830984/; classtype:trojan-activity;sid:84694084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"publish2-mount.bexla9rin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830983/; classtype:trojan-activity;sid:84694083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.9.170"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830982/; classtype:trojan-activity;sid:84694082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.221.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830981/; classtype:trojan-activity;sid:84694081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"proto-str34m.dex3lavan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830980/; classtype:trojan-activity;sid:84694080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"svvift5-trace.dex3lavan.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830979/; classtype:trojan-activity;sid:84694079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"jz8ef5.dex3lavan.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830978/; classtype:trojan-activity;sid:84694078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.92.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830977/; classtype:trojan-activity;sid:84694077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; 
content:"norspireos3.dex3lavan.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830976/; classtype:trojan-activity;sid:84694076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.152.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830975/; classtype:trojan-activity;sid:84694075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.93.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830974/; classtype:trojan-activity;sid:84694074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830973/; classtype:trojan-activity;sid:84694073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tracesound.dex3lavan.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830972/; classtype:trojan-activity;sid:84694072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"segmentash.dex3lavan.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830971/; classtype:trojan-activity;sid:84694071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830970/; classtype:trojan-activity;sid:84694070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"growthcircui.miv7sorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830969/; classtype:trojan-activity;sid:84694069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.79.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830968/; classtype:trojan-activity;sid:84694068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"surv3y7-plate.miv7sorel.in.net"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830967/; classtype:trojan-activity;sid:84694067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.160.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830966/; classtype:trojan-activity;sid:84694066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.92.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830965/; classtype:trojan-activity;sid:84694065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.41.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830964/; classtype:trojan-activity;sid:84694064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.160.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830963/; classtype:trojan-activity;sid:84694063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830962)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bark-line.miv7sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830962/; classtype:trojan-activity;sid:84694062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830961/; classtype:trojan-activity;sid:84694061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"basicret.miv7sorel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830960/; classtype:trojan-activity;sid:84694060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.79.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830959/; classtype:trojan-activity;sid:84694059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tri-fluxa.miv7sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3830958/; classtype:trojan-activity;sid:84694058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"solafirmw.miv7sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830957/; classtype:trojan-activity;sid:84694057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.158.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830956/; classtype:trojan-activity;sid:84694056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.54.92"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830955/; classtype:trojan-activity;sid:84694055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.49.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830954/; classtype:trojan-activity;sid:84694054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830953)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dffer.excavat-toponym.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830953/; classtype:trojan-activity;sid:84694053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.0.110"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830952/; classtype:trojan-activity;sid:84694052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dsf2.excavat-toponym.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830951/; classtype:trojan-activity;sid:84694051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.96.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830950/; classtype:trojan-activity;sid:84694050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-2.excavat-toponym.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3830949/; classtype:trojan-activity;sid:84694049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.102.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830948/; classtype:trojan-activity;sid:84694048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830947/; classtype:trojan-activity;sid:84694047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.79.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830946/; classtype:trojan-activity;sid:84694046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.173.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830945/; classtype:trojan-activity;sid:84694045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; 
content:"fast-land-9c.excavat-toponym.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830944/; classtype:trojan-activity;sid:84694044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.236.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830943/; classtype:trojan-activity;sid:84694043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-6.excavat-toponym.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830942/; classtype:trojan-activity;sid:84694042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.96.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830941/; classtype:trojan-activity;sid:84694041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-baum-4.excavat-toponym.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830940/; classtype:trojan-activity;sid:84694040; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-1.excavat-toponym.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830939/; classtype:trojan-activity;sid:84694039; rev:1;)
# The next six rules cover three ZIP archives under the /rupa9495/ path. Each archive is
# listed twice: once as the github.com ".../raw/refs/heads/main/..." URL and once as the
# matching raw.githubusercontent.com URL.
# NOTE(review): these are `alert http` rules, so they only see requests Suricata can parse
# as cleartext HTTP. Both hosts are normally reached over HTTPS, so these rules presumably
# fire only where TLS is decrypted before the sensor -- confirm for your deployment.
# NOTE(review): the host is a shared, legitimate platform, so the specificity comes from
# the http.uri match (depth + endswith pin it to the end of the buffer). Keep host and URI
# together when tuning; a request with anything appended after ".zip" would not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/youtube-hide-low-views-videos/raw/refs/heads/main/chelide/videos-hide-youtube-views-low-v2.6.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830938/; classtype:trojan-activity;sid:84694038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/n8n-mt5-fetch/refs/heads/main/telluriferous/fetch_n_mt_v3.9.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830936/; classtype:trojan-activity;sid:84694036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/n8n-mt5-fetch/raw/refs/heads/main/telluriferous/fetch_n_mt_v3.9.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830937/; classtype:trojan-activity;sid:84694037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/rupa9495.github.io/refs/heads/main/pterotheca/io-rupa-github-1.6.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830935/; classtype:trojan-activity;sid:84694035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/rupa9495.github.io/raw/refs/heads/main/pterotheca/io-rupa-github-1.6.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830934/; classtype:trojan-activity;sid:84694034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/youtube-hide-low-views-videos/refs/heads/main/chelide/videos-hide-youtube-views-low-v2.6.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830933/; classtype:trojan-activity;sid:84694033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"blue-fire-8x.excavat-toponym.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830932/; classtype:trojan-activity;sid:84694032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-3.caissonnarc0m.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830931/; classtype:trojan-activity;sid:84694031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.236.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830930/; classtype:trojan-activity;sid:84694030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.236.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830929/; classtype:trojan-activity;sid:84694029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.192.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830928/; classtype:trojan-activity;sid:84694028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-berg-5p.caissonnarc0m.in.net"; depth:34; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830927/; classtype:trojan-activity;sid:84694027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.155.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830926/; classtype:trojan-activity;sid:84694026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-7.caissonnarc0m.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830925/; classtype:trojan-activity;sid:84694025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.175.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830924/; classtype:trojan-activity;sid:84694024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-land-4.caissonnarc0m.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830923/; classtype:trojan-activity;sid:84694023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3830922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-6.caissonnarc0m.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830922/; classtype:trojan-activity;sid:84694022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"iron-star-2n.caissonnarc0m.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830921/; classtype:trojan-activity;sid:84694021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.155.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830920/; classtype:trojan-activity;sid:84694020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-1.cicada-tkacki.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830919/; classtype:trojan-activity;sid:84694019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.228.183"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830918/; classtype:trojan-activity;sid:84694018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.14.191.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830917/; classtype:trojan-activity;sid:84694017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.212.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830916/; classtype:trojan-activity;sid:84694016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-mond-9z.cicada-tkacki.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830915/; classtype:trojan-activity;sid:84694015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-4.cicada-tkacki.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830914/; classtype:trojan-activity;sid:84694014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3830913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.188.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830913/; classtype:trojan-activity;sid:84694013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-wald-8.cicada-tkacki.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830912/; classtype:trojan-activity;sid:84694012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.131.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830911/; classtype:trojan-activity;sid:84694011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.243.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830910/; classtype:trojan-activity;sid:84694010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.243.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3830909/; classtype:trojan-activity;sid:84694009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.228.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830908/; classtype:trojan-activity;sid:84694008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-2.cicada-tkacki.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830907/; classtype:trojan-activity;sid:84694007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.212.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830906/; classtype:trojan-activity;sid:84694006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-zeit-5k.cicada-tkacki.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830905/; classtype:trojan-activity;sid:84694005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830904)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.162.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830904/; classtype:trojan-activity;sid:84694004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.14.191.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830903/; classtype:trojan-activity;sid:84694003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.96.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830902/; classtype:trojan-activity;sid:84694002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.74.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830901/; classtype:trojan-activity;sid:84694001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-9.slanikt7ay.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830900/; classtype:trojan-activity;sid:84694000; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830899/; classtype:trojan-activity;sid:84693999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.247.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830898/; classtype:trojan-activity;sid:84693998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-berg-4b.slanikt7ay.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830897/; classtype:trojan-activity;sid:84693997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.131.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830896/; classtype:trojan-activity;sid:84693996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.188.178"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830895/; classtype:trojan-activity;sid:84693995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830894/; classtype:trojan-activity;sid:84693994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-6.slanikt7ay.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830893/; classtype:trojan-activity;sid:84693993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-land-1.slanikt7ay.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830892/; classtype:trojan-activity;sid:84693992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.96.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830891/; classtype:trojan-activity;sid:84693991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.30.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830890/; classtype:trojan-activity;sid:84693990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-8.slanikt7ay.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830889/; classtype:trojan-activity;sid:84693989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.30.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830888/; classtype:trojan-activity;sid:84693988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.236.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830887/; classtype:trojan-activity;sid:84693987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.247.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830886/; 
classtype:trojan-activity;sid:84693986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.90.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830885/; classtype:trojan-activity;sid:84693985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.65.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830884/; classtype:trojan-activity;sid:84693984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-star-3v.slanikt7ay.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830883/; classtype:trojan-activity;sid:84693983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-2.archit-physiol.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830882/; classtype:trojan-activity;sid:84693982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"27.37.101.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830881/; classtype:trojan-activity;sid:84693981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.234.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830880/; classtype:trojan-activity;sid:84693980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.242.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830879/; classtype:trojan-activity;sid:84693979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.146"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830878/; classtype:trojan-activity;sid:84693978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-fire-6q.archit-physiol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830877/; classtype:trojan-activity;sid:84693977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/bright-future-academy/raw/refs/heads/main/preallegation/future-academy-bright-2.4.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830856/; classtype:trojan-activity;sid:84693956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/swiftuihelpers/raw/refs/heads/main/resources/helpers-swift-ui-v2.8-beta.2.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830857/; classtype:trojan-activity;sid:84693957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/stm32-oled-i2c-hal-coding-method/raw/refs/heads/main/drivers/cmsis/device/st/st_ha_coding_method_ole_v3.3.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830858/; classtype:trojan-activity;sid:84693958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/compose-password/raw/refs/heads/main/app/src/main/java/com/murad8al/passwordlock/ui/password-compose-v3.8.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830859/; classtype:trojan-activity;sid:84693959; rev:1;) 
# Review notes for the GitHub-hosted entries that follow (all rules share one template):
#  - Scope: flow:established,from_client with http.method "GET" means only the client's
#    outbound request is inspected, from $HOME_NET to $EXTERNAL_NET.
#  - http.uri + depth:N + endswith pins the whole normalized URI to the listed path; nocase
#    makes that comparison case-insensitive. A request for the same file with an added
#    query string or a different path would not match.
#  - http.host + depth:N + isdataat:!1,relative requires the host to equal the content
#    exactly (no prefix or suffix match), so other traffic to the same host is not flagged.
#  - Coverage caveat: `alert http` only sees cleartext HTTP. github.com and
#    raw.githubusercontent.com normally serve these paths over HTTPS, so these rules
#    presumably fire only where TLS is decrypted ahead of the sensor or the client used
#    plain HTTP. Confirm for your deployment and back this up with proxy/EDR URL telemetry.
#  - Triage: a hit shows that an internal host requested the URL, not that the payload was
#    delivered. Check the response and file logs for the same flow, and use the
#    reference:url entry for the URLhaus record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/particalfun/refs/heads/main/build/software-v3.8-beta.1.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830860/; classtype:trojan-activity;sid:84693960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/kevlar782.github.io/raw/refs/heads/main/elocutionary/io-github-kevlar-eremology.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830861/; classtype:trojan-activity;sid:84693961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/claude-code-showcase/raw/refs/heads/main/.claude/skills/core-components/showcase-claude-code-3.2-beta.5.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830862/; classtype:trojan-activity;sid:84693962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/data_analyst-bi_dev-portfolio.github.io/raw/refs/heads/main/assets/io_b_github_portfoli_analys_dat_de_v2.8.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830863/; 
classtype:trojan-activity;sid:84693963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/swiftemoji/raw/refs/heads/main/sources/swiftemojiindex/datasource/swift-emoji-1.9-beta.3.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830864/; classtype:trojan-activity;sid:84693964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/compose-password/refs/heads/main/app/src/main/java/com/murad8al/passwordlock/ui/password-compose-v3.8.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830865/; classtype:trojan-activity;sid:84693965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/portfolio/raw/refs/heads/main/assets/projects/software_v3.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830866/; classtype:trojan-activity;sid:84693966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/mhmdoafv.github.io/raw/refs/heads/main/cephalhematoma/github-io-mhmdoafv-1.6.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830867/; classtype:trojan-activity;sid:84693967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/facebook-marketing-automation/refs/heads/main/baseheartedness/facebook_automation_marketing_1.0.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830868/; classtype:trojan-activity;sid:84693968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/mhmdoafv.github.io/refs/heads/main/cephalhematoma/github-io-mhmdoafv-1.6.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830869/; classtype:trojan-activity;sid:84693969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/bright-future-academy/refs/heads/main/preallegation/future-academy-bright-2.4.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830870/; classtype:trojan-activity;sid:84693970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/portfolio/refs/heads/main/assets/projects/software_v3.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830871/; classtype:trojan-activity;sid:84693971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/swiftemoji/refs/heads/main/sources/swiftemojiindex/datasource/swift-emoji-1.9-beta.3.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830872/; classtype:trojan-activity;sid:84693972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/aws-serverless-elt-pipeline/refs/heads/main/infra/terraform/modules/lambda_event_source_mapping/serverless_pipeline_aw_el_v3.5-beta.5.zip"; depth:150; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830873/; classtype:trojan-activity;sid:84693973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/swiftuihelpers/refs/heads/main/resources/helpers-swift-ui-v2.8-beta.2.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830874/; classtype:trojan-activity;sid:84693974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830875)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/raditpasy25/aws-serverless-elt-pipeline/raw/refs/heads/main/infra/terraform/modules/lambda_event_source_mapping/serverless_pipeline_aw_el_v3.5-beta.5.zip"; depth:154; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830875/; classtype:trojan-activity;sid:84693975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/facebook-marketing-automation/raw/refs/heads/main/baseheartedness/facebook_automation_marketing_1.0.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830876/; classtype:trojan-activity;sid:84693976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/particalfun/raw/refs/heads/main/build/software-v3.8-beta.1.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830851/; classtype:trojan-activity;sid:84693951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/alyasdz.github.io/refs/heads/main/primulic/io_alyasdz_github_v1.2.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830852/; classtype:trojan-activity;sid:84693952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830853)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/data_analyst-bi_dev-portfolio.github.io/refs/heads/main/assets/io_b_github_portfoli_analys_dat_de_v2.8.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830853/; classtype:trojan-activity;sid:84693953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/ipoprock.github.io/refs/heads/main/decanically/io_github_ipoprock_2.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830854/; classtype:trojan-activity;sid:84693954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/builds/raw/refs/heads/main/build/software-1.4.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830855/; classtype:trojan-activity;sid:84693955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/android-development/refs/heads/main/examples/android-development-v3.7.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830849/; classtype:trojan-activity;sid:84693949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3830850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/stm32-oled-i2c-hal-coding-method/refs/heads/main/drivers/cmsis/device/st/st_ha_coding_method_ole_v3.3.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830850/; classtype:trojan-activity;sid:84693950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/raditpasy25.github.io/raw/refs/heads/main/degradement/github-raditpasy-io-2.5.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830847/; classtype:trojan-activity;sid:84693947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-5.archit-physiol.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830848/; classtype:trojan-activity;sid:84693948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/builds/refs/heads/main/build/software-1.4.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830846/; classtype:trojan-activity;sid:84693946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/alyasdz.github.io/raw/refs/heads/main/primulic/io_alyasdz_github_v1.2.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830845/; classtype:trojan-activity;sid:84693945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/raditpasy25.github.io/refs/heads/main/degradement/github-raditpasy-io-2.5.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830841/; classtype:trojan-activity;sid:84693941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/claude-code-showcase/refs/heads/main/.claude/skills/core-components/showcase-claude-code-3.2-beta.5.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830842/; classtype:trojan-activity;sid:84693942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/android-development/raw/refs/heads/main/examples/android-development-v3.7.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830843/; classtype:trojan-activity;sid:84693943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/ipoprock.github.io/raw/refs/heads/main/decanically/io_github_ipoprock_2.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830844/; classtype:trojan-activity;sid:84693944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/bloom/refs/heads/main/packages/bloom/software-2.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830815/; classtype:trojan-activity;sid:84693915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/space-project/raw/refs/heads/master/home/project-space-3.2.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830816/; classtype:trojan-activity;sid:84693916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/hankamarvanova.github.io/refs/heads/main/steamproof/io_hankamarvanova_github_v2.3.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830817/; classtype:trojan-activity;sid:84693917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/qwen3-vl-embedding/raw/refs/heads/main/scripts/evaluation/mmeb_v2/qwen-v-embedding-v3.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830818/; classtype:trojan-activity;sid:84693918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/unified-db/raw/refs/heads/main/sources/db_unified_3.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830819/; classtype:trojan-activity;sid:84693919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/simple-calculator/raw/refs/heads/master/node_modules/get-intrinsic/.github/calculator_simple_v1.3.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830820/; classtype:trojan-activity;sid:84693920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/geanos-scene-optimizer/raw/refs/heads/main/styles/optimizer-scene-geanos-keenly.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830821/; classtype:trojan-activity;sid:84693921; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/laravael-ui-dashboard/raw/refs/heads/main/resources/views/pages/laravel/ui-laravael-dashboard-vitamer.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830822/; classtype:trojan-activity;sid:84693922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/ojamesalaba93.github.io/raw/refs/heads/main/stormward/io_ojamesalaba_github_v2.1.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830823/; classtype:trojan-activity;sid:84693923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/laravael-ui-dashboard/refs/heads/main/resources/views/pages/laravel/ui-laravael-dashboard-vitamer.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830824/; classtype:trojan-activity;sid:84693924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/simple-calculator/refs/heads/master/node_modules/get-intrinsic/.github/calculator_simple_v1.3.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, 
urlhaus.abuse.ch/url/3830825/; classtype:trojan-activity;sid:84693925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/genshin-ts/raw/refs/heads/main/whitecap/ts-genshin-2.2-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830826/; classtype:trojan-activity;sid:84693926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/game/raw/refs/heads/main/reputed/software-v1.8-alpha.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830827/; classtype:trojan-activity;sid:84693927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/nextjs-tailwind-postgresql-project-template/raw/refs/heads/main/app/project-nextjs-template-tailwind-postgre-sq-v1.9.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830828/; classtype:trojan-activity;sid:84693928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/espressivep.github.io/raw/refs/heads/main/infelicitousness/io-espressivep-github-2.5.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830829/; classtype:trojan-activity;sid:84693929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/craftmesut.github.io/raw/refs/heads/main/yuca/craftmesut_github_io_v1.8-beta.1.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830830/; classtype:trojan-activity;sid:84693930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/unified-db/refs/heads/main/sources/db_unified_3.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830831/; classtype:trojan-activity;sid:84693931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/ojamesalaba93.github.io/refs/heads/main/stormward/io_ojamesalaba_github_v2.1.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830832/; classtype:trojan-activity;sid:84693932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/qwen3-vl-embedding/refs/heads/main/scripts/evaluation/mmeb_v2/qwen-v-embedding-v3.0.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830833/; classtype:trojan-activity;sid:84693933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/nextjs-tailwind-postgresql-project-template/refs/heads/main/app/project-nextjs-template-tailwind-postgre-sq-v1.9.zip"; depth:129; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830834/; classtype:trojan-activity;sid:84693934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/game/refs/heads/main/reputed/software-v1.8-alpha.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830835/; classtype:trojan-activity;sid:84693935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/geanos-scene-optimizer/refs/heads/main/styles/optimizer-scene-geanos-keenly.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830836/; classtype:trojan-activity;sid:84693936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/espressivep.github.io/refs/heads/main/infelicitousness/io-espressivep-github-2.5.zip"; depth:97; 
endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830837/; classtype:trojan-activity;sid:84693937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/kevlar782.github.io/refs/heads/main/elocutionary/io-github-kevlar-eremology.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830838/; classtype:trojan-activity;sid:84693938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/craftmesut.github.io/refs/heads/main/yuca/craftmesut_github_io_v1.8-beta.1.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830839/; classtype:trojan-activity;sid:84693939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/genshin-ts/refs/heads/main/whitecap/ts-genshin-2.2-alpha.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830840/; classtype:trojan-activity;sid:84693940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830810)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/maplecoder18/maplecoder18.github.io/refs/heads/main/flaky/maplecoder_io_github_v2.5.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830810/; classtype:trojan-activity;sid:84693910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/bloom/raw/refs/heads/main/packages/bloom/software-2.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830811/; classtype:trojan-activity;sid:84693911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/maplecoder18.github.io/raw/refs/heads/main/flaky/maplecoder_io_github_v2.5.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830812/; classtype:trojan-activity;sid:84693912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/space-project/refs/heads/master/home/project-space-3.2.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830813/; classtype:trojan-activity;sid:84693913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830814)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hankamarvanova/hankamarvanova.github.io/raw/refs/heads/main/steamproof/io_hankamarvanova_github_v2.3.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830814/; classtype:trojan-activity;sid:84693914; rev:1;)
# NOTE(review): six rules in this block carry the same http.uri,
# "/cdk-msdn-3457325-null/load-file0dsdf567.chk", each pinned to a different http.host
# under archit-physiol.in.net or ales1ine.in.net. Because http.host is an exact match
# (depth equals the content length, closed by isdataat:!1,relative), a request for that
# path on a hostname not listed here is not matched by these rules. When one of them
# fires, a path-only search of proxy/HTTP logs shows whether other hostnames are involved.
# All rules here are $HOME_NET -> $EXTERNAL_NET, from_client: the alert source address is
# the internal client that issued the GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-berg-4.archit-physiol.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830809/; classtype:trojan-activity;sid:84693909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.65.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830808/; classtype:trojan-activity;sid:84693908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-1.archit-physiol.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830807/; classtype:trojan-activity;sid:84693907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.242.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830806/; classtype:trojan-activity;sid:84693906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.146"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830805/; classtype:trojan-activity;sid:84693905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"iron-mond-7x.archit-physiol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830804/; classtype:trojan-activity;sid:84693904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.32.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830803/; classtype:trojan-activity;sid:84693903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-9.ales1ine.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830802/; classtype:trojan-activity;sid:84693902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.218.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830801/; classtype:trojan-activity;sid:84693901; rev:1;)
# NOTE(review): eleven rules in this block match "/bins/jade.<suffix>" on the single
# http.host 176.65.139.141 and differ only in the suffix (mips, mpsl, m68k, arm6, arm, ppc,
# sh4, x86_64, arm5, x86, arm7). The suffixes look like CPU-architecture names, so these
# are presumably per-architecture builds of one payload -- confirm on the URLhaus entries.
# For triage, alerts from any of these sids for the same internal client belong to one
# incident. Each sid covers exactly one path on that host; a path on the same host that
# has no rule here raises no alert from this block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.mips"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830800/; classtype:trojan-activity;sid:84693900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830799/; classtype:trojan-activity;sid:84693899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.195.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830798/; classtype:trojan-activity;sid:84693898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.195.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830797/; classtype:trojan-activity;sid:84693897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830794/; classtype:trojan-activity;sid:84693894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830795/; classtype:trojan-activity;sid:84693895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.arm"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830796/; classtype:trojan-activity;sid:84693896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-4.ales1ine.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830786/; classtype:trojan-activity;sid:84693886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830787/; classtype:trojan-activity;sid:84693887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830788/; classtype:trojan-activity;sid:84693888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830789/; classtype:trojan-activity;sid:84693889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830790/; classtype:trojan-activity;sid:84693890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830791/; classtype:trojan-activity;sid:84693891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jade.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830792/; classtype:trojan-activity;sid:84693892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.105.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830793/; classtype:trojan-activity;sid:84693893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"blue-star-2m.ales1ine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830785/; classtype:trojan-activity;sid:84693885; rev:1;)
# NOTE(review): the next rule pins http.host to github.com under the "http" app-layer; it
# fires only where the sensor sees the request in cleartext or decrypted. The URL scheme
# is not part of the rule -- confirm it on the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/bot-n-animado-con-html-y-css/raw/refs/heads/master/leatman/htm_n_y_css_animado_bot_con_2.2.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830784/; classtype:trojan-activity;sid:84693884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.79.147.245"; depth:12; isdataat:!1,relative;
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830781/; classtype:trojan-activity;sid:84693881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.213.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830782/; classtype:trojan-activity;sid:84693882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830783/; classtype:trojan-activity;sid:84693883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/w_merchs/raw/refs/heads/main/src/layouts/merchs_3.4.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830780/; classtype:trojan-activity;sid:84693880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziebwon/cnmsb/refs/heads/main/docs/apt/dists/stable/software-3.8.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830777/; classtype:trojan-activity;sid:84693877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3830778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/full-stack-fastapi-mongodb/refs/heads/main/%7d/scripts/mongodb_fastapi_full_stack_v3.5-beta.3.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830778/; classtype:trojan-activity;sid:84693878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/jhoi2000.github.io/raw/refs/heads/main/sociometry/github-jhoi-io-v2.3-beta.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830779/; classtype:trojan-activity;sid:84693879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/solana-dev-skill/raw/refs/heads/main/skill/solana-dev-skill-3.6.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830762/; classtype:trojan-activity;sid:84693862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/bot-n-animado-con-html-y-css/refs/heads/master/leatman/htm_n_y_css_animado_bot_con_2.2.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830763/; classtype:trojan-activity;sid:84693863; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/mtelej.github.io/raw/refs/heads/main/outdream/io-github-mtelej-2.2.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830764/; classtype:trojan-activity;sid:84693864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/zen-c/raw/refs/heads/master/images/zen_c_hydramnion.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830765/; classtype:trojan-activity;sid:84693865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/solana-dev-skill/refs/heads/main/skill/solana-dev-skill-3.6.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830766/; classtype:trojan-activity;sid:84693866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/techgyan123.github.io/raw/refs/heads/main/stinkball/techgyan_github_io_thunderously.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830767/; classtype:trojan-activity;sid:84693867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/propesy_demon/raw/refs/heads/main/public/propesy-demon-2.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830768/; classtype:trojan-activity;sid:84693868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/full-stack-fastapi-mongodb/raw/refs/heads/main/%7d/scripts/mongodb_fastapi_full_stack_v3.5-beta.3.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830769/; classtype:trojan-activity;sid:84693869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/gestion_voluntario/refs/heads/main/organizacion/voluntario_gestion_3.7.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830770/; classtype:trojan-activity;sid:84693870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/gestion_voluntario/raw/refs/heads/main/organizacion/voluntario_gestion_3.7.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830771/; classtype:trojan-activity;sid:84693871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3830772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/community-design-resources/refs/heads/main/brand-assets/rolldown/community-resources-design-v1.3.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830772/; classtype:trojan-activity;sid:84693872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/community-design-resources/raw/refs/heads/main/brand-assets/rolldown/community-resources-design-v1.3.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830773/; classtype:trojan-activity;sid:84693873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/w_merchs/refs/heads/main/src/layouts/merchs_3.4.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830774/; classtype:trojan-activity;sid:84693874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/techgyan123.github.io/refs/heads/main/stinkball/techgyan_github_io_thunderously.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830775/; classtype:trojan-activity;sid:84693875; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziebwon/cnmsb/raw/refs/heads/main/docs/apt/dists/stable/software-3.8.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830776/; classtype:trojan-activity;sid:84693876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/propesy_demon/refs/heads/main/public/propesy-demon-2.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830749/; classtype:trojan-activity;sid:84693849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/zen-c/refs/heads/master/images/zen_c_hydramnion.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830750/; classtype:trojan-activity;sid:84693850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/jeffplatinum1013.github.io/refs/heads/main/crook/io_jeffplatinum_github_1.6-alpha.4.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830751/; classtype:trojan-activity;sid:84693851; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/evotokendlm/refs/heads/master/assets/dlm_evo_token_1.0.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830752/; classtype:trojan-activity;sid:84693852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/astro-pu/raw/refs/heads/main/src/content/blog/pu_astro_v1.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830753/; classtype:trojan-activity;sid:84693853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/soufiane20032003.github.io/raw/refs/heads/main/coupling/soufiane-io-github-v1.2.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830754/; classtype:trojan-activity;sid:84693854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/faisaloday.github.io/refs/heads/main/vesiculigerous/github_faisaloday_io_2.8.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830755/; classtype:trojan-activity;sid:84693855; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/theenemylost.github.io/raw/refs/heads/main/predaylight/theenemylost_io_github_v1.4.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830756/; classtype:trojan-activity;sid:84693856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/jhoi2000.github.io/refs/heads/main/sociometry/github-jhoi-io-v2.3-beta.5.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830757/; classtype:trojan-activity;sid:84693857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/mtelej.github.io/refs/heads/main/outdream/io-github-mtelej-2.2.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830758/; classtype:trojan-activity;sid:84693858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/transformer-hierarchical-layers/raw/refs/heads/main/tests/utils/layers-hierarchical-transformer-3.5.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830759/; 
classtype:trojan-activity;sid:84693859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/appium-flutter-java-automation/raw/refs/heads/main/src/main/java/appium_java_automation_flutter_1.2-alpha.3.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830760/; classtype:trojan-activity;sid:84693860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/faisaloday.github.io/raw/refs/heads/main/vesiculigerous/github_faisaloday_io_2.8.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830761/; classtype:trojan-activity;sid:84693861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/soufiane20032003.github.io/refs/heads/main/coupling/soufiane-io-github-v1.2.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830740/; classtype:trojan-activity;sid:84693840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/evotokendlm/raw/refs/heads/master/assets/dlm_evo_token_1.0.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, 
urlhaus.abuse.ch/url/3830741/; classtype:trojan-activity;sid:84693841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/astro-pu/refs/heads/main/src/content/blog/pu_astro_v1.1.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830742/; classtype:trojan-activity;sid:84693842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/websyze.github.io/raw/refs/heads/main/invisible/io-github-websyze-overcustom.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830743/; classtype:trojan-activity;sid:84693843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/websyze.github.io/refs/heads/main/invisible/io-github-websyze-overcustom.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830744/; classtype:trojan-activity;sid:84693844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/theenemylost.github.io/refs/heads/main/predaylight/theenemylost_io_github_v1.4.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_04_24; reference:url, urlhaus.abuse.ch/url/3830745/; classtype:trojan-activity;sid:84693845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/jeffplatinum1013.github.io/raw/refs/heads/main/crook/io_jeffplatinum_github_1.6-alpha.4.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830746/; classtype:trojan-activity;sid:84693846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/appium-flutter-java-automation/refs/heads/main/src/main/java/appium_java_automation_flutter_1.2-alpha.3.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830747/; classtype:trojan-activity;sid:84693847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/transformer-hierarchical-layers/refs/heads/main/tests/utils/layers-hierarchical-transformer-3.5.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830748/; classtype:trojan-activity;sid:84693848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.32.245"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830738/; classtype:trojan-activity;sid:84693838; rev:1;)
# Exact match on GET /bin.sh with a bare IPv4 address as the Host value.
# The header ($HOME_NET -> $EXTERNAL_NET, flow from_client on an established
# flow) means an alert identifies the internal client that sent the request.
# NOTE(review): coverage depends on $HOME_NET including the networks you
# expect to monitor - confirm in the sensor configuration.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.150.21.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830739/; classtype:trojan-activity;sid:84693839; rev:1;)
# The next two rules share one URI and differ only in the subdomain of
# ales1ine.in.net matched in http.host.
# NOTE(review): because the host is matched exactly, a further subdomain is
# only covered once the feed adds a rule for it; the shared URI may be worth
# a retrospective search in proxy/HTTP logs regardless of host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-3.ales1ine.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830737/; classtype:trojan-activity;sid:84693837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-baum-8.ales1ine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830736/; classtype:trojan-activity;sid:84693836; rev:1;)
# Two-byte URI "/i": the URI condition is very short, so the exact
# http.host match on the IPv4 address carries the specificity of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.110.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830735/; classtype:trojan-activity;sid:84693835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830734)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/awesome-flipperzero/raw/refs/heads/main/squirrelfish/flipperzero_awesome_2.6.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830734/; classtype:trojan-activity;sid:84693834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mo911-w16/novabar/refs/heads/main/src/about/bar-nova-spiritfully.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830725/; classtype:trojan-activity;sid:84693825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/detsad312.github.io/refs/heads/main/untwinned/io-github-detsad-2.0.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830726/; classtype:trojan-activity;sid:84693826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/bubreg0301.github.io/refs/heads/main/impedance/io_bubreg_github_v3.2.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830727/; classtype:trojan-activity;sid:84693827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830728)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/profile-metadata/refs/heads/main/spiranthy/metadata-profile-v1.5.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830728/; classtype:trojan-activity;sid:84693828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/darkexception22.github.io/raw/refs/heads/main/unreachably/darkexception_github_io_v2.7.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830729/; classtype:trojan-activity;sid:84693829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novabiriseg/gpio-led-cycle/refs/heads/main/drivers/stm32f4xx_hal_driver/src/le-cycle-gpi-1.3.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830730/; classtype:trojan-activity;sid:84693830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-land-5s.ales1ine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830731/; classtype:trojan-activity;sid:84693831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/darkexception22.github.io/refs/heads/main/unreachably/darkexception_github_io_v2.7.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830732/; classtype:trojan-activity;sid:84693832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/novabar/refs/heads/main/data/nova-bar-2.9.zip"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830733/; classtype:trojan-activity;sid:84693833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/dim747.github.io/raw/refs/heads/main/downfold/dim-github-io-myogenetic.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830716/; classtype:trojan-activity;sid:84693816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/afa567.github.io/raw/refs/heads/main/foreadvice/afa_github_io_2.7.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830717/; classtype:trojan-activity;sid:84693817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830718)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/dim747.github.io/refs/heads/main/downfold/dim-github-io-myogenetic.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830718/; classtype:trojan-activity;sid:84693818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/profile-metadata/raw/refs/heads/main/spiranthy/metadata-profile-v1.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830719/; classtype:trojan-activity;sid:84693819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mo911-w16/mo911-w16.github.io/raw/refs/heads/main/towards/github-w-mo-io-badenite.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830720/; classtype:trojan-activity;sid:84693820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mo911-w16/mo911-w16.github.io/refs/heads/main/towards/github-w-mo-io-badenite.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830721/; classtype:trojan-activity;sid:84693821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830722)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/openbento/refs/heads/main/components/software_v3.2-beta.2.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830722/; classtype:trojan-activity;sid:84693822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mo911-w16/novabar/raw/refs/heads/main/src/about/bar-nova-spiritfully.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830723/; classtype:trojan-activity;sid:84693823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novabiriseg/gpio-led-cycle/raw/refs/heads/main/drivers/stm32f4xx_hal_driver/src/le-cycle-gpi-1.3.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830724/; classtype:trojan-activity;sid:84693824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/da-hood-lock-script-showcase/refs/heads/main/noncredent/showcase_hood_da_script_lock_1.9.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830712/; classtype:trojan-activity;sid:84693812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3830713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/pgmonitorbrasil.github.io/raw/refs/heads/main/schematonics/io_pgmonitorbrasil_github_v3.9.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830713/; classtype:trojan-activity;sid:84693813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/afa567.github.io/refs/heads/main/foreadvice/afa_github_io_2.7.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830714/; classtype:trojan-activity;sid:84693814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/detsad312.github.io/raw/refs/heads/main/untwinned/io-github-detsad-2.0.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830715/; classtype:trojan-activity;sid:84693815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/universal-ideation-v3/raw/refs/heads/main/driftpiece/ideation-universal-v-v1.7.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830710/; classtype:trojan-activity;sid:84693810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3830711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/ydanok01.github.io/raw/refs/heads/main/eagless/github_ydanok_io_v3.2.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830711/; classtype:trojan-activity;sid:84693811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/universal-ideation-v3/refs/heads/main/driftpiece/ideation-universal-v-v1.7.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830703/; classtype:trojan-activity;sid:84693803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/tracey/refs/heads/main/docs/spec/software-3.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830704/; classtype:trojan-activity;sid:84693804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/novabar/raw/refs/heads/main/data/nova-bar-2.9.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830705/; classtype:trojan-activity;sid:84693805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830706)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/darkexception22/aayush/refs/heads/master/dietic/software-commenceable.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830706/; classtype:trojan-activity;sid:84693806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/aayush/raw/refs/heads/master/dietic/software-commenceable.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830707/; classtype:trojan-activity;sid:84693807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/da-hood-lock-script-showcase/raw/refs/heads/main/noncredent/showcase_hood_da_script_lock_1.9.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830708/; classtype:trojan-activity;sid:84693808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/openbento/raw/refs/heads/main/components/software_v3.2-beta.2.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830709/; classtype:trojan-activity;sid:84693809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830697)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ydanok01/flipper/raw/refs/heads/main/sub-ghz/remote_outlet_switches/voltman_dio041050/software_v3.6.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830697/; classtype:trojan-activity;sid:84693797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/flipper/refs/heads/main/sub-ghz/remote_outlet_switches/voltman_dio041050/software_v3.6.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830698/; classtype:trojan-activity;sid:84693798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/bubreg0301.github.io/raw/refs/heads/main/impedance/io_bubreg_github_v3.2.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830699/; classtype:trojan-activity;sid:84693799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/awesome-flipperzero/refs/heads/main/squirrelfish/flipperzero_awesome_2.6.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830700/; classtype:trojan-activity;sid:84693800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830701)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/tracey/raw/refs/heads/main/docs/spec/software-3.5.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830701/; classtype:trojan-activity;sid:84693801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/nav2_hybrid_a_star/raw/refs/heads/main/src/data/nav_hybrid_star_v2.9.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830702/; classtype:trojan-activity;sid:84693802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/zaluea/raw/refs/heads/main/site/games/flappybird/files/assets/3371288/1/software_v1.9.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830692/; classtype:trojan-activity;sid:84693792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/alphabet/raw/refs/heads/main/src/cmps/software_unattuned.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830693/; classtype:trojan-activity;sid:84693793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830694)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pgmonitorbrasil/nav2_hybrid_a_star/refs/heads/main/src/data/nav_hybrid_star_v2.9.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830694/; classtype:trojan-activity;sid:84693794; rev:1;)
# NOTE(review): each rule below pins http.uri and http.host to one exact value: depth equals
# the content length, and endswith / isdataat:!1,relative allow no trailing bytes. A rule
# therefore covers only the single listed URL (the URI is compared case-insensitively, nocase).
# NOTE(review): "alert http" inspects decoded HTTP only. raw.githubusercontent.com is normally
# reached over HTTPS, so these rules presumably need TLS decryption upstream of the sensor
# to fire - confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/pgmonitorbrasil.github.io/refs/heads/main/schematonics/io_pgmonitorbrasil_github_v3.9.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830695/; classtype:trojan-activity;sid:84693795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/ydanok01.github.io/refs/heads/main/eagless/github_ydanok_io_v3.2.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830696/; classtype:trojan-activity;sid:84693796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/zaluea/refs/heads/main/site/games/flappybird/files/assets/3371288/1/software_v1.9.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830689/; classtype:trojan-activity;sid:84693789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/alphabet/refs/heads/main/src/cmps/software_unattuned.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830690/; classtype:trojan-activity;sid:84693790; rev:1;)
# Host is an IPv4 literal in the next rules: http.host is compared with the request's Host
# value, while the destination stays "$EXTERNAL_NET any". Use the alert's flow record to
# see which address was actually contacted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.213.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830691/; classtype:trojan-activity;sid:84693791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.160.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830688/; classtype:trojan-activity;sid:84693788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.199.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830687/; classtype:trojan-activity;sid:84693787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.15.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830686/; classtype:trojan-activity;sid:84693786; rev:1;)
# Same URI on two subdomains of fixt-turbine.in.net; hosts are exact matches, so a
# subdomain that is not listed is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-wald-7k.fixt-turbine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830685/; classtype:trojan-activity;sid:84693785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-1.fixt-turbine.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830684/; classtype:trojan-activity;sid:84693784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/qt-liquid-glass/refs/heads/main/bulliform/qt_glass_liquid_3.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830682/; classtype:trojan-activity;sid:84693782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.79.147.245"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830683/; classtype:trojan-activity;sid:84693783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/corellm/refs/heads/main/corellm/software_calaba.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830681/; classtype:trojan-activity;sid:84693781; rev:1;)
# NOTE(review): two URL forms of GitHub downloads appear in this run: host github.com with a
# "/raw/" path segment, and host raw.githubusercontent.com without it. Each form has its own
# URLhaus entry and sid (e.g. 3830680 and 3830672 name the same repository path).
# The host is shared by every rule here, so the path is the discriminating part of the match.
# NOTE(review): both hosts are normally served over HTTPS; "alert http" sees such requests
# only where TLS is decrypted before the sensor - TODO confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/pyflightprofiler/raw/refs/heads/main/flight_profiler/plugins/tt/profiler_py_flight_3.7-beta.2.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830679/; classtype:trojan-activity;sid:84693779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/obscure-affairs-unlocked-edition/refs/heads/branch/taurobolium/unlocked-obscure-affairs-edition-3.0.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830680/; classtype:trojan-activity;sid:84693780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/.ai-dev/refs/heads/main/features/dev_ai_v3.4.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830678/; classtype:trojan-activity;sid:84693778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/neon-abyss-2-mod-toolkit/raw/refs/heads/branch/hypsophyllary/neon-toolkit-abyss-mod-v3.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830665/; classtype:trojan-activity;sid:84693765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/wpu-resolusi/raw/refs/heads/master/distractedness/wpu-resolusi-reapparition.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830666/; classtype:trojan-activity;sid:84693766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lkjhygtgvbhnjk/jquery-image-slider/raw/refs/heads/main/js/jquery-slider-image-2.1.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830667/; classtype:trojan-activity;sid:84693767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/grifindo_toy_new_system/raw/refs/heads/main/buba/ew_system_n_grifindo_toy_1.7.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830668/; classtype:trojan-activity;sid:84693768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/jquery-status-message/raw/refs/heads/main/css/status_message_jquery_2.2.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830669/; classtype:trojan-activity;sid:84693769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/dunia-gelap-butuh-resolusi-2023/refs/heads/main/nontidal/butuh-gelap-resolusi-dunia-v2.8.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830670/; classtype:trojan-activity;sid:84693770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huseindyslexic178/internee.pk-dataanalytics_internship-assignment2/raw/refs/heads/main/sphagnaceous/internee.pk-dataanalytics_internship-assignment2-v3.3.zip"; depth:158; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830671/; classtype:trojan-activity;sid:84693771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/obscure-affairs-unlocked-edition/raw/refs/heads/branch/taurobolium/unlocked-obscure-affairs-edition-3.0.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830672/; classtype:trojan-activity;sid:84693772; rev:1;)
# NOTE(review): every entry below carries metadata:created_at 2026_04_24 and rev:1, i.e. these
# are point-in-time indicators. The reference:url on each rule names its URLhaus entry;
# consult it when triaging an alert, and keep the ruleset refreshed from the feed.
# NOTE(review): the hosts matched here (github.com, raw.githubusercontent.com) are normally
# reached over HTTPS, so "alert http" presumably fires only on decrypted traffic - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/wpu-resolusi/refs/heads/master/distractedness/wpu-resolusi-reapparition.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830673/; classtype:trojan-activity;sid:84693773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/dunia-gelap-butuh-resolusi-2023/raw/refs/heads/main/nontidal/butuh-gelap-resolusi-dunia-v2.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830674/; classtype:trojan-activity;sid:84693774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/corellm/raw/refs/heads/main/corellm/software_calaba.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830675/; classtype:trojan-activity;sid:84693775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/awesome-dotnet/refs/heads/main/impersonize/awesome-dotnet-v2.9.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830676/; classtype:trojan-activity;sid:84693776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/.ai-dev/raw/refs/heads/main/features/dev_ai_v3.4.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830677/; classtype:trojan-activity;sid:84693777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/celestiapolyunsaturated14/helios-engine/raw/refs/heads/master/tests/helios_engine_v1.3-beta.1.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830644/; classtype:trojan-activity;sid:84693744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lumansitrevormwesigwa/parallaxparticles/raw/refs/heads/main/parallax.xcodeproj/xcuserdata/pa.alekseev.xcuserdatad/xcschemes/parallax_particles_2.7.zip"; depth:151; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830645/; classtype:trojan-activity;sid:84693745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/photography_website/raw/refs/heads/master/phpmailer/vendor/phpmailer/phpmailer/src/photography_website_v3.5.zip"; depth:132; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830646/; classtype:trojan-activity;sid:84693746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/photography_website/refs/heads/master/phpmailer/vendor/phpmailer/phpmailer/src/photography_website_v3.5.zip"; depth:128; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830647/; classtype:trojan-activity;sid:84693747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huseindyslexic178/internee.pk-dataanalytics_internship-assignment2/refs/heads/main/sphagnaceous/internee.pk-dataanalytics_internship-assignment2-v3.3.zip"; depth:154; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830648/; classtype:trojan-activity;sid:84693748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/floyddemocratic337/fijahu-6/refs/heads/main/sibby/fijahu_v1.2.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830649/; classtype:trojan-activity;sid:84693749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830650)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/murad63/starwhore/refs/heads/main/polyphaser/star_whore_v2.0.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830650/; classtype:trojan-activity;sid:84693750; rev:1;)
# NOTE(review): flow:established,from_client together with http.method / http.uri / http.host
# means these rules match the client's GET request. An alert shows that a host asked for the
# URL, not that a payload was returned - pair it with HTTP response or file logs in triage.
# NOTE(review): URI and host are exact matches (depth equals content length, endswith,
# isdataat:!1,relative), so only the listed URL is covered by each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/celestiapolyunsaturated14/helios-engine/refs/heads/master/tests/helios_engine_v1.3-beta.1.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830651/; classtype:trojan-activity;sid:84693751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/precision-aim-8ball-pool/raw/refs/heads/branch/catacorolla/precision-pool-aim-ball-1.3-beta.5.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830652/; classtype:trojan-activity;sid:84693752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/qt-liquid-glass/raw/refs/heads/main/bulliform/qt_glass_liquid_3.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830653/; classtype:trojan-activity;sid:84693753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/adriannablo.github.io/raw/refs/heads/main/unpremeditatedly/github-nablo-io-adrian-3.7.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830654/; classtype:trojan-activity;sid:84693754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/grifindo_toy_new_system/refs/heads/main/buba/ew_system_n_grifindo_toy_1.7.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830655/; classtype:trojan-activity;sid:84693755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/java-fundamentals-fullname-/raw/refs/heads/main/postphlogistic/fullname_fundamentals_java_v3.6-alpha.1.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830656/; classtype:trojan-activity;sid:84693756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lkjhygtgvbhnjk/jquery-image-slider/refs/heads/main/js/jquery-slider-image-2.1.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830657/; classtype:trojan-activity;sid:84693757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/precision-aim-8ball-pool/refs/heads/branch/catacorolla/precision-pool-aim-ball-1.3-beta.5.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830658/; classtype:trojan-activity;sid:84693758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/neon-abyss-2-mod-toolkit/refs/heads/branch/hypsophyllary/neon-toolkit-abyss-mod-v3.0.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830659/; classtype:trojan-activity;sid:84693759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/jquery-status-message/refs/heads/main/css/status_message_jquery_2.2.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830660/; classtype:trojan-activity;sid:84693760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/java-fundamentals-fullname-/refs/heads/main/postphlogistic/fullname_fundamentals_java_v3.6-alpha.1.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830661/; classtype:trojan-activity;sid:84693761; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/murad63/starwhore/raw/refs/heads/main/polyphaser/star_whore_v2.0.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830662/; classtype:trojan-activity;sid:84693762; rev:1;)
# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET, so detection depends on HOME_NET
# being set correctly and on the sensor seeing the outbound leg. Where clients go through a
# forward proxy inside HOME_NET, the client-to-proxy leg presumably will not match - verify.
# NOTE(review): the github.com / raw.githubusercontent.com rules are "alert http"; these
# hosts are normally reached over HTTPS, so expect alerts only where TLS is decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dishonorpeachpit230/fijahu-5/raw/refs/heads/main/quiz/fijahu_v2.1.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830663/; classtype:trojan-activity;sid:84693763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/awesome-dotnet/raw/refs/heads/main/impersonize/awesome-dotnet-v2.9.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830664/; classtype:trojan-activity;sid:84693764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lumansitrevormwesigwa/parallaxparticles/refs/heads/main/parallax.xcodeproj/xcuserdata/pa.alekseev.xcuserdatad/xcschemes/parallax_particles_2.7.zip"; depth:147; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830641/; classtype:trojan-activity;sid:84693741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/pyflightprofiler/refs/heads/main/flight_profiler/plugins/tt/profiler_py_flight_3.7-beta.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830642/; classtype:trojan-activity;sid:84693742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/floyddemocratic337/fijahu-6/raw/refs/heads/main/sibby/fijahu_v1.2.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830643/; classtype:trojan-activity;sid:84693743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/adriannablo.github.io/refs/heads/main/unpremeditatedly/github-nablo-io-adrian-3.7.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830639/; classtype:trojan-activity;sid:84693739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dishonorpeachpit230/fijahu-5/refs/heads/main/quiz/fijahu_v2.1.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830640/; classtype:trojan-activity;sid:84693740; rev:1;)
# Host is an IPv4 literal in several of the next rules: http.host is compared with the
# request's Host value, while the destination stays "$EXTERNAL_NET any".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.110.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830638/; classtype:trojan-activity;sid:84693738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.69.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830637/; classtype:trojan-activity;sid:84693737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-6.fixt-turbine.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830636/; classtype:trojan-activity;sid:84693736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.197.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830635/; classtype:trojan-activity;sid:84693735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"196.189.69.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830633/; classtype:trojan-activity;sid:84693733; rev:1;)
# The .chk URI below repeats across several subdomains of fixt-turbine.in.net
# (dark-berg-2, rouge-4, gold-fire-9w). Hosts are exact matches (depth equals content
# length, isdataat:!1,relative), so subdomains that are not listed are not covered;
# searching proxy/HTTP logs for the URI string is a way to check for others.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-berg-2.fixt-turbine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830634/; classtype:trojan-activity;sid:84693734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-4.fixt-turbine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830632/; classtype:trojan-activity;sid:84693732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.90.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830631/; classtype:trojan-activity;sid:84693731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-fire-9w.fixt-turbine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830630/; classtype:trojan-activity;sid:84693730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.178.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830629/; classtype:trojan-activity;sid:84693729; rev:1;)
# NOTE(review): the rules below match github.com / raw.githubusercontent.com with
# "alert http". These hosts are normally reached over HTTPS, so the rules presumably
# need TLS decryption upstream of the sensor to fire - confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suren19173021/mytestproject/raw/refs/heads/main/vintager/software_1.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830628/; classtype:trojan-activity;sid:84693728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/machato2708/beyond-charts-interactive-storytelling/raw/refs/heads/main/illegalize/interactive_charts_beyond_storytelling_v1.6.zip"; depth:130; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830627/; classtype:trojan-activity;sid:84693727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/behera-babu/ai-fastapi-mlops/raw/refs/heads/main/monitoring/fastapi-ai-mlops-2.2.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830625/; classtype:trojan-activity;sid:84693725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/machato2708/beyond-charts-interactive-storytelling/refs/heads/main/illegalize/interactive_charts_beyond_storytelling_v1.6.zip"; depth:126; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830626/; classtype:trojan-activity;sid:84693726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericliu8888/blog-preview-card/raw/refs/heads/main/assets/preview-blog-card-outtop.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830621/; classtype:trojan-activity;sid:84693721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonasedwardsalkfirehose824/bobanimelist/raw/refs/heads/main/.droid/software-2.9-beta.4.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830622/; classtype:trojan-activity;sid:84693722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/behera-babu/ai-fastapi-mlops/refs/heads/main/monitoring/fastapi-ai-mlops-2.2.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830623/; 
classtype:trojan-activity;sid:84693723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericliu8888/blog-preview-card/refs/heads/main/assets/preview-blog-card-outtop.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830624/; classtype:trojan-activity;sid:84693724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suren19173021/mytestproject/refs/heads/main/vintager/software_1.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830619/; classtype:trojan-activity;sid:84693719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonasedwardsalkfirehose824/bobanimelist/refs/heads/main/.droid/software-2.9-beta.4.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830620/; classtype:trojan-activity;sid:84693720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-2.dua1ismmatron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830618/; 
classtype:trojan-activity;sid:84693718; rev:1;)
# Exact-match download rules for bare-IP hosts: the Host header must be the literal IP
# (depth = string length, isdataat:!1,relative forbids trailing bytes) and the whole URI must
# equal the listed path, case-insensitively.
# 51.81.104.117 is listed twice below with two different file names (/bins/bin.mipsel, /bin.mips).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mipsel"; depth:16; endswith; nocase; http.host; content:"51.81.104.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830616/; classtype:trojan-activity;sid:84693716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.mips"; depth:9; endswith; nocase; http.host; content:"51.81.104.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830617/; classtype:trojan-activity;sid:84693717; rev:1;)
# The 2-byte URI "/i" is generic on its own; the exact Host match is what keeps this sid specific.
# The same IP also appears with "/bin.sh" in sid 84693706.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.207.200.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830615/; classtype:trojan-activity;sid:84693715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.203.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830614/; classtype:trojan-activity;sid:84693714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.176.250"; depth:15;
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830613/; classtype:trojan-activity;sid:84693713; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings; any added query string or different path does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830612/; classtype:trojan-activity;sid:84693711; rev:1;)
# One of several dua1ismmatron.in.net subdomains listed with the same URI path; the Host match
# is exact, so each subdomain needs its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-land-8v.dua1ismmatron.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830611/; classtype:trojan-activity;sid:84693711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.26.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830610/; classtype:trojan-activity;sid:84693710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.140.160.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830609/; classtype:trojan-activity;sid:84693709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830608)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"bleu-5.dua1ismmatron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830608/; classtype:trojan-activity;sid:84693708; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
# The dua1ismmatron.in.net rules here differ only in subdomain; the URI path is identical.
# NOTE(review): a subdomain the feed has not listed yet is not matched — hunting on the
# path in proxy or Suricata HTTP logs is the host-independent complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"iron-star-3.dua1ismmatron.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830607/; classtype:trojan-activity;sid:84693707; rev:1;)
# Same IP as sid 84693715, which lists it with the URI "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.207.200.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830606/; classtype:trojan-activity;sid:84693706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"haus-7.dua1ismmatron.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830605/; classtype:trojan-activity;sid:84693705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.189.4.192"; depth:13;
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830604/; classtype:trojan-activity;sid:84693704; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"blue-mond-1m.dua1ismmatron.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830603/; classtype:trojan-activity;sid:84693703; rev:1;)
# The next two sids are the github.com "/raw/" form and the raw.githubusercontent.com form of
# one repository file. NOTE(review): both hosts are normally reached over HTTPS, so these
# `alert http` rules only fire where the sensor sees cleartext or already-decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/separatesoapmaker/cs2-report-tool/raw/refs/heads/main/cs2reporttool-1.5.0-win64.rar"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830601/; classtype:trojan-activity;sid:84693701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/separatesoapmaker/cs2-report-tool/refs/heads/main/cs2reporttool-1.5.0-win64.rar"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830602/; classtype:trojan-activity;sid:84693702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seizesectorpraise/7-days-to-die-player-detection/refs/heads/main/7daystodiepd-1.4.0-win64.rar"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25;
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830600/; classtype:trojan-activity;sid:84693700; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
# Same IP as sid 84693684, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.154.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830599/; classtype:trojan-activity;sid:84693699; rev:1;)
# github.com "/raw/" form of the file sid 84693700 lists under raw.githubusercontent.com.
# NOTE(review): github.com is normally reached over HTTPS; this `alert http` rule needs cleartext
# or already-decrypted HTTP at the sensor to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seizesectorpraise/7-days-to-die-player-detection/raw/refs/heads/main/7daystodiepd-1.4.0-win64.rar"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830598/; classtype:trojan-activity;sid:84693698; rev:1;)
# presidium-spike.in.net subdomain with the same URI path used by the other *.in.net rules
# in this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"soft-4.presidium-spike.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830597/; classtype:trojan-activity;sid:84693697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.233.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830596/; classtype:trojan-activity;sid:84693696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3830595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"petit-fire-6.presidium-spike.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830595/; classtype:trojan-activity;sid:84693695; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings.
# Same IP as sid 84693682, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.2.189"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830594/; classtype:trojan-activity;sid:84693694; rev:1;)
# The presidium-spike.in.net rules below share one URI path and differ only in subdomain.
# NOTE(review): exact Host matching leaves unlisted subdomains uncovered; a log search on the
# path alone is the host-independent complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kalt-2c.presidium-spike.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830593/; classtype:trojan-activity;sid:84693693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"holz-berg-5.presidium-spike.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830588/; classtype:trojan-activity;sid:84693688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830587)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vert-9.presidium-spike.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830587/; classtype:trojan-activity;sid:84693687; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
# Same IP as sid 84693677, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.56.88.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830586/; classtype:trojan-activity;sid:84693686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"open-land-3x.presidium-spike.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830585/; classtype:trojan-activity;sid:84693685; rev:1;)
# Same IP as sid 84693699, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.154.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830584/; classtype:trojan-activity;sid:84693684; rev:1;)
# The parent label changes here (limbe7revolut.in.net) while the URI path stays the same as in the
# presidium-spike.in.net rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"noir-8.limbe7revolut.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url,
urlhaus.abuse.ch/url/3830583/; classtype:trojan-activity;sid:84693683; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings.
# Same IP as sid 84693694, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.2.189"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830582/; classtype:trojan-activity;sid:84693682; rev:1;)
# Three limbe7revolut.in.net subdomains with one shared URI path; each exact Host needs its own
# sid. NOTE(review): unlisted subdomains are not matched — consider a path-only log search alongside.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gold-wald-1v.limbe7revolut.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830581/; classtype:trojan-activity;sid:84693681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fast-5.limbe7revolut.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830580/; classtype:trojan-activity;sid:84693680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rouge-mond-7.limbe7revolut.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830579/; classtype:trojan-activity;sid:84693679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3830576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.192.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830576/; classtype:trojan-activity;sid:84693676; rev:1;)
# Exact-match download rules for bare-IP and *.in.net hosts: outbound GET, whole http.uri
# (case-insensitive) and whole http.host must equal the listed strings.
# Same IP as sid 84693686, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"71.56.88.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830577/; classtype:trojan-activity;sid:84693677; rev:1;)
# Same IP as sid 84693662, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.10.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830578/; classtype:trojan-activity;sid:84693678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zeit-2k.limbe7revolut.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830575/; classtype:trojan-activity;sid:84693675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.200.218.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830574/;
classtype:trojan-activity;sid:84693674; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"dark-star-4.limbe7revolut.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830573/; classtype:trojan-activity;sid:84693673; rev:1;)
# Same IP as sid 84693650, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.84.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830572/; classtype:trojan-activity;sid:84693672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830571/; classtype:trojan-activity;sid:84693671; rev:1;)
# Parent label changes to arapnik-nosog.in.net; the URI path is the one already used by the
# limbe7revolut.in.net rule above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"va11dat-spark.arapnik-nosog.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830570/; classtype:trojan-activity;sid:84693670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830569)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.247.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830569/; classtype:trojan-activity;sid:84693669; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.107.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830568/; classtype:trojan-activity;sid:84693668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"p4rt3-lab.arapnik-nosog.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830567/; classtype:trojan-activity;sid:84693667; rev:1;)
# Same IP as sid 84693676, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.192.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830566/; classtype:trojan-activity;sid:84693666; rev:1;)
# NOTE(review): pastebin.com is normally reached over HTTPS, so this `alert http` rule only fires
# where the sensor sees cleartext or already-decrypted HTTP. The exact host+URI pair scopes the
# alert to one paste, not to the service.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/tpqx02nz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830565/; classtype:trojan-activity;sid:84693665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"URLhaus Known malware download URL detected (3830564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/streffy/999/-/raw/main/l7xh7ur9695u.exe"; depth:40; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830564/; classtype:trojan-activity;sid:84693664; rev:1;)
# NOTE(review): the gitlab.com rule completed on the line above matches only where the sensor sees
# cleartext or already-decrypted HTTP; that host is normally reached over HTTPS.
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
# Same IP as sid 84693651, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.137.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830563/; classtype:trojan-activity;sid:84693663; rev:1;)
# Same IP as sid 84693678, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.10.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830562/; classtype:trojan-activity;sid:84693662; rev:1;)
# Same IP as sid 84693648, which lists it with "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.46.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830561/; classtype:trojan-activity;sid:84693661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lbwtqscv.arapnik-nosog.in.net"; depth:29; isdataat:!1,relative;
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830560/; classtype:trojan-activity;sid:84693660; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings.
# Same IP as sid 84693669, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.247.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830559/; classtype:trojan-activity;sid:84693659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.21.57"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830558/; classtype:trojan-activity;sid:84693658; rev:1;)
# 185.132.53.22 is listed in many sids of this ruleset with short single-segment paths
# (/m68k, /arm64, /i686, /x86, /mips, ...). Presumably per-architecture builds of one payload —
# verify against the URLhaus entries. All of these sids share the one destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830554/; classtype:trojan-activity;sid:84693655; rev:1;)
# URI is matched with the double leading slash exactly as recorded; the single-slash "/arm5"
# form is a separate sid (84693639).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830555/; classtype:trojan-activity;sid:84693655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith;
nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830556/; classtype:trojan-activity;sid:84693656; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
# Another file name on 185.132.53.22, the host of the /arm*, /mips, /x86 ... sids in this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830557/; classtype:trojan-activity;sid:84693657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830553/; classtype:trojan-activity;sid:84693653; rev:1;)
# arapnik-nosog.in.net subdomain with the URI path shared by the other *.in.net rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pine2-branch.arapnik-nosog.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830552/; classtype:trojan-activity;sid:84693652; rev:1;)
# Same IP as sid 84693663, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.137.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830551/; classtype:trojan-activity;sid:84693651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware
download URL detected (3830550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.84.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830550/; classtype:trojan-activity;sid:84693650; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri (case-insensitive) and whole http.host
# must equal the listed strings.
# NOTE(review): the Host match is exact, so other arapnik-nosog.in.net subdomains need their own
# sids; the URI path is the same across all of them and can be hunted on independently of the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"nivo.arapnik-nosog.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830549/; classtype:trojan-activity;sid:84693649; rev:1;)
# Same IP as sid 84693661, which lists it with "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.187.46.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830548/; classtype:trojan-activity;sid:84693648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.13.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830547/; classtype:trojan-activity;sid:84693647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.245.232.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url,
urlhaus.abuse.ch/url/3830546/; classtype:trojan-activity;sid:84693646; rev:1;)
# Exact-match download rules: outbound GET, whole http.uri and whole http.host must equal the
# listed strings (depth = string length, endswith / isdataat:!1,relative pin the end).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tbfnru68.arapnik-nosog.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830545/; classtype:trojan-activity;sid:84693645; rev:1;)
# The remaining rules in this group all target 185.132.53.22 and differ only in a short
# single-segment path (/arm, /mpsl, /x86, /ppc). Presumably per-architecture builds — verify against
# the URLhaus entries. The short paths are only specific in combination with the exact Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830543/; classtype:trojan-activity;sid:84693643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830544/; classtype:trojan-activity;sid:84693644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830535/; classtype:trojan-activity;sid:84693635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith;
nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830536/; classtype:trojan-activity;sid:84693636; rev:1;)
# Exact-match download rules, all for host 185.132.53.22: outbound GET, whole http.uri
# (case-insensitive) and whole http.host must equal the listed strings.
# /lol.sh is the only script-named path in this host's set; the others (/arm7, /arm5, /mips, ...)
# are presumably per-architecture builds — verify against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830537/; classtype:trojan-activity;sid:84693637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830538/; classtype:trojan-activity;sid:84693638; rev:1;)
# Single-slash form; the "//arm5" form of the same name is a separate sid (84693655).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830539/; classtype:trojan-activity;sid:84693639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830540/; classtype:trojan-activity;sid:84693640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830541)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830541/; classtype:trojan-activity;sid:84693641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"185.132.53.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830542/; classtype:trojan-activity;sid:84693642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.225.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830534/; classtype:trojan-activity;sid:84693634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zfvhht.pitifrube1la.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830533/; classtype:trojan-activity;sid:84693633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"51lent-route.pitifrube1la.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830532/; 
classtype:trojan-activity;sid:84693632; rev:1;)
# Each rule below matches one exact (URI, host) pair from URLhaus: depth equal to
# the content length anchors the match at the start of the buffer, and
# endswith / isdataat:!1,relative anchor it at the end.
# Several rules here share the URI "/cdk-msdn-3457325-null/load-file0dsdf567.chk"
# and differ only in the subdomain under pitifrube1la.in.net. Because http.host is
# matched whole, a sibling subdomain that is absent from the feed raises no alert;
# covering that case needs a separate local rule or a log search keyed on the
# shared URI or the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830531/; classtype:trojan-activity;sid:84693631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"shirela.pitifrube1la.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830530/; classtype:trojan-activity;sid:84693630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.150.21.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830529/; classtype:trojan-activity;sid:84693629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.188.181.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830528/; classtype:trojan-activity;sid:84693628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.48.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830527/; classtype:trojan-activity;sid:84693627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.240.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830526/; classtype:trojan-activity;sid:84693626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"jzojka.pitifrube1la.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830525/; classtype:trojan-activity;sid:84693625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.229.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830524/; classtype:trojan-activity;sid:84693624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830523/; classtype:trojan-activity;sid:84693623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"talfluxor3.pitifrube1la.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830522/; classtype:trojan-activity;sid:84693622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830521/; classtype:trojan-activity;sid:84693621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"musglcb.pitifrube1la.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830520/; classtype:trojan-activity;sid:84693620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830519/; classtype:trojan-activity;sid:84693619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sprdec.histori-pneumonia.in.net"; depth:31;
isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830518/; classtype:trojan-activity;sid:84693618; rev:1;)
# Exact-match URL indicators from URLhaus (whole http.uri plus whole http.host).
# Every rule below carries metadata:created_at 2026_04_24 and rev:1, so that date
# is the only age signal in the rule itself. Many hosts are IP literals, which can
# change hands; presumably the file is meant to be replaced wholesale on each feed
# refresh rather than appended to - confirm against the deployment's update job.
# Some hosts appear twice with different paths (115.48.11.18 with "/i" and with
# "/bin.sh"): two alerts for the same client and host are likely one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.229.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830517/; classtype:trojan-activity;sid:84693617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"cryst0-core.histori-pneumonia.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830516/; classtype:trojan-activity;sid:84693616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.21.57"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830515/; classtype:trojan-activity;sid:84693615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"arkdraos4.histori-pneumonia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830514/; classtype:trojan-activity;sid:84693614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.63.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830513/; classtype:trojan-activity;sid:84693613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"binaryboost.histori-pneumonia.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830512/; classtype:trojan-activity;sid:84693612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"talvaleet.histori-pneumonia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830511/; classtype:trojan-activity;sid:84693611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.188.203"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830510/; classtype:trojan-activity;sid:84693610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"p82lmc.drumf1esh.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830509/; classtype:trojan-activity;sid:84693609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.11.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830508/; classtype:trojan-activity;sid:84693608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gu1de-signal.drumf1esh.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830507/; classtype:trojan-activity;sid:84693607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.26.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830506/; classtype:trojan-activity;sid:84693606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.65.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830505/; classtype:trojan-activity;sid:84693605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.100.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830504/; classtype:trojan-activity;sid:84693604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.11.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830503/; classtype:trojan-activity;sid:84693603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"secu-line.drumf1esh.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830502/; classtype:trojan-activity;sid:84693602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.45.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830501/; classtype:trojan-activity;sid:84693601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.188.203"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830500/;
classtype:trojan-activity;sid:84693600; rev:1;)
# Coverage notes for the rules below (exact URI + exact host, HTTP GET only):
#   - "alert http" applies only to traffic Suricata parses as HTTP; the same URL
#     fetched over TLS is not inspected by these rules unless the traffic is
#     decrypted before it reaches the sensor.
#   - $HOME_NET -> $EXTERNAL_NET depends on the address groups configured for the
#     sensor; NOTE(review): a client-to-proxy leg would not satisfy it when the
#     proxy sits inside $HOME_NET - confirm where the sensor taps the traffic.
#   - http.method content:"GET" means the same URL requested with another method
#     does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.26.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830499/; classtype:trojan-activity;sid:84693599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.140.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830498/; classtype:trojan-activity;sid:84693598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.100.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830497/; classtype:trojan-activity;sid:84693597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"memofreigh.drumf1esh.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830496/; classtype:trojan-activity;sid:84693596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.194.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830495/; classtype:trojan-activity;sid:84693595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"urbanscarle.drumf1esh.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830494/; classtype:trojan-activity;sid:84693594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.222.45.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830493/; classtype:trojan-activity;sid:84693593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"switoken.drumf1esh.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830492/; classtype:trojan-activity;sid:84693592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.234.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830489/; classtype:trojan-activity;sid:84693589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"meta-irnpor.acquisit-batper.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830490/; classtype:trojan-activity;sid:84693590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.212.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830491/; classtype:trojan-activity;sid:84693591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"8cq295yx.acquisit-batper.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830488/; classtype:trojan-activity;sid:84693588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tracfiel.acquisit-batper.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830487/; classtype:trojan-activity;sid:84693587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"f0rrn4-logic.acquisit-batper.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830486/; classtype:trojan-activity;sid:84693586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.194.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830485/; classtype:trojan-activity;sid:84693585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.109.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830484/; classtype:trojan-activity;sid:84693584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sipzix.acquisit-batper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830483/; classtype:trojan-activity;sid:84693583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.72.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830482/;
classtype:trojan-activity;sid:84693582; rev:1;)
# sid bookkeeping: in the rules below, sid equals the URLhaus ID shown in msg plus
# 80863100 (3830481 -> 84693581). The msg text differs only by that ID and every
# rule uses classtype:trojan-activity, so dashboards, thresholds and suppressions
# should key on sid or on the reference URL, and locally written rules should stay
# out of this sid range to avoid duplicate-sid load errors.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.64.8.168"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830481/; classtype:trojan-activity;sid:84693581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"draftroya.acquisit-batper.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830480/; classtype:trojan-activity;sid:84693580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830479/; classtype:trojan-activity;sid:84693579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"moraltin.clo5etterebeat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830478/; classtype:trojan-activity;sid:84693578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.217.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830477/; classtype:trojan-activity;sid:84693577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zenvale2on.clo5etterebeat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830476/; classtype:trojan-activity;sid:84693576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.115.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830475/; classtype:trojan-activity;sid:84693575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.64.8.168"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830474/; classtype:trojan-activity;sid:84693574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"denseink.clo5etterebeat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830473/; classtype:trojan-activity;sid:84693573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.60.176.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830472/; classtype:trojan-activity;sid:84693572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.87.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830471/; classtype:trojan-activity;sid:84693571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"3df7.clo5etterebeat.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830470/; classtype:trojan-activity;sid:84693570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.242.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830469/; classtype:trojan-activity;sid:84693569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host;
content:"labelparc.clo5etterebeat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830468/; classtype:trojan-activity;sid:84693568; rev:1;)
# Triage note for the rules below: they fire on the request side
# (flow:established,from_client), so an alert shows that an internal client asked
# for a listed URL, not that a payload was returned or run. Check the HTTP
# response status and body size for the same flow before escalating.
# The two-byte path "/i" is matched as the whole URI (depth:2 + endswith, nocase)
# and only together with the exact host, so the short path alone never alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.203.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830467/; classtype:trojan-activity;sid:84693567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.217.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830466/; classtype:trojan-activity;sid:84693566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.115.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830465/; classtype:trojan-activity;sid:84693565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"tonecalm.clo5etterebeat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830464/; classtype:trojan-activity;sid:84693564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830463/; classtype:trojan-activity;sid:84693563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"arkvale6os.foam-take.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830462/; classtype:trojan-activity;sid:84693562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.210.86.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830461/; classtype:trojan-activity;sid:84693561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.72.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830460/; classtype:trojan-activity;sid:84693560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.240.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830459/; classtype:trojan-activity;sid:84693559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"innercoupon.foam-take.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830458/; classtype:trojan-activity;sid:84693558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.152.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830457/; classtype:trojan-activity;sid:84693557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.87.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830456/; classtype:trojan-activity;sid:84693556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.242.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830455/; classtype:trojan-activity;sid:84693555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"falconshift.foam-take.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830454/; classtype:trojan-activity;sid:84693554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.124.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830453/; classtype:trojan-activity;sid:84693553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.50.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830452/; classtype:trojan-activity;sid:84693552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"valleymount.foam-take.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830451/; classtype:trojan-activity;sid:84693551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.166.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830450/; classtype:trojan-activity;sid:84693550; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sol-coreis.foam-take.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830449/; classtype:trojan-activity;sid:84693549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"partnertra.foam-take.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830448/; classtype:trojan-activity;sid:84693548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.152.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830447/; classtype:trojan-activity;sid:84693547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"netw0r4-panel.extrav5achkovit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830446/; classtype:trojan-activity;sid:84693546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830445)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.219.74.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830445/; classtype:trojan-activity;sid:84693545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.154.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830444/; classtype:trojan-activity;sid:84693544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"gv6cwq.extrav5achkovit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830443/; classtype:trojan-activity;sid:84693543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.50.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830442/; classtype:trojan-activity;sid:84693542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"geo-byt3.extrav5achkovit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830441/; 
classtype:trojan-activity;sid:84693541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"supplyalpha.extrav5achkovit.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830440/; classtype:trojan-activity;sid:84693540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.113.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830439/; classtype:trojan-activity;sid:84693539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.215.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830438/; classtype:trojan-activity;sid:84693538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"kelmeshos7.extrav5achkovit.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830437/; classtype:trojan-activity;sid:84693537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830436)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"rrdfp.extrav5achkovit.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830436/; classtype:trojan-activity;sid:84693536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"lummarkar5.blockad-creak.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830435/; classtype:trojan-activity;sid:84693535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.215.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830434/; classtype:trojan-activity;sid:84693534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.90.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830433/; classtype:trojan-activity;sid:84693533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"zenfluxum.blockad-creak.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, 
urlhaus.abuse.ch/url/3830432/; classtype:trojan-activity;sid:84693532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/halfmillion-iq.zip"; depth:19; endswith; nocase; http.host; content:"halfmillion-iq.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830431/; classtype:trojan-activity;sid:84693531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verif.vrf"; depth:10; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830430/; classtype:trojan-activity;sid:84693530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.vrf"; depth:17; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830429/; classtype:trojan-activity;sid:84693529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"profit-guide.blockad-creak.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830428/; classtype:trojan-activity;sid:84693528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830427)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.83.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830427/; classtype:trojan-activity;sid:84693527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pack.vrf"; depth:9; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830426/; classtype:trojan-activity;sid:84693526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830420/; classtype:trojan-activity;sid:84693520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mshta.vrf"; depth:10; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830421/; classtype:trojan-activity;sid:84693521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/counter/"; depth:9; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830422/; classtype:trojan-activity;sid:84693522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3830423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/count.txt"; depth:10; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830423/; classtype:trojan-activity;sid:84693523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/count.php"; depth:10; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830424/; classtype:trojan-activity;sid:84693524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preloader.vrf"; depth:14; endswith; nocase; http.host; content:"104.164.55.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830425/; classtype:trojan-activity;sid:84693525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"courwind.blockad-creak.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830419/; classtype:trojan-activity;sid:84693519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.52.129.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830418/; classtype:trojan-activity;sid:84693518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.90.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830417/; classtype:trojan-activity;sid:84693517; rev:1;)
# NOTE(review): sid 84693516 - the http.uri pattern below decodes to 119 bytes, yet depth is 134,
# which is the length of the escaped text; depth appears to be computed before hex decoding.
# With depth larger than the pattern, endswith alone anchors the match, so the pattern is no
# longer pinned to the start of the URI as it is in the neighbouring rules.
# NOTE(review): "|7c|26|7c|" decodes to the literal characters |26|, not to "&" (0x26). This
# looks like a double-escaped query separator; if so, the rule cannot match the real request.
# Confirm against the URLhaus entry and report upstream rather than patching the feed locally.
# NOTE(review): www.dropbox.com is normally reached over HTTPS, so an "alert http" rule sees
# this request only where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/v5jlftdu3mnbgxut12vq9/re538102de-rechnung-24-04-2026.vbs|3f|rlkey=rr6uy2w6r7mscb6tch788zfuo|7c|26|7c|st=zqv9oka1|7c|26|7c|dl=1"; depth:134; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830416/; classtype:trojan-activity;sid:84693516; rev:1;)
# NOTE(review): the next two rules pin one shared URI path to a single host each. The same path
# recurs in this ruleset under many other *.in.net hosts, so detection of this path depends on
# the feed listing every new host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"sandboxrev.blockad-creak.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830415/; classtype:trojan-activity;sid:84693515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pthq.boa7dswim.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830414/; classtype:trojan-activity;sid:84693514; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.221.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830413/; classtype:trojan-activity;sid:84693513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ten5or-point.boa7dswim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830412/; classtype:trojan-activity;sid:84693512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830410/; classtype:trojan-activity;sid:84693510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.178.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830411/; classtype:trojan-activity;sid:84693511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; 
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830409/; classtype:trojan-activity;sid:84693509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830406/; classtype:trojan-activity;sid:84693506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm7"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830407/; classtype:trojan-activity;sid:84693507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830408/; classtype:trojan-activity;sid:84693508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm5"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830401/; classtype:trojan-activity;sid:84693501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830402)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/gamesdior/main_spc"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830402/; classtype:trojan-activity;sid:84693502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_sh4"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830403/; classtype:trojan-activity;sid:84693503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_x86_64"; depth:22; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830404/; classtype:trojan-activity;sid:84693504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arm6"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830405/; classtype:trojan-activity;sid:84693505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mpsl"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830400/; 
classtype:trojan-activity;sid:84693500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_i468"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830399/; classtype:trojan-activity;sid:84693499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_m68k"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830383/; classtype:trojan-activity;sid:84693483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_ppc"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830384/; classtype:trojan-activity;sid:84693484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_mips"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830385/; classtype:trojan-activity;sid:84693485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.arm6"; depth:16; endswith; 
nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830386/; classtype:trojan-activity;sid:84693486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.mips"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830387/; classtype:trojan-activity;sid:84693487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.sparc"; depth:17; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830388/; classtype:trojan-activity;sid:84693488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.ppc"; depth:15; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830389/; classtype:trojan-activity;sid:84693489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.i686"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830390/; classtype:trojan-activity;sid:84693490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3830391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.mips64"; depth:18; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830391/; classtype:trojan-activity;sid:84693491; rev:1;)
# Rule shape used by every entry in this stretch: alert on cleartext HTTP from
# $HOME_NET to $EXTERNAL_NET, client side of an established flow, where
#   - http.method contains "GET" (the content has no depth/endswith, so it is unanchored),
#   - http.uri equals the listed path (content + depth of the same length + endswith,
#     compared case-insensitively via nocase),
#   - http.host equals the listed host (content + depth + isdataat:!1,relative,
#     i.e. no byte may follow the match).
# Each sid here is the URLhaus id shown in msg/reference plus 80863100, so an alert
# can be mapped back to its URLhaus entry from the sid alone.
#
# Host 176.65.139.146: one path per architecture-style suffix under /v0v/
# (mips64, arm, mpsl, x86, m68k, arm5, sh4, arm7, x86_64 in this stretch).
# NOTE(review): the suffixes suggest builds for several CPU architectures - inferred
# from the file names only; when triaging, check what kind of device sent the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.arm"; depth:15; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830392/; classtype:trojan-activity;sid:84693492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.mpsl"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830393/; classtype:trojan-activity;sid:84693493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.x86"; depth:15; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830394/; classtype:trojan-activity;sid:84693494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.m68k"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830395/; classtype:trojan-activity;sid:84693495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.arm5"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830396/; classtype:trojan-activity;sid:84693496; rev:1;)
# Hostname-based entries for games.payos.cfd (main_i686, main_arc).
# NOTE(review): "alert http" inspects cleartext HTTP only; the same URL fetched over
# TLS is not matched by these rules unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_i686"; depth:20; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830397/; classtype:trojan-activity;sid:84693497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamesdior/main_arc"; depth:19; endswith; nocase; http.host; content:"games.payos.cfd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830398/; classtype:trojan-activity;sid:84693498; rev:1;)
# Remaining /v0v/vision.* entries for 176.65.139.146 (sh4, arm7, x86_64).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.sh4"; depth:15; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830380/; classtype:trojan-activity;sid:84693480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.arm7"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830381/; classtype:trojan-activity;sid:84693481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.x86_64"; depth:18; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830382/; classtype:trojan-activity;sid:84693482; rev:1;)
# Short paths ("/i", "/bin.sh") on literal IP hosts. The path alone is far too generic
# to alert on; these rules fire only together with the exact http.host value, so a
# request to the same address that carries a different Host value is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.250.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830379/; classtype:trojan-activity;sid:84693479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.250.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830377/; classtype:trojan-activity;sid:84693477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.126.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830378/; classtype:trojan-activity;sid:84693478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830376)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fleequot.boa7dswim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830376/; classtype:trojan-activity;sid:84693476; rev:1;)
# Exact-match indicator rules: each alerts on a cleartext HTTP request from $HOME_NET
# whose method buffer contains "GET", whose http.uri equals the listed path
# (content + depth + endswith, nocase) and whose http.host equals the listed host
# (content + depth + isdataat:!1,relative).
#
# The path /cdk-msdn-3457325-null/load-file0dsdf567.chk recurs in this stretch with a
# different subdomain each time, under boa7dswim.in.net and wi3sorin.in.net.
# NOTE(review): because http.host is pinned per rule, a subdomain that is not yet
# listed will not alert. A locally maintained rule on the path alone (own sid range,
# checked for false positives first) would close that gap.
#
# "/i" and "/bin.sh" appear on literal IP hosts; several addresses are listed once
# for each path (for example 222.140.184.170), so correlating alerts by destination
# helps triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.177.77.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830375/; classtype:trojan-activity;sid:84693475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"emroz.boa7dswim.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830374/; classtype:trojan-activity;sid:84693474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.184.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830373/; classtype:trojan-activity;sid:84693473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.55.64.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830372/; classtype:trojan-activity;sid:84693472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.21.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830371/; classtype:trojan-activity;sid:84693471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"broad4-grid.boa7dswim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830370/; classtype:trojan-activity;sid:84693470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.49.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830369/; classtype:trojan-activity;sid:84693469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.184.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830368/; classtype:trojan-activity;sid:84693468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.148.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830367/; classtype:trojan-activity;sid:84693467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.149.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830366/; classtype:trojan-activity;sid:84693466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.178.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830365/; classtype:trojan-activity;sid:84693465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830364/; classtype:trojan-activity;sid:84693464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"anciesto.boa7dswim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830363/; classtype:trojan-activity;sid:84693463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.126.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830362/; classtype:trojan-activity;sid:84693462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"fallbasic.wi3sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830361/; classtype:trojan-activity;sid:84693461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.245.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830360/; classtype:trojan-activity;sid:84693460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.148.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830359/; classtype:trojan-activity;sid:84693459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"14.177.77.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830358/; classtype:trojan-activity;sid:84693458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.245.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830357/; classtype:trojan-activity;sid:84693457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pastusout.wi3sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830356/; classtype:trojan-activity;sid:84693456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.201.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830355/; classtype:trojan-activity;sid:84693455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.201.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830354/; classtype:trojan-activity;sid:84693454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"221.15.90.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830353/; classtype:trojan-activity;sid:84693453; rev:1;)
# Exact-match indicator rules: each alerts on a cleartext HTTP request from $HOME_NET
# whose method buffer contains "GET", whose http.uri matches the listed path
# (content + depth + endswith, nocase) and whose http.host equals the listed host
# (content + depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.49.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830352/; classtype:trojan-activity;sid:84693452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hkez.de8xamel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830351/; classtype:trojan-activity;sid:84693451; rev:1;)
# The path ends in .png, yet the entry is listed as a malware download URL: do not
# deprioritise the alert on file extension alone (the same applies to sid 84693448).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_151244.png"; depth:15; endswith; nocase; http.host; content:"emailspro.store"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830350/; classtype:trojan-activity;sid:84693450; rev:1;)
# NOTE(review), sid 84693449: in the http.uri content, |3f| is "?", but each
# |7c|26|7c| decodes to the four literal bytes 0x7c "2" "6" 0x7c (a pipe, "26", a pipe),
# not to "&" (0x26). If the reported URL separates the ex/is/hm parameters with "&"
# (TODO confirm against the URLhaus entry), this rule cannot match it; the separator
# would then be written |26| and the decoded pattern would be 155 bytes long.
# depth:185 equals the length of the escaped rule text rather than of the decoded
# pattern (164 bytes as written), so the match is not pinned to the start of the URI.
# Separately, "alert http" sees requests to this host only where TLS is decrypted
# upstream - assuming the CDN is reached over HTTPS; verify for your environment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1497131696754135064/1497132075638067280/pedido.js|3f|ex=69ec6866|7c|26|7c|is=69eb16e6|7c|26|7c|hm=4caa37e847a28f8fc40185f5563c3c8156ce47bfaa7a7ed7f5f1645b2b8dc180|7c|26|7c|"; depth:185; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830349/; classtype:trojan-activity;sid:84693449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_095114.png"; depth:15; endswith; nocase; http.host; content:"apostol.free.nf"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830348/; classtype:trojan-activity;sid:84693448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.149.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830347/; classtype:trojan-activity;sid:84693447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"33prnco.de8xamel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830346/; classtype:trojan-activity;sid:84693446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.89.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830344/; classtype:trojan-activity;sid:84693444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830345)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.205.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830345/; classtype:trojan-activity;sid:84693445; rev:1;)
# Exact-match indicator rules: each alerts on a cleartext HTTP request from $HOME_NET
# whose method buffer contains "GET", whose http.uri equals the listed path
# (content + depth + endswith, nocase) and whose http.host equals the listed host
# (content + depth + isdataat:!1,relative).
#
# Two patterns dominate this stretch:
#   - "/i" and "/bin.sh" on literal IP hosts; several addresses are listed once per
#     path (for example 175.148.165.106), so correlate alerts by destination.
#   - /cdk-msdn-3457325-null/load-file0dsdf567.chk on changing subdomains of
#     de8xamel.in.net, qi4mavel.in.net and 9zorexal.in.net.
# NOTE(review): because http.host is pinned per rule, a subdomain that is not yet
# listed will not alert. A locally maintained rule on the path alone (own sid range,
# checked for false positives first) would close that gap.
# NOTE(review): "alert http" inspects cleartext HTTP only; the hostname entries are
# not matched when the URL is fetched over TLS unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.246.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830343/; classtype:trojan-activity;sid:84693443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.90.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830342/; classtype:trojan-activity;sid:84693442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"c0ol6-field.de8xamel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830341/; classtype:trojan-activity;sid:84693441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"nhmud1dx.de8xamel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830340/; classtype:trojan-activity;sid:84693440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830339/; classtype:trojan-activity;sid:84693439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.91.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830338/; classtype:trojan-activity;sid:84693438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.246.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830337/; classtype:trojan-activity;sid:84693437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830336/; classtype:trojan-activity;sid:84693436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"talnex4on.de8xamel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830335/; classtype:trojan-activity;sid:84693435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.108.161.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830334/; classtype:trojan-activity;sid:84693434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.191.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830333/; classtype:trojan-activity;sid:84693433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ihsk.de8xamel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830332/; classtype:trojan-activity;sid:84693432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.234.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830331/; classtype:trojan-activity;sid:84693431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.108.161.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830330/; classtype:trojan-activity;sid:84693430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"reed-pla.qi4mavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830329/; classtype:trojan-activity;sid:84693429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"nzsrghd.qi4mavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830328/; classtype:trojan-activity;sid:84693428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.122.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830327/; classtype:trojan-activity;sid:84693427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.202.14.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830326/; classtype:trojan-activity;sid:84693426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830325/; classtype:trojan-activity;sid:84693425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"otter0-array.qi4mavel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830324/; classtype:trojan-activity;sid:84693424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.165.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830323/; classtype:trojan-activity;sid:84693423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.165.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830322/; classtype:trojan-activity;sid:84693422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"vellith4en.qi4mavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830321/; classtype:trojan-activity;sid:84693421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"shipdat.qi4mavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830320/; classtype:trojan-activity;sid:84693420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.88.7.48"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830319/; classtype:trojan-activity;sid:84693419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.113.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830318/; classtype:trojan-activity;sid:84693418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.54.212.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830317/; classtype:trojan-activity;sid:84693417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830316/; classtype:trojan-activity;sid:84693416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ungljmv.qi4mavel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830315/; classtype:trojan-activity;sid:84693415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.123.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830314/; classtype:trojan-activity;sid:84693414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ultra-g0ld.9zorexal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830313/; classtype:trojan-activity;sid:84693413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830311/; classtype:trojan-activity;sid:84693411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.91.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830312/; classtype:trojan-activity;sid:84693412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.246.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830310/; classtype:trojan-activity;sid:84693410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830309/; classtype:trojan-activity;sid:84693409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.147.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830308/; classtype:trojan-activity;sid:84693408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.54.212.131"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830307/; classtype:trojan-activity;sid:84693407; rev:1;)
# Exact-match indicator rules: each alerts on a cleartext HTTP request from $HOME_NET
# whose method buffer contains "GET", whose http.uri equals the listed path
# (content + depth + endswith, nocase) and whose http.host equals the listed host
# (content + depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.205.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830306/; classtype:trojan-activity;sid:84693406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"hmhfs.9zorexal.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830305/; classtype:trojan-activity;sid:84693405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.192.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830304/; classtype:trojan-activity;sid:84693404; rev:1;)
# Host 45.135.193.110: one path per architecture-style suffix under /bins/
# (arm, spc, mips, arm6, x86, mpsl, arm7, arm5, sh4, m68k, ppc in this stretch).
# NOTE(review): the suffixes suggest builds for several CPU architectures - inferred
# from the file names only. Every rule pins both the exact file name and the host, so
# a renamed file or a new hosting address is not covered; when triaging, check what
# kind of device sent the request and whether it requested more than one of these paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830303/; classtype:trojan-activity;sid:84693403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830301/; classtype:trojan-activity;sid:84693401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830302/; classtype:trojan-activity;sid:84693402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830294/; classtype:trojan-activity;sid:84693394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830295/; classtype:trojan-activity;sid:84693395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830296/; classtype:trojan-activity;sid:84693396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830297/; classtype:trojan-activity;sid:84693397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830298/; classtype:trojan-activity;sid:84693398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830299/; classtype:trojan-activity;sid:84693399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830300/; classtype:trojan-activity;sid:84693400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; 
content:"45.135.193.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830293/; classtype:trojan-activity;sid:84693393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.88.7.48"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830292/; classtype:trojan-activity;sid:84693392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"cascad5-cache.9zorexal.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830291/; classtype:trojan-activity;sid:84693391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.202.14.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830290/; classtype:trojan-activity;sid:84693390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.123.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830289/; classtype:trojan-activity;sid:84693389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830288/; classtype:trojan-activity;sid:84693388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.214.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830287/; classtype:trojan-activity;sid:84693387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"geo-1atti.9zorexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830286/; classtype:trojan-activity;sid:84693386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"meta-b4rk.9zorexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830285/; classtype:trojan-activity;sid:84693385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.160.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830284/; classtype:trojan-activity;sid:84693384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.246.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830283/; classtype:trojan-activity;sid:84693383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.82.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830282/; classtype:trojan-activity;sid:84693382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.184.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830281/; classtype:trojan-activity;sid:84693381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"ajvo1s.po7vaxel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830279/; classtype:trojan-activity;sid:84693379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"36.89.252.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830280/; classtype:trojan-activity;sid:84693380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830278/; classtype:trojan-activity;sid:84693378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.89.252.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830277/; classtype:trojan-activity;sid:84693377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.i486"; depth:16; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830275/; classtype:trojan-activity;sid:84693375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0v/vision.arc"; depth:15; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830276/; classtype:trojan-activity;sid:84693376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"jch52q.po7vaxel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830274/; classtype:trojan-activity;sid:84693374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830273/; classtype:trojan-activity;sid:84693373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.72.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830272/; classtype:trojan-activity;sid:84693372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"docyl.po7vaxel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830271/; classtype:trojan-activity;sid:84693371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"pixobs.po7vaxel.in.net"; depth:22; isdataat:!1,relative; 
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830270/; classtype:trojan-activity;sid:84693370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830268/; classtype:trojan-activity;sid:84693368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830269/; classtype:trojan-activity;sid:84693369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.188.181.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830267/; classtype:trojan-activity;sid:84693367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830265/; classtype:trojan-activity;sid:84693365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; 
depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830266/; classtype:trojan-activity;sid:84693366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830259/; classtype:trojan-activity;sid:84693359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cat.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830260/; classtype:trojan-activity;sid:84693360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830261/; classtype:trojan-activity;sid:84693361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830262/; classtype:trojan-activity;sid:84693362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3830263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830263/; classtype:trojan-activity;sid:84693363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830264/; classtype:trojan-activity;sid:84693364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830256/; classtype:trojan-activity;sid:84693356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830257/; classtype:trojan-activity;sid:84693357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830258/; 
classtype:trojan-activity;sid:84693358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdk-msdn-3457325-null/load-file0dsdf567.chk"; depth:44; endswith; nocase; http.host; content:"d34l-node.po7vaxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830255/; classtype:trojan-activity;sid:84693355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.205.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830254/; classtype:trojan-activity;sid:84693354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pastusout.wi3sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830253/; classtype:trojan-activity;sid:84693353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830252/; classtype:trojan-activity;sid:84693352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830251)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830251/; classtype:trojan-activity;sid:84693351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830250/; classtype:trojan-activity;sid:84693350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830241/; classtype:trojan-activity;sid:84693341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830242/; classtype:trojan-activity;sid:84693342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830243/; classtype:trojan-activity;sid:84693343; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830244/; classtype:trojan-activity;sid:84693344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830245/; classtype:trojan-activity;sid:84693345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830246/; classtype:trojan-activity;sid:84693346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830247/; classtype:trojan-activity;sid:84693347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, 
urlhaus.abuse.ch/url/3830248/; classtype:trojan-activity;sid:84693348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830249/; classtype:trojan-activity;sid:84693349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fallbasic.wi3sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830240/; classtype:trojan-activity;sid:84693340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830239/; classtype:trojan-activity;sid:84693339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.251.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830238/; classtype:trojan-activity;sid:84693338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830237)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ku193bt.wi3sorin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830237/; classtype:trojan-activity;sid:84693337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830236/; classtype:trojan-activity;sid:84693336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830235/; classtype:trojan-activity;sid:84693335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830233/; classtype:trojan-activity;sid:84693333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830234/; classtype:trojan-activity;sid:84693334; 
rev:1;)
# URLhaus feed entries created 2026_04_24, restored to one rule per line.
# Every rule below has the same shape: a client-to-server GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri must equal one path (anchored at the start by
# depth and at the end by endswith, compared with nocase) and whose http.host
# must equal one value (depth plus isdataat:!1,relative, i.e. nothing may follow
# the match). A renamed file or a new server address is therefore not covered.
# Several addresses appear twice, once with /i and once with /bin.sh (for
# example 61.52.157.223); correlate both sids per host when triaging.
#
# 176.65.139.115: the next ten URIs are CPU-architecture names plus /ciabins.sh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830231/; classtype:trojan-activity;sid:84693331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830232/; classtype:trojan-activity;sid:84693332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830228/; classtype:trojan-activity;sid:84693328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830229/; classtype:trojan-activity;sid:84693329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830230/; classtype:trojan-activity;sid:84693330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830225/; classtype:trojan-activity;sid:84693325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830226/; classtype:trojan-activity;sid:84693326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830227/; classtype:trojan-activity;sid:84693327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830223/; classtype:trojan-activity;sid:84693323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciabins.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830224/; classtype:trojan-activity;sid:84693324; rev:1;)
# NOTE(review): the same 82-byte URI recurs in this block under many host names
# beneath wi3sorin.in.net, po7vaxel.in.net and kymle2rax.in.net. Because each
# rule also pins the full Host value, a subdomain not yet in the feed is missed;
# a local rule keyed on the URI alone would cover the whole set. Confirm the
# false-positive rate before enabling such a rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talspireos.wi3sorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830222/; classtype:trojan-activity;sid:84693322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830221/; classtype:trojan-activity;sid:84693321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.237.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830220/; classtype:trojan-activity;sid:84693320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"st80et3.wi3sorin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830219/; classtype:trojan-activity;sid:84693319; rev:1;)
# NOTE(review): `|7c|26|7c|` decodes to the literal bytes "|26|", not to "&"
# (0x26). If the listed URL separates its query parameters with "&", this
# content cannot match it; the separator looks double-escaped by the generator,
# and depth:114 equals the escaped string length rather than the decoded one.
# Confirm against the URLhaus entry before relying on this sid. The Host is
# www.dropbox.com, so an http rule presumably only sees this request where TLS
# is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/80pb46ul2nj1avw5hzabr/img_070420.png|3f|rlkey=f48psv1go7b2s1nsytfjr9nld|7c|26|7c|st=z8hkxjy9|7c|26|7c|dl=1"; depth:114; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830218/; classtype:trojan-activity;sid:84693318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loadermin.wi3sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830217/; classtype:trojan-activity;sid:84693317; rev:1;)
# 176.65.139.47 here, and 176.65.139.50 / 176.65.139.141 further down, share a
# /24 with 176.65.139.115 above; the range may be worth a pivot in proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830216/; classtype:trojan-activity;sid:84693316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tricoreos5.po7vaxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830215/; classtype:trojan-activity;sid:84693315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830214/; classtype:trojan-activity;sid:84693314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jewn.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830213/; classtype:trojan-activity;sid:84693313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830212/; classtype:trojan-activity;sid:84693312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.166.36.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830211/; classtype:trojan-activity;sid:84693311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ajvo1s.po7vaxel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830210/; classtype:trojan-activity;sid:84693310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830209/; classtype:trojan-activity;sid:84693309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.157.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830208/; classtype:trojan-activity;sid:84693308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.237.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830207/; classtype:trojan-activity;sid:84693307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.24.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830206/; classtype:trojan-activity;sid:84693306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynforgeal.kymle2rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830205/; classtype:trojan-activity;sid:84693305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.174.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830204/; classtype:trojan-activity;sid:84693304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lw92.kymle2rax.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830203/; classtype:trojan-activity;sid:84693303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.33.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830202/; classtype:trojan-activity;sid:84693302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.55.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830201/; classtype:trojan-activity;sid:84693301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830199/; classtype:trojan-activity;sid:84693299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.72.25"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830200/; classtype:trojan-activity;sid:84693300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rjhmik2i.kymle2rax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830198/; classtype:trojan-activity;sid:84693298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.244.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830197/; classtype:trojan-activity;sid:84693297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mossbra.kymle2rax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830196/; classtype:trojan-activity;sid:84693296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830195/; classtype:trojan-activity;sid:84693295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830194/; classtype:trojan-activity;sid:84693294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.254.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830193/; classtype:trojan-activity;sid:84693293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.245.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830192/; classtype:trojan-activity;sid:84693292; rev:1;)
# URLhaus feed entries created 2026_04_24, restored to one rule per line.
# Every rule below has the same shape: a client-to-server GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri must equal one path (depth set to the content
# length, endswith, nocase) and whose http.host must equal one value (depth plus
# isdataat:!1,relative, i.e. nothing may follow the match). A renamed file or a
# new server address is therefore not covered.
# Several addresses appear twice, once with /i and once with /bin.sh (for
# example 105.184.42.22); correlate both sids per host when triaging.
# NOTE(review): one 82-byte URI recurs in this block under many host names
# beneath to9varil.in.net, sylov4en.in.net, ra6ximel.in.net and 1zoravel.in.net.
# Because each rule also pins the full Host value, a subdomain not yet in the
# feed is missed; a local rule keyed on the URI alone would cover the whole set.
# Confirm the false-positive rate before enabling such a rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.42.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830191/; classtype:trojan-activity;sid:84693291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vinecarg.to9varil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830190/; classtype:trojan-activity;sid:84693290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.72.98.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830189/; classtype:trojan-activity;sid:84693289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.42.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830188/; classtype:trojan-activity;sid:84693288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rs9y.to9varil.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830187/; classtype:trojan-activity;sid:84693287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.217.33.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830186/; classtype:trojan-activity;sid:84693286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qc3zfzu.to9varil.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830185/; classtype:trojan-activity;sid:84693285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.220.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830184/; classtype:trojan-activity;sid:84693284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.238.24.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830183/; classtype:trojan-activity;sid:84693283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.194.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830182/; classtype:trojan-activity;sid:84693282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.244.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830181/; classtype:trojan-activity;sid:84693281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.26.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830180/; classtype:trojan-activity;sid:84693280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p4rse-forge.to9varil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830179/; classtype:trojan-activity;sid:84693279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.72.98.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830178/; classtype:trojan-activity;sid:84693278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.24.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830177/; classtype:trojan-activity;sid:84693277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"processlis.to9varil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830176/; classtype:trojan-activity;sid:84693276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cl52qlla.to9varil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830175/; classtype:trojan-activity;sid:84693275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"triggerdispatch.sylov4en.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830174/; classtype:trojan-activity;sid:84693274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.26.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830173/; classtype:trojan-activity;sid:84693273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"measu8-drive.sylov4en.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830172/; classtype:trojan-activity;sid:84693272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.13.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830171/; classtype:trojan-activity;sid:84693271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clucrawl.sylov4en.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830170/; classtype:trojan-activity;sid:84693270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.206.205.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830169/; classtype:trojan-activity;sid:84693269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hublistener.sylov4en.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830168/; classtype:trojan-activity;sid:84693268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.102.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830167/; classtype:trojan-activity;sid:84693267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.206.205.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830166/; classtype:trojan-activity;sid:84693266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lgjov.sylov4en.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830165/; classtype:trojan-activity;sid:84693265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.92.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830164/; classtype:trojan-activity;sid:84693264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.92.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830163/; classtype:trojan-activity;sid:84693263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.36.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830162/; classtype:trojan-activity;sid:84693262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830161/; classtype:trojan-activity;sid:84693261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"adapt1-line.sylov4en.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830160/; classtype:trojan-activity;sid:84693260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.102.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830159/; classtype:trojan-activity;sid:84693259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5pru4-mark.ra6ximel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830158/; classtype:trojan-activity;sid:84693258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.124.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830157/; classtype:trojan-activity;sid:84693257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jakej.ra6ximel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830156/; classtype:trojan-activity;sid:84693256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830155/; classtype:trojan-activity;sid:84693255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b4nd-signal.ra6ximel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830154/; classtype:trojan-activity;sid:84693254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.116.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830153/; classtype:trojan-activity;sid:84693253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.26.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830152/; classtype:trojan-activity;sid:84693252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velcrestar5.ra6ximel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830151/; classtype:trojan-activity;sid:84693251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunauth.ra6ximel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830150/; classtype:trojan-activity;sid:84693250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.47.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830149/; classtype:trojan-activity;sid:84693249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ark-forgeon.ra6ximel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830148/; classtype:trojan-activity;sid:84693248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"azure-sharp.1zoravel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830147/; classtype:trojan-activity;sid:84693247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.47.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830146/; classtype:trojan-activity;sid:84693246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c4st-layer.1zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830145/; classtype:trojan-activity;sid:84693245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.116.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830144/; classtype:trojan-activity;sid:84693244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830143/; classtype:trojan-activity;sid:84693243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.197.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830142/; classtype:trojan-activity;sid:84693242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-f1eet.1zoravel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830141/; classtype:trojan-activity;sid:84693241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.243.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830140/; classtype:trojan-activity;sid:84693240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830139/; 
classtype:trojan-activity;sid:84693239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.53.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830136/; classtype:trojan-activity;sid:84693236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.54.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830137/; classtype:trojan-activity;sid:84693237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.210.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830138/; classtype:trojan-activity;sid:84693238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.55.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830132/; classtype:trojan-activity;sid:84693232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; 
endswith; nocase; http.host; content:"178.16.55.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830133/; classtype:trojan-activity;sid:84693233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.54.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830134/; classtype:trojan-activity;sid:84693234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/vnc.exe"; depth:27; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830135/; classtype:trojan-activity;sid:84693235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"balcg.1zoravel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830131/; classtype:trojan-activity;sid:84693231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p1a5-watch.1zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830130/; classtype:trojan-activity;sid:84693230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.81.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830129/; classtype:trojan-activity;sid:84693229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sku4jn.1zoravel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830128/; classtype:trojan-activity;sid:84693228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-7k.inject-mitroph.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830127/; classtype:trojan-activity;sid:84693227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.197.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830126/; classtype:trojan-activity;sid:84693226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-land-3.inject-mitroph.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830125/; classtype:trojan-activity;sid:84693225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.192.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830124/; classtype:trojan-activity;sid:84693224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.124.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830123/; classtype:trojan-activity;sid:84693223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-1.inject-mitroph.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830122/; classtype:trojan-activity;sid:84693222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"102.132.17.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830121/; classtype:trojan-activity;sid:84693221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.192.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830120/; classtype:trojan-activity;sid:84693220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wald-baum-6w.inject-mitroph.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830119/; classtype:trojan-activity;sid:84693219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.42.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830118/; classtype:trojan-activity;sid:84693218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.193.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830117/; classtype:trojan-activity;sid:84693217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-4.inject-mitroph.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830116/; classtype:trojan-activity;sid:84693216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.117.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830115/; classtype:trojan-activity;sid:84693215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iron-zeit-8.inject-mitroph.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830114/; classtype:trojan-activity;sid:84693214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"berg-5x.dometo1ochy.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830113/; classtype:trojan-activity;sid:84693213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-mond-1.dometo1ochy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830112/; classtype:trojan-activity;sid:84693212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.42.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830111/; classtype:trojan-activity;sid:84693211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.26.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830110/; classtype:trojan-activity;sid:84693210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.49.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830109/; classtype:trojan-activity;sid:84693209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-9.dometo1ochy.in.net"; 
depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830108/; classtype:trojan-activity;sid:84693208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.184.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830107/; classtype:trojan-activity;sid:84693207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-haus-4.dometo1ochy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830106/; classtype:trojan-activity;sid:84693206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.193.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830105/; classtype:trojan-activity;sid:84693205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.140.189.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830104/; classtype:trojan-activity;sid:84693204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
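detected (3830103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-7.dometo1ochy.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830103/; classtype:trojan-activity;sid:84693203; rev:1;)
# Exact-match rule: depth equals the pattern length and endswith / isdataat:!1,relative
# pin the end of the buffer, so http.uri and http.host must each equal the listed
# string (case-insensitively for the URI because of nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-3p.dometo1ochy.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830102/; classtype:trojan-activity;sid:84693201; rev:1;)
# depth corrected from the published 21 to 18. The hex escape |3f| is a single byte
# ("?"), so the URI pattern is 18 bytes long; 21 is the length of the escaped text.
# With depth:21 and endswith the pattern could begin at offset 0-3, so the rule also
# fired on URIs carrying up to three extra leading bytes, unlike every other rule in
# this set, which anchors the URI at offset 0. sid and rev are kept as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new.php|3f|type=mips"; depth:18; endswith; nocase; http.host; content:"132.243.164.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830101/; classtype:trojan-activity;sid:84693201; rev:1;)
# Coverage caveat: this is an "alert http" rule, so it only sees a cleartext HTTP GET.
# A request for the same host and path over TLS is not visible to http.uri / http.host
# unless traffic is decrypted before the sensor; pair it with DNS or TLS SNI telemetry
# for the same hostname if that gap matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1"; depth:12; endswith; nocase; http.host; content:"use-claude.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830100/; classtype:trojan-activity;sid:84693200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 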
http.host; content:"112.229.184.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830099/; classtype:trojan-activity;sid:84693199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.49.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830098/; classtype:trojan-activity;sid:84693198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-2.jazz-password.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830097/; classtype:trojan-activity;sid:84693197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.29.31.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830095/; classtype:trojan-activity;sid:84693195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.29.31.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830096/; classtype:trojan-activity;sid:84693196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-land-5.jazz-password.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830094/; classtype:trojan-activity;sid:84693194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-3v.jazz-password.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830093/; classtype:trojan-activity;sid:84693193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.151.248.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830092/; classtype:trojan-activity;sid:84693192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-star-6.jazz-password.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830091/; classtype:trojan-activity;sid:84693191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.21.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830090/; classtype:trojan-activity;sid:84693190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zeit-4k.jazz-password.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830089/; classtype:trojan-activity;sid:84693189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.248.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830088/; classtype:trojan-activity;sid:84693188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-holz-8.jazz-password.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830087/; classtype:trojan-activity;sid:84693187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.58.84.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830086/; classtype:trojan-activity;sid:84693186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haus-5.geor8eharvest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830085/; classtype:trojan-activity;sid:84693185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-berg-1.geor8eharvest.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830084/; classtype:trojan-activity;sid:84693184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-7v.geor8eharvest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830083/; classtype:trojan-activity;sid:84693183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"soft-wald-2.geor8eharvest.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830082/; classtype:trojan-activity;sid:84693182; rev:1;)
#
# Reading notes for the rules below (all follow one generated template):
#   - Header `alert http $HOME_NET any -> $EXTERNAL_NET any`: outbound plaintext HTTP to any
#     destination port. The port of the reported URL is not part of the match, and the same
#     download fetched over TLS is not inspected by these rules unless traffic is decrypted
#     before it reaches the sensor.
#   - `flow:established,from_client` with `http.method; content:"GET"`: client GET requests only.
#   - `http.uri; content:"..."; depth:N; endswith; nocase`: N equals the content length, so the
#     whole normalized URI must equal the string (case-insensitively). A request for the same
#     path with a query string appended does not match.
#   - `http.host; content:"..."; depth:N; isdataat:!1,relative`: N equals the content length and
#     no byte may follow, so the host must equal the string exactly. Short URIs such as `/i`
#     are specific only because of this host pin.
#   - Triage: sid = URLhaus id + 80863100 in every rule shown here; the same id is in `msg` and
#     in the `reference:url` link, which is the place to check whether the entry is still live.
#   - `metadata:created_at` is the only age marker; the rules carry no expiry, so treat each
#     entry as a point-in-time indicator.
#   - Coverage gap: many rules repeat one URI path across subdomains of several `.in.net`
#     parent domains. Each rule pins a single hostname, so a subdomain not yet in the feed is
#     not covered; the shared path is worth a separate hunting query in proxy/HTTP logs.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.119.180.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830081/; classtype:trojan-activity;sid:84693181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.84.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830080/; classtype:trojan-activity;sid:84693180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-4.geor8eharvest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830079/; classtype:trojan-activity;sid:84693179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-9q.geor8eharvest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830078/; classtype:trojan-activity;sid:84693178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.146.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830076/; classtype:trojan-activity;sid:84693176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.212.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830077/; classtype:trojan-activity;sid:84693177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.69.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830075/; classtype:trojan-activity;sid:84693175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.89.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830074/; classtype:trojan-activity;sid:84693174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"land-1.godn2strich.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830073/; classtype:trojan-activity;sid:84693173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.119.180.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830072/; classtype:trojan-activity;sid:84693172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.136.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830071/; classtype:trojan-activity;sid:84693171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.70.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830070/; classtype:trojan-activity;sid:84693170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.236.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830069/; classtype:trojan-activity;sid:84693169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-open-5.godn2strich.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830068/; classtype:trojan-activity;sid:84693168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-2x.godn2strich.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830067/; classtype:trojan-activity;sid:84693167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.128.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830066/; classtype:trojan-activity;sid:84693166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.146.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830065/; classtype:trojan-activity;sid:84693165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.178.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830064/; classtype:trojan-activity;sid:84693164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"holz-baum-4.godn2strich.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830063/; classtype:trojan-activity;sid:84693163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.128.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830062/; classtype:trojan-activity;sid:84693162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.24.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830061/; classtype:trojan-activity;sid:84693161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-9.godn2strich.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830060/; classtype:trojan-activity;sid:84693160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.236.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830059/; classtype:trojan-activity;sid:84693159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-zeit-3s.godn2strich.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830058/; classtype:trojan-activity;sid:84693158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haus-1.melting-torrent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830057/; classtype:trojan-activity;sid:84693157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.142.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830056/; classtype:trojan-activity;sid:84693156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-mond-8.melting-torrent.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830055/; classtype:trojan-activity;sid:84693155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-4m.melting-torrent.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830054/; classtype:trojan-activity;sid:84693154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.21.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830053/; classtype:trojan-activity;sid:84693153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-wind-5.melting-torrent.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830052/; classtype:trojan-activity;sid:84693152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-2.melting-torrent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830051/; classtype:trojan-activity;sid:84693151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iron-9v.melting-torrent.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830050/; classtype:trojan-activity;sid:84693150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-6.after-coordinat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830049/; classtype:trojan-activity;sid:84693149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-star-1.after-coordinat.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830048/; classtype:trojan-activity;sid:84693148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"berg-4k.after-coordinat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830047/; classtype:trojan-activity;sid:84693147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-land-3.after-coordinat.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830046/; classtype:trojan-activity;sid:84693146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.21.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830045/; classtype:trojan-activity;sid:84693145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830043/; classtype:trojan-activity;sid:84693143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zeit-8.after-coordinat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830044/; classtype:trojan-activity;sid:84693144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-holz-5c.after-coordinat.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830042/; classtype:trojan-activity;sid:84693142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.73.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830041/; classtype:trojan-activity;sid:84693141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-1.there5econd.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830040/; classtype:trojan-activity;sid:84693140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wald-petit-7.there5econd.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830039/; classtype:trojan-activity;sid:84693139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.118.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830038/; classtype:trojan-activity;sid:84693138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830037/; classtype:trojan-activity;sid:84693137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-3x.there5econd.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830036/; classtype:trojan-activity;sid:84693136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-fire-4.there5econd.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830035/; classtype:trojan-activity;sid:84693135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haus-9.there5econd.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830034/; classtype:trojan-activity;sid:84693134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.41.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830033/; classtype:trojan-activity;sid:84693133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-mond-2m.there5econd.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830032/; classtype:trojan-activity;sid:84693132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-5.accustom-unrecog.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830031/; classtype:trojan-activity;sid:84693131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.229.35.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830030/; classtype:trojan-activity;sid:84693130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.249.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830029/; classtype:trojan-activity;sid:84693129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830028/; classtype:trojan-activity;sid:84693128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-petit-8.accustom-unrecog.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830027/; classtype:trojan-activity;sid:84693127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.249.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830026/; classtype:trojan-activity;sid:84693126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.82.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830025/; classtype:trojan-activity;sid:84693125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.144.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830024/; classtype:trojan-activity;sid:84693124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.250.27.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830023/; classtype:trojan-activity;sid:84693123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.41.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830022/; classtype:trojan-activity;sid:84693122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"baum-w1.accustom-unrecog.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830021/; classtype:trojan-activity;sid:84693121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-berg-6.accustom-unrecog.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830020/; classtype:trojan-activity;sid:84693120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-3.accustom-unrecog.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830019/; classtype:trojan-activity;sid:84693119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-4z.accustom-unrecog.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830018/; classtype:trojan-activity;sid:84693118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.228.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830017/; classtype:trojan-activity;sid:84693117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.0.110"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830016/; classtype:trojan-activity;sid:84693116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.144.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830015/; classtype:trojan-activity;sid:84693115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-2.ma8nemezzan.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830014/; classtype:trojan-activity;sid:84693114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-star-9k.ma8nemezzan.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830013/; classtype:trojan-activity;sid:84693113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"holz-5.ma8nemezzan.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830012/; classtype:trojan-activity;sid:84693112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.7.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830011/; classtype:trojan-activity;sid:84693111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.55.64.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830010/; classtype:trojan-activity;sid:84693110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.116.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830009/; classtype:trojan-activity;sid:84693109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-land-1v.ma8nemezzan.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830008/; classtype:trojan-activity;sid:84693108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.7.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830007/; classtype:trojan-activity;sid:84693107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-7.ma8nemezzan.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830006/; classtype:trojan-activity;sid:84693106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.228.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830005/; classtype:trojan-activity;sid:84693105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-zeit-3.ma8nemezzan.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830004/; classtype:trojan-activity;sid:84693104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"boo5-scope.light-parcel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830003/; classtype:trojan-activity;sid:84693103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830002/; classtype:trojan-activity;sid:84693102; rev:1;)
# Rules from here on carry created_at 2026_04_23.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ancien0-path.light-parcel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3830001/; classtype:trojan-activity;sid:84693101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.185.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3830000/; classtype:trojan-activity;sid:84693100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdsa.light-parcel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829999/; classtype:trojan-activity;sid:84693099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fore0-core.light-parcel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829998/; classtype:trojan-activity;sid:84693098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ev8l.light-parcel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829997/; classtype:trojan-activity;sid:84693097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.252.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829996/; classtype:trojan-activity;sid:84693096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.152.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829995/; classtype:trojan-activity;sid:84693095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.42.30.175"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829994/; classtype:trojan-activity;sid:84693094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.185.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829993/; classtype:trojan-activity;sid:84693093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.178.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829992/; classtype:trojan-activity;sid:84693092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829991)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"manifes-daw.light-parcel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829991/; classtype:trojan-activity;sid:84693091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.152.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829990/; classtype:trojan-activity;sid:84693090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"du5t-port.plantpo1luter.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829989/; classtype:trojan-activity;sid:84693089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.245.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829988/; classtype:trojan-activity;sid:84693088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.245.48"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829987/; classtype:trojan-activity;sid:84693087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ciphermolecu.plantpo1luter.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829986/; classtype:trojan-activity;sid:84693086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.226.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829985/; classtype:trojan-activity;sid:84693085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mercrestos.plantpo1luter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829984/; classtype:trojan-activity;sid:84693084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.178.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829983/; 
classtype:trojan-activity;sid:84693083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.42.30.175"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829982/; classtype:trojan-activity;sid:84693082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tri-draa.plantpo1luter.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829981/; classtype:trojan-activity;sid:84693081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.252.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829980/; classtype:trojan-activity;sid:84693080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829979/; classtype:trojan-activity;sid:84693079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829978)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"525x6rn.plantpo1luter.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829978/; classtype:trojan-activity;sid:84693078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.96.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829977/; classtype:trojan-activity;sid:84693077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"supply-basi.plantpo1luter.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829976/; classtype:trojan-activity;sid:84693076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xzkgjdst.capriccio-nephew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829975/; classtype:trojan-activity;sid:84693075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829974)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valeanc.capriccio-nephew.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829974/; classtype:trojan-activity;sid:84693074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mixwoo.capriccio-nephew.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829973/; classtype:trojan-activity;sid:84693073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.210.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829972/; classtype:trojan-activity;sid:84693072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oqjwoky.capriccio-nephew.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829971/; classtype:trojan-activity;sid:84693071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"61.163.128.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829970/; classtype:trojan-activity;sid:84693070; rev:1;)
# Rules are listed one per line below.
# All of them are "alert http" rules from $HOME_NET to $EXTERNAL_NET with
# flow:established,from_client, so they inspect only cleartext HTTP GET
# requests sent by hosts inside HOME_NET. The same URL fetched over TLS is
# not seen by these rules unless the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.247.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829969/; classtype:trojan-activity;sid:84693069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.144.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829968/; classtype:trojan-activity;sid:84693068; rev:1;)
# sids 84693067 and 84693065 name a single host under supabase.co, which
# appears to be a shared hosting platform (NOTE(review): confirm). Each rule
# matches only that one host name together with one exact object path, so an
# alert points at this specific bucket, not at the platform's other tenants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/p/vc"; depth:30; endswith; nocase; http.host; content:"auzhpjmyaqayopaqidmc.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829967/; classtype:trojan-activity;sid:84693067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"autumnpul.capriccio-nephew.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829966/; classtype:trojan-activity;sid:84693066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/p/i.sh"; depth:32; endswith; nocase; http.host; content:"auzhpjmyaqayopaqidmc.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829965/; classtype:trojan-activity;sid:84693065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"azqr2vav.capriccio-nephew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829964/; classtype:trojan-activity;sid:84693064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.152.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829963/; classtype:trojan-activity;sid:84693063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.147.100.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829962/; classtype:trojan-activity;sid:84693062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829961)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelvaleum.boatdi1l.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829961/; classtype:trojan-activity;sid:84693061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.128.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829960/; classtype:trojan-activity;sid:84693060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.47.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829959/; classtype:trojan-activity;sid:84693059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.104.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829958/; classtype:trojan-activity;sid:84693058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829957/; classtype:trojan-activity;sid:84693057; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zen-drais.boatdi1l.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829956/; classtype:trojan-activity;sid:84693056; rev:1;)
# Rules are listed one per line below.
# sids 84693055, 84693054, 84693053, 84693052 and 84693051 share the URI
# /mozi.m and differ only in the host IP. Each rule is an exact-URI plus
# exact-host pair (depth equal to the content length, with endswith on the
# URI and isdataat:!1,relative on the host), so the same file name requested
# from an address that is not in the feed raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"175.107.233.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829955/; classtype:trojan-activity;sid:84693055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"206.135.172.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829954/; classtype:trojan-activity;sid:84693054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.229.155.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829953/; classtype:trojan-activity;sid:84693053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.201.140.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829952/; classtype:trojan-activity;sid:84693052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.203.46.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829951/; classtype:trojan-activity;sid:84693051; rev:1;)
# The rules from here on all name host 68.183.233.125 and the same base file
# name with a different suffix (sh4, x86_64, m68k, mpsl, x86, mips, arm5).
# The suffixes look like CPU architecture names, presumably one build per
# architecture (NOTE(review): confirm against the referenced URLhaus
# entries). Alerts from several of these sids for one internal client most
# likely belong to one investigation and are best triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.sh4"; depth:20; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829948/; classtype:trojan-activity;sid:84693048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.x86_64"; depth:23; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829949/; classtype:trojan-activity;sid:84693049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.m68k"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829950/; classtype:trojan-activity;sid:84693050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.mpsl"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829946/; classtype:trojan-activity;sid:84693046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.x86"; depth:20; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829947/; classtype:trojan-activity;sid:84693047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.mips"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829945/; classtype:trojan-activity;sid:84693045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm5"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829941/; classtype:trojan-activity;sid:84693041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.ppc"; depth:20; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829942/; classtype:trojan-activity;sid:84693042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm"; depth:20; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829943/; classtype:trojan-activity;sid:84693043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm7"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829944/; classtype:trojan-activity;sid:84693044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm6"; depth:21; endswith; nocase; http.host; content:"68.183.233.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829940/; classtype:trojan-activity;sid:84693040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.mips"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829933/; classtype:trojan-activity;sid:84693033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829934)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/concakhbtandhuy.x86"; depth:20; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829934/; classtype:trojan-activity;sid:84693034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm5"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829935/; classtype:trojan-activity;sid:84693035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.mpsl"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829936/; classtype:trojan-activity;sid:84693036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.m68k"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829937/; classtype:trojan-activity;sid:84693037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm6"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829938/; classtype:trojan-activity;sid:84693038; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.x86_64"; depth:23; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829939/; classtype:trojan-activity;sid:84693039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm"; depth:20; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829931/; classtype:trojan-activity;sid:84693031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.arm7"; depth:21; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829932/; classtype:trojan-activity;sid:84693032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.sh4"; depth:20; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829929/; classtype:trojan-activity;sid:84693029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/concakhbtandhuy.ppc"; depth:20; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829930/; classtype:trojan-activity;sid:84693030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.146.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829928/; classtype:trojan-activity;sid:84693028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gxbpjafl.boatdi1l.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829927/; classtype:trojan-activity;sid:84693027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"94.26.106.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829926/; classtype:trojan-activity;sid:84693026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toot"; depth:5; endswith; nocase; http.host; content:"103.149.29.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829925/; classtype:trojan-activity;sid:84693025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3829921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829921/; classtype:trojan-activity;sid:84693021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829922/; classtype:trojan-activity;sid:84693022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/busybox.arm5"; depth:18; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829923/; classtype:trojan-activity;sid:84693023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829924/; classtype:trojan-activity;sid:84693024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"103.77.246.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829920/; classtype:trojan-activity;sid:84693020; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.144.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829919/; classtype:trojan-activity;sid:84693019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.247.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829917/; classtype:trojan-activity;sid:84693017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"69.178.6.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829918/; classtype:trojan-activity;sid:84693018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jz39wex.boatdi1l.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829916/; classtype:trojan-activity;sid:84693016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.38.16"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829915/; classtype:trojan-activity;sid:84693015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6sfy.boatdi1l.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829914/; classtype:trojan-activity;sid:84693014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.47.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829913/; classtype:trojan-activity;sid:84693013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-tideex.boatdi1l.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829912/; classtype:trojan-activity;sid:84693012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"69.178.6.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829911/; classtype:trojan-activity;sid:84693011; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rail-trace.alexand-trouble.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829910/; classtype:trojan-activity;sid:84693010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"directspring.alexand-trouble.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829909/; classtype:trojan-activity;sid:84693009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.70.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829908/; classtype:trojan-activity;sid:84693008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.230.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829907/; classtype:trojan-activity;sid:84693007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829906)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.48.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829906/; classtype:trojan-activity;sid:84693006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pqj8j.alexand-trouble.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829905/; classtype:trojan-activity;sid:84693005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bircmed.alexand-trouble.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829904/; classtype:trojan-activity;sid:84693004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.230.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829903/; classtype:trojan-activity;sid:84693003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_23; reference:url, urlhaus.abuse.ch/url/3829902/; classtype:trojan-activity;sid:84693002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talspirea9.alexand-trouble.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829901/; classtype:trojan-activity;sid:84693001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.230.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829899/; classtype:trojan-activity;sid:84692999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yxex4i.alexand-trouble.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829900/; classtype:trojan-activity;sid:84693000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.48.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829898/; classtype:trojan-activity;sid:84692998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3829897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lmk4z.through7esid.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829897/; classtype:trojan-activity;sid:84692997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"191.37.19.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829896/; classtype:trojan-activity;sid:84692996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.166.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829895/; classtype:trojan-activity;sid:84692995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-rn0du.through7esid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829894/; classtype:trojan-activity;sid:84692994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829893)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abl3zv.through7esid.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829893/; classtype:trojan-activity;sid:84692993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.249.123.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829892/; classtype:trojan-activity;sid:84692992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.24.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829891/; classtype:trojan-activity;sid:84692991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-r3fin.through7esid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829890/; classtype:trojan-activity;sid:84692990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.102.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829889/; classtype:trojan-activity;sid:84692989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.24.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829888/; classtype:trojan-activity;sid:84692988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xjnorrmf.through7esid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829887/; classtype:trojan-activity;sid:84692987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.255.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829886/; classtype:trojan-activity;sid:84692986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"r4il2-point.through7esid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829885/; classtype:trojan-activity;sid:84692985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3829884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.230.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829884/; classtype:trojan-activity;sid:84692984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829883/; classtype:trojan-activity;sid:84692983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829882/; classtype:trojan-activity;sid:84692982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.ppc"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829876/; classtype:trojan-activity;sid:84692976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.mips"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829877/; 
classtype:trojan-activity;sid:84692977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.arm5"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829878/; classtype:trojan-activity;sid:84692978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.arm7"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829879/; classtype:trojan-activity;sid:84692979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.arm6"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829880/; classtype:trojan-activity;sid:84692980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.sh4"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829881/; classtype:trojan-activity;sid:84692981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_spc"; depth:9; endswith; nocase; http.host; 
content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829867/; classtype:trojan-activity;sid:84692967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829868/; classtype:trojan-activity;sid:84692968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.spc"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829869/; classtype:trojan-activity;sid:84692969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.arc"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829870/; classtype:trojan-activity;sid:84692970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.x86_64"; depth:19; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829871/; classtype:trojan-activity;sid:84692971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829872)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.arm"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829872/; classtype:trojan-activity;sid:84692972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.m68k"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829873/; classtype:trojan-activity;sid:84692973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.x86"; depth:16; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829874/; classtype:trojan-activity;sid:84692974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljezs/uytea.mpsl"; depth:17; endswith; nocase; http.host; content:"45.131.108.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829875/; classtype:trojan-activity;sid:84692975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829861/; 
classtype:trojan-activity;sid:84692961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829862/; classtype:trojan-activity;sid:84692962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829863/; classtype:trojan-activity;sid:84692963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829864/; classtype:trojan-activity;sid:84692964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829865/; classtype:trojan-activity;sid:84692965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"45.135.193.118"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829866/; classtype:trojan-activity;sid:84692966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829860/; classtype:trojan-activity;sid:84692960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"45.135.193.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829859/; classtype:trojan-activity;sid:84692959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.239.210.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829858/; classtype:trojan-activity;sid:84692958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-draon.polyate-eye.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829857/; classtype:trojan-activity;sid:84692957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3829856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.21.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829856/; classtype:trojan-activity;sid:84692956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"partne0-sync.polyate-eye.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829855/; classtype:trojan-activity;sid:84692955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quormark6os.polyate-eye.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829854/; classtype:trojan-activity;sid:84692954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.255.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829853/; classtype:trojan-activity;sid:84692953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"113.94.31.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829852/; classtype:trojan-activity;sid:84692952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.72.180.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829851/; classtype:trojan-activity;sid:84692951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.77.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829850/; classtype:trojan-activity;sid:84692950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yt3oufng.polyate-eye.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829849/; classtype:trojan-activity;sid:84692949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.146.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829848/; classtype:trojan-activity;sid:84692948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3829847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lunarorganize.polyate-eye.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829847/; classtype:trojan-activity;sid:84692947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vel-lineet.polyate-eye.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829846/; classtype:trojan-activity;sid:84692946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.218.57.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829845/; classtype:trojan-activity;sid:84692945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"primeree.obli8edanger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829844/; classtype:trojan-activity;sid:84692944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829843)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829843/; classtype:trojan-activity;sid:84692943; rev:1;)
# How these rules match: each one inspects only the client request of an established flow from $HOME_NET to
# $EXTERNAL_NET (method GET, URI, Host). On http.uri, depth equal to the content length together with endswith
# requires the whole URI to equal the content (case-insensitively, via nocase). On http.host, depth together with
# isdataat:!1,relative requires the whole host value to equal the content.
# An alert therefore identifies an internal host that requested the listed URL; the rule does not look at the
# response, so it does not by itself show that the payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.77.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829842/; classtype:trojan-activity;sid:84692942; rev:1;)
# NOTE(review): the URI content below starts with two slashes, and depth:6 + endswith pins it to exactly "//arm5".
# http.uri is the normalized URI buffer; if the sensor's HTTP parser is configured to collapse repeated path
# separators, the request would presumably be seen as "/arm5" and this rule would not fire. Confirm against the
# sensor configuration, or compare with http.uri.raw. The single-slash path on the same host has its own rule
# later in this file (sid 84692926).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829841/; classtype:trojan-activity;sid:84692941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.146.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829840/; classtype:trojan-activity;sid:84692940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"parcelpow.obli8edanger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829839/; classtype:trojan-activity;sid:84692939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829838/; classtype:trojan-activity;sid:84692938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pb3kwq.obli8edanger.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829837/; classtype:trojan-activity;sid:84692937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.81.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829836/; classtype:trojan-activity;sid:84692936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.255.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829835/; classtype:trojan-activity;sid:84692935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829834)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.72.180.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829834/; classtype:trojan-activity;sid:84692934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.255.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829833/; classtype:trojan-activity;sid:84692933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0mpu7-phase.obli8edanger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829832/; classtype:trojan-activity;sid:84692932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.148.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829831/; classtype:trojan-activity;sid:84692931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829826/; classtype:trojan-activity;sid:84692926; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829827/; classtype:trojan-activity;sid:84692927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829828/; classtype:trojan-activity;sid:84692928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829829/; classtype:trojan-activity;sid:84692929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829830/; classtype:trojan-activity;sid:84692930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829822/; classtype:trojan-activity;sid:84692922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829823/; classtype:trojan-activity;sid:84692923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829824/; classtype:trojan-activity;sid:84692924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829825/; classtype:trojan-activity;sid:84692925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.227.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829820/; classtype:trojan-activity;sid:84692920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.149.59"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829821/; classtype:trojan-activity;sid:84692921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.21.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829819/; classtype:trojan-activity;sid:84692919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nugr.obli8edanger.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829818/; classtype:trojan-activity;sid:84692918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"2.57.241.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829817/; classtype:trojan-activity;sid:84692917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.114.178.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829816/; classtype:trojan-activity;sid:84692916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829815)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1sdw0.obli8edanger.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829815/; classtype:trojan-activity;sid:84692915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.148.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829814/; classtype:trojan-activity;sid:84692914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"airwayequity.dark-hypnosis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829813/; classtype:trojan-activity;sid:84692913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.149.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829812/; classtype:trojan-activity;sid:84692912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.35.50.185"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829810/; classtype:trojan-activity;sid:84692910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.128.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829811/; classtype:trojan-activity;sid:84692911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velnexor3.dark-hypnosis.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829809/; classtype:trojan-activity;sid:84692909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"html.dark-hypnosis.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829808/; classtype:trojan-activity;sid:84692908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.246.21.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829807/; classtype:trojan-activity;sid:84692907; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.35.50.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829806/; classtype:trojan-activity;sid:84692906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-r3bat.dark-hypnosis.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829805/; classtype:trojan-activity;sid:84692905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"82.114.178.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829804/; classtype:trojan-activity;sid:84692904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bundldaw.dark-hypnosis.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829803/; classtype:trojan-activity;sid:84692903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829802)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mercore1et.rainbow7ain.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829802/; classtype:trojan-activity;sid:84692902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shallo-layer.rainbow7ain.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829801/; classtype:trojan-activity;sid:84692901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.183.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829800/; classtype:trojan-activity;sid:84692900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solline1ix.rainbow7ain.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829799/; classtype:trojan-activity;sid:84692899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829798)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlinea8.rainbow7ain.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829798/; classtype:trojan-activity;sid:84692898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.249.112.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829797/; classtype:trojan-activity;sid:84692897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ca1rn-mount.rainbow7ain.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829796/; classtype:trojan-activity;sid:84692896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"epyc.rainbow7ain.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829795/; classtype:trojan-activity;sid:84692895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829794)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flee-bridge.zom8lirex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829794/; classtype:trojan-activity;sid:84692894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.21.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829792/; classtype:trojan-activity;sid:84692892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.249.112.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829793/; classtype:trojan-activity;sid:84692893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.60.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829791/; classtype:trojan-activity;sid:84692891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kionap.zom8lirex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829790/; classtype:trojan-activity;sid:84692890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.60.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829789/; classtype:trojan-activity;sid:84692889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.182.253.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829788/; classtype:trojan-activity;sid:84692888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.173.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829787/; classtype:trojan-activity;sid:84692887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"30jp.zom8lirex.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829786/; classtype:trojan-activity;sid:84692886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829785)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"w90084qc.zom8lirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829785/; classtype:trojan-activity;sid:84692885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"roughcomp.zom8lirex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829784/; classtype:trojan-activity;sid:84692884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"timberexpose.zom8lirex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829783/; classtype:trojan-activity;sid:84692883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829781/; classtype:trojan-activity;sid:84692881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.10.152.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829782/; classtype:trojan-activity;sid:84692882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.212.120.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829780/; classtype:trojan-activity;sid:84692880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"g1yph5-switch.qi2mavel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829779/; classtype:trojan-activity;sid:84692879; rev:1;)
# NOTE(review): inside a content string the bytes between pipes are hex, so each "|7c|26|7c|" below decodes to
# the four literal characters |26| rather than to a single 0x26 ("&"). This looks like a query-string separator
# that was escaped twice when the rule was generated; confirm against the URLhaus entry. As written, the rule
# would presumably not match a request whose parameters are joined by "&".
# depth:173 equals the length of the escaped rule text, while the decoded pattern is 116 bytes. Unlike the other
# rules in this file, depth + endswith therefore does not pin the URI to an exact match here: up to 57 bytes may
# precede the pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=general|7c|26|7c|c=|7c|26|7c|c=general|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:173; endswith; nocase; http.host; content:"206.72.197.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829778/; classtype:trojan-activity;sid:84692878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred64.dll"; depth:28; endswith; nocase; http.host; content:"163.245.208.50"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829777/; classtype:trojan-activity;sid:84692877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xj15ti.qi2mavel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829776/; classtype:trojan-activity;sid:84692876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred.dll"; depth:26; endswith; nocase; http.host; content:"163.245.208.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829774/; classtype:trojan-activity;sid:84692874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.34.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829775/; classtype:trojan-activity;sid:84692875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829773/; classtype:trojan-activity;sid:84692873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3829772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"modelfabri.qi2mavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829772/; classtype:trojan-activity;sid:84692872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.249.199.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829771/; classtype:trojan-activity;sid:84692871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fujyh.qi2mavel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829770/; classtype:trojan-activity;sid:84692870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.63.30.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829769/; classtype:trojan-activity;sid:84692869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"222.138.118.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829768/; classtype:trojan-activity;sid:84692868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shapeprivat.qi2mavel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829767/; classtype:trojan-activity;sid:84692867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.184.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829766/; classtype:trojan-activity;sid:84692866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.212.120.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829765/; classtype:trojan-activity;sid:84692865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenmarka.qi2mavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829764/; 
classtype:trojan-activity;sid:84692864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.228.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829763/; classtype:trojan-activity;sid:84692863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ttgfvj.bovla7xel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829762/; classtype:trojan-activity;sid:84692862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829761/; classtype:trojan-activity;sid:84692861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"o999.bovla7xel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829755/; classtype:trojan-activity;sid:84692855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829756)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829756/; classtype:trojan-activity;sid:84692856; rev:1;)
# The rule completed on the line above and the seven rules below all pin
# http.host 176.65.148.212 and differ only in the exact URI (/arm5, /x86,
# /arm6, /arm4, /x86_64, /mips, /arm7, /mpsl). Each URI is matched in full
# (depth equal to its length, plus endswith), so a file name on this host that
# the feed has not listed raises no alert. When triaging a hit, review every
# HTTP request from the client to this host, not only the alerted path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829757/; classtype:trojan-activity;sid:84692857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829758/; classtype:trojan-activity;sid:84692858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829759/; classtype:trojan-activity;sid:84692859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829760/; classtype:trojan-activity;sid:84692860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829753/; classtype:trojan-activity;sid:84692853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829754/; classtype:trojan-activity;sid:84692854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.148.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829752/; classtype:trojan-activity;sid:84692852; rev:1;)
# Single-URL rules: the URI must equal "/i" and the host must equal the listed
# address. With a URI this short, the exact host match is what keeps the rule
# specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.221.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829751/; classtype:trojan-activity;sid:84692851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.199.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829750/; 
classtype:trojan-activity;sid:84692850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829749/; classtype:trojan-activity;sid:84692849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c1inic-crest.bovla7xel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829748/; classtype:trojan-activity;sid:84692848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.228.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829747/; classtype:trojan-activity;sid:84692847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.184.8.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829746/; classtype:trojan-activity;sid:84692846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"42.85.184.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829745/; classtype:trojan-activity;sid:84692845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fkcrc.bovla7xel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829744/; classtype:trojan-activity;sid:84692844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gsfyi.bovla7xel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829743/; classtype:trojan-activity;sid:84692843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.197.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829742/; classtype:trojan-activity;sid:84692842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.213.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829741/; 
classtype:trojan-activity;sid:84692841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.211.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829740/; classtype:trojan-activity;sid:84692840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glmu.bovla7xel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829739/; classtype:trojan-activity;sid:84692839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.199.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829738/; classtype:trojan-activity;sid:84692838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.165.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829737/; classtype:trojan-activity;sid:84692837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829736)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"segpaylo.de4xamel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829736/; classtype:trojan-activity;sid:84692836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.177.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829735/; classtype:trojan-activity;sid:84692835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.57.49.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829734/; classtype:trojan-activity;sid:84692834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"locallan.de4xamel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829733/; classtype:trojan-activity;sid:84692833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pric3-flow.de4xamel.in.net"; 
depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829732/; classtype:trojan-activity;sid:84692832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.184.8.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829731/; classtype:trojan-activity;sid:84692831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.125.60.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829730/; classtype:trojan-activity;sid:84692830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cryptocatal.de4xamel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829729/; classtype:trojan-activity;sid:84692829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.213.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829728/; classtype:trojan-activity;sid:84692828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3829727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829727/; classtype:trojan-activity;sid:84692827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"compil0-spark.de4xamel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829726/; classtype:trojan-activity;sid:84692826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"27ny0.de4xamel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829725/; classtype:trojan-activity;sid:84692825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.255.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829724/; classtype:trojan-activity;sid:84692824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829723/; classtype:trojan-activity;sid:84692823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.84.56.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829722/; classtype:trojan-activity;sid:84692822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"42qq.po3vaxel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829721/; classtype:trojan-activity;sid:84692821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.220.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829720/; classtype:trojan-activity;sid:84692820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.220.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829719/; classtype:trojan-activity;sid:84692819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3829718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.69.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829718/; classtype:trojan-activity;sid:84692818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nordraex.po3vaxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829717/; classtype:trojan-activity;sid:84692817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.211.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829716/; classtype:trojan-activity;sid:84692816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.69.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829715/; classtype:trojan-activity;sid:84692815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"bark8-grid.po3vaxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829714/; classtype:trojan-activity;sid:84692814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.165.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829713/; classtype:trojan-activity;sid:84692813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829711/; classtype:trojan-activity;sid:84692811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.51.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829712/; classtype:trojan-activity;sid:84692812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9sy22gk.po3vaxel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829710/; classtype:trojan-activity;sid:84692810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3829709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.205.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829709/; classtype:trojan-activity;sid:84692809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.84.56.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829708/; classtype:trojan-activity;sid:84692808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-r0ut.po3vaxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829707/; classtype:trojan-activity;sid:84692807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.112.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829706/; classtype:trojan-activity;sid:84692806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"civi4-forge.po3vaxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829705/; classtype:trojan-activity;sid:84692805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.81.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829704/; classtype:trojan-activity;sid:84692804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teste.txt"; depth:10; endswith; nocase; http.host; content:"216.245.184.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829702/; classtype:trojan-activity;sid:84692802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/um.vbs"; depth:7; endswith; nocase; http.host; content:"216.245.184.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829703/; classtype:trojan-activity;sid:84692803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.148.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829701/; classtype:trojan-activity;sid:84692801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829700)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guardtimb.kymle6rax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829700/; classtype:trojan-activity;sid:84692800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.51.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829699/; classtype:trojan-activity;sid:84692799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.225.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829698/; classtype:trojan-activity;sid:84692798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.112.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829697/; classtype:trojan-activity;sid:84692797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yeay.kymle6rax.in.net"; depth:21; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829696/; classtype:trojan-activity;sid:84692796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.119.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829695/; classtype:trojan-activity;sid:84692795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ravenworke.kymle6rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829694/; classtype:trojan-activity;sid:84692794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.81.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829693/; classtype:trojan-activity;sid:84692793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.254.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829692/; classtype:trojan-activity;sid:84692792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3829691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829691/; classtype:trojan-activity;sid:84692791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829690/; classtype:trojan-activity;sid:84692790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.119.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829689/; classtype:trojan-activity;sid:84692789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.59.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829688/; classtype:trojan-activity;sid:84692788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829687/; classtype:trojan-activity;sid:84692787; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.225.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829686/; classtype:trojan-activity;sid:84692786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.155.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829685/; classtype:trojan-activity;sid:84692785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bpja3y.to1varil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829684/; classtype:trojan-activity;sid:84692784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.121.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829683/; classtype:trojan-activity;sid:84692783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"vormark6um.to1varil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829682/; classtype:trojan-activity;sid:84692782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.113.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829680/; classtype:trojan-activity;sid:84692780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.66.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829681/; classtype:trojan-activity;sid:84692781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.104.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829679/; classtype:trojan-activity;sid:84692779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.194.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829678/; classtype:trojan-activity;sid:84692778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3829677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.155.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829677/; classtype:trojan-activity;sid:84692777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.113.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829675/; classtype:trojan-activity;sid:84692775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.6.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829676/; classtype:trojan-activity;sid:84692776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.211.117.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829674/; classtype:trojan-activity;sid:84692774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.211.117.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829672/; classtype:trojan-activity;sid:84692772; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.113.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829673/; classtype:trojan-activity;sid:84692773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.113.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829671/; classtype:trojan-activity;sid:84692771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.59.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829670/; classtype:trojan-activity;sid:84692770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"delstrea.sylov8en.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829669/; classtype:trojan-activity;sid:84692769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.44.207"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829668/; classtype:trojan-activity;sid:84692768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"supsensor.sylov8en.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829667/; classtype:trojan-activity;sid:84692767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nbfirv.sylov8en.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829666/; classtype:trojan-activity;sid:84692766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"veltideen.sylov8en.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829665/; classtype:trojan-activity;sid:84692765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"5ap-mesh.sylov8en.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829664/; classtype:trojan-activity;sid:84692764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.117.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829663/; classtype:trojan-activity;sid:84692763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zyddq.ra5ximor.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829662/; classtype:trojan-activity;sid:84692762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bangwdpy.ra5ximor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829661/; classtype:trojan-activity;sid:84692761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.224.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829660/; 
classtype:trojan-activity;sid:84692760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"refinecivil.ra5ximor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829659/; classtype:trojan-activity;sid:84692759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.44.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829658/; classtype:trojan-activity;sid:84692758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"reef-mark.ra5ximor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829657/; classtype:trojan-activity;sid:84692757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.126.208.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829656/; classtype:trojan-activity;sid:84692756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829655)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.76.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829655/; classtype:trojan-activity;sid:84692755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dusttide.ra5ximor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829654/; classtype:trojan-activity;sid:84692754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.224.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829653/; classtype:trojan-activity;sid:84692753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"61ok.ra5ximor.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829652/; classtype:trojan-activity;sid:84692752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"faithf2-frame.2zoravel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829651/; classtype:trojan-activity;sid:84692751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.10.192.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829650/; classtype:trojan-activity;sid:84692750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snowbrand.2zoravel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829649/; classtype:trojan-activity;sid:84692749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.126.208.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829648/; classtype:trojan-activity;sid:84692748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tr4cke-chain.2zoravel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829647/; classtype:trojan-activity;sid:84692747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.52.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829646/; classtype:trojan-activity;sid:84692746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper8-signal.2zoravel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829645/; classtype:trojan-activity;sid:84692745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829644/; classtype:trojan-activity;sid:84692744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trans6-stream.2zoravel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829643/; classtype:trojan-activity;sid:84692743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3829642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.149.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829642/; classtype:trojan-activity;sid:84692742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jcgopydo.2zoravel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829641/; classtype:trojan-activity;sid:84692741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ur0a.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829640/; classtype:trojan-activity;sid:84692740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.52.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829639/; classtype:trojan-activity;sid:84692739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.145.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829638/; classtype:trojan-activity;sid:84692738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wi1d-array.rentcad.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829637/; classtype:trojan-activity;sid:84692737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.145.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829636/; classtype:trojan-activity;sid:84692736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xwql.rentcad.in.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829635/; classtype:trojan-activity;sid:84692735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.21.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829634/; classtype:trojan-activity;sid:84692734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3829633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829633/; classtype:trojan-activity;sid:84692733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.241.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829632/; classtype:trojan-activity;sid:84692732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.149.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829631/; classtype:trojan-activity;sid:84692731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ciphercas.sadfont.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829630/; classtype:trojan-activity;sid:84692730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"capita-sla.sadfont.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829629/; classtype:trojan-activity;sid:84692729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mervale9al.qazsadf.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829628/; classtype:trojan-activity;sid:84692728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.21.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829627/; classtype:trojan-activity;sid:84692727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"norlineum5.qazsadf.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829626/; classtype:trojan-activity;sid:84692726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829625/; 
classtype:trojan-activity;sid:84692725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.19.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829624/; classtype:trojan-activity;sid:84692724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.147.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829623/; classtype:trojan-activity;sid:84692723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-3mbe.wertbash.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829622/; classtype:trojan-activity;sid:84692722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"80qqgwqb.wertbash.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829621/; classtype:trojan-activity;sid:84692721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829620)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.32.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829620/; classtype:trojan-activity;sid:84692720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat.wsf"; depth:8; endswith; nocase; http.host; content:"158.94.210.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829619/; classtype:trojan-activity;sid:84692719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat.wsf"; depth:8; endswith; nocase; http.host; content:"plugins-costs-nyc-boulevard.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829618/; classtype:trojan-activity;sid:84692718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat.bat"; depth:8; endswith; nocase; http.host; content:"plugins-costs-nyc-boulevard.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829616/; classtype:trojan-activity;sid:84692716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kru.zip"; depth:8; endswith; nocase; http.host; content:"plugins-costs-nyc-boulevard.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829617/; classtype:trojan-activity;sid:84692717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat.bat"; depth:8; endswith; nocase; http.host; content:"158.94.210.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829614/; classtype:trojan-activity;sid:84692714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kru.zip"; depth:8; endswith; nocase; http.host; content:"158.94.210.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829615/; classtype:trojan-activity;sid:84692715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.151.116.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829613/; classtype:trojan-activity;sid:84692713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdk-focus.sasdherk.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829612/; classtype:trojan-activity;sid:84692712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829611)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829611/; classtype:trojan-activity;sid:84692711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.233.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829610/; classtype:trojan-activity;sid:84692710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynspirea2.sasdherk.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829609/; classtype:trojan-activity;sid:84692709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.19.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829608/; classtype:trojan-activity;sid:84692708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.61.209.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829607/; 
classtype:trojan-activity;sid:84692707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.92.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829606/; classtype:trojan-activity;sid:84692706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p0rt.qazsadf.in.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829605/; classtype:trojan-activity;sid:84692705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.32.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829604/; classtype:trojan-activity;sid:84692704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.226.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829603/; classtype:trojan-activity;sid:84692703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"218.60.176.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829598/; classtype:trojan-activity;sid:84692698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.151.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829599/; classtype:trojan-activity;sid:84692699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.45.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829600/; classtype:trojan-activity;sid:84692700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.87.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829601/; classtype:trojan-activity;sid:84692701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dsff5.rentcad.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829602/; classtype:trojan-activity;sid:84692702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3829597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.240.198.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829597/; classtype:trojan-activity;sid:84692697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.240.198.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829596/; classtype:trojan-activity;sid:84692696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.159.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829594/; classtype:trojan-activity;sid:84692694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.159.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829595/; classtype:trojan-activity;sid:84692695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.69.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829593/; 
classtype:trojan-activity;sid:84692693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.59.82.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829575/; classtype:trojan-activity;sid:84692675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829576/; classtype:trojan-activity;sid:84692676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.235.249.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829577/; classtype:trojan-activity;sid:84692677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.38.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829578/; classtype:trojan-activity;sid:84692678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.67.213.82"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829579/; classtype:trojan-activity;sid:84692679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.226.178.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829580/; classtype:trojan-activity;sid:84692680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.87.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829581/; classtype:trojan-activity;sid:84692681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.181.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829582/; classtype:trojan-activity;sid:84692682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.237.157.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829583/; classtype:trojan-activity;sid:84692683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"27.219.44.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829584/; classtype:trojan-activity;sid:84692684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"139.213.32.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829585/; classtype:trojan-activity;sid:84692685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.151.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829586/; classtype:trojan-activity;sid:84692686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.192.254.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829587/; classtype:trojan-activity;sid:84692687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.21.29.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829588/; classtype:trojan-activity;sid:84692688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829589)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.87.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829589/; classtype:trojan-activity;sid:84692689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.16.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829590/; classtype:trojan-activity;sid:84692690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.97.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829591/; classtype:trojan-activity;sid:84692691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.101.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829592/; classtype:trojan-activity;sid:84692692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.235.221.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829572/; classtype:trojan-activity;sid:84692672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3829573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.107.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829573/; classtype:trojan-activity;sid:84692673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.119.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829574/; classtype:trojan-activity;sid:84692674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.88.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829565/; classtype:trojan-activity;sid:84692665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.49.213.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829566/; classtype:trojan-activity;sid:84692666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829567/; 
classtype:trojan-activity;sid:84692667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829568/; classtype:trojan-activity;sid:84692668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.176.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829569/; classtype:trojan-activity;sid:84692669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.36.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829570/; classtype:trojan-activity;sid:84692670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.84.219.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829571/; classtype:trojan-activity;sid:84692671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.210.86.124"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829561/; classtype:trojan-activity;sid:84692661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.29.9.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829562/; classtype:trojan-activity;sid:84692662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.142.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829563/; classtype:trojan-activity;sid:84692663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.88.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829564/; classtype:trojan-activity;sid:84692664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.237.157.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829560/; classtype:trojan-activity;sid:84692660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"112.226.178.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829559/; classtype:trojan-activity;sid:84692659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.55.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829557/; classtype:trojan-activity;sid:84692657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.218.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829558/; classtype:trojan-activity;sid:84692658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.232.53.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829550/; classtype:trojan-activity;sid:84692650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.131.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829551/; classtype:trojan-activity;sid:84692651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829552)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.88.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829552/; classtype:trojan-activity;sid:84692652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.119.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829553/; classtype:trojan-activity;sid:84692653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.66.41.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829554/; classtype:trojan-activity;sid:84692654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.29.9.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829555/; classtype:trojan-activity;sid:84692655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.38.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829556/; classtype:trojan-activity;sid:84692656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3829540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.88.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829540/; classtype:trojan-activity;sid:84692640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.238.27.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829541/; classtype:trojan-activity;sid:84692641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829542/; classtype:trojan-activity;sid:84692642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829543/; classtype:trojan-activity;sid:84692643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829544/; classtype:trojan-activity;sid:84692644; rev:1;) 
# URLhaus per-URL download signatures, entries created 2026_04_23 (one rule per URLhaus entry; the
# number in msg is the entry id used in the reference URL).
# Match shape shared by every rule below:
#   - outbound client request ($HOME_NET -> $EXTERNAL_NET, flow:established,from_client), method GET
#   - http.uri equals the listed path: depth is the pattern length and endswith pins the end (nocase)
#   - http.host equals the listed host: depth is the pattern length and isdataat:!1,relative
#     requires that no byte follows the match
# Triage notes:
#   - These are `alert http` rules, so they only see requests Suricata parses as HTTP; the same
#     host/path fetched over TLS is not inspected by them unless traffic is decrypted before the sensor.
#   - The URI patterns here ("/i", "/bin.sh") are short and generic; all specificity comes from the
#     http.host match, so do not relax the host condition when tuning.
#   - Destination port is `any`; the rules do not constrain the port.
#   - Several hosts are listed under both "/i" and "/bin.sh" (e.g. 221.15.143.42, 106.59.96.63), so
#     alerts for the same destination can arrive under different sids.
#   - NOTE(review): the hosts are bare IPv4 addresses with a created_at date only; confirm the
#     indicator is still listed at the reference URL before acting on an old alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.143.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829545/; classtype:trojan-activity;sid:84692645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.88.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829546/; classtype:trojan-activity;sid:84692646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.59.96.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829547/; classtype:trojan-activity;sid:84692647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.69.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829548/; classtype:trojan-activity;sid:84692648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.6.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829549/; classtype:trojan-activity;sid:84692649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.59.96.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829539/; classtype:trojan-activity;sid:84692639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.107.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829534/; classtype:trojan-activity;sid:84692634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.143.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829535/; classtype:trojan-activity;sid:84692635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.181.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829536/; classtype:trojan-activity;sid:84692636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.232.228.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829537/; classtype:trojan-activity;sid:84692637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.163.209.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829538/; classtype:trojan-activity;sid:84692638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.192.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829525/; classtype:trojan-activity;sid:84692625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.38.149.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829526/; classtype:trojan-activity;sid:84692626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.45.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829527/; classtype:trojan-activity;sid:84692627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.89.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829528/; classtype:trojan-activity;sid:84692628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.235.221.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829529/; classtype:trojan-activity;sid:84692629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.123.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829530/; classtype:trojan-activity;sid:84692630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.22.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829531/; classtype:trojan-activity;sid:84692631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.98.97.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829532/; classtype:trojan-activity;sid:84692632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.76.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829533/; classtype:trojan-activity;sid:84692633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829524/; classtype:trojan-activity;sid:84692624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.115.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829523/; classtype:trojan-activity;sid:84692623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.179.64.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829522/; classtype:trojan-activity;sid:84692622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.175.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829521/; classtype:trojan-activity;sid:84692621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.53.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829519/; classtype:trojan-activity;sid:84692619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.166.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829520/; classtype:trojan-activity;sid:84692620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.72.35.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829518/; classtype:trojan-activity;sid:84692618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.46.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829517/; classtype:trojan-activity;sid:84692617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.181.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829516/; classtype:trojan-activity;sid:84692616; rev:1;)
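# URLhaus per-URL download signatures, entries created 2026_04_23 (URLhaus ids between 3829454 and
# 3829515; the number in msg is the entry id used in the reference URL).
# Match shape shared by every rule below:
#   - outbound client request ($HOME_NET -> $EXTERNAL_NET, flow:established,from_client), method GET
#   - http.uri equals the listed path and query (nocase): depth caps where the pattern may sit and
#     endswith pins its end, so the match is exact only when depth is the pattern's byte length
#   - http.host equals the listed host: depth plus isdataat:!1,relative leaves no bytes after it
# Change made in this block: six rules whose URI contains |3f| ('?') carried a depth counted over
# the escaped text (|3f| counted as 4 characters instead of 1 byte). That allowed up to 3 arbitrary
# leading bytes before the pattern. depth now equals the decoded byte length. sid and rev are left
# as published; a feed refresh overwrites this edit, so the miscount is worth reporting upstream.
# Triage notes:
#   - These are `alert http` rules, so they only see requests Suricata parses as HTTP; the same
#     host/path fetched over TLS is not inspected by them unless traffic is decrypted before the sensor.
#   - Destination port is `any`; the rules do not constrain the port.
#   - Rules on shared hosting names (blogspot.com, usrfiles.com subdomains) are specific only through
#     the full host label plus path; do not relax either side when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.226.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829515/; classtype:trojan-activity;sid:84692615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.147.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829514/; classtype:trojan-activity;sid:84692614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.68.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829513/; classtype:trojan-activity;sid:84692613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.179.64.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829512/; classtype:trojan-activity;sid:84692612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.95.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829511/; classtype:trojan-activity;sid:84692611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.175.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829510/; classtype:trojan-activity;sid:84692610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.41.153.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829509/; classtype:trojan-activity;sid:84692609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.192.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829508/; classtype:trojan-activity;sid:84692608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.146.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829507/; classtype:trojan-activity;sid:84692607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.227.156.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829506/; classtype:trojan-activity;sid:84692606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.192.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829505/; classtype:trojan-activity;sid:84692605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.28.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829504/; classtype:trojan-activity;sid:84692604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.84.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829503/; classtype:trojan-activity;sid:84692603; rev:1;)
# The same 82-byte URI recurs below under several *.rentcad.in.net and *.sadfont.in.net hosts;
# each host has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pds6zjwn.rentcad.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829502/; classtype:trojan-activity;sid:84692602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.214.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829501/; classtype:trojan-activity;sid:84692601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.128.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829500/; classtype:trojan-activity;sid:84692600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"peak-lab.rentcad.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829499/; classtype:trojan-activity;sid:84692599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"151.41.153.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829498/; classtype:trojan-activity;sid:84692598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"majorbright.rentcad.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829497/; classtype:trojan-activity;sid:84692597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829496/; classtype:trojan-activity;sid:84692596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.173.199.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829495/; classtype:trojan-activity;sid:84692595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829494/; classtype:trojan-activity;sid:84692594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829493/; classtype:trojan-activity;sid:84692593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"voicebund.rentcad.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829492/; classtype:trojan-activity;sid:84692592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.72.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829491/; classtype:trojan-activity;sid:84692591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.0.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829489/; classtype:trojan-activity;sid:84692589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyp3-plate.rentcad.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829490/; classtype:trojan-activity;sid:84692590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.133.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829488/; classtype:trojan-activity;sid:84692588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.0.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829486/; classtype:trojan-activity;sid:84692586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.66.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829487/; classtype:trojan-activity;sid:84692587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkdraa6.rentcad.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829485/; classtype:trojan-activity;sid:84692585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gdvdjt.sadfont.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829484/; classtype:trojan-activity;sid:84692584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gran-sync.sadfont.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829483/; classtype:trojan-activity;sid:84692583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.44.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829482/; classtype:trojan-activity;sid:84692582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.173.199.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829481/; classtype:trojan-activity;sid:84692581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.95.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829480/; classtype:trojan-activity;sid:84692580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.10.133.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829479/; classtype:trojan-activity;sid:84692579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"north9-line.sadfont.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829478/; classtype:trojan-activity;sid:84692578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.183.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829477/; classtype:trojan-activity;sid:84692577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.128.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829476/; classtype:trojan-activity;sid:84692576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.96.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829475/; classtype:trojan-activity;sid:84692575; rev:1;)
# Same host and URI as sid 84692559 further down; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_5408372e708a48629b728d0ea386361c.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829474/; classtype:trojan-activity;sid:84692574; rev:1;)
# depth corrected 21 -> 18: "/ailimius.otd?m=1/" is 18 bytes once |3f| is decoded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ailimius.otd|3f|m=1/"; depth:18; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829472/; classtype:trojan-activity;sid:84692572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"himachaly17aplr.blogspot.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829473/; classtype:trojan-activity;sid:84692573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phukli.docx"; depth:12; endswith; nocase; http.host; content:"htlwub00k.blogspot.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829471/; classtype:trojan-activity;sid:84692571; rev:1;)
# depth corrected 20 -> 17: "/ailimius.otd?m=1" is 17 bytes once |3f| is decoded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ailimius.otd|3f|m=1"; depth:17; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829467/; classtype:trojan-activity;sid:84692567; rev:1;)
# Same host and URI as sid 84692554 further down; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829468/; classtype:trojan-activity;sid:84692568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_95941126f4e0499ba380d354c8f595e2.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829469/; classtype:trojan-activity;sid:84692569; rev:1;)
# depth corrected 16 -> 13: "/atom.xml?m=1" is 13 bytes once |3f| is decoded.
# Same host and URI as sid 84692561 further down; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml|3f|m=1"; depth:13; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829470/; classtype:trojan-activity;sid:84692570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_e294b64717f9404887beb0ddc0ef324e.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829465/; classtype:trojan-activity;sid:84692565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.224.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829466/; classtype:trojan-activity;sid:84692566; rev:1;)
# Same host and URI as sid 84692568 above; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829454/; classtype:trojan-activity;sid:84692554; rev:1;)
# NOTE(review): http.uri is the normalized URI buffer. If the sensor's HTTP path normalization
# collapses repeated '/', this literal run of slashes may never match; confirm against the
# sensor's libhtp settings or test the rule against http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//////////////////////////////////////scooba.docx.pdf"; depth:53; endswith; nocase; http.host; content:"himachaly17aplr.blogspot.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829455/; classtype:trojan-activity;sid:84692555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"nadcapfeb25-26.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829456/; classtype:trojan-activity;sid:84692556; rev:1;)
# depth corrected 17 -> 14: "/atom.xml?m=1/" is 14 bytes once |3f| is decoded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml|3f|m=1/"; depth:14; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829458/; classtype:trojan-activity;sid:84692558; rev:1;)
# Same host and URI as sid 84692574 above; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_5408372e708a48629b728d0ea386361c.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829459/; classtype:trojan-activity;sid:84692559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"htlwub00k.blogspot.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829460/; classtype:trojan-activity;sid:84692560; rev:1;)
# depth corrected 16 -> 13: "/atom.xml?m=1" is 13 bytes once |3f| is decoded.
# Same host and URI as sid 84692570 above; one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml|3f|m=1"; depth:13; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829461/; classtype:trojan-activity;sid:84692561; rev:1;)
# depth corrected 16 -> 13: "/atom.xml?m=1" is 13 bytes once |3f| is decoded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml|3f|m=1"; depth:13; endswith; nocase; http.host; content:"nadcapfeb25-26.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829462/; classtype:trojan-activity;sid:84692562; rev:1;)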
# URLhaus download-URL signatures, one rule per line.
#
# Each rule alerts on an outbound HTTP request ($HOME_NET -> $EXTERNAL_NET, established flow,
# client-to-server) when all three sticky-buffer checks hold:
#   - http.method contains "GET";
#   - http.uri equals the listed path: depth is the content's byte length and endswith pins the
#     end of the buffer; nocase makes the comparison case-insensitive;
#   - http.host equals the listed host or IP: depth is the content's length and
#     isdataat:!1,relative requires that no byte follows the match.
# metadata:created_at records the rule's creation date; reference:url names the URLhaus entry
# the rule was generated from.
#
# Operational notes:
#   - Only HTTP that Suricata can parse in clear text is inspected; the same URL requested over
#     HTTPS is not covered unless TLS is decrypted ahead of the sensor.
#   - Short URIs such as "/i" and "/bin.sh" are specific only in combination with the host check.
#   - The rules are point-in-time indicators (created_at 2026_04_23); hosts and IP addresses can
#     be reassigned, so the age of the entry matters when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/march.pdf"; depth:10; endswith; nocase; http.host; content:"nadcapfeb25-26.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829463/; classtype:trojan-activity;sid:84692563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ailimius.otd"; depth:13; endswith; nocase; http.host; content:"missusecapmrch.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829464/; classtype:trojan-activity;sid:84692564; rev:1;)
# The ".google" URI below recurs unchanged in this section across many subdomains of
# sadfont.in.net, qazsadf.in.net and wertbash.in.net; only the host differs between those rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"277lk6.sadfont.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829453/; classtype:trojan-activity;sid:84692553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"notifieropti.sadfont.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829452/; classtype:trojan-activity;sid:84692552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.44.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829451/; classtype:trojan-activity;sid:84692551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4sset3-node.qazsadf.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829450/; classtype:trojan-activity;sid:84692550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.139.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829449/; classtype:trojan-activity;sid:84692549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.171.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829448/; classtype:trojan-activity;sid:84692548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu1ck-flow.qazsadf.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829447/; classtype:trojan-activity;sid:84692547; rev:1;)
# 115.55.173.8 is listed here with "/i" and further down with "/bin.sh" (sid 84692540);
# 42.7.139.50 likewise appears with both paths (sids 84692549 and 84692538).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.173.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829446/; classtype:trojan-activity;sid:84692546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zkmoskj.qazsadf.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829445/; classtype:trojan-activity;sid:84692545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.177.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829444/; classtype:trojan-activity;sid:84692544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.82.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829443/; classtype:trojan-activity;sid:84692543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"753s.qazsadf.in.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829442/; classtype:trojan-activity;sid:84692542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"v3lve4-core.qazsadf.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829441/; classtype:trojan-activity;sid:84692541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.173.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829440/; classtype:trojan-activity;sid:84692540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr0vvt1-port.qazsadf.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829439/; classtype:trojan-activity;sid:84692539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.139.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829438/; classtype:trojan-activity;sid:84692538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829437/; classtype:trojan-activity;sid:84692537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829436/; classtype:trojan-activity;sid:84692536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-valeor.wertbash.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829435/; classtype:trojan-activity;sid:84692535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829434/; classtype:trojan-activity;sid:84692534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.103.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829433/; classtype:trojan-activity;sid:84692533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.249.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829432/; classtype:trojan-activity;sid:84692532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bui73.wertbash.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829431/; classtype:trojan-activity;sid:84692531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.174.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829430/; classtype:trojan-activity;sid:84692530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.145.130"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829429/; classtype:trojan-activity;sid:84692529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"so1id-sheet.wertbash.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829428/; classtype:trojan-activity;sid:84692528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829427/; classtype:trojan-activity;sid:84692527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"storsens.wertbash.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829426/; classtype:trojan-activity;sid:84692526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.249.123.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829425/; classtype:trojan-activity;sid:84692525; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.15.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829424/; classtype:trojan-activity;sid:84692524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ljzoiu.wertbash.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829423/; classtype:trojan-activity;sid:84692523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.249.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829422/; classtype:trojan-activity;sid:84692522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.64.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829421/; classtype:trojan-activity;sid:84692521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"221.10.192.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829420/; classtype:trojan-activity;sid:84692520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zencrest9um.wertbash.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829419/; classtype:trojan-activity;sid:84692519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ejm0c.sasdherk.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829418/; classtype:trojan-activity;sid:84692518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.103.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829417/; classtype:trojan-activity;sid:84692517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.57.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829416/; 
classtype:trojan-activity;sid:84692516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829415/; classtype:trojan-activity;sid:84692515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ambe1-point.sasdherk.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829414/; classtype:trojan-activity;sid:84692514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"port-dat.sasdherk.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829413/; classtype:trojan-activity;sid:84692513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.57.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829412/; classtype:trojan-activity;sid:84692512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829410)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salesplataniik-commits/updates/v1/1583.txt"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829410/; classtype:trojan-activity;sid:84692510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salesplataniik-commits/sales/raw/refs/heads/main/nrrwihqidthwszel.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829411/; classtype:trojan-activity;sid:84692511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.64.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829409/; classtype:trojan-activity;sid:84692509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pulspost.sasdherk.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829408/; classtype:trojan-activity;sid:84692508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; 
content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829405/; classtype:trojan-activity;sid:84692505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829406/; classtype:trojan-activity;sid:84692506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829407/; classtype:trojan-activity;sid:84692507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829387/; classtype:trojan-activity;sid:84692487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/x86"; depth:11; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829388/; classtype:trojan-activity;sid:84692488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829389)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829389/; classtype:trojan-activity;sid:84692489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/triangle"; depth:9; endswith; nocase; http.host; content:"69.10.36.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829390/; classtype:trojan-activity;sid:84692490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829391/; classtype:trojan-activity;sid:84692491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829392/; classtype:trojan-activity;sid:84692492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829393/; classtype:trojan-activity;sid:84692493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3829394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829394/; classtype:trojan-activity;sid:84692494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829395/; classtype:trojan-activity;sid:84692495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829396/; classtype:trojan-activity;sid:84692496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829397/; classtype:trojan-activity;sid:84692497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829398/; 
classtype:trojan-activity;sid:84692498; rev:1;)
# Layout: each rule below is kept on one physical line. Suricata reads one rule per line
# unless the line ends in a backslash continuation, so a rule wrapped mid-way does not load.
#
# Every rule in this section uses the same template:
#   - alert http $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: an outbound
#     client request on an established flow. Only request buffers are inspected, so an alert
#     records a download attempt; it does not show that a payload was delivered.
#   - http.method content "GET".
#   - http.uri content with depth:N + endswith + nocase: the whole URI buffer must equal the
#     listed path (case-insensitive). A request that adds a query string or a further path
#     segment does not match.
#   - http.host content with depth:N + isdataat:!1,relative: the whole host buffer must equal
#     the listed host. NOTE(review): confirm how the deployed Suricata version populates
#     http.host when the Host header carries an explicit port.
#   - metadata:created_at is the listing date; reference:url points at the URLhaus entry whose
#     id also appears in msg.
# These are exact-match indicators: they go stale as soon as the path or host changes, so keep
# the feed refreshed and treat a hit as a lead for host triage rather than as a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829399/; classtype:trojan-activity;sid:84692499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gertgherthre.exe"; depth:17; endswith; nocase; http.host; content:"62.60.226.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829400/; classtype:trojan-activity;sid:84692500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829401/; classtype:trojan-activity;sid:84692501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829402/; classtype:trojan-activity;sid:84692502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829403/; classtype:trojan-activity;sid:84692503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.109.100.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829404/; classtype:trojan-activity;sid:84692504; rev:1;)
# Most of the remaining entries in this section pin http.host to 45.156.87.91 and differ only
# in the file name: architecture-style names (x86_64, mipsel, armv5l, ...), some with a dlr. or
# svc. prefix, listed both at / and under /update/. Several alerts from one internal source
# against this host within a short window are best triaged as a single event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/x86_64"; depth:14; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829384/; classtype:trojan-activity;sid:84692484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.arm"; depth:15; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829385/; classtype:trojan-activity;sid:84692485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.x86_64"; depth:18; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829386/; classtype:trojan-activity;sid:84692486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.sh"; depth:12; endswith; nocase; http.host; content:"23.140.244.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829383/; classtype:trojan-activity;sid:84692483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52.exe"; depth:7; endswith; nocase; http.host; content:"168.222.254.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829380/; classtype:trojan-activity;sid:84692480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5252.exe"; depth:9; endswith; nocase; http.host; content:"168.222.254.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829381/; classtype:trojan-activity;sid:84692481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app"; depth:4; endswith; nocase; http.host; content:"desktop-version.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829382/; classtype:trojan-activity;sid:84692482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829378/; classtype:trojan-activity;sid:84692479; rev:1;)
# sid 84692479 pins http.host to github.com. As an `alert http` rule it can only match where
# the request is parsed as cleartext HTTP; a fetch of the same path over TLS is not visible to
# it unless traffic is decrypted upstream of the sensor. Absence of this alert is therefore not
# evidence that the file was never requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inqcode/skq12kjj3jj1/raw/refs/heads/main/svchost.zowner"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829379/; classtype:trojan-activity;sid:84692479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829376/; classtype:trojan-activity;sid:84692476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/mipsel"; depth:14; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829377/; classtype:trojan-activity;sid:84692477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.x86"; depth:8; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829364/; classtype:trojan-activity;sid:84692464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.mpsl"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829365/; classtype:trojan-activity;sid:84692465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.mips"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829366/; classtype:trojan-activity;sid:84692466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/armv5l"; depth:14; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829367/; classtype:trojan-activity;sid:84692467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.arm7"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829368/; classtype:trojan-activity;sid:84692468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.arm64"; depth:17; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829369/; classtype:trojan-activity;sid:84692469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.arm"; depth:15; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829370/; classtype:trojan-activity;sid:84692470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829371/; classtype:trojan-activity;sid:84692471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm64"; depth:10; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829372/; classtype:trojan-activity;sid:84692472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.x86"; depth:15; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829373/; classtype:trojan-activity;sid:84692473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.mips"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829374/; classtype:trojan-activity;sid:84692474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.mpsl"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829375/; classtype:trojan-activity;sid:84692475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.arm7"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829350/; classtype:trojan-activity;sid:84692450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86"; depth:8; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829351/; classtype:trojan-activity;sid:84692451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829352/; classtype:trojan-activity;sid:84692452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829353/; classtype:trojan-activity;sid:84692453; rev:1;)
# Layout: each rule in this section is kept on one physical line, because Suricata reads one
# rule per line unless the line ends in a backslash continuation.
#
# How to read these entries: each one alerts on an outbound GET request (HOME_NET to
# EXTERNAL_NET, flow:established,from_client) whose http.uri buffer equals the listed path
# (depth:N + endswith, nocase) and whose http.host buffer equals the listed host
# (depth:N + isdataat:!1,relative). Only the request is inspected, so a hit shows that a
# client asked for the URL, not that a payload was delivered. A request carrying a query
# string or a different host spelling does not match.
# NOTE(review): confirm how the deployed Suricata version fills http.host when the Host header
# includes an explicit port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829354/; classtype:trojan-activity;sid:84692454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/armv7l"; depth:14; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829355/; classtype:trojan-activity;sid:84692455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829356/; classtype:trojan-activity;sid:84692456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829357/; classtype:trojan-activity;sid:84692457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/svc.arm64"; depth:17; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829358/; classtype:trojan-activity;sid:84692458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.x86_64"; depth:11; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829359/; classtype:trojan-activity;sid:84692459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829360/; classtype:trojan-activity;sid:84692460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/mips"; depth:12; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829361/; classtype:trojan-activity;sid:84692461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.x86"; depth:15; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829362/; classtype:trojan-activity;sid:84692462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.arm"; depth:8; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829363/; classtype:trojan-activity;sid:84692463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.mips"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829345/; classtype:trojan-activity;sid:84692445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/arm64"; depth:13; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829346/; classtype:trojan-activity;sid:84692446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svc.arm64"; depth:10; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829347/; classtype:trojan-activity;sid:84692447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wawan.sh"; depth:9; endswith; nocase; http.host; content:"144.172.98.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829348/; classtype:trojan-activity;sid:84692448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829349/; classtype:trojan-activity;sid:84692449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.mpsl"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829342/; classtype:trojan-activity;sid:84692442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/dlr.arm7"; depth:16; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829343/; classtype:trojan-activity;sid:84692443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829344/; classtype:trojan-activity;sid:84692444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/d"; depth:9; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829341/; classtype:trojan-activity;sid:84692441; rev:1;)
# Paths such as "/d", "/i" and "/bin.sh" in the entries that follow are short and generic; the
# exact http.host match is the only thing that makes these rules specific. When tuning for
# false positives, suppress by source or sid rather than loosening the host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; endswith; nocase; http.host; content:"45.156.87.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829340/; classtype:trojan-activity;sid:84692440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.36.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829339/; classtype:trojan-activity;sid:84692439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.69.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829338/; classtype:trojan-activity;sid:84692438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.194.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829337/; classtype:trojan-activity;sid:84692437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.145.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829336/; classtype:trojan-activity;sid:84692436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829334/; classtype:trojan-activity;sid:84692434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829335/; classtype:trojan-activity;sid:84692435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_spc"; depth:18; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829333/; classtype:trojan-activity;sid:84692433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.95.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829332/; classtype:trojan-activity;sid:84692432; rev:1;)
# The entries with the 82-byte "/05fe317c-.../ck-....google" path share one URI and differ only
# in http.host (subdomains of sasdherk.in.net, svolota-player.in.net and
# histor5corching.in.net in this section). Each hostname is matched exactly, so a sibling
# subdomain that the feed has not listed yet raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"encod-logic.sasdherk.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829330/; classtype:trojan-activity;sid:84692430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829331/; classtype:trojan-activity;sid:84692431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.103.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829329/; classtype:trojan-activity;sid:84692429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.5.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829328/; classtype:trojan-activity;sid:84692428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.252.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829327/; classtype:trojan-activity;sid:84692427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crawleramp.sasdherk.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829326/; classtype:trojan-activity;sid:84692426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.69.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829325/; classtype:trojan-activity;sid:84692425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haus-5.svolota-player.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829324/; classtype:trojan-activity;sid:84692424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-3m.svolota-player.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829323/; classtype:trojan-activity;sid:84692423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.187.45.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829322/; classtype:trojan-activity;sid:84692422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.30.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829321/; classtype:trojan-activity;sid:84692421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.236.46.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829320/; classtype:trojan-activity;sid:84692420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-9.svolota-player.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829319/; classtype:trojan-activity;sid:84692419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.95.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829318/; classtype:trojan-activity;sid:84692418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.36.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829317/; classtype:trojan-activity;sid:84692417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mond-1v.svolota-player.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829316/; classtype:trojan-activity;sid:84692416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.252.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829315/; classtype:trojan-activity;sid:84692415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.162.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829314/; classtype:trojan-activity;sid:84692414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-2.svolota-player.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829313/; classtype:trojan-activity;sid:84692413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-4z.svolota-player.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829312/; classtype:trojan-activity;sid:84692412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"berg-8.histor5corching.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829311/; classtype:trojan-activity;sid:84692411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.41.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829310/; classtype:trojan-activity;sid:84692410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.86.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829309/; classtype:trojan-activity;sid:84692409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.148.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829308/; classtype:trojan-activity;sid:84692408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.211.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829307/; classtype:trojan-activity;sid:84692407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.86.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829306/; classtype:trojan-activity;sid:84692406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.36.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829305/; classtype:trojan-activity;sid:84692405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-3k.histor5corching.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829304/; classtype:trojan-activity;sid:84692404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-7.histor5corching.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829303/; classtype:trojan-activity;sid:84692403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.13.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829302/; classtype:trojan-activity;sid:84692402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.117.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829301/; classtype:trojan-activity;sid:84692401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wald-2x.histor5corching.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829300/; classtype:trojan-activity;sid:84692400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-5.histor5corching.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829299/; classtype:trojan-activity;sid:84692399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.45.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829297/; classtype:trojan-activity;sid:84692397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.211.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829298/; classtype:trojan-activity;sid:84692398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.249.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; 
reference:url, urlhaus.abuse.ch/url/3829296/; classtype:trojan-activity;sid:84692396; rev:1;)
# NOTE(review): each signature here is a whole-buffer exact match.
# "depth:<len>; endswith;" pins http.uri to exactly the listed path, and
# "depth:<len>; isdataat:!1,relative;" pins http.host to exactly the listed host.
# A request for the same path with a query string appended, or to a sibling
# hostname under the same parent domain, is therefore not covered by that rule.
# "alert http" also only fires on traffic Suricata parses as HTTP; whether the
# listed URLs are served over http or https cannot be told from the rule itself,
# so check the URLhaus reference before relying on these for TLS-served hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.82.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829295/; classtype:trojan-activity;sid:84692395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-9q.histor5corching.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829294/; classtype:trojan-activity;sid:84692394; rev:1;)
# NOTE(review): the next two rules (sid 84692392 and 84692393) have identical
# match conditions and differ only in msg id, reference and sid, so a single
# request raises two alerts. Presumably the two URLhaus entries differ in
# something the signature does not encode (e.g. scheme or port) - confirm via
# the references, and de-duplicate on host + uri downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-6.blackbirdr0ot.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829292/; classtype:trojan-activity;sid:84692392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-6.blackbirdr0ot.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829293/; classtype:trojan-activity;sid:84692393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.227.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829291/; classtype:trojan-activity;sid:84692391; rev:1;)
# NOTE(review): duplicate pair - sid 84692389 and 84692390 match the same
# host and URI, so both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-4b.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829289/; classtype:trojan-activity;sid:84692389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-4b.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829290/; classtype:trojan-activity;sid:84692390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.249.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829288/; classtype:trojan-activity;sid:84692388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.84.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829287/; classtype:trojan-activity;sid:84692387; rev:1;)
# NOTE(review): duplicate pair - sid 84692386 and 84692385 match the same
# host and URI, so both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-3.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829286/; classtype:trojan-activity;sid:84692386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-3.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829285/; classtype:trojan-activity;sid:84692385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.109.207.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829284/; classtype:trojan-activity;sid:84692384; rev:1;)
# NOTE(review): duplicate pair - sid 84692382 and 84692383 match the same
# host and URI, so both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moon-5z.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829282/; classtype:trojan-activity;sid:84692382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moon-5z.blackbirdr0ot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829283/; classtype:trojan-activity;sid:84692383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.177.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829281/; classtype:trojan-activity;sid:84692381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"land-9.multi-machine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829280/; classtype:trojan-activity;sid:84692380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"101.109.207.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829279/; classtype:trojan-activity;sid:84692379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-1p.multi-machine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829278/; classtype:trojan-activity;sid:84692378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.242.5.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829277/; classtype:trojan-activity;sid:84692377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-3.multi-machine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829276/; classtype:trojan-activity;sid:84692376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.161.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829275/; 
classtype:trojan-activity;sid:84692375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zeit-6x.multi-machine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829274/; classtype:trojan-activity;sid:84692374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-2.multi-machine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829273/; classtype:trojan-activity;sid:84692373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iron-8v.multi-machine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829272/; classtype:trojan-activity;sid:84692372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"berg-5.idol-worship.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, 
urlhaus.abuse.ch/url/3829271/; classtype:trojan-activity;sid:84692371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.164.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829270/; classtype:trojan-activity;sid:84692370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-3z.idol-worship.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829269/; classtype:trojan-activity;sid:84692369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.82.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829268/; classtype:trojan-activity;sid:84692368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-7.idol-worship.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829267/; classtype:trojan-activity;sid:84692367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3829266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.136.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829266/; classtype:trojan-activity;sid:84692366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"baum-1s.idol-worship.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829265/; classtype:trojan-activity;sid:84692365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-9.idol-worship.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829264/; classtype:trojan-activity;sid:84692364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.153.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829263/; classtype:trojan-activity;sid:84692363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.234.204.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829262/; classtype:trojan-activity;sid:84692362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-4c.idol-worship.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829261/; classtype:trojan-activity;sid:84692361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.96.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829260/; classtype:trojan-activity;sid:84692360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haus-4.greecesco7es.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829259/; classtype:trojan-activity;sid:84692359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.25.188.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829258/; 
classtype:trojan-activity;sid:84692358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-x8.greecesco7es.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829257/; classtype:trojan-activity;sid:84692357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.136.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829256/; classtype:trojan-activity;sid:84692356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.33.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829255/; classtype:trojan-activity;sid:84692355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-1.greecesco7es.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829254/; classtype:trojan-activity;sid:84692354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829253)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.96.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829253/; classtype:trojan-activity;sid:84692353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mond-q7.greecesco7es.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829252/; classtype:trojan-activity;sid:84692352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.204.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829251/; classtype:trojan-activity;sid:84692351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-5.greecesco7es.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829250/; classtype:trojan-activity;sid:84692350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.64.176"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829249/; classtype:trojan-activity;sid:84692349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fire-2m.greecesco7es.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829248/; classtype:trojan-activity;sid:84692348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.25.188.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829247/; classtype:trojan-activity;sid:84692347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.230.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829246/; classtype:trojan-activity;sid:84692346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wald-9.credibil-debauch.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829245/; classtype:trojan-activity;sid:84692345; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.26.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829244/; classtype:trojan-activity;sid:84692344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"petit-y1.credibil-debauch.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829243/; classtype:trojan-activity;sid:84692343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-6.credibil-debauch.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829242/; classtype:trojan-activity;sid:84692342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.64.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829241/; classtype:trojan-activity;sid:84692341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829240)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geld-x5.credibil-debauch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829240/; classtype:trojan-activity;sid:84692340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.26.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829239/; classtype:trojan-activity;sid:84692339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-3.credibil-debauch.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829238/; classtype:trojan-activity;sid:84692338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"star-8v.credibil-debauch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829237/; classtype:trojan-activity;sid:84692337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829236)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"land-2.decay5obes.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829236/; classtype:trojan-activity;sid:84692336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829235/; classtype:trojan-activity;sid:84692335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-s6.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829234/; classtype:trojan-activity;sid:84692334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-4.decay5obes.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829233/; classtype:trojan-activity;sid:84692333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"153.0.69.242"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829232/; classtype:trojan-activity;sid:84692332; rev:1;)
# NOTE(review): the next three rules (sid 84692331, 84692330, 84692329) share one 82-byte http.uri value and
# differ only in the label under decay5obes.in.net. Each http.host match is exact (depth:<len> plus
# isdataat:!1,relative), so a subdomain label the feed has not listed yet is not covered by them. Searching
# proxy/HTTP logs for the URI itself is a useful complement to these per-host signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"berg-9z.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829231/; classtype:trojan-activity;sid:84692331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rouge-1.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829230/; classtype:trojan-activity;sid:84692330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-5b.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829229/; classtype:trojan-activity;sid:84692329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.49.213.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; 
reference:url, urlhaus.abuse.ch/url/3829228/; classtype:trojan-activity;sid:84692328; rev:1;)
# NOTE(review): how to read these signatures. On http.uri, depth:<content length> together with endswith pins
# the whole buffer to the quoted string (nocase makes that comparison case-insensitive), so the same path with
# anything appended, e.g. a query string, does not match. On http.host, depth:<content length> together with
# isdataat:!1,relative does the same for the host value. A 2-byte URI such as "/i" is therefore only as
# specific as the host it is paired with. For bare-IP hosts, use metadata:created_at when triaging an alert:
# the rule itself says nothing about whether the address still serves the sample.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.33.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829227/; classtype:trojan-activity;sid:84692327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zeit-w2.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829226/; classtype:trojan-activity;sid:84692326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.65.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829224/; classtype:trojan-activity;sid:84692324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.182.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829225/; classtype:trojan-activity;sid:84692325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829223)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.89.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829223/; classtype:trojan-activity;sid:84692323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vert-4m.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829222/; classtype:trojan-activity;sid:84692322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-9.diet-lanolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829221/; classtype:trojan-activity;sid:84692321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"153.0.69.242"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829220/; classtype:trojan-activity;sid:84692320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.86.82"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_23; reference:url, urlhaus.abuse.ch/url/3829219/; classtype:trojan-activity;sid:84692319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"holz-v1.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829218/; classtype:trojan-activity;sid:84692318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.232.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829217/; classtype:trojan-activity;sid:84692317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829216/; classtype:trojan-activity;sid:84692316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-8k.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829215/; classtype:trojan-activity;sid:84692315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3829214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829214/; classtype:trojan-activity;sid:84692314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.104.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829213/; classtype:trojan-activity;sid:84692313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-3.diet-lanolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829212/; classtype:trojan-activity;sid:84692312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oualiide/manageengine-desktop-central-crack/refs/heads/master/ectocondyloid/central-crack-desktop-manage-engine-v2.7.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829211/; classtype:trojan-activity;sid:84692311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829208)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gamevoid2366/authcrack-v8/raw/refs/heads/main/characteristically/auth-crack-v-2.1.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829208/; classtype:trojan-activity;sid:84692308; rev:1;)
# NOTE(review): the github.com / raw.githubusercontent.com rules here are `alert http` signatures on
# http.uri and http.host, so they only inspect cleartext HTTP or traffic the sensor has already decrypted.
# These hosts are normally reached over HTTPS, so expect little or no coverage from these sids without TLS
# inspection (confirm against the sensor deployment). The host is a shared platform, so the http.host value
# alone identifies nothing; the exact http.uri path is what ties an alert to the listed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oualiide/manageengine-desktop-central-crack/raw/refs/heads/master/ectocondyloid/central-crack-desktop-manage-engine-v2.7.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829209/; classtype:trojan-activity;sid:84692309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/cloudweb/raw/refs/heads/main/unshattered/software_v3.4-beta.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829210/; classtype:trojan-activity;sid:84692310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sanfin/jsoncrack.com/raw/refs/heads/main/public/assets/com-jsoncrack-3.3-beta.3.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829202/; classtype:trojan-activity;sid:84692302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829203)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jcalumag19/cloudweb/refs/heads/main/unshattered/software_v3.4-beta.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829203/; classtype:trojan-activity;sid:84692303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sanfin/jsoncrack.com/refs/heads/main/public/assets/com-jsoncrack-3.3-beta.3.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829204/; classtype:trojan-activity;sid:84692304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamevoid2366/authcrack-v8/refs/heads/main/characteristically/auth-crack-v-2.1.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829205/; classtype:trojan-activity;sid:84692305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/vercel/refs/heads/main/methylanthracene/software_1.9.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829206/; classtype:trojan-activity;sid:84692306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829207)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jcalumag19/todo/refs/heads/main/eyeberry/software_v3.2.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829207/; classtype:trojan-activity;sid:84692307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/vercel/raw/refs/heads/main/methylanthracene/software_1.9.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829201/; classtype:trojan-activity;sid:84692301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/hash_crack/raw/refs/heads/main/node_modules/reveal.js/plugin/search/crack_hash_v3.4.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829199/; classtype:trojan-activity;sid:84692299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/todo/raw/refs/heads/main/eyeberry/software_v3.2.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829200/; classtype:trojan-activity;sid:84692300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829198)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jcalumag19/web/raw/refs/heads/main/reticence/software-uncivilish.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829198/; classtype:trojan-activity;sid:84692298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/hash_crack/refs/heads/main/node_modules/reveal.js/plugin/search/crack_hash_v3.4.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829196/; classtype:trojan-activity;sid:84692296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/web/refs/heads/main/reticence/software-uncivilish.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829197/; classtype:trojan-activity;sid:84692297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.65.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829195/; classtype:trojan-activity;sid:84692295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"vert-4m.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829194/; classtype:trojan-activity;sid:84692294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.68.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829193/; classtype:trojan-activity;sid:84692293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.175.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829192/; classtype:trojan-activity;sid:84692292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-9.diet-lanolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829191/; classtype:trojan-activity;sid:84692291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.170.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829190/; classtype:trojan-activity;sid:84692290; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.232.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829189/; classtype:trojan-activity;sid:84692289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"holz-v1.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829188/; classtype:trojan-activity;sid:84692288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bleu-8k.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829187/; classtype:trojan-activity;sid:84692287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.249.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829186/; classtype:trojan-activity;sid:84692286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829185)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-3.diet-lanolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829185/; classtype:trojan-activity;sid:84692285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.170.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829184/; classtype:trojan-activity;sid:84692284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.185.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829183/; classtype:trojan-activity;sid:84692283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kalt-m5.infirmary5care.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829182/; classtype:trojan-activity;sid:84692282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"petit-7.infirmary5care.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829181/; classtype:trojan-activity;sid:84692281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.103.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829180/; classtype:trojan-activity;sid:84692280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/autopasscrack/raw/refs/heads/main/autopasscrack/auto_pass_crack_v3.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829173/; classtype:trojan-activity;sid:84692273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/whiteboxaescrack/raw/refs/heads/main/fonts/white-crack-box-aes-v2.5.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829174/; classtype:trojan-activity;sid:84692274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/shakti-site/refs/heads/main/unseclusive/site_shakti_1.5-alpha.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3829175/; classtype:trojan-activity;sid:84692275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/shakti-site/raw/refs/heads/main/unseclusive/site_shakti_1.5-alpha.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829176/; classtype:trojan-activity;sid:84692276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chotu120/batcrack/refs/heads/master/internal/cracker/crack_bat_v2.8-beta.5.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829177/; classtype:trojan-activity;sid:84692277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chotu120/batcrack/raw/refs/heads/master/internal/cracker/crack_bat_v2.8-beta.5.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829178/; classtype:trojan-activity;sid:84692278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/valentine/raw/refs/heads/main/effortful/software-2.3.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3829179/; classtype:trojan-activity;sid:84692279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/whiteboxaescrack/refs/heads/main/fonts/white-crack-box-aes-v2.5.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829170/; classtype:trojan-activity;sid:84692270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/autopasscrack/refs/heads/main/autopasscrack/auto_pass_crack_v3.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829171/; classtype:trojan-activity;sid:84692271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/valentine/refs/heads/main/effortful/software-2.3.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829172/; classtype:trojan-activity;sid:84692272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-2x.infirmary5care.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3829169/; classtype:trojan-activity;sid:84692269; rev:1;)
# URLhaus download-URL indicators, one Suricata rule per reported URL.
# How each rule matches:
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: the alert is raised on the
#     outbound GET, so the alert's source address is the internal host to triage.
#   - http.uri content + depth:<pattern length> + endswith + nocase: the pattern has to fill the
#     whole URI buffer (case-insensitively). It is an exact match, not a substring match.
#   - http.host content + depth:<pattern length> + isdataat:!1,relative: exact match on the
#     host buffer. This is what keeps generic paths such as "/i" and "/bin.sh" specific.
#   - In the rules shown here sid = URLhaus id + 80863100, and reference:url points back to
#     the URLhaus entry for context.
# Coverage notes:
#   - "alert http" only sees HTTP the sensor can parse in cleartext. github.com and
#     raw.githubusercontent.com are normally served over HTTPS, so those entries presumably
#     fire only on a plain-http request or behind TLS inspection. Pair them with proxy or
#     endpoint download logs.
#   - The rule matches the request only. Check the HTTP response / file logs before concluding
#     that the payload was actually delivered.
#   - Several entries below share one URI (".../ck-3d80df5d12cdfe6450a782fc87bf66b444.google")
#     across many subdomains of infirmary5care.in.net and de6xamel.in.net. For hunting, pivot
#     on the shared path or the parent domain rather than on each host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.178.91.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829168/; classtype:trojan-activity;sid:84692268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recordtrablade/wallpaper-engine-cracked-2026/releases/download/new/wallpaperengine-2.7.3-x64.rar"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829167/; classtype:trojan-activity;sid:84692267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/violetworkersky/minecraft-vape-v4-download-cracked/releases/download/new/minecraftvapev4-x64.rar"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829166/; classtype:trojan-activity;sid:84692266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"baum-z9.infirmary5care.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829164/; classtype:trojan-activity;sid:84692264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mediatorvault/expressvpn-cracked-version/releases/download/new/setup_expressvpn_pro-x64.rar"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829165/; classtype:trojan-activity;sid:84692265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.230.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829163/; classtype:trojan-activity;sid:84692263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.203.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829162/; classtype:trojan-activity;sid:84692262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skyroutecaptivate/crack-adobe-indesign-2026/releases/download/new/crack_indesign_2026_win64.rar"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829161/; classtype:trojan-activity;sid:84692261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829160/; classtype:trojan-activity;sid:84692260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"noir-4.infirmary5care.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829159/; classtype:trojan-activity;sid:84692259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.234.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829158/; classtype:trojan-activity;sid:84692258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d24c91a-8b5e-4f72-9136-735f0b4de1a8/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-1q.infirmary5care.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829157/; classtype:trojan-activity;sid:84692257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haul-cache.de6xamel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829156/; classtype:trojan-activity;sid:84692256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.178.91.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829155/; classtype:trojan-activity;sid:84692255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auranyuentrance/crack-adobe-illustrator-2026/releases/download/new/illustrator2026_31.0_x64.rar"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829154/; classtype:trojan-activity;sid:84692254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pin30-sync.de6xamel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829153/; classtype:trojan-activity;sid:84692253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skinflareckon10/crack-adobe-premiere-2026/releases/download/new/premierepro2026_28.0_x64.rar"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829152/; classtype:trojan-activity;sid:84692252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clad-chrism998/wasmcrack/raw/refs/heads/main/src/wasmcrack/struct_solver/wasm_crack_3.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829149/; classtype:trojan-activity;sid:84692249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pammyhangdog747/claude-cracks-the-whip/refs/heads/main/lapidarist/the_cracks_whip_claude_3.0.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829150/; classtype:trojan-activity;sid:84692250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pammyhangdog747/claude-cracks-the-whip/raw/refs/heads/main/lapidarist/the_cracks_whip_claude_3.0.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829151/; classtype:trojan-activity;sid:84692251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clad-chrism998/wasmcrack/refs/heads/main/src/wasmcrack/struct_solver/wasm_crack_3.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829148/; classtype:trojan-activity;sid:84692248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scamanif.de6xamel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829147/; classtype:trojan-activity;sid:84692247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.234.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829146/; classtype:trojan-activity;sid:84692246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.203.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829145/; classtype:trojan-activity;sid:84692245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mxt0kl.de6xamel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829144/; classtype:trojan-activity;sid:84692244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.12.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829143/; classtype:trojan-activity;sid:84692243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829142/; classtype:trojan-activity;sid:84692242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p68x.de6xamel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829141/; classtype:trojan-activity;sid:84692241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"value-quota.wi9sorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829140/; 
classtype:trojan-activity;sid:84692240; rev:1;)
# URLhaus download-URL indicators: each rule is an exact (URI, Host) pair for one reported
# URL, matched on the outbound GET from $HOME_NET (depth:<length> + endswith pins the URI,
# depth:<length> + isdataat:!1,relative pins the host).
# Most entries in this run are archives hosted in GitHub repositories. The same file is
# usually listed twice, once per URL form:
#   github.com/<account>/<repo>/raw/refs/heads/<branch>/...
#   raw.githubusercontent.com/<account>/<repo>/refs/heads/<branch>/...
# Notes for whoever deploys these:
#   - The host part is a shared, legitimate platform, so only the URI makes the rule specific.
#     Do not reduce these entries to host-only blocks.
#   - "alert http" inspects cleartext HTTP only. Both hosts are normally reached over HTTPS,
#     so these signatures presumably need TLS inspection (or a plain-http request) to fire.
#     Check the same paths in proxy and endpoint download telemetry.
#   - A few account names recur across several repositories in this run. Searching logs for
#     the account prefix of the path may surface related downloads that have no rule yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vaul2-sheet.de6xamel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829138/; classtype:trojan-activity;sid:84692238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devjinma/crackftp/refs/heads/main/therence/ftp-crack-v3.7.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829139/; classtype:trojan-activity;sid:84692239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heicn.wi9sorin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829137/; classtype:trojan-activity;sid:84692237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/grandaland/refs/heads/main/bournless/software-3.9.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829136/; classtype:trojan-activity;sid:84692236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/prueva/raw/refs/heads/master/merycoidodon/software-v3.0.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829131/; classtype:trojan-activity;sid:84692231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/hash_buster/raw/refs/heads/drylikov/erythrosiderite/hash_buster_hydrophinae.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829132/; classtype:trojan-activity;sid:84692232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/grandaland/raw/refs/heads/main/bournless/software-3.9.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829133/; classtype:trojan-activity;sid:84692233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/prueva/refs/heads/master/merycoidodon/software-v3.0.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829134/; classtype:trojan-activity;sid:84692234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/guvann1/raw/refs/heads/main/confirmatory/guvann-v1.7.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829135/; classtype:trojan-activity;sid:84692235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/cyjl/raw/refs/heads/main/assets/software-3.3.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829119/; classtype:trojan-activity;sid:84692219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/devcrack-mobile-interviews/refs/heads/main/credit/mobile-dev-interviews-crack-v3.2-alpha.1.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829120/; classtype:trojan-activity;sid:84692220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luffy1402/crackftp-la/raw/refs/heads/main/gimped/ftp-la-crack-unenslave.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829121/; classtype:trojan-activity;sid:84692221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/cyjl/refs/heads/main/assets/software-3.3.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829122/; classtype:trojan-activity;sid:84692222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luffy1402/crackftp-la/refs/heads/main/gimped/ftp-la-crack-unenslave.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829123/; classtype:trojan-activity;sid:84692223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/online-timer.github.io/refs/heads/main/font/online_timer_io_github_swainship.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829124/; classtype:trojan-activity;sid:84692224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/cursor-reset/raw/refs/heads/main/olympiadic/cursor_reset_1.3.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829125/; classtype:trojan-activity;sid:84692225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/social-bar/raw/refs/heads/gh-pages/fonts/social-bar-v3.8-alpha.3.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829126/; classtype:trojan-activity;sid:84692226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devjinma/crackftp/raw/refs/heads/main/therence/ftp-crack-v3.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829127/; classtype:trojan-activity;sid:84692227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/online-timer.github.io/raw/refs/heads/main/font/online_timer_io_github_swainship.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829128/; classtype:trojan-activity;sid:84692228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/devcrack-mobile-interviews/raw/refs/heads/main/credit/mobile-dev-interviews-crack-v3.2-alpha.1.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829129/; classtype:trojan-activity;sid:84692229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/social-bar/refs/heads/gh-pages/fonts/social-bar-v3.8-alpha.3.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829130/; classtype:trojan-activity;sid:84692230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/cursor-reset/refs/heads/main/olympiadic/cursor_reset_1.3.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829116/; classtype:trojan-activity;sid:84692216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/guvann1/refs/heads/main/confirmatory/guvann-v1.7.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829117/; classtype:trojan-activity;sid:84692217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/hash_buster/refs/heads/drylikov/erythrosiderite/hash_buster_hydrophinae.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829118/; classtype:trojan-activity;sid:84692218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829115)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-5h4d.wi9sorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829115/; classtype:trojan-activity;sid:84692215; rev:1;)
# URLhaus download-URL indicators: each rule alerts when an internal client sends a GET whose
# URI and Host both equal the reported URL exactly (the depth values are the pattern lengths,
# so together with endswith / isdataat:!1,relative nothing may precede or follow the pattern).
# Two patterns are visible in this run:
#   - One URI ("/05fe317c-.../ck-3d80df5d12cdfe6450a782fc87bf66b444.google") repeated across
#     subdomains of wi9sorin.in.net and po4vaxel.in.net. Per-host rules lag behind newly
#     reported subdomains, so also hunt on the shared path or on the parent domains in
#     DNS and proxy logs.
#   - Bare IPv4 hosts serving "/i" and "/bin.sh" (119.113.187.91 appears with both). These
#     paths are generic and the rule is only meaningful because of the host match. Keep both
#     conditions if the rules are ever rewritten or merged.
# An alert here is evidence of the request, not of execution. Correlate with the response
# and with endpoint telemetry for the source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.220.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829114/; classtype:trojan-activity;sid:84692214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.113.187.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829113/; classtype:trojan-activity;sid:84692213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0dszydja.wi9sorin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829112/; classtype:trojan-activity;sid:84692212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-sal3s.wi9sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829111/; classtype:trojan-activity;sid:84692211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.162.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829110/; classtype:trojan-activity;sid:84692210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"norlineis.wi9sorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829109/; classtype:trojan-activity;sid:84692209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.153.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829108/; classtype:trojan-activity;sid:84692208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.119.176.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829107/; classtype:trojan-activity;sid:84692207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-pol4r.po4vaxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829106/; classtype:trojan-activity;sid:84692206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.113.187.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829105/; classtype:trojan-activity;sid:84692205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"build-bio.po4vaxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829104/; classtype:trojan-activity;sid:84692204; rev:1;)
# From here on most entries point at a single host, 176.65.139.11, with one rule per file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829093/; classtype:trojan-activity;sid:84692193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829094)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/h2stream.riscv64"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829094/; classtype:trojan-activity;sid:84692194; rev:1;)
# URLhaus download-URL indicators for one distribution host. All but one rule in this run
# match Host 176.65.139.11 exactly and differ only in the file name: three base names
# (h2stream, h3flood, h2rapidreset), each with a CPU-architecture suffix (x86, x64, arm,
# aarch64, mips*, ppc, s390x, riscv64).
# Triage hints:
#   - The rule fires on the outbound GET ($HOME_NET -> $EXTERNAL_NET, from_client), so the
#     alert source is the internal device that asked for the file. The suffix in the matched
#     URI hints at that device's platform. Non-x86 suffixes presumably mean an embedded or
#     IoT-class system rather than a workstation (confirm from asset inventory).
#   - Several alerts for different suffixes from one source in a short window would be
#     consistent with a script trying each architecture in turn. Treat it as one incident.
#   - Every file name has its own sid. A file name not listed here will not match, so a
#     host-level watch on the same address in flow or firewall logs is a useful complement.
#   - sid = URLhaus id + 80863100 in the rules shown here. Use reference:url to check
#     whether URLhaus still lists the URL as online before acting on an old alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.x64"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829095/; classtype:trojan-activity;sid:84692195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.aarch64"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829096/; classtype:trojan-activity;sid:84692196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.s390x"; depth:15; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829097/; classtype:trojan-activity;sid:84692197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829098/; classtype:trojan-activity;sid:84692198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips64"; depth:20; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829099/; classtype:trojan-activity;sid:84692199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829100/; classtype:trojan-activity;sid:84692200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.riscv64"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829101/; classtype:trojan-activity;sid:84692201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips64el"; depth:18; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829102/; classtype:trojan-activity;sid:84692202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mipsel"; depth:20; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829103/; classtype:trojan-activity;sid:84692203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.riscv64"; depth:21; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829088/; classtype:trojan-activity;sid:84692188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.x86"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829089/; classtype:trojan-activity;sid:84692189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.x86"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829090/; classtype:trojan-activity;sid:84692190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.arm"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829091/; classtype:trojan-activity;sid:84692191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.ppc"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829092/; classtype:trojan-activity;sid:84692192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.s390x"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829087/; classtype:trojan-activity;sid:84692187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.ppc"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829086/; classtype:trojan-activity;sid:84692186; rev:1;)
# Unrelated entry interleaved by report order: generic "/bin.sh" path on a different host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.119.176.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829085/; classtype:trojan-activity;sid:84692185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips64el"; depth:22; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829079/; classtype:trojan-activity;sid:84692179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.x64"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829080/; classtype:trojan-activity;sid:84692180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829081/; classtype:trojan-activity;sid:84692181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips64"; depth:15; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829082/; classtype:trojan-activity;sid:84692182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.aarch64"; depth:21; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829083/; classtype:trojan-activity;sid:84692183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips64el"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3829084/; classtype:trojan-activity;sid:84692184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips"; depth:18; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829071/; classtype:trojan-activity;sid:84692171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.s390x"; depth:19; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829072/; classtype:trojan-activity;sid:84692172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.arm"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829073/; classtype:trojan-activity;sid:84692173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.ppc"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829074/; classtype:trojan-activity;sid:84692174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mipsel"; 
depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829075/; classtype:trojan-activity;sid:84692175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips64"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829076/; classtype:trojan-activity;sid:84692176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.x64"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829077/; classtype:trojan-activity;sid:84692177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mipsel"; depth:15; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829078/; classtype:trojan-activity;sid:84692178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.aarch64"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829070/; classtype:trojan-activity;sid:84692170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3829069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829069/; classtype:trojan-activity;sid:84692169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829068/; classtype:trojan-activity;sid:84692168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nc"; depth:8; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829067/; classtype:trojan-activity;sid:84692167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"switc1-index.po4vaxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829066/; classtype:trojan-activity;sid:84692166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.89.247"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3829065/; classtype:trojan-activity;sid:84692165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.245.46.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829064/; classtype:trojan-activity;sid:84692164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"730e.po4vaxel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829063/; classtype:trojan-activity;sid:84692163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.153.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829062/; classtype:trojan-activity;sid:84692162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flee-line.po4vaxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829061/; classtype:trojan-activity;sid:84692161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3829059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-5ystem.po4vaxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829059/; classtype:trojan-activity;sid:84692159; rev:1;)
# How to read the rules in this stretch (every rule uses the same template):
#   - flow:established,from_client + http.method "GET": client-side GET requests only.
#   - http.uri content with depth equal to the content length plus endswith: the
#     URI buffer must equal the string exactly; nocase applies to this URI content.
#   - http.host content with depth equal to the content length plus
#     isdataat:!1,relative: the host buffer must equal the string exactly
#     (no byte may follow the match).
#   - msg, reference and sid name the same URLhaus entry; in the rules shown
#     here sid is the URLhaus id plus 80863100.
# Several entries here share one request path,
# /05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google,
# and differ only in the host: subdomains of po4vaxel.in.net and kymle7rax.in.net.
# Because both buffers are pinned exactly, a subdomain that is not yet listed in
# the feed raises no alert even when the path is identical.
# NOTE(review): for hunting, a locally maintained rule or proxy-log query keyed on
# the shared path alone would also cover unlisted subdomains; keep it outside this
# generated file so feed updates do not overwrite it.
# "alert http" inspects cleartext HTTP only; the same URL fetched over TLS is not
# seen unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kpelhw.kymle7rax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829058/; classtype:trojan-activity;sid:84692158; rev:1;)
# Two IP-literal entries follow (/i and /bin.sh); same template, host is a bare IPv4 string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.73.110"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829057/; classtype:trojan-activity;sid:84692157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.92.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829056/; classtype:trojan-activity;sid:84692156; rev:1;)
# Shared-path entries again, all under kymle7rax.in.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"m3rg-watch.kymle7rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829055/; classtype:trojan-activity;sid:84692155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arknex6or.kymle7rax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829054/; classtype:trojan-activity;sid:84692154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"summit1-stream.kymle7rax.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829053/; classtype:trojan-activity;sid:84692153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumdraal1.kymle7rax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829052/; classtype:trojan-activity;sid:84692152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829051)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2yxdgkw7.kymle7rax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829051/; classtype:trojan-activity;sid:84692151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.57.48.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829050/; classtype:trojan-activity;sid:84692150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.57.48.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829049/; classtype:trojan-activity;sid:84692149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.67.103.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829048/; classtype:trojan-activity;sid:84692148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link6-switch.to2virex.in.net"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829047/; classtype:trojan-activity;sid:84692147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"defenvoya.to2virex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829046/; classtype:trojan-activity;sid:84692146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"offharves.to2virex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829045/; classtype:trojan-activity;sid:84692145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hauinn.to2virex.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829044/; classtype:trojan-activity;sid:84692144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.122.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829043/; 
classtype:trojan-activity;sid:84692143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.73.110"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829042/; classtype:trojan-activity;sid:84692142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.77.224.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829041/; classtype:trojan-activity;sid:84692141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fall-ridg.to2virex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829040/; classtype:trojan-activity;sid:84692140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.77.224.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829039/; classtype:trojan-activity;sid:84692139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"39.67.103.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829038/; classtype:trojan-activity;sid:84692138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr1d1-vector.to2virex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829037/; classtype:trojan-activity;sid:84692137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5565wep5.sylov3er.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829036/; classtype:trojan-activity;sid:84692136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-c4ny0n.sylov3er.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829035/; classtype:trojan-activity;sid:84692135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.122.254"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829034/; classtype:trojan-activity;sid:84692134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"portal-enc.sylov3er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829033/; classtype:trojan-activity;sid:84692133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arktidear7.sylov3er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829032/; classtype:trojan-activity;sid:84692132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.226.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829031/; classtype:trojan-activity;sid:84692131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"8rxhman.sylov3er.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3829030/; classtype:trojan-activity;sid:84692130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.46.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829029/; classtype:trojan-activity;sid:84692129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flkqe.sylov3er.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829028/; classtype:trojan-activity;sid:84692128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr4nd-vault.ra8ximel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829027/; classtype:trojan-activity;sid:84692127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.237.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829026/; classtype:trojan-activity;sid:84692126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3829025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.38.79.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829025/; classtype:trojan-activity;sid:84692125; rev:1;)
# The twelve rules that follow (URLhaus ids 3829013-3829024) all name one host,
# 195.238.123.165, and request /sakura.sh or a file ending in ".sakura".
# NOTE(review): the file names read like architecture tags with separators
# inserted (a-r.m-7, m-p.s-l, x-8.6-, p-p.c-) -- presumably per-architecture
# builds of one payload; the feed itself does not say so.
# Matching is exact on both buffers: depth equals the content length, endswith
# closes the URI and isdataat:!1,relative closes the host, so a request that
# carries anything beyond the listed path or host string does not match.
# nocase applies to the URI content only.
# Triage notes:
#   - Several of these sids firing for one $HOME_NET source is better handled
#     as a single incident than as separate alerts.
#   - The host is an IP literal and the rules are dated created_at 2026_04_22;
#     check the current status at the reference URL before treating an alert
#     as confirmed.
#   - "alert http" covers cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-p.s-l.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829013/; classtype:trojan-activity;sid:84692113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.sakura"; depth:14; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829014/; classtype:trojan-activity;sid:84692114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829015/; classtype:trojan-activity;sid:84692115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829016/; classtype:trojan-activity;sid:84692116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829017/; classtype:trojan-activity;sid:84692117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829018/; classtype:trojan-activity;sid:84692118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p-p.c-.sakura"; depth:14; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829019/; classtype:trojan-activity;sid:84692119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829020/; classtype:trojan-activity;sid:84692120; rev:1;)
# /sakura.sh is the only shell-script name in this group; the rest end in ".sakura".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sakura.sh"; depth:10; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829021/; classtype:trojan-activity;sid:84692121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-8.6-.sakura"; depth:14; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829022/; classtype:trojan-activity;sid:84692122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-5.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829023/; classtype:trojan-activity;sid:84692123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.sakura"; depth:15; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829024/; classtype:trojan-activity;sid:84692124; rev:1;)
# Unrelated to the group above: a hostname entry under ra8ximel.in.net with a long fixed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmlunar.ra8ximel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829012/; classtype:trojan-activity;sid:84692112; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.sakura"; depth:14; endswith; nocase; http.host; content:"195.238.123.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829011/; classtype:trojan-activity;sid:84692111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.209.76.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829010/; classtype:trojan-activity;sid:84692110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hubspruc.ra8ximel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829009/; classtype:trojan-activity;sid:84692109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.6.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829008/; classtype:trojan-activity;sid:84692108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.201.217"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829007/; classtype:trojan-activity;sid:84692107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"faithfulvector.ra8ximel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829006/; classtype:trojan-activity;sid:84692106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.48.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829005/; classtype:trojan-activity;sid:84692105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eufkpp.ra8ximel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829004/; classtype:trojan-activity;sid:84692104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.36.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829003/; classtype:trojan-activity;sid:84692103; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oxhlrfs.ra8ximel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829002/; classtype:trojan-activity;sid:84692102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blzlet.5zorelin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829001/; classtype:trojan-activity;sid:84692101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.6.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829000/; classtype:trojan-activity;sid:84692100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.117.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828999/; classtype:trojan-activity;sid:84692099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828997)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"visualpure.5zorelin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828997/; classtype:trojan-activity;sid:84692097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.210.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828998/; classtype:trojan-activity;sid:84692098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.199.194.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828996/; classtype:trojan-activity;sid:84692096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.213.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828995/; classtype:trojan-activity;sid:84692095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darktermi.5zorelin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3828994/; classtype:trojan-activity;sid:84692094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.107.16.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828992/; classtype:trojan-activity;sid:84692092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.36.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828993/; classtype:trojan-activity;sid:84692093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c1ini-phase.5zorelin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828991/; classtype:trojan-activity;sid:84692091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yjbkbpa.5zorelin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828990/; classtype:trojan-activity;sid:84692090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3828981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips64el"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828981/; classtype:trojan-activity;sid:84692081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.riscv64"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828982/; classtype:trojan-activity;sid:84692082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828983/; classtype:trojan-activity;sid:84692083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.s390x"; depth:10; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828984/; classtype:trojan-activity;sid:84692084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828985/; 
classtype:trojan-activity;sid:84692085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828986/; classtype:trojan-activity;sid:84692086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips64"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828987/; classtype:trojan-activity;sid:84692087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828988/; classtype:trojan-activity;sid:84692088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x64"; depth:8; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828989/; classtype:trojan-activity;sid:84692089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"gufnz2.5zorelin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828980/; classtype:trojan-activity;sid:84692080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.208.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828979/; classtype:trojan-activity;sid:84692079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_s390x"; depth:15; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828978/; classtype:trojan-activity;sid:84692078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mipsel"; depth:16; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828977/; classtype:trojan-activity;sid:84692077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rename_bots.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828973/; classtype:trojan-activity;sid:84692073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3828974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/check_bots.sh"; depth:19; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828974/; classtype:trojan-activity;sid:84692074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mips64el"; depth:18; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828975/; classtype:trojan-activity;sid:84692075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_ppc64el"; depth:17; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828976/; classtype:trojan-activity;sid:84692076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/selfupdater"; depth:16; endswith; nocase; http.host; content:"vanillamods.xyz"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828971/; classtype:trojan-activity;sid:84692071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"cargoisle.svolota-player.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828972/; classtype:trojan-activity;sid:84692072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s.php"; depth:6; endswith; nocase; http.host; content:"lkgkdsjd.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828970/; classtype:trojan-activity;sid:84692070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/dps"; depth:8; endswith; nocase; http.host; content:"vanillamods.xyz"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828969/; classtype:trojan-activity;sid:84692069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/update.ps1"; depth:15; endswith; nocase; http.host; content:"107.173.143.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828962/; classtype:trojan-activity;sid:84692062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm64"; depth:15; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828963/; classtype:trojan-activity;sid:84692063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828964)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_linux_x86_64"; depth:22; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828964/; classtype:trojan-activity;sid:84692064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/ps"; depth:7; endswith; nocase; http.host; content:"vanillamods.xyz"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828965/; classtype:trojan-activity;sid:84692065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_i386"; depth:14; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828966/; classtype:trojan-activity;sid:84692066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_armv7"; depth:15; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828967/; classtype:trojan-activity;sid:84692067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828968/; 
classtype:trojan-activity;sid:84692068; rev:1;)
# One rule per line. In each rule `depth:N; endswith` on http.uri and
# `depth:N; isdataat:!1,relative` on http.host anchor the pattern at both ends of the
# buffer when N equals the pattern length, i.e. a whole-URI / whole-host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpn.7z"; depth:7; endswith; nocase; http.host; content:"lkgkdsjd.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828960/; classtype:trojan-activity;sid:84692060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; endswith; nocase; http.host; content:"www.teslasuit.to"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828961/; classtype:trojan-activity;sid:84692061; rev:1;)
# NOTE(review): the host is drive.google.com, a shared service; the long URI pins the rule
# to one file link. As an `alert http` rule it only fires where the sensor sees the request
# as HTTP (cleartext, or after TLS decryption) - confirm that applies to this deployment.
# NOTE(review): depth:147 equals the length of the pattern as written, counting each hex
# escape as text. Decoded, |3f| and |7c| are one byte each and the pattern is 126 bytes, so
# unlike the other rules this one is not length-exact (up to 21 leading bytes are tolerated).
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", which looks like a doubly
# escaped "&" - presumably a feed-generation artefact; if so the rule cannot match the
# real request. Verify against the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/d/1svxkp_9kaxvi8z46pv5zkp3grc-i2ckq/view|3f|usp=sharing_eil|7c|26|7c|amp%3bts=69e7c6ac|7c|26|7c|amp%3bsh=u756kmhy4txtne3m|7c|26|7c|amp%3bca=1"; depth:147; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828959/; classtype:trojan-activity;sid:84692059; rev:1;)
# NOTE(review): sid 84692056 and sid 84692058 have identical match conditions
# (GET /newuu.exe, host www.teslasuit.to), as do sid 84692057 and sid 84692055
# (GET /newuu.exe, host teslasuit.to), so one request raises two alerts. The URLhaus
# entries presumably differ in something the rule does not encode (e.g. scheme or port) -
# verify, and de-duplicate or threshold locally if the double alerts are a problem.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuu.exe"; depth:10; endswith; nocase; http.host; content:"www.teslasuit.to"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828956/; classtype:trojan-activity;sid:84692056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuu.exe"; depth:10; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828957/; classtype:trojan-activity;sid:84692057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuu.exe"; depth:10; endswith; nocase; http.host; content:"www.teslasuit.to"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828958/; classtype:trojan-activity;sid:84692058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuu.exe"; depth:10; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828955/; classtype:trojan-activity;sid:84692055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.54.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828954/; classtype:trojan-activity;sid:84692054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dn17wscb.svolota-player.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828953/; classtype:trojan-activity;sid:84692053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.213.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828952/; classtype:trojan-activity;sid:84692052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.199.194.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828951/; classtype:trojan-activity;sid:84692051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jewn.sh"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828950/; classtype:trojan-activity;sid:84692050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fierce-frame.svolota-player.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828949/; classtype:trojan-activity;sid:84692049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828948)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.219.14.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828948/; classtype:trojan-activity;sid:84692048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pkqwqx.svolota-player.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828947/; classtype:trojan-activity;sid:84692047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.32.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828946/; classtype:trojan-activity;sid:84692046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lqfrhvos.svolota-player.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828945/; classtype:trojan-activity;sid:84692045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"t1ny-spool.svolota-player.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828944/; classtype:trojan-activity;sid:84692044; rev:1;)
# --- Reviewer notes on the rules below (comments only; rule text is unchanged from the feed) ---
# Layout: one rule per line (Suricata only accepts a rule split across lines when each break is
#   escaped with a backslash).
# Match scope: every rule fires on one plaintext HTTP GET request sent from $HOME_NET to
#   $EXTERNAL_NET (flow:established,from_client). It matches the request, so an alert shows that a
#   client asked for the URL, not that a payload was delivered or executed.
# http.uri:  content + depth:<content length> + endswith pins the entire URI buffer to the listed
#   path (case-insensitive via nocase); the same path with a query string appended does not match.
# http.host: content + depth:<content length> + isdataat:!1,relative pins the entire Host buffer
#   to the listed name or IP.
# Blind spots: HTTPS fetches (nothing for the http parser to inspect without TLS decryption),
#   non-GET methods, and sensors where $HOME_NET does not include the requesting client.
# Triage: several hosts and one long URI recur across many sids here; when one fires, search
#   proxy/DNS logs for the same host or path so sibling URLs not yet in the feed are caught too.
# Currency: the rules below carry created_at 2026_04_22; the reference: URL points at the URLhaus
#   entry for each rule, so check the entry there before escalating an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.7.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828943/; classtype:trojan-activity;sid:84692043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.219.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828942/; classtype:trojan-activity;sid:84692042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.87.167"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828941/; classtype:trojan-activity;sid:84692041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cach8-stack.histor5corching.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828940/; classtype:trojan-activity;sid:84692040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.234.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828939/; classtype:trojan-activity;sid:84692039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.99.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828938/; classtype:trojan-activity;sid:84692038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cliffcrims.histor5corching.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828937/; classtype:trojan-activity;sid:84692037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828931/; classtype:trojan-activity;sid:84692031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828932/; classtype:trojan-activity;sid:84692032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828933/; classtype:trojan-activity;sid:84692033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828934/; classtype:trojan-activity;sid:84692034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828935/; classtype:trojan-activity;sid:84692035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828936/; classtype:trojan-activity;sid:84692036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828928/; classtype:trojan-activity;sid:84692028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828929/; classtype:trojan-activity;sid:84692029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828930/; classtype:trojan-activity;sid:84692030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828927/; classtype:trojan-activity;sid:84692027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828925/; classtype:trojan-activity;sid:84692025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828926/; classtype:trojan-activity;sid:84692026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828923/; classtype:trojan-activity;sid:84692023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828924/; classtype:trojan-activity;sid:84692024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86.exe"; depth:12; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828921/; classtype:trojan-activity;sid:84692021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828922/; classtype:trojan-activity;sid:84692022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.93.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828920/; classtype:trojan-activity;sid:84692020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.46.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828919/; classtype:trojan-activity;sid:84692019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.219.14.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828918/; classtype:trojan-activity;sid:84692018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"a0uq.histor5corching.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828917/; classtype:trojan-activity;sid:84692017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"forg-scann.histor5corching.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828916/; classtype:trojan-activity;sid:84692016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thorneur.histor5corching.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828915/; classtype:trojan-activity;sid:84692015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorlithum.histor5corching.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828914/; classtype:trojan-activity;sid:84692014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.87.167"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828913/; classtype:trojan-activity;sid:84692013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.219.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828912/; classtype:trojan-activity;sid:84692012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cxti.blackbirdr0ot.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828911/; classtype:trojan-activity;sid:84692011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.86.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828910/; classtype:trojan-activity;sid:84692010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"parcelmod.blackbirdr0ot.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828908/; classtype:trojan-activity;sid:84692008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"azureaud.blackbirdr0ot.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828909/; classtype:trojan-activity;sid:84692009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828906/; classtype:trojan-activity;sid:84692006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_32"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828907/; classtype:trojan-activity;sid:84692007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828903/; classtype:trojan-activity;sid:84692003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828904/; classtype:trojan-activity;sid:84692004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iz7v.blackbirdr0ot.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828905/; classtype:trojan-activity;sid:84692005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828900/; classtype:trojan-activity;sid:84692000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828901/; classtype:trojan-activity;sid:84692001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828902/; classtype:trojan-activity;sid:84692002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828899/; classtype:trojan-activity;sid:84691999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828896/; classtype:trojan-activity;sid:84691996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828897/; classtype:trojan-activity;sid:84691997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828898/; classtype:trojan-activity;sid:84691998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828895/; classtype:trojan-activity;sid:84691995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828893/; classtype:trojan-activity;sid:84691993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"madroxreborn.lol"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828894/; classtype:trojan-activity;sid:84691994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scann1-cast.blackbirdr0ot.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828892/; classtype:trojan-activity;sid:84691992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828891/; classtype:trojan-activity;sid:84691991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828890/; classtype:trojan-activity;sid:84691990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828889/; classtype:trojan-activity;sid:84691989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828880/; classtype:trojan-activity;sid:84691980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828881/; classtype:trojan-activity;sid:84691981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828882/; classtype:trojan-activity;sid:84691982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828883/; classtype:trojan-activity;sid:84691983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828884/; classtype:trojan-activity;sid:84691984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828885/; classtype:trojan-activity;sid:84691985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828886/; classtype:trojan-activity;sid:84691986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828887/; classtype:trojan-activity;sid:84691987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828888/; classtype:trojan-activity;sid:84691988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.224.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828879/; classtype:trojan-activity;sid:84691979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828877/; classtype:trojan-activity;sid:84691977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828878/; classtype:trojan-activity;sid:84691978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828876/; classtype:trojan-activity;sid:84691976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.175.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828875/; classtype:trojan-activity;sid:84691975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828872/; classtype:trojan-activity;sid:84691972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828873/; classtype:trojan-activity;sid:84691973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828874/; classtype:trojan-activity;sid:84691974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glossink.blackbirdr0ot.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828871/; classtype:trojan-activity;sid:84691971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828867/; classtype:trojan-activity;sid:84691967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828868/; classtype:trojan-activity;sid:84691968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828869/; classtype:trojan-activity;sid:84691969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828870/; classtype:trojan-activity;sid:84691970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828866/; classtype:trojan-activity;sid:84691966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828865/; classtype:trojan-activity;sid:84691965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828864/; classtype:trojan-activity;sid:84691964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828863/; classtype:trojan-activity;sid:84691963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828853/; classtype:trojan-activity;sid:84691953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828854/; classtype:trojan-activity;sid:84691954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828855/; classtype:trojan-activity;sid:84691955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828856/; classtype:trojan-activity;sid:84691956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828857/; classtype:trojan-activity;sid:84691957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828858/; classtype:trojan-activity;sid:84691958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828859/; classtype:trojan-activity;sid:84691959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828860/; classtype:trojan-activity;sid:84691960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828861/; classtype:trojan-activity;sid:84691961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828862/; classtype:trojan-activity;sid:84691962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828852/; classtype:trojan-activity;sid:84691952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828851/; classtype:trojan-activity;sid:84691951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"jbrj92scltrbtv7mzejvmovw.duckdns.org"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828850/; classtype:trojan-activity;sid:84691950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828847/; classtype:trojan-activity;sid:84691947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828848/; classtype:trojan-activity;sid:84691948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828849/; classtype:trojan-activity;sid:84691949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828845/; classtype:trojan-activity;sid:84691945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828846/; classtype:trojan-activity;sid:84691946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828844/; 
classtype:trojan-activity;sid:84691944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828843/; classtype:trojan-activity;sid:84691943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828842/; classtype:trojan-activity;sid:84691942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828837/; classtype:trojan-activity;sid:84691937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828838/; classtype:trojan-activity;sid:84691938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; 
endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828839/; classtype:trojan-activity;sid:84691939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828840/; classtype:trojan-activity;sid:84691940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828841/; classtype:trojan-activity;sid:84691941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fkftn4.multi-machine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828836/; classtype:trojan-activity;sid:84691936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828835/; 
classtype:trojan-activity;sid:84691935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.13.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828834/; classtype:trojan-activity;sid:84691934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cinemapassive.multi-machine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828833/; classtype:trojan-activity;sid:84691933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.86.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828832/; classtype:trojan-activity;sid:84691932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828831/; classtype:trojan-activity;sid:84691931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; 
depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828830/; classtype:trojan-activity;sid:84691930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828823/; classtype:trojan-activity;sid:84691923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828824/; classtype:trojan-activity;sid:84691924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828825/; classtype:trojan-activity;sid:84691925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828826/; classtype:trojan-activity;sid:84691926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828827)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828827/; classtype:trojan-activity;sid:84691927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828828/; classtype:trojan-activity;sid:84691928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828829/; classtype:trojan-activity;sid:84691929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb8ipc.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828822/; classtype:trojan-activity;sid:84691922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828821/; classtype:trojan-activity;sid:84691921; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"176.65.139.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828820/; classtype:trojan-activity;sid:84691920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"indexwho.multi-machine.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828819/; classtype:trojan-activity;sid:84691919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828806/; classtype:trojan-activity;sid:84691906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828807/; classtype:trojan-activity;sid:84691907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; 
http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828808/; classtype:trojan-activity;sid:84691908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828809/; classtype:trojan-activity;sid:84691909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828810/; classtype:trojan-activity;sid:84691910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828811/; classtype:trojan-activity;sid:84691911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828812/; classtype:trojan-activity;sid:84691912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828813)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828813/; classtype:trojan-activity;sid:84691913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828814/; classtype:trojan-activity;sid:84691914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828815/; classtype:trojan-activity;sid:84691915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828816/; classtype:trojan-activity;sid:84691916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828817/; classtype:trojan-activity;sid:84691917; rev:1;) 
# Analyst note on the URLhaus download rules in this part of the ruleset:
# - Each rule fires only on a cleartext HTTP GET, client side of an established flow, going
#   from $HOME_NET to $EXTERNAL_NET. Both http.uri and http.host must equal the listed
#   strings: depth equals the pattern length, and endswith / isdataat:!1,relative forbid
#   trailing data. The URI comparison is case-insensitive (nocase).
# - Because both matches are exact, a request for the same path under a different Host value
#   will not alert. Presumably the same holds for a request with an added query string or
#   one carried inside TLS -- confirm against sensor placement and any decryption in use.
# - Short paths such as "/bin.sh" carry little signal on their own; the Host condition is
#   what ties an alert to the URLhaus entry. Triage with the reference URL and the
#   metadata created_at date, since listed hosts can go stale or change hands.
# - A hit shows that the request was sent, not that a payload was returned or executed;
#   corroborate with the HTTP response and endpoint telemetry before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828818/; classtype:trojan-activity;sid:84691918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ter8k.multi-machine.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828805/; classtype:trojan-activity;sid:84691905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828804/; classtype:trojan-activity;sid:84691904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ship-obser.multi-machine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828803/; classtype:trojan-activity;sid:84691903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828802)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.216.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828802/; classtype:trojan-activity;sid:84691902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mme4po.multi-machine.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828801/; classtype:trojan-activity;sid:84691901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diicot.sh"; depth:10; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828800/; classtype:trojan-activity;sid:84691900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828799/; classtype:trojan-activity;sid:84691899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm"; depth:18; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828798/; classtype:trojan-activity;sid:84691898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_aarch64"; depth:22; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828797/; classtype:trojan-activity;sid:84691897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i486"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828795/; classtype:trojan-activity;sid:84691895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i586"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828796/; classtype:trojan-activity;sid:84691896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm7"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828792/; classtype:trojan-activity;sid:84691892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828793)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/static/ciubuc_i686"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828793/; classtype:trojan-activity;sid:84691893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9871mi.idol-worship.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828794/; classtype:trojan-activity;sid:84691894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_x86"; depth:18; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828789/; classtype:trojan-activity;sid:84691889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips64"; depth:21; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828790/; classtype:trojan-activity;sid:84691890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_ppc"; depth:18; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3828791/; classtype:trojan-activity;sid:84691891; rev:1;)
# Review notes (comments only; rule text is unchanged and restored to one rule per line).
# How each rule below matches:
#   - alert http $HOME_NET any -> $EXTERNAL_NET any with flow:established,from_client:
#     only client requests leaving $HOME_NET are inspected, so coverage depends on
#     $HOME_NET and $EXTERNAL_NET being set correctly for the sensor.
#   - http.uri content with depth equal to the string length plus endswith: the whole
#     normalized URI must equal the string (nocase makes that case-insensitive). The
#     same path with a query string appended does not match.
#   - http.host content with depth plus isdataat:!1,relative: nothing may follow the
#     string, so the host must equal it exactly.
#   - http.method content:"GET" carries no position modifiers; requests using other
#     methods to the same URL are not covered.
# Because the protocol is http, downloads over TLS are not seen unless traffic is
# decrypted before it reaches the sensor.
# The rules in this group pair the path prefix /static/ciubuc_<suffix> with two hosts
# (datasurge-bot.online and 176.65.139.20). The suffixes look like CPU architecture
# names (arm5, mips, sh4, ...), presumably per-architecture builds of one payload;
# confirm on the referenced URLhaus pages. When one rule fires, reviewing HTTP logs
# for other requests from the same client to either host is a reasonable triage step.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_sh4"; depth:18; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828785/; classtype:trojan-activity;sid:84691885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_m68k"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828786/; classtype:trojan-activity;sid:84691886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm5"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828787/; classtype:trojan-activity;sid:84691887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828788/; classtype:trojan-activity;sid:84691888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm6"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828784/; classtype:trojan-activity;sid:84691884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mpsl"; depth:19; endswith; nocase; http.host; content:"datasurge-bot.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828783/; classtype:trojan-activity;sid:84691883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_aarch64"; depth:22; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828780/; classtype:trojan-activity;sid:84691880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_sh4"; depth:18; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828781/; classtype:trojan-activity;sid:84691881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm7"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828782/; classtype:trojan-activity;sid:84691882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_m68k"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828778/; classtype:trojan-activity;sid:84691878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm5"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828779/; classtype:trojan-activity;sid:84691879; rev:1;)
# /diicot.sh here and /c.sh further down sit on the same host as the /static/ciubuc_*
# entries; the .sh suffix suggests shell scripts, which this file does not confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diicot.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828777/; classtype:trojan-activity;sid:84691877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm6"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828771/; classtype:trojan-activity;sid:84691871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i686"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828772/; classtype:trojan-activity;sid:84691872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i486"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828773/; classtype:trojan-activity;sid:84691873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm"; depth:18; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828774/; classtype:trojan-activity;sid:84691874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mpsl"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828775/; classtype:trojan-activity;sid:84691875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_ppc"; depth:18; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828776/; classtype:trojan-activity;sid:84691876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips64"; depth:21; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828770/; classtype:trojan-activity;sid:84691870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_x86"; depth:18; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828769/; classtype:trojan-activity;sid:84691869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828768/; classtype:trojan-activity;sid:84691868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828766/; classtype:trojan-activity;sid:84691866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i586"; depth:19; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828767/; 
classtype:trojan-activity;sid:84691867; rev:1;)
# Review notes (comments only; rule text is unchanged and restored to one rule per line).
# Every rule below pins both buffers exactly: http.uri uses depth equal to the string
# length plus endswith (nocase), and http.host uses depth plus isdataat:!1,relative.
# That matters most for the very short URIs in this group ("/i", "/arm", "/mips", ...):
# on their own they would match a great deal of benign traffic, so the exact host
# condition is what keeps these rules specific. Keep both conditions if a rule is
# copied or tuned locally.
# The number in msg and in reference:url is the URLhaus entry id; use it to pull
# context for an alert during triage.
# Several rules in this group use one long URI under different subdomains of
# idol-worship.in.net, and another set uses architecture-like names (/arm, /arm5,
# /arm6, /arm7, /mips, /mipsel, /x86_64) on kernalstress.st and on 176.65.139.94.
# Presumably each set belongs to one distribution campaign; confirm on URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f0rm-mount.idol-worship.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828765/; classtype:trojan-activity;sid:84691865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.129.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828764/; classtype:trojan-activity;sid:84691864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828763/; classtype:trojan-activity;sid:84691863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828762/; classtype:trojan-activity;sid:84691862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quarryhaul.idol-worship.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828760/; classtype:trojan-activity;sid:84691860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828761/; classtype:trojan-activity;sid:84691861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828756/; classtype:trojan-activity;sid:84691856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828757/; classtype:trojan-activity;sid:84691857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828758/; classtype:trojan-activity;sid:84691858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"kernalstress.st"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828759/; classtype:trojan-activity;sid:84691859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828750/; classtype:trojan-activity;sid:84691850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828751/; classtype:trojan-activity;sid:84691851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828752/; classtype:trojan-activity;sid:84691852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828753/; classtype:trojan-activity;sid:84691853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828754/; classtype:trojan-activity;sid:84691854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828755/; classtype:trojan-activity;sid:84691855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828749/; classtype:trojan-activity;sid:84691849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"717mupv.idol-worship.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828748/; classtype:trojan-activity;sid:84691848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828747)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"n0de6-node.idol-worship.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828747/; classtype:trojan-activity;sid:84691847; rev:1;)
# Review notes (comments only; rule text is unchanged and restored to one rule per line).
# Each rule below is an exact-match indicator: the normalized URI must equal the
# http.uri string (depth equal to its length, endswith, nocase) and the host must
# equal the http.host string (depth plus isdataat:!1,relative). Only cleartext HTTP
# GET requests from $HOME_NET to $EXTERNAL_NET are inspected.
# Coverage gap to be aware of: the same 82-byte URI recurs in this group under many
# different subdomains of a few parent domains (idol-worship.in.net,
# greecesco7es.in.net, credibil-debauch.in.net). Because each rule pins one full
# hostname, a request to a subdomain that is not yet listed raises no alert until the
# feed is refreshed. NOTE(review): a locally maintained rule or log search keyed on
# that URI alone could close the gap; measure false positives before enabling it.
# The remaining rules pair "/i" or "/bin.sh" with a bare IP address, and some IPs
# appear with both paths (for example 60.211.56.208 and 112.247.155.211).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.88.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828746/; classtype:trojan-activity;sid:84691846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828745/; classtype:trojan-activity;sid:84691845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.56.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828744/; classtype:trojan-activity;sid:84691844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"polatren.idol-worship.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828743/; classtype:trojan-activity;sid:84691843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.160.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828742/; classtype:trojan-activity;sid:84691842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.234.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828741/; classtype:trojan-activity;sid:84691841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sernex1al.greecesco7es.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828740/; classtype:trojan-activity;sid:84691840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828739/; classtype:trojan-activity;sid:84691839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coremount.greecesco7es.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828738/; classtype:trojan-activity;sid:84691838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"co1o-grid.greecesco7es.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828737/; classtype:trojan-activity;sid:84691837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.247.155.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828736/; classtype:trojan-activity;sid:84691836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solforge2ar.greecesco7es.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828735/; classtype:trojan-activity;sid:84691835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.56.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828734/; classtype:trojan-activity;sid:84691834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.85.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828733/; classtype:trojan-activity;sid:84691833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"agentdel.greecesco7es.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828732/; classtype:trojan-activity;sid:84691832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"primeambe.greecesco7es.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828731/; classtype:trojan-activity;sid:84691831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"revlogi.credibil-debauch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828730/; classtype:trojan-activity;sid:84691830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.247.155.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828729/; classtype:trojan-activity;sid:84691829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-1ce.credibil-debauch.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828728/; classtype:trojan-activity;sid:84691828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.201.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828727/; classtype:trojan-activity;sid:84691827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.183.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828726/; classtype:trojan-activity;sid:84691826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rnoun3-mesh.credibil-debauch.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828725/; classtype:trojan-activity;sid:84691825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4t0mi-core.credibil-debauch.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828724/; classtype:trojan-activity;sid:84691824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.162.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828723/; classtype:trojan-activity;sid:84691823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trusbyt.credibil-debauch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828722/; classtype:trojan-activity;sid:84691822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828721)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.183.196.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828721/; classtype:trojan-activity;sid:84691821; rev:1;)
# Review notes (comments only; rule text is unchanged and restored to one rule per line).
# Each rule below alerts on one exact URL: http.uri must equal the quoted path (depth
# equal to its length, endswith, nocase) and http.host must equal the quoted host
# (depth plus isdataat:!1,relative), for a GET sent from $HOME_NET to $EXTERNAL_NET.
# Operational points for whoever deploys this feed:
#   - Every rule carries metadata:created_at and rev:1 and is generated from a
#     URLhaus entry; the msg and reference:url fields give the entry id to look up.
#     Entries age, so refresh the ruleset on a schedule rather than pinning a copy.
#   - In the rules visible here the sid equals the URLhaus id plus a constant offset,
#     so local rules should use a separate sid range to avoid collisions.
#   - Downloads over TLS are not matched by these http rules unless traffic is
#     decrypted before inspection.
#   - The long URI in this group repeats under subdomains of credibil-debauch.in.net,
#     decay5obes.in.net and diet-lanolin.in.net; a subdomain not yet listed produces
#     no alert, so pair the feed with DNS or proxy log review for those parents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynlith7os.credibil-debauch.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828720/; classtype:trojan-activity;sid:84691820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.12.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828719/; classtype:trojan-activity;sid:84691819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.223.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828718/; classtype:trojan-activity;sid:84691818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9rg153d.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828717/; classtype:trojan-activity;sid:84691817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fre1ght-mark.decay5obes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828716/; classtype:trojan-activity;sid:84691816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sapdecode.decay5obes.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828715/; classtype:trojan-activity;sid:84691815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.135.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828714/; classtype:trojan-activity;sid:84691814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ifzyk85.decay5obes.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828713/; classtype:trojan-activity;sid:84691813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.29.46.195"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828712/; classtype:trojan-activity;sid:84691812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tensorextrac.decay5obes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828711/; classtype:trojan-activity;sid:84691811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.5.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828710/; classtype:trojan-activity;sid:84691810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.183.196.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828709/; classtype:trojan-activity;sid:84691809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tzlajh.decay5obes.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828708/; classtype:trojan-activity;sid:84691808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.32.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828707/; classtype:trojan-activity;sid:84691807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.36.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828706/; classtype:trojan-activity;sid:84691806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.223.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828705/; classtype:trojan-activity;sid:84691805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.5.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828704/; classtype:trojan-activity;sid:84691804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.26.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828703/; classtype:trojan-activity;sid:84691803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brookprime.diet-lanolin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828702/; classtype:trojan-activity;sid:84691802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"minor-mon.diet-lanolin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828701/; classtype:trojan-activity;sid:84691801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.135.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828700/; classtype:trojan-activity;sid:84691800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zxvy.diet-lanolin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828699/; classtype:trojan-activity;sid:84691799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.11.248.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828698/; classtype:trojan-activity;sid:84691798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"split-pulse.diet-lanolin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828697/; classtype:trojan-activity;sid:84691797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xg6xtld1.diet-lanolin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828696/; classtype:trojan-activity;sid:84691796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828695)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dmnoyvf.diet-lanolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828695/; classtype:trojan-activity;sid:84691795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.79.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828694/; classtype:trojan-activity;sid:84691794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.37.151.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828693/; classtype:trojan-activity;sid:84691793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"activeserver.infirmary5care.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828692/; classtype:trojan-activity;sid:84691792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"1ayo-port.infirmary5care.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828691/; classtype:trojan-activity;sid:84691791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tri-markis.infirmary5care.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828690/; classtype:trojan-activity;sid:84691790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.171.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828689/; classtype:trojan-activity;sid:84691789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gfpb.infirmary5care.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828688/; classtype:trojan-activity;sid:84691788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snowsketc.infirmary5care.in.net"; 
depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828687/; classtype:trojan-activity;sid:84691787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sort5-logic.infirmary5care.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828686/; classtype:trojan-activity;sid:84691786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.5.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828685/; classtype:trojan-activity;sid:84691785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.5.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828684/; classtype:trojan-activity;sid:84691784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.24.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828683/; classtype:trojan-activity;sid:84691783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3828682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmprairie.protocave.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828682/; classtype:trojan-activity;sid:84691782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.171.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828681/; classtype:trojan-activity;sid:84691781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sc4nn-point.protocave.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828680/; classtype:trojan-activity;sid:84691780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.76.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828679/; classtype:trojan-activity;sid:84691779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"175.107.16.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828678/; classtype:trojan-activity;sid:84691778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quotaraven.protocave.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828677/; classtype:trojan-activity;sid:84691777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.101.181.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828676/; classtype:trojan-activity;sid:84691776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.177.21.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828675/; classtype:trojan-activity;sid:84691775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ays2jm.protocave.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828674/; 
classtype:trojan-activity;sid:84691774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3jms0.protocave.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828673/; classtype:trojan-activity;sid:84691773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"inde-fer.protocave.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828672/; classtype:trojan-activity;sid:84691772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.49.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828671/; classtype:trojan-activity;sid:84691771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.99.251.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828670/; classtype:trojan-activity;sid:84691770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828669)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"corhard.dashjore.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828669/; classtype:trojan-activity;sid:84691769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.58.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828668/; classtype:trojan-activity;sid:84691768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.131.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828667/; classtype:trojan-activity;sid:84691767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zencrest8et.dashjore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828666/; classtype:trojan-activity;sid:84691766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.249.74"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828665/; classtype:trojan-activity;sid:84691765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.101.181.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828664/; classtype:trojan-activity;sid:84691764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"skuj.dashjore.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828663/; classtype:trojan-activity;sid:84691763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wpckch.dashjore.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828662/; classtype:trojan-activity;sid:84691762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.229.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828661/; classtype:trojan-activity;sid:84691761; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.60.224"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828660/; classtype:trojan-activity;sid:84691760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loc46-cache.dashjore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828659/; classtype:trojan-activity;sid:84691759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.99.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828658/; classtype:trojan-activity;sid:84691758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.164.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828657/; classtype:trojan-activity;sid:84691757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"ke3srk.dashjore.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828656/; classtype:trojan-activity;sid:84691756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.164.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828655/; classtype:trojan-activity;sid:84691755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-s1at.cloafade.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828654/; classtype:trojan-activity;sid:84691754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6tn0i.cloafade.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828653/; classtype:trojan-activity;sid:84691753; rev:1;)
# NOTE(review), sid 84691752 (shared hosting platform, github.com):
# - The rule is "alert http", so it can only see cleartext HTTP requests or
#   traffic decrypted before it reaches the sensor. A download fetched over
#   HTTPS is not visible to it; confirm TLS-inspection coverage, or pair it
#   with proxy/endpoint telemetry for the same URL.
# - http.uri is Suricata's normalized URI buffer, but the content holds literal
#   percent-escapes ("%cc%81", "%cc%89"). If normalization decodes them, this
#   pattern will presumably not match; test against a capture and consider
#   http.uri.raw or the decoded bytes in |..| hex notation.
# - depth:73 equals the pattern length and is combined with endswith, so the
#   whole URI buffer must equal this path; a request with an appended query
#   string will not alert.
# - The indicator is the full URL, not the host. Triage and blocking should be
#   scoped to this path rather than to github.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mudtidai1/adrmpt/releases/download/chi%cc%81nhphu%cc%8955/chinhph.55.apk"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828652/; classtype:trojan-activity;sid:84691752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velvepastu.cloafade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828651/; classtype:trojan-activity;sid:84691751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"majorrapid.cloafade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828650/; classtype:trojan-activity;sid:84691750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.49.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828649/; classtype:trojan-activity;sid:84691749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"echocanopy.cloafade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url,
urlhaus.abuse.ch/url/3828648/; classtype:trojan-activity;sid:84691748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828647/; classtype:trojan-activity;sid:84691747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828646/; classtype:trojan-activity;sid:84691746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pyj8st.cloafade.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828645/; classtype:trojan-activity;sid:84691745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.80.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828644/; classtype:trojan-activity;sid:84691744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828643)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.216.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828643/; classtype:trojan-activity;sid:84691743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynlineal8.wentreck.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828642/; classtype:trojan-activity;sid:84691742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chilinaskr.xtp"; depth:15; endswith; nocase; http.host; content:"192.3.176.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828640/; classtype:trojan-activity;sid:84691740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jphvudvlaxtn92.bin"; depth:19; endswith; nocase; http.host; content:"192.3.176.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828641/; classtype:trojan-activity;sid:84691741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6xsj.wentreck.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3828639/; classtype:trojan-activity;sid:84691739; rev:1;)
# Reviewer annotation: how to read the rules below (they all share one shape).
#   alert http $HOME_NET any -> $EXTERNAL_NET any : outbound requests that Suricata parses as HTTP.
#   flow:established,from_client                  : request side of an established flow.
#   http.uri  content + depth + endswith + nocase : depth equals the content length and endswith
#       pins the end of the buffer, so the URI must equal the listed path, ignoring case.
#   http.host content + depth + isdataat:!1,relative : depth equals the content length and no byte
#       may follow the match, so the host must equal the listed name or address.
# Each rule therefore covers exactly one URL. A hit means an internal client requested a URL
# listed on URLhaus; the reference:url entry is where to check the report behind the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.229.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828638/; classtype:trojan-activity;sid:84691738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rl3xewp1.wentreck.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828637/; classtype:trojan-activity;sid:84691737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.229.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828636/; classtype:trojan-activity;sid:84691736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"haul-sheet.wentreck.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828635/; classtype:trojan-activity;sid:84691735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.113.148.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828634/; classtype:trojan-activity;sid:84691734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.176.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828633/; classtype:trojan-activity;sid:84691733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hillrain.wentreck.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828632/; classtype:trojan-activity;sid:84691732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.80.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828631/; classtype:trojan-activity;sid:84691731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genom-node.wentreck.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828630/; classtype:trojan-activity;sid:84691730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828629/; classtype:trojan-activity;sid:84691729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lopamp4.6zoremax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828628/; classtype:trojan-activity;sid:84691728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.131.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828627/; classtype:trojan-activity;sid:84691727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.229.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828624/; classtype:trojan-activity;sid:84691724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.188.116.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828625/; classtype:trojan-activity;sid:84691725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.188.116.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828626/; classtype:trojan-activity;sid:84691726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tarra4.de1xorin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828623/; classtype:trojan-activity;sid:84691723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.45.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828622/; classtype:trojan-activity;sid:84691722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-point6.wi8sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828621/; classtype:trojan-activity;sid:84691721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickmove5.wi8sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828620/; classtype:trojan-activity;sid:84691720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828619/; classtype:trojan-activity;sid:84691719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.246.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828618/; classtype:trojan-activity;sid:84691718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.36.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828617/; classtype:trojan-activity;sid:84691717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-space4.wi8sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828616/; classtype:trojan-activity;sid:84691716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.199.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828614/; classtype:trojan-activity;sid:84691714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.229.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828615/; classtype:trojan-activity;sid:84691715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.229.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828613/; classtype:trojan-activity;sid:84691713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fullbox3.wi8sorel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828612/; classtype:trojan-activity;sid:84691712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.33.31"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828611/; classtype:trojan-activity;sid:84691711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.45.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828610/; classtype:trojan-activity;sid:84691710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lightp-ack2.wi8sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828609/; classtype:trojan-activity;sid:84691709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.176.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828608/; classtype:trojan-activity;sid:84691708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-load1.wi8sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828607/; classtype:trojan-activity;sid:84691707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.234.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828606/; classtype:trojan-activity;sid:84691706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.45.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828605/; classtype:trojan-activity;sid:84691705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lightmoon6.zom2lirex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828604/; classtype:trojan-activity;sid:84691704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; 
endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828598/; classtype:trojan-activity;sid:84691698; rev:1;)
# Reviewer annotation: most rules in this stretch name the same http.host, 208.84.100.209,
# and differ only in the URI: short script names (/w.sh, /ssh.sh, /tftp.sh, /curl.sh, ...)
# and /bins/<name> entries. The /bins/ names (arm, arm5, arm7, mips, mipsel, mpsl, x86, i686,
# amd64, ppc, sh4, m68k) look like CPU architecture labels - inferred from the names only,
# confirm against the URLhaus reports in each reference:url.
# Triage hint: several of these sids firing for one internal client within a short window are
# best handled as a single incident on that client rather than as separate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tp"; depth:3; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828599/; classtype:trojan-activity;sid:84691699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828600/; classtype:trojan-activity;sid:84691700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssh.sh"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828601/; classtype:trojan-activity;sid:84691701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828602/; classtype:trojan-activity;sid:84691702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828603/; classtype:trojan-activity;sid:84691703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sep"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828597/; classtype:trojan-activity;sid:84691697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.60.224"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828596/; classtype:trojan-activity;sid:84691696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-fi-re5.zom2lirex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828595/; classtype:trojan-activity;sid:84691695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.172.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828594/; classtype:trojan-activity;sid:84691694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.246.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828593/; classtype:trojan-activity;sid:84691693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828589/; classtype:trojan-activity;sid:84691689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr.sh"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828590/; classtype:trojan-activity;sid:84691690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828591/; classtype:trojan-activity;sid:84691691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828592/; classtype:trojan-activity;sid:84691692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828588/; classtype:trojan-activity;sid:84691688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftpget.sh"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828587/; classtype:trojan-activity;sid:84691687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828583/; classtype:trojan-activity;sid:84691683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g"; depth:2; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828584/; classtype:trojan-activity;sid:84691684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828585/; classtype:trojan-activity;sid:84691685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn"; depth:3; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828586/; classtype:trojan-activity;sid:84691686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.177.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828582/; classtype:trojan-activity;sid:84691682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w.sh"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828580/; classtype:trojan-activity;sid:84691680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.199.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828581/; classtype:trojan-activity;sid:84691681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-snow4.zom2lirex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828579/; classtype:trojan-activity;sid:84691679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828575/; classtype:trojan-activity;sid:84691675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828576/; classtype:trojan-activity;sid:84691676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828577/; classtype:trojan-activity;sid:84691677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828578/; classtype:trojan-activity;sid:84691678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/c.sh"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828574/; classtype:trojan-activity;sid:84691674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828569/; classtype:trojan-activity;sid:84691669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828570/; classtype:trojan-activity;sid:84691670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828571/; classtype:trojan-activity;sid:84691671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828572/; classtype:trojan-activity;sid:84691672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828573/; classtype:trojan-activity;sid:84691673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828566/; classtype:trojan-activity;sid:84691666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828567/; classtype:trojan-activity;sid:84691667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/amd64"; depth:11; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828568/; classtype:trojan-activity;sid:84691668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bee"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828565/; classtype:trojan-activity;sid:84691665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828564/; classtype:trojan-activity;sid:84691664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clearsky3.zom2lirex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828563/; classtype:trojan-activity;sid:84691663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.205.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828562/; classtype:trojan-activity;sid:84691662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"rainy-ni-ght2.zom2lirex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828561/; classtype:trojan-activity;sid:84691661; rev:1;)
# Reviewer annotation: several rules in this stretch carry the same 82-byte http.uri ending in
# ".google" and differ only in http.host, a different *.in.net name each time. Every rule pins
# one hostname, so when scoping an alert the shared path is the more durable value to search
# for in proxy or HTTP logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunny-day1.zom2lirex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828560/; classtype:trojan-activity;sid:84691660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.172.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828559/; classtype:trojan-activity;sid:84691659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-look6.bovla5xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828558/; classtype:trojan-activity;sid:84691658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-style5.bovla5xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828557/; classtype:trojan-activity;sid:84691657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.41.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828556/; classtype:trojan-activity;sid:84691656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.205.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828555/; classtype:trojan-activity;sid:84691655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-co-at4.bovla5xel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828554/; classtype:trojan-activity;sid:84691654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.159.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828553/; classtype:trojan-activity;sid:84691653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-belt3.bovla5xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828552/; classtype:trojan-activity;sid:84691652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.93.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828551/; classtype:trojan-activity;sid:84691651; rev:1;)
# Reviewer annotation: the rules that follow name http.host 144.91.86.92 under /luxzzxzzx/,
# one per file suffix (aarch64, arm, arm5, mips, mpsl, x86, x86_64). The suffixes look like
# CPU architecture labels - inferred from the names only, confirm against the URLhaus reports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.aarch64"; depth:24; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828548/; classtype:trojan-activity;sid:84691648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828549/; classtype:trojan-activity;sid:84691649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828550/; classtype:trojan-activity;sid:84691650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828536/; classtype:trojan-activity;sid:84691636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828537/; classtype:trojan-activity;sid:84691637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828538/; classtype:trojan-activity;sid:84691638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828539/; classtype:trojan-activity;sid:84691639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828540)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828540/; classtype:trojan-activity;sid:84691640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828541/; classtype:trojan-activity;sid:84691641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/debug"; depth:16; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828542/; classtype:trojan-activity;sid:84691642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828543/; classtype:trojan-activity;sid:84691643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828544/; classtype:trojan-activity;sid:84691644; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828545/; classtype:trojan-activity;sid:84691645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828546/; classtype:trojan-activity;sid:84691646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828547/; classtype:trojan-activity;sid:84691647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.220.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828535/; classtype:trojan-activity;sid:84691635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"white-shirt2.bovla5xel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828534/; classtype:trojan-activity;sid:84691634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.113.148.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828533/; classtype:trojan-activity;sid:84691633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro_stager.exe"; depth:15; endswith; nocase; http.host; content:"38.76.199.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828532/; classtype:trojan-activity;sid:84691632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro_payload.exe"; depth:16; endswith; nocase; http.host; content:"38.76.199.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828529/; classtype:trojan-activity;sid:84691629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload_exe"; depth:12; endswith; nocase; http.host; content:"38.76.199.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828530/; classtype:trojan-activity;sid:84691630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.exe"; depth:12; endswith; nocase; http.host; content:"38.76.199.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828531/; classtype:trojan-activity;sid:84691631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.elf"; depth:12; endswith; nocase; http.host; content:"38.76.199.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828528/; classtype:trojan-activity;sid:84691628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-hat1.bovla5xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828527/; classtype:trojan-activity;sid:84691627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2agent"; depth:8; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828526/; classtype:trojan-activity;sid:84691626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mips"; depth:9; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3828523/; classtype:trojan-activity;sid:84691623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_bot.py"; depth:13; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828524/; classtype:trojan-activity;sid:84691624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toxnet.mips"; depth:12; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828525/; classtype:trojan-activity;sid:84691625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.86"; depth:7; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828522/; classtype:trojan-activity;sid:84691622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_linux_x86_64"; depth:17; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828519/; classtype:trojan-activity;sid:84691619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.x86"; depth:8; endswith; 
nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828520/; classtype:trojan-activity;sid:84691620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.64"; depth:7; endswith; nocase; http.host; content:"54.36.117.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828521/; classtype:trojan-activity;sid:84691621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"144.91.86.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828517/; classtype:trojan-activity;sid:84691617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828518/; classtype:trojan-activity;sid:84691618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vision.sh"; depth:10; endswith; nocase; http.host; content:"77.68.99.77"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828516/; classtype:trojan-activity;sid:84691616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828515)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"2.26.84.151"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828515/; classtype:trojan-activity;sid:84691615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"purewater6.de1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828514/; classtype:trojan-activity;sid:84691614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.65.240"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828513/; classtype:trojan-activity;sid:84691613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-mi-lk5.de1xorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828512/; classtype:trojan-activity;sid:84691612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.txt"; depth:6; endswith; nocase; http.host; content:"144.31.236.60"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828510/; classtype:trojan-activity;sid:84691610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.txt"; depth:6; endswith; nocase; http.host; content:"144.31.236.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828511/; classtype:trojan-activity;sid:84691611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-tea4.de1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828509/; classtype:trojan-activity;sid:84691609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/putty.msi"; depth:13; endswith; nocase; http.host; content:"144.31.236.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828508/; classtype:trojan-activity;sid:84691608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/small.bat"; depth:13; endswith; nocase; http.host; content:"144.31.236.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828507/; classtype:trojan-activity;sid:84691607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3828506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828506/; classtype:trojan-activity;sid:84691606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"118.107.44.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828504/; classtype:trojan-activity;sid:84691604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828505/; classtype:trojan-activity;sid:84691605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828503/; classtype:trojan-activity;sid:84691603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"118.107.44.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828500/; 
classtype:trojan-activity;sid:84691600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828501/; classtype:trojan-activity;sid:84691601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828502/; classtype:trojan-activity;sid:84691602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.68.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828499/; classtype:trojan-activity;sid:84691599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828498/; classtype:trojan-activity;sid:84691598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828497/; classtype:trojan-activity;sid:84691597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828496/; classtype:trojan-activity;sid:84691596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/install.msi"; depth:15; endswith; nocase; http.host; content:"144.31.236.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828495/; classtype:trojan-activity;sid:84691595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.177.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828494/; classtype:trojan-activity;sid:84691594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-soup3.de1xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828493/; classtype:trojan-activity;sid:84691593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3828492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828492/; classtype:trojan-activity;sid:84691592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.de1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828491/; classtype:trojan-activity;sid:84691591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.140.44.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828490/; classtype:trojan-activity;sid:84691590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.175.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828489/; classtype:trojan-activity;sid:84691589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.22.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828487/; classtype:trojan-activity;sid:84691587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.216.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828488/; classtype:trojan-activity;sid:84691588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.204.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828486/; classtype:trojan-activity;sid:84691586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.253.129.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828485/; classtype:trojan-activity;sid:84691585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.253.129.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828484/; classtype:trojan-activity;sid:84691584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.136.154"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828467/; classtype:trojan-activity;sid:84691567; rev:1;)
# Matching notes for the URLhaus rules below:
# - http.uri: each content has a depth equal to its own length plus `endswith`, so the
#   whole URI buffer must equal the quoted path (case-insensitively, via `nocase`).
#   A request that adds a query string or further path segments does not match.
# - http.host: depth equals the content length and `isdataat:!1,relative` requires that
#   nothing follows, so the host must equal the quoted address exactly.
#   NOTE(review): whether a Host header that carries an explicit port still matches
#   depends on how the engine normalises this buffer -- confirm on the deployed version.
# - Some hosts are listed once per path (e.g. 222.138.149.73 and 175.167.108.139 with
#   both "/i" and "/bin.sh"), so one client can raise two different sids for one host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.200.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828468/; classtype:trojan-activity;sid:84691568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.47.120.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828469/; classtype:trojan-activity;sid:84691569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828470/; classtype:trojan-activity;sid:84691570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.6.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828471/; classtype:trojan-activity;sid:84691571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.152.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828472/; classtype:trojan-activity;sid:84691572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.246.110.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828473/; classtype:trojan-activity;sid:84691573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.191.47.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828474/; classtype:trojan-activity;sid:84691574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.110.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828475/; classtype:trojan-activity;sid:84691575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.26.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828476/; classtype:trojan-activity;sid:84691576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.149.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828477/; classtype:trojan-activity;sid:84691577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.38.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828478/; classtype:trojan-activity;sid:84691578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.149.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828479/; classtype:trojan-activity;sid:84691579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.108.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828480/; classtype:trojan-activity;sid:84691580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.215.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828481/; classtype:trojan-activity;sid:84691581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.108.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828482/; classtype:trojan-activity;sid:84691582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.109.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828483/; classtype:trojan-activity;sid:84691583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.147.100.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828465/; classtype:trojan-activity;sid:84691565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.158.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828466/; classtype:trojan-activity;sid:84691566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.238.27.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828464/; 
classtype:trojan-activity;sid:84691564; rev:1;)
# Scope of the rules below: `alert http` with `$HOME_NET any -> $EXTERNAL_NET any` and
# `flow:established,from_client` means they fire only on client requests that the
# engine has parsed as HTTP and that leave HOME_NET. They therefore depend on
# HOME_NET/EXTERNAL_NET being set correctly for the sensor, and they do not see the
# same URL fetched over TLS unless traffic is decrypted before it reaches the sensor.
# Only the GET method is matched (http.method; content:"GET").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.37.212.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828463/; classtype:trojan-activity;sid:84691563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.191.47.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828462/; classtype:trojan-activity;sid:84691562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.180.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828452/; classtype:trojan-activity;sid:84691552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.26.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828453/; classtype:trojan-activity;sid:84691553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.120.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828454/; classtype:trojan-activity;sid:84691554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.177.32.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828455/; classtype:trojan-activity;sid:84691555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.139.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828456/; classtype:trojan-activity;sid:84691556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.215.185.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828457/; classtype:trojan-activity;sid:84691557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.172.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828458/; classtype:trojan-activity;sid:84691558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.37.212.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828459/; classtype:trojan-activity;sid:84691559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.249.250.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828460/; classtype:trojan-activity;sid:84691560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.249.250.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828461/; classtype:trojan-activity;sid:84691561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.102.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828448/; classtype:trojan-activity;sid:84691548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.220.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828449/; classtype:trojan-activity;sid:84691549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.87.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828450/; classtype:trojan-activity;sid:84691550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.197.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828451/; classtype:trojan-activity;sid:84691551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.127.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828446/; classtype:trojan-activity;sid:84691546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.119.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828447/; classtype:trojan-activity;sid:84691547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.35.126.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828442/; classtype:trojan-activity;sid:84691542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3828443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.119.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828443/; classtype:trojan-activity;sid:84691543; rev:1;)
# Triage aid: in every rule visible here the sid equals the URLhaus entry id shown in
# msg/reference plus 80863100 (e.g. 3828444 -> 84691544), so an alert's sid maps
# directly back to its urlhaus.abuse.ch/url/<id>/ page. Keep locally written rules
# outside this sid range so they cannot collide with the feed when it is refreshed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.246.110.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828444/; classtype:trojan-activity;sid:84691544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.187.36.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828445/; classtype:trojan-activity;sid:84691545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.223.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828433/; classtype:trojan-activity;sid:84691533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.216.120.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828434/; classtype:trojan-activity;sid:84691534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.25.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828435/; classtype:trojan-activity;sid:84691535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.5.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828436/; classtype:trojan-activity;sid:84691536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.58.211.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828437/; classtype:trojan-activity;sid:84691537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.206.205.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828438/; classtype:trojan-activity;sid:84691538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.37.151.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828439/; classtype:trojan-activity;sid:84691539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.25.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828440/; classtype:trojan-activity;sid:84691540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.180.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828441/; classtype:trojan-activity;sid:84691541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.163.187.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828432/; classtype:trojan-activity;sid:84691532; rev:1;)
# The next rule pins a hostname rather than an IP literal. http.host is matched without
# `nocase`; Suricata normalises that buffer to lowercase, so the lowercase pattern is
# sufficient. The match is exact on the full hostname, so a sibling subdomain serving
# the same path is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pie1.de1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828431/; classtype:trojan-activity;sid:84691531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.233.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828427/; classtype:trojan-activity;sid:84691527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.158.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828428/; classtype:trojan-activity;sid:84691528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.192.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828429/; classtype:trojan-activity;sid:84691529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.59.82.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828430/; classtype:trojan-activity;sid:84691530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.227.255.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828416/; classtype:trojan-activity;sid:84691516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828417/; classtype:trojan-activity;sid:84691517; rev:1;)
# Every complete rule in this stretch keys on a bare IPv4 literal in http.host together
# with a very short path ("/i" or "/bin.sh"), so an alert is only as specific as that
# address. All are stamped created_at 2026_04_22, and an address can be reassigned
# after an entry goes offline: refresh the ruleset on a schedule and check the current
# status of the referenced URLhaus entry before treating an alert raised from an old
# copy as confirmed.
# Several hosts appear once per path (e.g. 42.231.210.132, 61.53.72.30); alerts for
# both paths from the same client are worth correlating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.152.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828418/; classtype:trojan-activity;sid:84691518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.102.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828419/; classtype:trojan-activity;sid:84691519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.136.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828420/; classtype:trojan-activity;sid:84691520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.177.32.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828421/; classtype:trojan-activity;sid:84691521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.2.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828422/; classtype:trojan-activity;sid:84691522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.210.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828423/; classtype:trojan-activity;sid:84691523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.210.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828424/; classtype:trojan-activity;sid:84691524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.254.120.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828425/; classtype:trojan-activity;sid:84691525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.226.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828426/; classtype:trojan-activity;sid:84691526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"109.236.46.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828415/; classtype:trojan-activity;sid:84691515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.204.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828414/; classtype:trojan-activity;sid:84691514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.197.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828404/; classtype:trojan-activity;sid:84691504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.72.30"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828405/; classtype:trojan-activity;sid:84691505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.110.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828406/; classtype:trojan-activity;sid:84691506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.72.30"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828407/; classtype:trojan-activity;sid:84691507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.241.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828408/; classtype:trojan-activity;sid:84691508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.125.60.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828409/; classtype:trojan-activity;sid:84691509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.76.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828410/; classtype:trojan-activity;sid:84691510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.230.129.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828411/; classtype:trojan-activity;sid:84691511; rev:1;)
# The msg text of these rules differs only by the URLhaus id, so the alert text alone
# does not say which host or path was requested; take those from the HTTP fields of the
# alert event or from the page named in `reference`.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.227.255.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828412/; classtype:trojan-activity;sid:84691512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.159.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828413/; classtype:trojan-activity;sid:84691513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.117.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828394/; classtype:trojan-activity;sid:84691494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.210.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828395/; classtype:trojan-activity;sid:84691495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.83.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828396/; classtype:trojan-activity;sid:84691496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.220.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828397/; classtype:trojan-activity;sid:84691497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.22.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828398/; classtype:trojan-activity;sid:84691498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828399/; classtype:trojan-activity;sid:84691499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.46.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828400/; classtype:trojan-activity;sid:84691500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.58.211.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828401/; classtype:trojan-activity;sid:84691501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.6.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828402/; classtype:trojan-activity;sid:84691502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.129.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828403/; classtype:trojan-activity;sid:84691503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828393/; classtype:trojan-activity;sid:84691493; rev:1;)
# The three rules for *.kymle9rax.in.net in this stretch (sids 84691492, 84691490 and
# 84691487) share one identical 82-byte URI and differ only in the subdomain. Each pins
# the full hostname, so a further subdomain serving the same path would need its own
# feed entry -- or a locally maintained rule keyed on the path, if that path is judged
# distinctive enough for the environment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-task6.kymle9rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828392/; classtype:trojan-activity;sid:84691492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.180.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828391/; classtype:trojan-activity;sid:84691491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"just-ta-lk5.kymle9rax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828390/; classtype:trojan-activity;sid:84691490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.7.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828389/; classtype:trojan-activity;sid:84691489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.95.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828388/; classtype:trojan-activity;sid:84691488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nice-shot4.kymle9rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828387/; classtype:trojan-activity;sid:84691487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.2.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828386/; classtype:trojan-activity;sid:84691486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/oueia.txt"; depth:12; endswith; nocase; http.host; content:"46.151.182.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828384/; classtype:trojan-activity;sid:84691484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.204.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828385/; classtype:trojan-activity;sid:84691485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828383/; classtype:trojan-activity;sid:84691483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/win32.vbs"; depth:10; endswith; nocase; http.host; content:"46.151.182.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828382/; classtype:trojan-activity;sid:84691482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"realfact3.kymle9rax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828381/; classtype:trojan-activity;sid:84691481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config.txt"; depth:11; endswith; nocase; http.host; content:"46.151.182.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828380/; classtype:trojan-activity;sid:84691480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.180.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828379/; classtype:trojan-activity;sid:84691479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828378)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/win64.vbs"; depth:10; endswith; nocase; http.host; content:"46.151.182.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828378/; classtype:trojan-activity;sid:84691478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.42.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828377/; classtype:trojan-activity;sid:84691477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.110.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828376/; classtype:trojan-activity;sid:84691476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-ti-me2.kymle9rax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828375/; classtype:trojan-activity;sid:84691475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.134.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828374/; 
classtype:trojan-activity;sid:84691474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828372/; classtype:trojan-activity;sid:84691472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.215.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828373/; classtype:trojan-activity;sid:84691473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-news1.kymle9rax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828371/; classtype:trojan-activity;sid:84691471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nazoboje"; depth:9; endswith; nocase; http.host; content:"46.151.182.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828369/; classtype:trojan-activity;sid:84691469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cayuhi"; 
depth:7; endswith; nocase; http.host; content:"46.151.182.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828370/; classtype:trojan-activity;sid:84691470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.95.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828368/; classtype:trojan-activity;sid:84691468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sideview6.po3vaxil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828367/; classtype:trojan-activity;sid:84691467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gpasskey"; depth:9; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828366/; classtype:trojan-activity;sid:84691466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.204.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828365/; classtype:trojan-activity;sid:84691465; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.60.77.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828364/; classtype:trojan-activity;sid:84691464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"backy-ard5.po3vaxil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828363/; classtype:trojan-activity;sid:84691463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dopafab"; depth:8; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828357/; classtype:trojan-activity;sid:84691457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sobese"; depth:7; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828358/; classtype:trojan-activity;sid:84691458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/biyubare"; depth:9; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828359/; classtype:trojan-activity;sid:84691459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lamimimi"; depth:9; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828360/; classtype:trojan-activity;sid:84691460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verole"; depth:7; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828361/; classtype:trojan-activity;sid:84691461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gonelijek"; depth:10; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828362/; classtype:trojan-activity;sid:84691462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggldataexport"; depth:14; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828356/; classtype:trojan-activity;sid:84691456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828353)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/googlepasskeygood"; depth:18; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828353/; classtype:trojan-activity;sid:84691453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appleexport"; depth:12; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828354/; classtype:trojan-activity;sid:84691454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledataexport"; depth:17; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828355/; classtype:trojan-activity;sid:84691455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aplexport"; depth:10; endswith; nocase; http.host; content:"64.89.160.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828352/; classtype:trojan-activity;sid:84691452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-room4.po3vaxil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828351/; 
classtype:trojan-activity;sid:84691451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.79.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828350/; classtype:trojan-activity;sid:84691450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nextdoor3.po3vaxil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828349/; classtype:trojan-activity;sid:84691449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/update.ps1"; depth:22; endswith; nocase; http.host; content:"acbcr.ro"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828348/; classtype:trojan-activity;sid:84691448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peton.zip"; depth:10; endswith; nocase; http.host; content:"vasijl-cloud.b-cdn.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828347/; classtype:trojan-activity;sid:84691447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828346)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ae228216-ad43-473f-94dd-b2c8616a2123/ck-dce6bcbb1a728ea8d871de6d169a2057.cloudflare"; depth:84; endswith; nocase; http.host; content:"indexsearchfindresult.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828346/; classtype:trojan-activity;sid:84691446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check.php"; depth:10; endswith; nocase; http.host; content:"indexsearchfindresult.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828345/; classtype:trojan-activity;sid:84691445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-wa-lk2.po3vaxil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828344/; classtype:trojan-activity;sid:84691444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.215.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828343/; classtype:trojan-activity;sid:84691443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.60.77.123"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3828342/; classtype:trojan-activity;sid:84691442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-floor1.po3vaxil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828341/; classtype:trojan-activity;sid:84691441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"144.48.123.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828340/; classtype:trojan-activity;sid:84691440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usoshared.exe"; depth:14; endswith; nocase; http.host; content:"83.142.209.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828338/; classtype:trojan-activity;sid:84691438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sliver-client_linux-amd64"; depth:26; endswith; nocase; http.host; content:"83.142.209.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828339/; classtype:trojan-activity;sid:84691439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828337)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828337/; classtype:trojan-activity;sid:84691437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silverrain6.to7virel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828336/; classtype:trojan-activity;sid:84691436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.100.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828334/; classtype:trojan-activity;sid:84691434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.161.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828335/; classtype:trojan-activity;sid:84691435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whitecl-oud5.to7virel.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828333/; classtype:trojan-activity;sid:84691433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.239.210.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828332/; classtype:trojan-activity;sid:84691432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.42.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828331/; classtype:trojan-activity;sid:84691431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-fish4.to7virel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828330/; classtype:trojan-activity;sid:84691430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-ocean3.to7virel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828329/; classtype:trojan-activity;sid:84691429; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.247.238.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828328/; classtype:trojan-activity;sid:84691428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xclient...exe"; depth:14; endswith; nocase; http.host; content:"206.245.165.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828327/; classtype:trojan-activity;sid:84691427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.157.23.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828326/; classtype:trojan-activity;sid:84691426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darknight2.to7virel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828325/; classtype:trojan-activity;sid:84691425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828324)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-sky1.to7virel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828324/; classtype:trojan-activity;sid:84691424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.11.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828323/; classtype:trojan-activity;sid:84691423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolstone6.sylom2er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828322/; classtype:trojan-activity;sid:84691422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.105.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828321/; classtype:trojan-activity;sid:84691421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.201.140.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828320/; classtype:trojan-activity;sid:84691420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmbr-ead5.sylom2er.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828319/; classtype:trojan-activity;sid:84691419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.234.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828318/; classtype:trojan-activity;sid:84691418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-tea4.sylom2er.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828317/; classtype:trojan-activity;sid:84691417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.11.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828316/; classtype:trojan-activity;sid:84691416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3828315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshmilk3.sylom2er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828315/; classtype:trojan-activity;sid:84691415; rev:1;)
# URLhaus feed rules, one per reported URL. Each rule alerts on an outbound
# ($HOME_NET -> $EXTERNAL_NET) HTTP GET whose http.uri and http.host both equal
# the listed values exactly: depth equals the pattern length, and endswith /
# isdataat:!1,relative allow no bytes after the pattern. The URI match is
# case-insensitive (nocase).
# The match is on the client request (flow:established,from_client), so an alert
# shows that a fetch was attempted; whether a payload was delivered has to be
# confirmed from the response or from host telemetry.
#
# The sylom2er.in.net rules in this block share one 82-byte URI and differ only
# in the left-most host label. Because http.host is matched exactly, a label
# that is not yet listed in the feed is not covered by these rules.
# NOTE(review): if that gap matters locally, a site-maintained rule keyed on the
# URI alone, or DNS logging for the parent domain, is the place to generalise -
# check false-positive risk before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-pear2.sylom2er.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828314/; classtype:trojan-activity;sid:84691414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828313/; classtype:trojan-activity;sid:84691413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tastyapple1.sylom2er.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828312/; classtype:trojan-activity;sid:84691412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828311)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.105.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828311/; classtype:trojan-activity;sid:84691411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-page6.ra4xilen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828310/; classtype:trojan-activity;sid:84691410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.221.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828309/; classtype:trojan-activity;sid:84691409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.232.53.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828308/; classtype:trojan-activity;sid:84691408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigwall5.ra4xilen.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3828307/; classtype:trojan-activity;sid:84691407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldwa-ter4.ra4xilen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828306/; classtype:trojan-activity;sid:84691406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828305/; classtype:trojan-activity;sid:84691405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.78.95.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828304/; classtype:trojan-activity;sid:84691404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-mark3.ra4xilen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828303/; classtype:trojan-activity;sid:84691403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3828302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"softwind2.ra4xilen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828302/; classtype:trojan-activity;sid:84691402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.201.140.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828301/; classtype:trojan-activity;sid:84691401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-book1.ra4xilen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828300/; classtype:trojan-activity;sid:84691400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.148.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828299/; classtype:trojan-activity;sid:84691399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828298)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hight-ree6.6zoremax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828298/; classtype:trojan-activity;sid:84691398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clearview5.6zoremax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828297/; classtype:trojan-activity;sid:84691397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.78.95.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828296/; classtype:trojan-activity;sid:84691396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.163.91.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828295/; classtype:trojan-activity;sid:84691395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"small-lamp4.6zoremax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828294/; classtype:trojan-activity;sid:84691394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wallet.exe"; depth:11; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828293/; classtype:trojan-activity;sid:84691393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fastrun3.6zoremax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828292/; classtype:trojan-activity;sid:84691392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gre-enleaf2.6zoremax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828291/; classtype:trojan-activity;sid:84691391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.136.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828290/; 
classtype:trojan-activity;sid:84691390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.46.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828289/; classtype:trojan-activity;sid:84691389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-box1.6zoremax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828288/; classtype:trojan-activity;sid:84691388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-po-int6.buckishing-out.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828287/; classtype:trojan-activity;sid:84691387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickmo-ve5.buckishing-out.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828286/; classtype:trojan-activity;sid:84691386; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.99.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828285/; classtype:trojan-activity;sid:84691385; rev:1;)
# URLhaus feed rules, one per reported URL. Each rule alerts on an outbound
# ($HOME_NET -> $EXTERNAL_NET) HTTP GET whose http.uri and http.host both equal
# the listed values exactly: depth equals the pattern length, and endswith /
# isdataat:!1,relative allow no bytes after the pattern.
# The match is on the client request (flow:established,from_client), so an alert
# shows that a fetch was attempted, not that a payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-s-pac4.buckishing-out.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828284/; classtype:trojan-activity;sid:84691384; rev:1;)
# NOTE(review): the next two rules match Host "github.com" through the HTTP
# parser. github.com is normally reached over HTTPS, so these rules can only
# fire where the sensor sees decrypted traffic (for example behind a
# TLS-inspecting proxy) - confirm for your deployment; elsewhere, proxy or
# endpoint telemetry has to cover these URLs.
# The host is a shared platform and the specificity is entirely in the release
# path, so this indicator should not be promoted to a host-level block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daimyoclorespect/roblox-bubblegum-simulator-script/releases/download/new/robloxbgs-1.2.0-win64.rar"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828283/; classtype:trojan-activity;sid:84691383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/studentreflect/roblox-da-hood-script/releases/download/new/robloxdahood-1.5.3-win64.rar"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828282/; classtype:trojan-activity;sid:84691382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3828281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-b-ox3.buckishing-out.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828281/; classtype:trojan-activity;sid:84691381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.197.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828280/; classtype:trojan-activity;sid:84691380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lightp-ack2.buckishing-out.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828279/; classtype:trojan-activity;sid:84691379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.151.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828278/; classtype:trojan-activity;sid:84691378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828277)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-lo-ad1.buckishing-out.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828277/; classtype:trojan-activity;sid:84691377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.135.177.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828276/; classtype:trojan-activity;sid:84691376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-mo-on6.sin8lebreasted.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828275/; classtype:trojan-activity;sid:84691375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.174.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828274/; classtype:trojan-activity;sid:84691374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.197.215"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3828273/; classtype:trojan-activity;sid:84691373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmf-ire5.sin8lebreasted.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828272/; classtype:trojan-activity;sid:84691372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"76.49.31.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828271/; classtype:trojan-activity;sid:84691371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.140.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828270/; classtype:trojan-activity;sid:84691370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-sn-ow4.sin8lebreasted.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828269/; classtype:trojan-activity;sid:84691369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3828268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-sky3.sin8lebreasted.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828268/; classtype:trojan-activity;sid:84691368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828267/; classtype:trojan-activity;sid:84691367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rainy-ni-ght2.sin8lebreasted.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828266/; classtype:trojan-activity;sid:84691366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunny-d-ay1.sin8lebreasted.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828265/; classtype:trojan-activity;sid:84691365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828264/; classtype:trojan-activity;sid:84691364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.135.177.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828263/; classtype:trojan-activity;sid:84691363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.158.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828262/; classtype:trojan-activity;sid:84691362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.162.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828260/; classtype:trojan-activity;sid:84691360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.128.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828261/; classtype:trojan-activity;sid:84691361; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-lo-ok6.arena-plug.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828259/; classtype:trojan-activity;sid:84691359; rev:1;)
# URLhaus feed rules, one per reported URL. Each rule alerts on an outbound
# ($HOME_NET -> $EXTERNAL_NET) HTTP GET whose http.uri and http.host both equal
# the listed values exactly: depth equals the pattern length, and endswith /
# isdataat:!1,relative allow no bytes after the pattern.
# The match is on the client request (flow:established,from_client), so an alert
# shows that a fetch was attempted, not that a payload was delivered.
# NOTE(review): file names such as mozi.m, mozi.a, arm6 and arm5 look like
# per-architecture Linux/IoT payloads; the URLhaus entry in each rule's
# reference is the authority on what the sample actually is.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"72.255.19.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828258/; classtype:trojan-activity;sid:84691358; rev:1;)
# The next two rules (/giga.sh and /arm6) name the same host, 208.84.100.209;
# alerts from either are worth correlating per internal source address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giga.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828256/; classtype:trojan-activity;sid:84691356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828257/; classtype:trojan-activity;sid:84691357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"72.255.33.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828255/; classtype:trojan-activity;sid:84691355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"206.135.170.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828254/; classtype:trojan-activity;sid:84691354; rev:1;)
# The next two rules (/lll and ///arm5) name the same host, 94.26.106.134.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"94.26.106.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828252/; classtype:trojan-activity;sid:84691352; rev:1;)
# NOTE(review): this pattern starts with three slashes and is matched in
# http.uri, the normalized URI buffer. If the engine's URI normalization
# compresses repeated path separators, the buffer would hold "/arm5" and this
# exact 7-byte match would never fire - verify against a test capture; if it
# does not match, a local copy using http.uri.raw is the likely remedy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"94.26.106.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828253/; classtype:trojan-activity;sid:84691353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newst-yle5.arena-plug.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828251/; classtype:trojan-activity;sid:84691351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3828250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.99.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828250/; classtype:trojan-activity;sid:84691350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x64.exe"; depth:12; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828249/; classtype:trojan-activity;sid:84691349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828248/; classtype:trojan-activity;sid:84691348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828247/; classtype:trojan-activity;sid:84691347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massload"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828245/; 
classtype:trojan-activity;sid:84691345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.130.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828246/; classtype:trojan-activity;sid:84691346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-co-at4.arena-plug.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828244/; classtype:trojan-activity;sid:84691344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"76.49.31.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828243/; classtype:trojan-activity;sid:84691343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-be-lt3.arena-plug.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828242/; classtype:trojan-activity;sid:84691342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828241)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-shir-t2.arena-plug.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828241/; classtype:trojan-activity;sid:84691341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.12.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828240/; classtype:trojan-activity;sid:84691340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.29.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828238/; classtype:trojan-activity;sid:84691338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.162.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828239/; classtype:trojan-activity;sid:84691339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.58.197.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, 
urlhaus.abuse.ch/url/3828235/; classtype:trojan-activity;sid:84691335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.104.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828236/; classtype:trojan-activity;sid:84691336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.217.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828237/; classtype:trojan-activity;sid:84691337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.226.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828234/; classtype:trojan-activity;sid:84691334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.69.26"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828233/; classtype:trojan-activity;sid:84691333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828232)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-h-at1.arena-plug.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828232/; classtype:trojan-activity;sid:84691332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.23.80.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828231/; classtype:trojan-activity;sid:84691331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"purewa-ter6.import8ravitate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828230/; classtype:trojan-activity;sid:84691330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deermoment/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828228/; classtype:trojan-activity;sid:84691328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828229)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/deermoment/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828229/; classtype:trojan-activity;sid:84691329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolmi-lk5.import8ravitate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828227/; classtype:trojan-activity;sid:84691327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-tea4.import8ravitate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828226/; classtype:trojan-activity;sid:84691326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.91.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828225/; classtype:trojan-activity;sid:84691325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1ffeyn/roxxy/-/raw/main/api.exe"; depth:33; endswith; nocase; http.host; 
content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828224/; classtype:trojan-activity;sid:84691324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/efewefwewfew342234423234feweefwwefewefweffewwefewf.php|3f|file=333.exe"; depth:185; endswith; nocase; http.host; content:"xs.bhaaratkeeshakti.vip"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828223/; classtype:trojan-activity;sid:84691323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.104.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828222/; classtype:trojan-activity;sid:84691322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.29.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828221/; classtype:trojan-activity;sid:84691321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-s-oup3.import8ravitate.in.net"; depth:33; 
isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828220/; classtype:trojan-activity;sid:84691320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.82.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828219/; classtype:trojan-activity;sid:84691319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.import8ravitate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828218/; classtype:trojan-activity;sid:84691318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.69.26"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828217/; classtype:trojan-activity;sid:84691317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pi-e1.import8ravitate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828216/; classtype:trojan-activity;sid:84691316; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes on the rule template used by the entries that follow.
#
# What each rule matches:
#   - an established, client-to-server HTTP request from $HOME_NET to
#     $EXTERNAL_NET whose method is GET;
#   - http.uri: the content's depth equals the pattern length and is combined
#     with endswith, so the whole URI buffer must equal the listed path
#     (case-insensitively, via nocase);
#   - http.host: depth equals the pattern length and isdataat:!1,relative
#     requires that nothing follows, so the Host must equal the listed value.
#
# Coverage limits to keep in mind when triaging or tuning:
#   - Both buffers are matched exactly. A request to the same host with a
#     different path, or with a query string not listed here, raises no alert.
#     Pair these rules with host- or IP-level indicators if broader coverage
#     is needed.
#   - "alert http" only sees traffic the sensor can parse as HTTP. A download
#     fetched over TLS is not matched unless it is decrypted before the sensor.
#     NOTE(review): this matters for entries in this ruleset whose http.host is
#     a shared platform (github.com, raw.githubusercontent.com, gitlab.com),
#     which normally serve over HTTPS. Confirm how the sensor is deployed.
#   - For those shared-platform entries the indicator is the specific file
#     path, not the host. Do not derive host-level blocks from such an alert.
#   - metadata:created_at records when the entry was added. NOTE(review):
#     indicators on bare IP addresses presumably age quickly, so check the
#     reference URL for current status before acting on an old hit.
#
# Correlation:
#   - The number in msg and in the reference URL is the URLhaus entry ID. In
#     the visible entries the sid appears to be that ID plus 80863100.
#   - Several consecutive entries below share one host (176.65.132.117) and
#     differ only in a /main_<arch> path suffix (mips, sh4, m68k, arm, ...).
#     A hit on any one of them is a reason to review all traffic from that
#     client to the same address.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.140.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828215/; classtype:trojan-activity;sid:84691315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828211/; classtype:trojan-activity;sid:84691311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828212/; classtype:trojan-activity;sid:84691312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828213/; classtype:trojan-activity;sid:84691313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_22; reference:url, urlhaus.abuse.ch/url/3828214/; classtype:trojan-activity;sid:84691314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-ta-sk6.eighth-swollen.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828210/; classtype:trojan-activity;sid:84691310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828203/; classtype:trojan-activity;sid:84691303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828204/; classtype:trojan-activity;sid:84691304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828205/; classtype:trojan-activity;sid:84691305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828206)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828206/; classtype:trojan-activity;sid:84691306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828207/; classtype:trojan-activity;sid:84691307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828208/; classtype:trojan-activity;sid:84691308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"176.65.132.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828209/; classtype:trojan-activity;sid:84691309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"justta-lk5.eighth-swollen.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; 
reference:url, urlhaus.abuse.ch/url/3828202/; classtype:trojan-activity;sid:84691302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.91.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828201/; classtype:trojan-activity;sid:84691301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nice-sh-ot4.eighth-swollen.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828200/; classtype:trojan-activity;sid:84691300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.129.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828199/; classtype:trojan-activity;sid:84691299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.78.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828198/; classtype:trojan-activity;sid:84691298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828197)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"real-fact3.eighth-swollen.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828197/; classtype:trojan-activity;sid:84691297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.75.24"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828196/; classtype:trojan-activity;sid:84691296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.253.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828195/; classtype:trojan-activity;sid:84691295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-ti-me2.eighth-swollen.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828194/; classtype:trojan-activity;sid:84691294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.254.205"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828193/; classtype:trojan-activity;sid:84691293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-n-ews1.eighth-swollen.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828192/; classtype:trojan-activity;sid:84691292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.30.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828190/; classtype:trojan-activity;sid:84691290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.254.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828191/; classtype:trojan-activity;sid:84691291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.250.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828189/; classtype:trojan-activity;sid:84691289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828188)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"side-vi-ew6.cr2pskiing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828188/; classtype:trojan-activity;sid:84691288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"backy-ard5.cr2pskiing.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828187/; classtype:trojan-activity;sid:84691287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.7.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828186/; classtype:trojan-activity;sid:84691286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.75.24"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828185/; classtype:trojan-activity;sid:84691285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828184)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fullr-oom4.cr2pskiing.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828184/; classtype:trojan-activity;sid:84691284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"next-door3.cr2pskiing.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828183/; classtype:trojan-activity;sid:84691283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.80.140.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828182/; classtype:trojan-activity;sid:84691282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-wa-lk2.cr2pskiing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828181/; classtype:trojan-activity;sid:84691281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.12.30.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828180/; classtype:trojan-activity;sid:84691280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.250.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828179/; classtype:trojan-activity;sid:84691279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-f-loor1.cr2pskiing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828178/; classtype:trojan-activity;sid:84691278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silver-ra-in6.basis-embankment.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828177/; classtype:trojan-activity;sid:84691277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.61.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828176/; 
classtype:trojan-activity;sid:84691276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whitecl-oud5.basis-embankment.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828175/; classtype:trojan-activity;sid:84691275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.209.76.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828174/; classtype:trojan-activity;sid:84691274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goldfi-sh4.basis-embankment.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828173/; classtype:trojan-activity;sid:84691273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.80.140.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828172/; classtype:trojan-activity;sid:84691272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3828171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.241.223.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828171/; classtype:trojan-activity;sid:84691271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828169/; classtype:trojan-activity;sid:84691269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.252.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828170/; classtype:trojan-activity;sid:84691270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828166/; classtype:trojan-activity;sid:84691266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828167/; 
classtype:trojan-activity;sid:84691267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828168/; classtype:trojan-activity;sid:84691268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-ocean3.basis-embankment.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828165/; classtype:trojan-activity;sid:84691265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828163/; classtype:trojan-activity;sid:84691263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828164/; classtype:trojan-activity;sid:84691264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828159)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/jew.arm5"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828159/; classtype:trojan-activity;sid:84691259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828160/; classtype:trojan-activity;sid:84691260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm7"; depth:14; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828161/; classtype:trojan-activity;sid:84691261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.spc"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828162/; classtype:trojan-activity;sid:84691262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"5.134.246.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828158/; classtype:trojan-activity;sid:84691258; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828157/; classtype:trojan-activity;sid:84691257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.27.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828156/; classtype:trojan-activity;sid:84691256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-ni-ght2.basis-embankment.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828155/; classtype:trojan-activity;sid:84691255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-sk-y1.basis-embankment.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828154/; classtype:trojan-activity;sid:84691254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828153)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-ca-se6.jemannik5helma.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828153/; classtype:trojan-activity;sid:84691253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.243.8.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828152/; classtype:trojan-activity;sid:84691252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828151/; classtype:trojan-activity;sid:84691251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-stone5.jemannik5helma.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828150/; classtype:trojan-activity;sid:84691250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"warm-m-ilk4.jemannik5helma.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828149/; classtype:trojan-activity;sid:84691249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hottea3.jemannik5helma.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828148/; classtype:trojan-activity;sid:84691248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.jemannik5helma.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828147/; classtype:trojan-activity;sid:84691247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-app-l1.jemannik5helma.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828146/; classtype:trojan-activity;sid:84691246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828145)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"redbook6.aperitif-form.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828145/; classtype:trojan-activity;sid:84691245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.252.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828144/; classtype:trojan-activity;sid:84691244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.201.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828143/; classtype:trojan-activity;sid:84691243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldwa-ter5.aperitif-form.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828142/; classtype:trojan-activity;sid:84691242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"new-vi-ew4.aperitif-form.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828141/; classtype:trojan-activity;sid:84691241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.183.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828140/; classtype:trojan-activity;sid:84691240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigwall3.aperitif-form.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828139/; classtype:trojan-activity;sid:84691239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.100.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828138/; classtype:trojan-activity;sid:84691238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-cha-ir2.aperitif-form.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828137/; 
classtype:trojan-activity;sid:84691237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.243.8.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828136/; classtype:trojan-activity;sid:84691236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-wind1.aperitif-form.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828135/; classtype:trojan-activity;sid:84691235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cle-arbox6.mi5demeanwork.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828134/; classtype:trojan-activity;sid:84691234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"faststep5.mi5demeanwork.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828132/; classtype:trojan-activity;sid:84691232; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-pa-per4.mi5demeanwork.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828131/; classtype:trojan-activity;sid:84691231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.183.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828130/; classtype:trojan-activity;sid:84691230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smalllamp3.mi5demeanwork.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828129/; classtype:trojan-activity;sid:84691229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.246.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828127/; classtype:trojan-activity;sid:84691227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828128)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.100.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828128/; classtype:trojan-activity;sid:84691228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.242.152.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828126/; classtype:trojan-activity;sid:84691226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glassb-otl2.mi5demeanwork.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828125/; classtype:trojan-activity;sid:84691225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.77.12.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828124/; classtype:trojan-activity;sid:84691224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"204.76.203.196.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828123/; 
classtype:trojan-activity;sid:84691223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-tray1.mi5demeanwork.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828122/; classtype:trojan-activity;sid:84691222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ew6.kymle2rix.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828121/; classtype:trojan-activity;sid:84691221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dfsgg.de8xapil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828120/; classtype:trojan-activity;sid:84691220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.114.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828119/; classtype:trojan-activity;sid:84691219; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0tt37-graph.mongol-replace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828118/; classtype:trojan-activity;sid:84691218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-1llu.mongol-replace.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828117/; classtype:trojan-activity;sid:84691217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tri-draa.mongol-replace.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828116/; classtype:trojan-activity;sid:84691216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.156.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828115/; classtype:trojan-activity;sid:84691215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3828114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.198.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828114/; classtype:trojan-activity;sid:84691214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"handlerequi.mongol-replace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828113/; classtype:trojan-activity;sid:84691213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.185.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828112/; classtype:trojan-activity;sid:84691212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"7afu.mongol-replace.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828111/; classtype:trojan-activity;sid:84691211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.85.185.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828110/; classtype:trojan-activity;sid:84691210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.114.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828109/; classtype:trojan-activity;sid:84691209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.246.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828108/; classtype:trojan-activity;sid:84691208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4mber2-flow.mongol-replace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828107/; classtype:trojan-activity;sid:84691207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828106/; classtype:trojan-activity;sid:84691206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3828105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.77.12.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828105/; classtype:trojan-activity;sid:84691205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wwyik.dependint7amur.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828104/; classtype:trojan-activity;sid:84691204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.198.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828103/; classtype:trojan-activity;sid:84691203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.156.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828102/; classtype:trojan-activity;sid:84691202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_21; reference:url, urlhaus.abuse.ch/url/3828100/; classtype:trojan-activity;sid:84691200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828101/; classtype:trojan-activity;sid:84691201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828092/; classtype:trojan-activity;sid:84691192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828093/; classtype:trojan-activity;sid:84691193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828094/; classtype:trojan-activity;sid:84691194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; 
content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828095/; classtype:trojan-activity;sid:84691195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828096/; classtype:trojan-activity;sid:84691196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828097/; classtype:trojan-activity;sid:84691197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828098/; classtype:trojan-activity;sid:84691198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828099/; classtype:trojan-activity;sid:84691199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828091)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"openshi.dependint7amur.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828091/; classtype:trojan-activity;sid:84691191; rev:1;)
# One 82-byte URI is repeated across several subdomains of dependint7amur.in.net. Each subdomain has its own rule because the host match is exact; a subdomain that is not listed does not alert on these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rzeusijc.dependint7amur.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828090/; classtype:trojan-activity;sid:84691190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"383aosc.dependint7amur.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828089/; classtype:trojan-activity;sid:84691189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ymqzqwf.dependint7amur.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828088/; classtype:trojan-activity;sid:84691188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828086)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828086/; classtype:trojan-activity;sid:84691186; rev:1;)
# /i and /bin.sh on bare IPv4 hosts: the URI string is only 2 to 7 bytes, so the specificity of these rules comes from the exact http.host match.
# metadata:created_at records the listing date; NOTE(review): it can be used to age out stale entries, since an IP address may later serve unrelated content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.138.4.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828087/; classtype:trojan-activity;sid:84691187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.226.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828085/; classtype:trojan-activity;sid:84691185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"luna-nod.dependint7amur.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828084/; classtype:trojan-activity;sid:84691184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.143.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3828083/; classtype:trojan-activity;sid:84691183; rev:1;)
# Two /bin.sh entries on bare IPv4 hosts, then the shared 82-byte URI on subdomains of over-resweat.in.net. The host is matched exactly, one rule per subdomain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.228.241.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828082/; classtype:trojan-activity;sid:84691182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.156.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828081/; classtype:trojan-activity;sid:84691181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t1ny-branch.over-resweat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828080/; classtype:trojan-activity;sid:84691180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qjdc65n.over-resweat.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828079/; classtype:trojan-activity;sid:84691179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3828078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828078/; classtype:trojan-activity;sid:84691178; rev:1;)
# `alert http` evaluates requests that Suricata's HTTP parser sees in cleartext; the same URL fetched over TLS is not matched by these rules unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.121.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828077/; classtype:trojan-activity;sid:84691177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fabr2-path.over-resweat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828076/; classtype:trojan-activity;sid:84691176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.138.4.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828075/; classtype:trojan-activity;sid:84691175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.238.130"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_21; reference:url, urlhaus.abuse.ch/url/3828074/; classtype:trojan-activity;sid:84691174; rev:1;)
# After one more over-resweat.in.net entry, the listed host is 176.65.139.8. Its file names combine a prefix (h3flood, h2rapidreset) with a suffix that looks like a CPU-architecture label; every name has its own rule and sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkmark8um.over-resweat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828073/; classtype:trojan-activity;sid:84691173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.x64"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828062/; classtype:trojan-activity;sid:84691162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.s390x"; depth:19; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828063/; classtype:trojan-activity;sid:84691163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.riscv64"; depth:21; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828064/; classtype:trojan-activity;sid:84691164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.riscv64"; depth:16; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828065/; classtype:trojan-activity;sid:84691165; rev:1;)
# Host 176.65.139.8, h2stream.* / h3flood.* / h2rapidreset.* names. The header $HOME_NET any -> $EXTERNAL_NET any limits evaluation to requests leaving the protected networks, so coverage depends on both variables being set correctly for the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.s390x"; depth:15; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828066/; classtype:trojan-activity;sid:84691166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.arm"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828067/; classtype:trojan-activity;sid:84691167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.s390x"; depth:14; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828068/; classtype:trojan-activity;sid:84691168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips64el"; depth:22; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828069/; 
classtype:trojan-activity;sid:84691169; rev:1;)
# Host 176.65.139.8, h3flood.* and h2stream.* names. Each rule carries its own sid and a reference option pointing at its URLhaus record; the same record id also appears in msg, which helps when pivoting from an alert to the listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828070/; classtype:trojan-activity;sid:84691170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828071/; classtype:trojan-activity;sid:84691171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828072/; classtype:trojan-activity;sid:84691172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828057/; classtype:trojan-activity;sid:84691157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.riscv64"; depth:17; endswith; nocase; http.host; 
content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828058/; classtype:trojan-activity;sid:84691158; rev:1;)
# Host 176.65.139.8 continued. nocase follows the http.uri content and therefore applies to the path string only; the host strings are written in lowercase and carry no nocase of their own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.x86"; depth:17; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828059/; classtype:trojan-activity;sid:84691159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.x64"; depth:17; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828060/; classtype:trojan-activity;sid:84691160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.aarch64"; depth:16; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828061/; classtype:trojan-activity;sid:84691161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips64el"; depth:18; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828055/; classtype:trojan-activity;sid:84691155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828056)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips64"; depth:15; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828056/; classtype:trojan-activity;sid:84691156; rev:1;)
# Host 176.65.139.8 continued. Because every file name on this host has a separate sid, alerts for one incident can be spread over many sids; NOTE(review): grouping by destination host during triage keeps them together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.ppc"; depth:17; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828054/; classtype:trojan-activity;sid:84691154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mips64"; depth:16; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828045/; classtype:trojan-activity;sid:84691145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.ppc"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828046/; classtype:trojan-activity;sid:84691146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips"; depth:18; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828047/; 
classtype:trojan-activity;sid:84691147; rev:1;)
# Host 176.65.139.8 continued. All rules use classtype:trojan-activity, so they share one classification; the alert priority is whatever the sensor's classification configuration assigns to that class.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mipsel"; depth:20; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828048/; classtype:trojan-activity;sid:84691148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.mipsel"; depth:16; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828049/; classtype:trojan-activity;sid:84691149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.arm"; depth:17; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828050/; classtype:trojan-activity;sid:84691150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.mips64"; depth:20; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828051/; classtype:trojan-activity;sid:84691151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mips64el"; depth:17; endswith; nocase; 
http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828052/; classtype:trojan-activity;sid:84691152; rev:1;)
# Host 176.65.139.8 continued. These are exact-URL indicators, not family signatures: depth plus endswith require the whole URI to equal the listed string, so the rules cover only the URLs as they were reported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.mipsel"; depth:15; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828053/; classtype:trojan-activity;sid:84691153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2rapidreset.aarch64"; depth:21; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828042/; classtype:trojan-activity;sid:84691142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.aarch64"; depth:17; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828043/; classtype:trojan-activity;sid:84691143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.x64"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828044/; classtype:trojan-activity;sid:84691144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3828038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.s390x"; depth:10; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828038/; classtype:trojan-activity;sid:84691138; rev:1;)
# Host 176.65.139.8 continued; a bot.* series of file names appears alongside the h3flood.* / h2stream.* names, again one rule per name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3flood.ppc"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828039/; classtype:trojan-activity;sid:84691139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2stream.x86"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828040/; classtype:trojan-activity;sid:84691140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828041/; classtype:trojan-activity;sid:84691141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828037/; classtype:trojan-activity;sid:84691137; 
rev:1;)
# Host 176.65.139.8: bot.* names plus /wget.sh. NOTE(review): the .sh name suggests a shell script that fetches the other files, which would make an alert on it an early sign of the same activity; confirm against the URLhaus record before relying on that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.riscv64"; depth:12; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828036/; classtype:trojan-activity;sid:84691136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips64"; depth:11; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828035/; classtype:trojan-activity;sid:84691135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828028/; classtype:trojan-activity;sid:84691128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips64el"; depth:13; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828029/; classtype:trojan-activity;sid:84691129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_21; reference:url, urlhaus.abuse.ch/url/3828030/; classtype:trojan-activity;sid:84691130; rev:1;)
# Host 176.65.139.8: remaining bot.* names (x64, ppc, mips, mipsel). The port is `any` on both sides of the header, so the rules do not depend on which TCP port the request used.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x64"; depth:8; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828031/; classtype:trojan-activity;sid:84691131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828032/; classtype:trojan-activity;sid:84691132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828033/; classtype:trojan-activity;sid:84691133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828034/; classtype:trojan-activity;sid:84691134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828027)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumcrest0is.over-resweat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828027/; classtype:trojan-activity;sid:84691127; rev:1;)
# Mixed entries: another over-resweat.in.net subdomain with the shared 82-byte URI, a /i entry on a bare IPv4 host, then the first file names on 176.65.139.143 (/armv5l, /armv6l).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"closedsun.over-resweat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828026/; classtype:trojan-activity;sid:84691126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.134.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828025/; classtype:trojan-activity;sid:84691125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828020/; classtype:trojan-activity;sid:84691120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; 
reference:url, urlhaus.abuse.ch/url/3828021/; classtype:trojan-activity;sid:84691121; rev:1;)
# Host 176.65.139.143: file names that look like CPU-architecture labels (/i686, /x86_64, /armv4l), followed by one autovete7an.in.net subdomain carrying the shared 82-byte URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828022/; classtype:trojan-activity;sid:84691122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828023/; classtype:trojan-activity;sid:84691123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828024/; classtype:trojan-activity;sid:84691124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zty3nf.autovete7an.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828019/; classtype:trojan-activity;sid:84691119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828016)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828016/; classtype:trojan-activity;sid:84691116; rev:1;)
# Host 176.65.139.143 continued (/sh4, /mipsel, /i586, /mips). Names this short are common on the web in general; what keeps each rule specific is the exact host match combined with the exact URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828017/; classtype:trojan-activity;sid:84691117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828018/; classtype:trojan-activity;sid:84691118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828012/; classtype:trojan-activity;sid:84691112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828013/; classtype:trojan-activity;sid:84691113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3828014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828014/; classtype:trojan-activity;sid:84691114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828015/; classtype:trojan-activity;sid:84691115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828010/; classtype:trojan-activity;sid:84691110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciabins.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828011/; classtype:trojan-activity;sid:84691111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clean"; depth:6; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828009/; 
classtype:trojan-activity;sid:84691109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828007/; classtype:trojan-activity;sid:84691107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828008/; classtype:trojan-activity;sid:84691108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828005/; classtype:trojan-activity;sid:84691105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"z7wb.autovete7an.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828006/; classtype:trojan-activity;sid:84691106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; 
depth:8; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828004/; classtype:trojan-activity;sid:84691104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"204.76.203.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828003/; classtype:trojan-activity;sid:84691103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d4rk-panel.autovete7an.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828002/; classtype:trojan-activity;sid:84691102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tofk4.autovete7an.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828001/; classtype:trojan-activity;sid:84691101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.89.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3828000/; classtype:trojan-activity;sid:84691100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827998/; classtype:trojan-activity;sid:84691098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grow9-craft.autovete7an.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827999/; classtype:trojan-activity;sid:84691099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827996/; classtype:trojan-activity;sid:84691096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827997/; classtype:trojan-activity;sid:84691097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827995)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827995/; classtype:trojan-activity;sid:84691095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827987/; classtype:trojan-activity;sid:84691087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827988/; classtype:trojan-activity;sid:84691088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827989/; classtype:trojan-activity;sid:84691089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827990/; 
classtype:trojan-activity;sid:84691090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827991/; classtype:trojan-activity;sid:84691091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827992/; classtype:trojan-activity;sid:84691092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827993/; classtype:trojan-activity;sid:84691093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827994/; classtype:trojan-activity;sid:84691094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; 
nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827984/; classtype:trojan-activity;sid:84691084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827985/; classtype:trojan-activity;sid:84691085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"176.65.148.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827986/; classtype:trojan-activity;sid:84691086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"splitorche.autovete7an.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827983/; classtype:trojan-activity;sid:84691083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.69.33"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827982/; classtype:trojan-activity;sid:84691082; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.134.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827981/; classtype:trojan-activity;sid:84691081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.68.250.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827980/; classtype:trojan-activity;sid:84691080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827979/; classtype:trojan-activity;sid:84691079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-c4rri.junkie-talker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827978/; classtype:trojan-activity;sid:84691078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.134.198"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827977/; classtype:trojan-activity;sid:84691077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4mbe-wave.junkie-talker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827976/; classtype:trojan-activity;sid:84691076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.196.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827975/; classtype:trojan-activity;sid:84691075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"m46v.junkie-talker.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827974/; classtype:trojan-activity;sid:84691074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6347.junkie-talker.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; 
reference:url, urlhaus.abuse.ch/url/3827973/; classtype:trojan-activity;sid:84691073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.89.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827972/; classtype:trojan-activity;sid:84691072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.11.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827971/; classtype:trojan-activity;sid:84691071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1aqmr.junkie-talker.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827970/; classtype:trojan-activity;sid:84691070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"decode-fac.junkie-talker.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827969/; classtype:trojan-activity;sid:84691069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3827968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.68.250.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827968/; classtype:trojan-activity;sid:84691068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"delihyp.ant5pender.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827967/; classtype:trojan-activity;sid:84691067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.89.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827966/; classtype:trojan-activity;sid:84691066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.88.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827965/; classtype:trojan-activity;sid:84691065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"dawn-route.ant5pender.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827964/; classtype:trojan-activity;sid:84691064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rural-drive.ant5pender.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827963/; classtype:trojan-activity;sid:84691063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827962/; classtype:trojan-activity;sid:84691062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.226.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827961/; classtype:trojan-activity;sid:84691061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.226.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827960/; classtype:trojan-activity;sid:84691060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3827958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.82.87.38"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827958/; classtype:trojan-activity;sid:84691058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xeeeto.ant5pender.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827959/; classtype:trojan-activity;sid:84691059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.196.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827957/; classtype:trojan-activity;sid:84691057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0n6rt.ant5pender.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827956/; classtype:trojan-activity;sid:84691056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"39.82.87.38"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827955/; classtype:trojan-activity;sid:84691055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5he1l-sheet.ant5pender.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827954/; classtype:trojan-activity;sid:84691054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.216.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827953/; classtype:trojan-activity;sid:84691053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.206.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827952/; classtype:trojan-activity;sid:84691052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyncoreis3.pepper-reprint.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827951/; classtype:trojan-activity;sid:84691051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.89.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827950/; classtype:trojan-activity;sid:84691050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"narcore.pepper-reprint.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827949/; classtype:trojan-activity;sid:84691049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"655f.pepper-reprint.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827948/; classtype:trojan-activity;sid:84691048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p9hda.pepper-reprint.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827947/; 
classtype:trojan-activity;sid:84691047; rev:1;)
# ---------------------------------------------------------------------------
# How to read the rules in this section (they all share one template):
#   * alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client: the rule is evaluated on requests sent by
#     an internal client to an external server, so coverage depends on
#     $HOME_NET being defined correctly on the sensor.
#   * http.method; content:"GET": only GET requests are considered.
#   * http.uri; content:"<path>"; depth:<len>; endswith; nocase: depth equals
#     the pattern length and endswith pins the match to the end of the buffer,
#     so the pattern has to be the entire URI buffer (compared
#     case-insensitively). A request to the same host with a different path or
#     an appended query string does not match.
#   * http.host; content:"<host>"; depth:<len>; isdataat:!1,relative: the same
#     exact-match construction for the Host buffer; no data may follow the
#     match, so the buffer has to equal the listed IP address or hostname.
#   * The number in msg and in the reference URL is the URLhaus entry id.
#     metadata:created_at is presumably the date the entry was added -- confirm
#     against the referenced URLhaus page.
# Triage notes:
#   * These are "alert http" rules: they inspect HTTP that the engine can
#     parse. The same download fetched over TLS is not visible to them unless
#     traffic is decrypted before it reaches the sensor.
#   * The indicators are point-in-time (created_at 2026_04_21 in this section).
#     Check the referenced URLhaus entry for its current status before acting
#     on an alert.
#   * Many rules below share one long URI path and differ only in the
#     *.in.net Host value. That shared path is a useful pivot when searching
#     proxy or HTTP logs for hosts that are not listed here.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.23.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827946/; classtype:trojan-activity;sid:84691046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hblrl.pepper-reprint.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827945/; classtype:trojan-activity;sid:84691045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.140.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827944/; classtype:trojan-activity;sid:84691044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.87.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827943/; classtype:trojan-activity;sid:84691043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"channe1-hold.pepper-reprint.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827942/; classtype:trojan-activity;sid:84691042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"notiflame.matri2rchyor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827941/; classtype:trojan-activity;sid:84691041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.2.62"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827940/; classtype:trojan-activity;sid:84691040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"winttra.matri2rchyor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827939/; classtype:trojan-activity;sid:84691039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-c4pita.matri2rchyor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827938/; classtype:trojan-activity;sid:84691038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.13.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827937/; classtype:trojan-activity;sid:84691037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.172.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827936/; classtype:trojan-activity;sid:84691036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/ndzksnl.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827934/; classtype:trojan-activity;sid:84691034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/wb9hw4y.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827935/; classtype:trojan-activity;sid:84691035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/zxgr0l8.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827933/; classtype:trojan-activity;sid:84691033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guidelocal.matri2rchyor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827932/; classtype:trojan-activity;sid:84691032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827931/; classtype:trojan-activity;sid:84691031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"v3lvet-core.matri2rchyor.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827930/; classtype:trojan-activity;sid:84691030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"split-mesh.matri2rchyor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827929/; classtype:trojan-activity;sid:84691029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nr76.mess-laboratory.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827928/; classtype:trojan-activity;sid:84691028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.2.62"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827927/; classtype:trojan-activity;sid:84691027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.148.198.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827926/; classtype:trojan-activity;sid:84691026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ujv18y.mess-laboratory.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827925/; classtype:trojan-activity;sid:84691025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-spireix.mess-laboratory.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827924/; classtype:trojan-activity;sid:84691024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.172.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827923/; classtype:trojan-activity;sid:84691023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"profitconvo.mess-laboratory.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827922/; classtype:trojan-activity;sid:84691022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.247.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827921/; classtype:trojan-activity;sid:84691021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827920/; classtype:trojan-activity;sid:84691020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pack3-frame.mess-laboratory.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827919/; classtype:trojan-activity;sid:84691019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xvy42z.mess-laboratory.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827918/; classtype:trojan-activity;sid:84691018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talline5ix.dis1iketerrit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827917/; classtype:trojan-activity;sid:84691017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-illurn.dis1iketerrit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827916/; classtype:trojan-activity;sid:84691016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wagcrate.dis1iketerrit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827915/; classtype:trojan-activity;sid:84691015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827914/; classtype:trojan-activity;sid:84691014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silverspecimen.dis1iketerrit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827913/; classtype:trojan-activity;sid:84691013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.223.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827912/; classtype:trojan-activity;sid:84691012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.177.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827911/; classtype:trojan-activity;sid:84691011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827910/; classtype:trojan-activity;sid:84691010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorvale0os.dis1iketerrit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827909/; classtype:trojan-activity;sid:84691009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.207.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827908/; classtype:trojan-activity;sid:84691008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sh4d-logic.dis1iketerrit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827907/; classtype:trojan-activity;sid:84691007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-5ort.qi7mavel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827906/; classtype:trojan-activity;sid:84691006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827905/; classtype:trojan-activity;sid:84691005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.177.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827904/; classtype:trojan-activity;sid:84691004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"colorcast.qi7mavel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827903/; classtype:trojan-activity;sid:84691003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.223.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827902/; classtype:trojan-activity;sid:84691002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.158.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827901/; classtype:trojan-activity;sid:84691001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ggtqa.qi7mavel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827900/; classtype:trojan-activity;sid:84691000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.140.248.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827899/; classtype:trojan-activity;sid:84690999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0jw813sl.qi7mavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827898/; classtype:trojan-activity;sid:84690998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.207.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827897/; classtype:trojan-activity;sid:84690997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oifwmo.qi7mavel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827896/; classtype:trojan-activity;sid:84690996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-p4tt.qi7mavel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827895/; classtype:trojan-activity;sid:84690995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827894/; classtype:trojan-activity;sid:84690994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"retanetwo.bovla1xel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827893/; classtype:trojan-activity;sid:84690993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyntide0al.bovla1xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827892/; classtype:trojan-activity;sid:84690992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.51.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827891/; classtype:trojan-activity;sid:84690991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.51.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827890/; classtype:trojan-activity;sid:84690990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-lithet.bovla1xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827889/; classtype:trojan-activity;sid:84690989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pr1rne-plate.bovla1xel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827888/; classtype:trojan-activity;sid:84690988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.236"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827887/; classtype:trojan-activity;sid:84690987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.240.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827886/; classtype:trojan-activity;sid:84690986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelven9et.bovla1xel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827885/; classtype:trojan-activity;sid:84690985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelmarkis.bovla1xel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827884/; classtype:trojan-activity;sid:84690984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827883/; classtype:trojan-activity;sid:84690983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.216.49.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827882/; classtype:trojan-activity;sid:84690982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool5-chain.de5xorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827881/; classtype:trojan-activity;sid:84690981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.97.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827880/; classtype:trojan-activity;sid:84690980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.169.104.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827879/; classtype:trojan-activity;sid:84690979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crat-mark.de5xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827878/; classtype:trojan-activity;sid:84690978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vel-markal.de5xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827877/; classtype:trojan-activity;sid:84690977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"extendvia.de5xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827876/; classtype:trojan-activity;sid:84690976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erzurumyoresel.zip"; depth:19; endswith; nocase; http.host; content:"erzurumyoresel.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827875/; classtype:trojan-activity;sid:84690975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"974xwaj.de5xorin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827874/; classtype:trojan-activity;sid:84690974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qjhle.de5xorin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827873/; classtype:trojan-activity;sid:84690973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.216.49.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827872/; classtype:trojan-activity;sid:84690972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.75.236"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827871/; classtype:trojan-activity;sid:84690971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tqeibj.wi3sorel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827870/; classtype:trojan-activity;sid:84690970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.46.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827869/; classtype:trojan-activity;sid:84690969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-gran.wi3sorel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827868/; classtype:trojan-activity;sid:84690968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.177.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827867/; classtype:trojan-activity;sid:84690967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.240.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827866/; classtype:trojan-activity;sid:84690966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1ich-track.wi3sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827865/; classtype:trojan-activity;sid:84690965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827864/; classtype:trojan-activity;sid:84690964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"granitcuriou.wi3sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827863/; classtype:trojan-activity;sid:84690963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grab.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827862/; classtype:trojan-activity;sid:84690962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grabb.exe"; depth:10; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827861/; classtype:trojan-activity;sid:84690961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rebate-spe.wi3sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827860/; classtype:trojan-activity;sid:84690960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827859/; classtype:trojan-activity;sid:84690959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.46.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827858/; classtype:trojan-activity;sid:84690958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fgeyw.wi3sorel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827857/; classtype:trojan-activity;sid:84690957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"125.41.8.150"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827856/; classtype:trojan-activity;sid:84690956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.213.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827855/; classtype:trojan-activity;sid:84690955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.177.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827854/; classtype:trojan-activity;sid:84690954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0udhnpx.po8vaxen.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827853/; classtype:trojan-activity;sid:84690953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.72.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827852/; classtype:trojan-activity;sid:84690952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3827851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.228.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827851/; classtype:trojan-activity;sid:84690951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"uxld.po8vaxen.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827850/; classtype:trojan-activity;sid:84690950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.92.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827849/; classtype:trojan-activity;sid:84690949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fier-cany.po8vaxen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827848/; classtype:trojan-activity;sid:84690948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"42.56.122.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827847/; classtype:trojan-activity;sid:84690947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.150"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827846/; classtype:trojan-activity;sid:84690946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pyjq05.po8vaxen.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827845/; classtype:trojan-activity;sid:84690945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827844/; classtype:trojan-activity;sid:84690944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"777am.po8vaxen.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827843/; 
classtype:trojan-activity;sid:84690943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.228.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827842/; classtype:trojan-activity;sid:84690942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moderntransit.po8vaxen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827841/; classtype:trojan-activity;sid:84690941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1yqev.kymli6rex.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827840/; classtype:trojan-activity;sid:84690940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"w2poohjf.kymli6rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827839/; classtype:trojan-activity;sid:84690939; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.92.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827838/; classtype:trojan-activity;sid:84690938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.138.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827837/; classtype:trojan-activity;sid:84690937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zmxbt7t.kymli6rex.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827836/; classtype:trojan-activity;sid:84690936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stabiliz-watch.kymli6rex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827835/; classtype:trojan-activity;sid:84690935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827834)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node-ult.kymli6rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827834/; classtype:trojan-activity;sid:84690934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eqov17u.kymli6rex.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827833/; classtype:trojan-activity;sid:84690933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.225.44.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827832/; classtype:trojan-activity;sid:84690932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumvenex2.to4ramel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827831/; classtype:trojan-activity;sid:84690931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"125.163.91.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827830/; classtype:trojan-activity;sid:84690930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.12.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827829/; classtype:trojan-activity;sid:84690929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.37.81.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827828/; classtype:trojan-activity;sid:84690928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827827/; classtype:trojan-activity;sid:84690927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorfluxor1.to4ramel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827826/; classtype:trojan-activity;sid:84690926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
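malware download URL detected (3827825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"st3r-dock.to4ramel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827825/; classtype:trojan-activity;sid:84690925; rev:1;)
# Reviewer note (sid 84690924): every rule in this feed pins the request to one exact URL.
# On http.uri, depth equals the pattern length and endswith anchors the end of the buffer;
# on http.host, depth plus isdataat:!1,relative does the same for the host name.
# The URI pattern below is 24 bytes once |3f| is decoded to "?", so depth is 24 here.
# The published value was 27, the length of the escaped text; with endswith that also
# matches any URI of up to 27 bytes that merely ends with this pattern.
# A local edit to a generated feed is likely overwritten on the next refresh, so the
# durable fix belongs in the generator (count hex escapes as one byte).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=nkorzqkrypjmidhv"; depth:24; endswith; nocase; http.host; content:"ob1phqqu.degassing-mould.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827824/; classtype:trojan-activity;sid:84690924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talmeshis7.to4ramel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827823/; classtype:trojan-activity;sid:84690923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.225.44.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827822/; classtype:trojan-activity;sid:84690922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827821)"; flow:established,from_client; http.method; content:"GET"; http.uri; 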
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"63teisp.to4ramel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827821/; classtype:trojan-activity;sid:84690921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyperpul.to4ramel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827820/; classtype:trojan-activity;sid:84690920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.177.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827819/; classtype:trojan-activity;sid:84690919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.177.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827818/; classtype:trojan-activity;sid:84690918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"norspireum6.sylov9er.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827817/; classtype:trojan-activity;sid:84690917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.123.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827816/; classtype:trojan-activity;sid:84690916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"repa1-zone.sylov9er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827815/; classtype:trojan-activity;sid:84690915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827814/; classtype:trojan-activity;sid:84690914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eihf.sylov9er.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827813/; 
classtype:trojan-activity;sid:84690913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.37.81.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827812/; classtype:trojan-activity;sid:84690912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.221.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827811/; classtype:trojan-activity;sid:84690911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.75.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827810/; classtype:trojan-activity;sid:84690910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qilzefl.sylov9er.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827809/; classtype:trojan-activity;sid:84690909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"115.51.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827808/; classtype:trojan-activity;sid:84690908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"querprair.sylov9er.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827807/; classtype:trojan-activity;sid:84690907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.205.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827806/; classtype:trojan-activity;sid:84690906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.115.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827805/; classtype:trojan-activity;sid:84690905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sup64h.sylov9er.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827804/; 
classtype:trojan-activity;sid:84690904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.78.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827803/; classtype:trojan-activity;sid:84690903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.66.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827801/; classtype:trojan-activity;sid:84690901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.11.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827802/; classtype:trojan-activity;sid:84690902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qkxqry9b.ra2xemil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827800/; classtype:trojan-activity;sid:84690900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827799)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"validatorgus.ra2xemil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827799/; classtype:trojan-activity;sid:84690899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.215.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827798/; classtype:trojan-activity;sid:84690898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.75.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827797/; classtype:trojan-activity;sid:84690897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"equscript.ra2xemil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827796/; classtype:trojan-activity;sid:84690896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.79.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827795/; classtype:trojan-activity;sid:84690895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"uoovxa.ra2xemil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827794/; classtype:trojan-activity;sid:84690894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.115.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827792/; classtype:trojan-activity;sid:84690892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.205.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827793/; classtype:trojan-activity;sid:84690893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.225.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827791/; classtype:trojan-activity;sid:84690891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827790)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.214.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827790/; classtype:trojan-activity;sid:84690890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shal0-mount.ra2xemil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827789/; classtype:trojan-activity;sid:84690889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easmb.ra2xemil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827788/; classtype:trojan-activity;sid:84690888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.66.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827787/; classtype:trojan-activity;sid:84690887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"formatsol.7zoralix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827786/; classtype:trojan-activity;sid:84690886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.79.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827785/; classtype:trojan-activity;sid:84690885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.225.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827784/; classtype:trojan-activity;sid:84690884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyn-lineor.7zoralix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827783/; classtype:trojan-activity;sid:84690883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.200.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827782/; classtype:trojan-activity;sid:84690882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3827781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.188.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827781/; classtype:trojan-activity;sid:84690881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumlinea.7zoralix.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827780/; classtype:trojan-activity;sid:84690880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827779/; classtype:trojan-activity;sid:84690879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"secure-forge.7zoralix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827778/; classtype:trojan-activity;sid:84690878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"222.137.146.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827777/; classtype:trojan-activity;sid:84690877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ik63uk.7zoralix.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827776/; classtype:trojan-activity;sid:84690876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.45.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827775/; classtype:trojan-activity;sid:84690875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cvw05my.7zoralix.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827774/; classtype:trojan-activity;sid:84690874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.200.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827773/; classtype:trojan-activity;sid:84690873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-po-int6.ra5xorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827772/; classtype:trojan-activity;sid:84690872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.78.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827770/; classtype:trojan-activity;sid:84690870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.47.190.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827771/; classtype:trojan-activity;sid:84690871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickmove5.ra5xorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827769/; classtype:trojan-activity;sid:84690869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3827768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"199.16.59.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827768/; classtype:trojan-activity;sid:84690868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-sp-ac4.ra5xorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827767/; classtype:trojan-activity;sid:84690867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.144.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827766/; classtype:trojan-activity;sid:84690866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fullbox3.ra5xorel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827765/; classtype:trojan-activity;sid:84690865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.238.128.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827764/; classtype:trojan-activity;sid:84690864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.128.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827763/; classtype:trojan-activity;sid:84690863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-pa-ck2.ra5xorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827762/; classtype:trojan-activity;sid:84690862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.47.190.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827761/; classtype:trojan-activity;sid:84690861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavyload1.ra5xorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827760/; 
classtype:trojan-activity;sid:84690860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-mo-on6.qi9maren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827759/; classtype:trojan-activity;sid:84690859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.188.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827758/; classtype:trojan-activity;sid:84690858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmfire5.qi9maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827757/; classtype:trojan-activity;sid:84690857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.231.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827756/; classtype:trojan-activity;sid:84690856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827755)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-sn-ow4.qi9maren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827755/; classtype:trojan-activity;sid:84690855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.249.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827754/; classtype:trojan-activity;sid:84690854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.144.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827753/; classtype:trojan-activity;sid:84690853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clearsky3.qi9maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827752/; classtype:trojan-activity;sid:84690852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.179.150.127"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827751/; classtype:trojan-activity;sid:84690851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.241.223.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827750/; classtype:trojan-activity;sid:84690850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.236.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827749/; classtype:trojan-activity;sid:84690849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rainy-ni-ght2.qi9maren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827748/; classtype:trojan-activity;sid:84690848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"156.229.118.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827747/; classtype:trojan-activity;sid:84690847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3827746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.2.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827746/; classtype:trojan-activity;sid:84690846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunny-day1.qi9maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827745/; classtype:trojan-activity;sid:84690845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.223.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827744/; classtype:trojan-activity;sid:84690844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827743/; classtype:trojan-activity;sid:84690843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"best-lo-ok6.de8xapil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827742/; classtype:trojan-activity;sid:84690842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newstyle5.de8xapil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827741/; classtype:trojan-activity;sid:84690841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-co-at4.de8xapil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827740/; classtype:trojan-activity;sid:84690840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.179.150.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827739/; classtype:trojan-activity;sid:84690839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"longbelt3.de8xapil.in.net"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827738/; classtype:trojan-activity;sid:84690838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.204.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827737/; classtype:trojan-activity;sid:84690837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-shi-rt2.de8xapil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827736/; classtype:trojan-activity;sid:84690836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blackhat1.de8xapil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827735/; classtype:trojan-activity;sid:84690835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.232.142.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827734/; classtype:trojan-activity;sid:84690834; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"purewater6.po7vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827733/; classtype:trojan-activity;sid:84690833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.224.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827732/; classtype:trojan-activity;sid:84690832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.204.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827730/; classtype:trojan-activity;sid:84690830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.158.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827731/; classtype:trojan-activity;sid:84690831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827729)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-mi-lk5.po7vaten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827729/; classtype:trojan-activity;sid:84690829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827728/; classtype:trojan-activity;sid:84690828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827727/; classtype:trojan-activity;sid:84690827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshtea4.po7vaten.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827726/; classtype:trojan-activity;sid:84690826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.169.66.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827724/; classtype:trojan-activity;sid:84690824; rev:1;)
# URLhaus exact-URL download rules (entries created 2026_04_21), one rule per line.
# Each rule alerts on an HTTP request from $HOME_NET to $EXTERNAL_NET, on the
# client-to-server side of an established flow, whose method buffer contains "GET".
#   http.uri : content + depth:<len> + endswith pins the whole buffer to the string
#              (nocase = case-insensitive); a request that appends a query string
#              or extra path bytes does not match.
#   http.host: content + depth:<len> + isdataat:!1,relative is the same whole-buffer
#              pin written differently. Ports are `any`, so the port is not constrained.
# The number in msg/reference is the URLhaus URL id; in every rule shown here
# sid = id + 80863100, so an alert's sid maps straight back to the URLhaus entry.
# The *.in.net rules below share one 82-byte path and differ only in the host label.
# NOTE(review): a host-pinned rule cannot fire for a subdomain the feed has not listed yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-so-up3.po7vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827725/; classtype:trojan-activity;sid:84690825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.po7vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827723/; classtype:trojan-activity;sid:84690823; rev:1;)
# Bare-IPv4 hosts: only the two short paths "/i" and "/bin.sh" are listed for them in this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.226.64.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827722/; classtype:trojan-activity;sid:84690822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827721/; classtype:trojan-activity;sid:84690821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.126.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827720/; classtype:trojan-activity;sid:84690820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pie1.po7vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827719/; classtype:trojan-activity;sid:84690819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.158.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827718/; classtype:trojan-activity;sid:84690818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easytask6.wi3sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827717/; classtype:trojan-activity;sid:84690817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.83.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827716/; classtype:trojan-activity;sid:84690816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.126.86.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827715/; classtype:trojan-activity;sid:84690815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"just-ta-lk5.wi3sorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827714/; classtype:trojan-activity;sid:84690814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.232.142.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827713/; classtype:trojan-activity;sid:84690813; rev:1;)
# Same host as 3827720 above, second path: a host serving both paths gets one rule per path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.126.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827712/; classtype:trojan-activity;sid:84690812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"niceshot4.wi3sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827711/; classtype:trojan-activity;sid:84690811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"realfa-ct3.wi3sorim.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827710/; classtype:trojan-activity;sid:84690810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.158.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827709/; classtype:trojan-activity;sid:84690809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-time2.wi3sorim.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827708/; classtype:trojan-activity;sid:84690808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.202.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827707/; classtype:trojan-activity;sid:84690807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.83.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827706/; classtype:trojan-activity;sid:84690806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goodnews1.wi3sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827705/; classtype:trojan-activity;sid:84690805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.126.86.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827704/; classtype:trojan-activity;sid:84690804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"side-vi-ew6.kymle2rix.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827703/; classtype:trojan-activity;sid:84690803; rev:1;)
# URLhaus download-URL rules, continued: outbound HTTP GET with an exact
# (case-insensitive) URI and an exact Host. Three shapes recur in this stretch:
# "/i" and "/bin.sh" on bare IPv4 hosts, and one shared 82-byte path on numbered
# subdomains of kymle2rix.in.net and to6vamil.in.net.
# Several IPv4 hosts are listed twice, once per path
# (113.236.87.176, 182.113.45.223, 115.61.116.234).
# NOTE(review): `alert http` only covers requests Suricata parses as HTTP; the same
# URL fetched over TLS is not seen by these rules unless traffic is decrypted
# before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.44.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827702/; classtype:trojan-activity;sid:84690802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"backyard5.kymle2rix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827701/; classtype:trojan-activity;sid:84690801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.125.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827700/; classtype:trojan-activity;sid:84690800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-ro-om4.kymle2rix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827699/; classtype:trojan-activity;sid:84690799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.219.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827698/; classtype:trojan-activity;sid:84690798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nextdoor3.kymle2rix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827697/; classtype:trojan-activity;sid:84690797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.87.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827696/; classtype:trojan-activity;sid:84690796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.26.100.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827695/; classtype:trojan-activity;sid:84690795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cityli-fe2.kymle2rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827694/; classtype:trojan-activity;sid:84690794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.202.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827693/; classtype:trojan-activity;sid:84690793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"144.48.123.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827692/; classtype:trojan-activity;sid:84690792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-base1.kymle2rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827691/; classtype:trojan-activity;sid:84690791; rev:1;)
# Parent domain changes to to6vamil.in.net from here; the URI stays byte-for-byte the same.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-fi-sh6.to6vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827690/; classtype:trojan-activity;sid:84690790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.45.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827689/; classtype:trojan-activity;sid:84690789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-sun5.to6vamil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827688/; classtype:trojan-activity;sid:84690788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darkwood4.to6vamil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827687/; classtype:trojan-activity;sid:84690787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.87.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827686/; classtype:trojan-activity;sid:84690786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827685/; classtype:trojan-activity;sid:84690785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.116.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827684/; classtype:trojan-activity;sid:84690784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-hi-ll3.to6vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827683/; classtype:trojan-activity;sid:84690783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-sky2.to6vamil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827682/; classtype:trojan-activity;sid:84690782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.45.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827681/; classtype:trojan-activity;sid:84690781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deepsea1.to6vamil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827680/; classtype:trojan-activity;sid:84690780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.13.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827679/; classtype:trojan-activity;sid:84690779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.116.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827678/; classtype:trojan-activity;sid:84690778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.7.51"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827676/; classtype:trojan-activity;sid:84690776; rev:1;)
# URLhaus download-URL rules, continued: numbered subdomains of sylom5er.in.net,
# ra1xorin.in.net and 9zoravel.in.net (all requesting the same 82-byte path), mixed
# with bare-IPv4 hosts serving "/i" and "/bin.sh".
# Every rule here is rev:1, classtype trojan-activity, action `alert`: as written,
# this file reports the request and does not drop it.
# NOTE(review): these are point-in-time indicators (created_at 2026_04_21). Hosts go
# stale and addresses get reassigned, so weigh an alert's age and refresh from the
# feed instead of hand-editing individual rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-ba-g6.sylom5er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827677/; classtype:trojan-activity;sid:84690777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hardbox5.sylom5er.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827675/; classtype:trojan-activity;sid:84690775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"redma-rk4.sylom5er.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827674/; classtype:trojan-activity;sid:84690774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thin-pen3.sylom5er.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827673/; classtype:trojan-activity;sid:84690773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.184.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827672/; classtype:trojan-activity;sid:84690772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.92.154.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827671/; classtype:trojan-activity;sid:84690771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lastpa-ge2.sylom5er.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827670/; classtype:trojan-activity;sid:84690770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"openbook1.sylom5er.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827669/; classtype:trojan-activity;sid:84690769; rev:1;)
# Parent domain changes to ra1xorin.in.net from here; the URI is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-town6.ra1xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827668/; classtype:trojan-activity;sid:84690768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.207.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827667/; classtype:trojan-activity;sid:84690767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newtrip5.ra1xorin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827666/; classtype:trojan-activity;sid:84690766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"longro-ad4.ra1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827665/; classtype:trojan-activity;sid:84690765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.112.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827664/; classtype:trojan-activity;sid:84690764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.184.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827663/; classtype:trojan-activity;sid:84690763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigjump3.ra1xorin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827662/; classtype:trojan-activity;sid:84690762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.48.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827661/; classtype:trojan-activity;sid:84690761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.175.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827660/; classtype:trojan-activity;sid:84690760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827659/; classtype:trojan-activity;sid:84690759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slowwa-lk2.ra1xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827658/; classtype:trojan-activity;sid:84690758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-run1.ra1xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827657/; classtype:trojan-activity;sid:84690757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.207.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827656/; classtype:trojan-activity;sid:84690756; rev:1;)
# Parent domain changes to 9zoravel.in.net from here; the URI is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"highstep6.9zoravel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827655/; classtype:trojan-activity;sid:84690755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.142.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827654/; classtype:trojan-activity;sid:84690754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldwind5.9zoravel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827653/; classtype:trojan-activity;sid:84690753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.12.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827652/; classtype:trojan-activity;sid:84690752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827651)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-wa-ll4.9zoravel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827651/; classtype:trojan-activity;sid:84690751; rev:1;)
# URLhaus download-URL rules, continued: outbound HTTP GET with an exact
# (case-insensitive) URI and an exact Host, one rule per listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827650/; classtype:trojan-activity;sid:84690750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-cup3.9zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827649/; classtype:trojan-activity;sid:84690749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827648/; classtype:trojan-activity;sid:84690748; rev:1;)
# From here one host, 156.226.174.212, is listed with /bins/sora.<suffix> for a run
# of CPU-architecture suffixes (mpsl, sh4, mips, arm5/6/7, ppc, x86, x86_64, i686,
# m68k, i468), one exact-match rule per suffix.
# NOTE(review): a one-binary-per-architecture layout is typical of malware aimed at
# embedded/IoT Linux devices; confirm the family on the referenced URLhaus entries.
# A suffix that is not listed here produces no alert from this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827645/; classtype:trojan-activity;sid:84690745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827646/; classtype:trojan-activity;sid:84690746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827647/; classtype:trojan-activity;sid:84690747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"greenlamp2.9zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827644/; classtype:trojan-activity;sid:84690744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827636/; classtype:trojan-activity;sid:84690736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827637/; classtype:trojan-activity;sid:84690737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827638/; classtype:trojan-activity;sid:84690738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827639/; classtype:trojan-activity;sid:84690739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.i686"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827640/; classtype:trojan-activity;sid:84690740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827641/; classtype:trojan-activity;sid:84690741; rev:1;)
# "/bins/sora.x86" (3827639) and "/bins/sora.x86_64" below do not overlap: depth + endswith
# pins the whole URI, so the shorter string is not treated as a prefix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86_64"; depth:17; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827642/; classtype:trojan-activity;sid:84690742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827643/; classtype:trojan-activity;sid:84690743; rev:1;)
# NOTE(review): "sora.i468" is the path exactly as the feed lists it; do not "correct"
# it to i486, because the rule matches the literal request path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.i468"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827629/; classtype:trojan-activity;sid:84690729; rev:1;)
# A different path family begins here: /hiddenbin/space.<suffix> (179.43.182.70 for the first entry).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sparc"; depth:22; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827630/; classtype:trojan-activity;sid:84690730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips64"; depth:23; endswith; 
nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827631/; classtype:trojan-activity;sid:84690731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc440fp"; depth:19; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827632/; classtype:trojan-activity;sid:84690732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm4"; depth:15; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827633/; classtype:trojan-activity;sid:84690733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827634/; classtype:trojan-activity;sid:84690734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827635/; classtype:trojan-activity;sid:84690735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3827627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blu-etable1.9zoravel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827627/; classtype:trojan-activity;sid:84690727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-po-int6.tarny-tsedilka.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827626/; classtype:trojan-activity;sid:84690726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.92.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827625/; classtype:trojan-activity;sid:84690725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jwhxzz.bin"; depth:11; endswith; nocase; http.host; content:"files.catbox.moe"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827624/; classtype:trojan-activity;sid:84690724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827623)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickmo-ve5.tarny-tsedilka.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827623/; classtype:trojan-activity;sid:84690723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827622/; classtype:trojan-activity;sid:84690722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-s-pac4.tarny-tsedilka.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827621/; classtype:trojan-activity;sid:84690721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/april_staff_appraisal_4qsk_pdf.arj"; depth:35; endswith; nocase; http.host; content:"mosselnet.co.za"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827620/; classtype:trojan-activity;sid:84690720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"full-b-ox3.tarny-tsedilka.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827619/; classtype:trojan-activity;sid:84690719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpveerus/vojgnkowobxsy180.bin"; depth:30; endswith; nocase; http.host; content:"metotmimarlik.com.tr"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827618/; classtype:trojan-activity;sid:84690718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpveerus/endevrdiernes.pfm"; depth:27; endswith; nocase; http.host; content:"metotmimarlik.com.tr"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827617/; classtype:trojan-activity;sid:84690717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.sh"; depth:7; endswith; nocase; http.host; content:"axodoyin.alwaysdata.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827616/; classtype:trojan-activity;sid:84690716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vps-agent-linux-amd64"; depth:22; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827612/; classtype:trojan-activity;sid:84690712; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/bdcf186ab_vexaim-rust.exe"; depth:101; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827613/; classtype:trojan-activity;sid:84690713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setup.zip"; depth:10; endswith; nocase; http.host; content:"markway.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827614/; classtype:trojan-activity;sid:84690714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/4e78a8b89_vexaim-valorant.exe"; depth:105; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827611/; classtype:trojan-activity;sid:84690711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/0092d6c39_vexaim-fivem.exe"; depth:102; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827608/; classtype:trojan-activity;sid:84690708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3827609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/449e8790f_vexaim-callofduty.exe"; depth:107; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827609/; classtype:trojan-activity;sid:84690709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/d101f069e_vexaim-roblox.exe"; depth:103; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827610/; classtype:trojan-activity;sid:84690710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/0b1e3a8e8_vexaim-hwidspoofer.exe"; depth:108; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827606/; classtype:trojan-activity;sid:84690706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/c1dd75655_vexaim-fortnite.exe"; depth:105; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827607/; classtype:trojan-activity;sid:84690707; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sora.sh"; depth:8; endswith; nocase; http.host; content:"156.226.174.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827605/; classtype:trojan-activity;sid:84690705; rev:1;)
# --- Review notes for the rules that follow (comments only; rule text unchanged) ---
# Each rule alerts on a client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET
# for one URLhaus entry. Both buffers are matched exactly: in http.uri, depth equals
# the content length and is combined with endswith (nocase), so a request that
# appends a query string or an extra path segment does not match; in http.host,
# depth plus isdataat:!1,relative requires the buffer to end right after the match.
# The rules inspect cleartext HTTP only; the same download over TLS is not seen
# unless traffic is decrypted upstream of the sensor.
# An alert records a request leaving $HOME_NET, not a confirmed infection: triage
# should check the server response and the requesting host.
#
# sids 84690696, 84690698, 84690699, 84690701 and 84690702 all match
# http.host 45.135.194.4; correlating on that destination groups their alerts
# into one incident instead of five unrelated ones.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2.sh"; depth:6; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827596/; classtype:trojan-activity;sid:84690696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827597/; classtype:trojan-activity;sid:84690697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simple_agent.py"; depth:16; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827598/; classtype:trojan-activity;sid:84690698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.sh"; depth:11; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827599/; classtype:trojan-activity;sid:84690699; rev:1;)
# NOTE(review): base44.app looks like a shared application-hosting domain (the
# path has the form /api/apps/<app id>/files/...) - confirm before treating the
# host alone as an indicator. The URI path is the specific part of this match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/2976463be_vexaim-r6.exe"; depth:99; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827600/; classtype:trojan-activity;sid:84690700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh_test.sh"; depth:11; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827601/; classtype:trojan-activity;sid:84690701; rev:1;)
# NOTE(review): the next rule (sid 84690702, URLhaus 3827602) has the same match
# conditions as sid 84690699 (URLhaus 3827599): GET /install.sh on 45.135.194.4.
# One such request raises both alerts. The two URLhaus entries presumably differ
# in something these rules do not encode (for example port or scheme) - verify
# against the two reference URLs. Count the pair as one event when tallying
# detections, or suppress one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.sh"; depth:11; endswith; nocase; http.host; content:"45.135.194.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827602/; classtype:trojan-activity;sid:84690702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/5e29793e1_vexaim-apexlegends.exe"; depth:108; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827603/; classtype:trojan-activity;sid:84690703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3827604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"2.26.84.151"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827604/; classtype:trojan-activity;sid:84690704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.125.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827595/; classtype:trojan-activity;sid:84690695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lightp-ack2.tarny-tsedilka.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827594/; classtype:trojan-activity;sid:84690694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-lo-ad1.tarny-tsedilka.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827593/; classtype:trojan-activity;sid:84690693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827592)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827592/; classtype:trojan-activity;sid:84690692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-mo-on6.championincomp.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827591/; classtype:trojan-activity;sid:84690691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.23.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827590/; classtype:trojan-activity;sid:84690690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827589/; classtype:trojan-activity;sid:84690689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmf-ire5.championincomp.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; 
reference:url, urlhaus.abuse.ch/url/3827588/; classtype:trojan-activity;sid:84690688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-sn-ow4.championincomp.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827587/; classtype:trojan-activity;sid:84690687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.93.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827586/; classtype:trojan-activity;sid:84690686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.169.104.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827585/; classtype:trojan-activity;sid:84690685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-sky3.championincomp.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827584/; classtype:trojan-activity;sid:84690684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3827583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rainy-ni-ght2.championincomp.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827583/; classtype:trojan-activity;sid:84690683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.23.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827582/; classtype:trojan-activity;sid:84690682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunny-d-ay1.championincomp.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827581/; classtype:trojan-activity;sid:84690681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-lo-ok6.water-wagged.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827580/; classtype:trojan-activity;sid:84690680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3827579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newst-yle5.water-wagged.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827579/; classtype:trojan-activity;sid:84690679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827577/; classtype:trojan-activity;sid:84690677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.40.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827578/; classtype:trojan-activity;sid:84690678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.206.205.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827576/; classtype:trojan-activity;sid:84690676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"warm-co-at4.water-wagged.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827575/; classtype:trojan-activity;sid:84690675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.88.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827574/; classtype:trojan-activity;sid:84690674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-be-lt3.water-wagged.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827573/; classtype:trojan-activity;sid:84690673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-shir-t2.water-wagged.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827572/; classtype:trojan-activity;sid:84690672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.40.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827571/; classtype:trojan-activity;sid:84690671; rev:1;)
# Rule template for this section: one rule per URLhaus entry, all created_at 2026_04_21.
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with `flow:established,from_client`
#     and `http.method; content:"GET"`: outbound GET requests on established flows.
#   - `http.uri; content:"..."; depth:<len>; endswith; nocase;`: depth equals the content
#     length and endswith anchors the tail, so the URI buffer must equal the string
#     (case-insensitively); a different path or an added query string does not match.
#   - `http.host; content:"..."; depth:<len>; isdataat:!1,relative;`: the host buffer must
#     equal the string, with nothing following it.
#   - In the rules shown here, sid = URLhaus entry id + 80863100, so an alert's sid maps
#     back to the urlhaus.abuse.ch/url/<id>/ reference.
# NOTE(review): these are exact-match IoC rules on the `http` protocol only; they fire on
# traffic Suricata parses as HTTP and only when $HOME_NET/$EXTERNAL_NET are set correctly.
# Entries age quickly, so keep the feed refreshed and triage hits against the referenced
# URLhaus page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.136.46.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827570/; classtype:trojan-activity;sid:84690670; rev:1;)
# The 82-byte URI below recurs unchanged across many *.in.net host names in this section
# (water-wagged, deer5talagmite, bag-senior, guardiansti1l); only http.host differs.
# NOTE(review): searching HTTP logs for this URI alone may surface sibling hosts that are
# not yet listed; verify before acting on such hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-h-at1.water-wagged.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827569/; classtype:trojan-activity;sid:84690669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.88.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827568/; classtype:trojan-activity;sid:84690668; rev:1;)
# Several bare-IP hosts appear twice in this section, once with "/i" and once with
# "/bin.sh" (e.g. 42.233.148.170, 105.186.219.99, 61.3.27.180). The short URIs are only
# meaningful together with the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.148.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827567/; classtype:trojan-activity;sid:84690667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"purewa-ter6.deer5talagmite.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827566/; classtype:trojan-activity;sid:84690666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolmi-lk5.deer5talagmite.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827565/; classtype:trojan-activity;sid:84690665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-tea4.deer5talagmite.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827564/; classtype:trojan-activity;sid:84690664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-s-oup3.deer5talagmite.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827563/; classtype:trojan-activity;sid:84690663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.234.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827562/; classtype:trojan-activity;sid:84690662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.deer5talagmite.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827561/; classtype:trojan-activity;sid:84690661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.148.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827560/; classtype:trojan-activity;sid:84690660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.92.154.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827559/; classtype:trojan-activity;sid:84690659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pi-e1.deer5talagmite.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827558/; classtype:trojan-activity;sid:84690658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.103.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827557/; classtype:trojan-activity;sid:84690657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-ta-sk6.bag-senior.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827556/; classtype:trojan-activity;sid:84690656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"justta-lk5.bag-senior.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827555/; classtype:trojan-activity;sid:84690655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.27.180"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827554/; classtype:trojan-activity;sid:84690654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nice-sh-ot4.bag-senior.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827553/; classtype:trojan-activity;sid:84690653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.219.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827552/; classtype:trojan-activity;sid:84690652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.219.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827551/; classtype:trojan-activity;sid:84690651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"real-fact3.bag-senior.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827550/; classtype:trojan-activity;sid:84690650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.7.51"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827549/; classtype:trojan-activity;sid:84690649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-ti-me2.bag-senior.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827548/; classtype:trojan-activity;sid:84690648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.245.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827547/; classtype:trojan-activity;sid:84690647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-n-ews1.bag-senior.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827546/; classtype:trojan-activity;sid:84690646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.39.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827545/; classtype:trojan-activity;sid:84690645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.27.180"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827543/; classtype:trojan-activity;sid:84690643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"side-vi-ew6.guardiansti1l.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827544/; classtype:trojan-activity;sid:84690644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.150.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827542/; classtype:trojan-activity;sid:84690642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"backy-ard5.guardiansti1l.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827541/; classtype:trojan-activity;sid:84690641; rev:1;)
# URLhaus download-URL rules, entries created_at 2026_04_21. Every rule below follows one
# template:
#   - `flow:established,from_client` + `http.method; content:"GET"`: outbound GET requests
#     from $HOME_NET to $EXTERNAL_NET on established flows.
#   - `http.uri; content:"..."; depth:<len>; endswith; nocase;`: the URI buffer must equal
#     the string (depth = content length, endswith anchors the tail), case-insensitively.
#   - `http.host; content:"..."; depth:<len>; isdataat:!1,relative;`: the host buffer must
#     equal the string, with no trailing data.
#   - In the rules shown here, sid = URLhaus entry id + 80863100.
# NOTE(review): exact-match IoC rules on `http` only; a changed path, an added query string
# or a fetch that Suricata does not parse as HTTP is not covered. Entries go stale, so
# refresh the feed regularly and confirm hits against the referenced URLhaus page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.123.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827540/; classtype:trojan-activity;sid:84690640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.204.211.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827539/; classtype:trojan-activity;sid:84690639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.158.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827538/; classtype:trojan-activity;sid:84690638; rev:1;)
# The 82-byte URI below recurs unchanged across many *.in.net host names in this section
# (guardiansti1l, condit-rearrange, grabs5tatus, overfeed-social); only http.host differs.
# NOTE(review): searching HTTP logs for this URI alone may surface sibling hosts that are
# not yet listed; verify before acting on such hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fullr-oom4.guardiansti1l.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827537/; classtype:trojan-activity;sid:84690637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.116.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827536/; classtype:trojan-activity;sid:84690636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.219.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827535/; classtype:trojan-activity;sid:84690635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"next-door3.guardiansti1l.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827534/; classtype:trojan-activity;sid:84690634; rev:1;)
# Several bare-IP hosts appear twice in this section, once with "/i" and once with
# "/bin.sh" (e.g. 123.13.0.227, 42.59.114.129, 49.70.124.58, 123.11.78.251, 110.38.221.11).
# The short URIs are only meaningful together with the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.0.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827533/; classtype:trojan-activity;sid:84690633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-wa-lk2.guardiansti1l.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827532/; classtype:trojan-activity;sid:84690632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.227.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827531/; classtype:trojan-activity;sid:84690631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.243.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827530/; classtype:trojan-activity;sid:84690630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-f-loor1.guardiansti1l.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827529/; classtype:trojan-activity;sid:84690629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.150.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827528/; classtype:trojan-activity;sid:84690628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silver-ra-in6.condit-rearrange.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827527/; classtype:trojan-activity;sid:84690627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.225.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827526/; classtype:trojan-activity;sid:84690626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.114.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827525/; classtype:trojan-activity;sid:84690625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.241.191.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827524/; classtype:trojan-activity;sid:84690624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whitecl-oud5.condit-rearrange.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827523/; classtype:trojan-activity;sid:84690623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.57.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827522/; classtype:trojan-activity;sid:84690622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goldfi-sh4.condit-rearrange.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827521/; classtype:trojan-activity;sid:84690621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-ocean3.condit-rearrange.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827519/; classtype:trojan-activity;sid:84690619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.16.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827520/; classtype:trojan-activity;sid:84690620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.105.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827518/; classtype:trojan-activity;sid:84690618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-ni-ght2.condit-rearrange.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827517/; classtype:trojan-activity;sid:84690617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.83.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827516/; classtype:trojan-activity;sid:84690616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-sk-y1.condit-rearrange.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827515/; classtype:trojan-activity;sid:84690615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.164.69.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827514/; classtype:trojan-activity;sid:84690614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-ca-se6.grabs5tatus.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827513/; classtype:trojan-activity;sid:84690613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"49.70.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827512/; classtype:trojan-activity;sid:84690612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.114.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827511/; classtype:trojan-activity;sid:84690611; rev:1;)
# The only rule in this section whose URI is neither "/i", "/bin.sh" nor the shared
# 82-byte path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827510/; classtype:trojan-activity;sid:84690610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.0.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827509/; classtype:trojan-activity;sid:84690609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-stone5.grabs5tatus.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827508/; classtype:trojan-activity;sid:84690608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-m-ilk4.grabs5tatus.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827507/; classtype:trojan-activity;sid:84690607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hottea3.grabs5tatus.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827506/; classtype:trojan-activity;sid:84690606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.78.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827505/; classtype:trojan-activity;sid:84690605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.grabs5tatus.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827504/; classtype:trojan-activity;sid:84690604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-app-l1.grabs5tatus.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827503/; classtype:trojan-activity;sid:84690603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.175.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827502/; classtype:trojan-activity;sid:84690602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"49.70.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827501/; classtype:trojan-activity;sid:84690601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"redbook6.overfeed-social.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827500/; classtype:trojan-activity;sid:84690600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.26.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827499/; classtype:trojan-activity;sid:84690599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.216.120.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827498/; classtype:trojan-activity;sid:84690598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldwa-ter5.overfeed-social.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827497/; classtype:trojan-activity;sid:84690597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.199.74.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827496/; classtype:trojan-activity;sid:84690596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.195.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827495/; classtype:trojan-activity;sid:84690595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-vi-ew4.overfeed-social.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827494/; classtype:trojan-activity;sid:84690594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.48.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827492/; classtype:trojan-activity;sid:84690592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827493/; classtype:trojan-activity;sid:84690593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.149.31.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827491/; classtype:trojan-activity;sid:84690591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.53.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827490/; classtype:trojan-activity;sid:84690590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.214.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827489/; classtype:trojan-activity;sid:84690589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.67.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827477/; classtype:trojan-activity;sid:84690577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.73.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827478/; classtype:trojan-activity;sid:84690578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827479/; classtype:trojan-activity;sid:84690579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.157.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827480/; classtype:trojan-activity;sid:84690580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.49.26.178"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827481/; classtype:trojan-activity;sid:84690581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827482/; classtype:trojan-activity;sid:84690582; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.233.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827483/; classtype:trojan-activity;sid:84690583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.235.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827484/; classtype:trojan-activity;sid:84690584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.147.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827485/; classtype:trojan-activity;sid:84690585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.152.232.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827486/; classtype:trojan-activity;sid:84690586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.94.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827487/; classtype:trojan-activity;sid:84690587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.127.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827488/; classtype:trojan-activity;sid:84690588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"68.235.251.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827476/; classtype:trojan-activity;sid:84690576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"68.235.251.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827475/; classtype:trojan-activity;sid:84690575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.224.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827474/; classtype:trojan-activity;sid:84690574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.233.241"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827470/; classtype:trojan-activity;sid:84690570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.69.13.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827471/; classtype:trojan-activity;sid:84690571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.49.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827472/; classtype:trojan-activity;sid:84690572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.175.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827473/; classtype:trojan-activity;sid:84690573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.110.28.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827452/; classtype:trojan-activity;sid:84690552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"61.52.32.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827453/; classtype:trojan-activity;sid:84690553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.7.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827454/; classtype:trojan-activity;sid:84690554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.7.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827455/; classtype:trojan-activity;sid:84690555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.81.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827456/; classtype:trojan-activity;sid:84690556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.229.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827457/; classtype:trojan-activity;sid:84690557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827458)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.38.149.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827458/; classtype:trojan-activity;sid:84690558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.202.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827459/; classtype:trojan-activity;sid:84690559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.71.169.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827460/; classtype:trojan-activity;sid:84690560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.15.56.127"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827461/; classtype:trojan-activity;sid:84690561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.153.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827462/; classtype:trojan-activity;sid:84690562; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.110.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827463/; classtype:trojan-activity;sid:84690563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.229.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827464/; classtype:trojan-activity;sid:84690564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.159.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827465/; classtype:trojan-activity;sid:84690565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.105.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827466/; classtype:trojan-activity;sid:84690566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.40.220"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827467/; 
classtype:trojan-activity;sid:84690567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.206.110.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827468/; classtype:trojan-activity;sid:84690568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.69.227.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827469/; classtype:trojan-activity;sid:84690569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.9.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827451/; classtype:trojan-activity;sid:84690551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.10.44.142"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827450/; classtype:trojan-activity;sid:84690550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.235.109.245"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827449/; classtype:trojan-activity;sid:84690549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.121.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827447/; classtype:trojan-activity;sid:84690547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.42.171.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827448/; classtype:trojan-activity;sid:84690548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.98.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827443/; classtype:trojan-activity;sid:84690543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.234.30.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827444/; classtype:trojan-activity;sid:84690544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"110.186.229.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827445/; classtype:trojan-activity;sid:84690545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.173.54.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827446/; classtype:trojan-activity;sid:84690546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.55.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827422/; classtype:trojan-activity;sid:84690522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.55.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827423/; classtype:trojan-activity;sid:84690523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.127.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827424/; classtype:trojan-activity;sid:84690524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827425)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827425/; classtype:trojan-activity;sid:84690525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.63.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827426/; classtype:trojan-activity;sid:84690526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.200.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827427/; classtype:trojan-activity;sid:84690527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.98.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827428/; classtype:trojan-activity;sid:84690528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.70.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827429/; classtype:trojan-activity;sid:84690529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3827430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.152.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827430/; classtype:trojan-activity;sid:84690530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.173.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827431/; classtype:trojan-activity;sid:84690531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.189.30.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827432/; classtype:trojan-activity;sid:84690532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.52.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827433/; classtype:trojan-activity;sid:84690533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.162.161.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827434/; 
classtype:trojan-activity;sid:84690534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"156.229.118.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827435/; classtype:trojan-activity;sid:84690535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.110.28.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827436/; classtype:trojan-activity;sid:84690536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.152.232.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827437/; classtype:trojan-activity;sid:84690537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.148.197.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827438/; classtype:trojan-activity;sid:84690538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.153.249"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827439/; classtype:trojan-activity;sid:84690539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.32.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827440/; classtype:trojan-activity;sid:84690540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.173.54.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827441/; classtype:trojan-activity;sid:84690541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.9.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827442/; classtype:trojan-activity;sid:84690542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.245.195.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827421/; classtype:trojan-activity;sid:84690521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"113.230.52.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827420/; classtype:trojan-activity;sid:84690520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.173.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827416/; classtype:trojan-activity;sid:84690516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.71.169.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827417/; classtype:trojan-activity;sid:84690517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.110.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827418/; classtype:trojan-activity;sid:84690518; rev:1;)
# NOTE(review): exact URI (depth:82 + endswith) and exact host (depth:31 + isdataat:!1,relative).
# The same URI path is listed elsewhere in this ruleset under other overfeed-social.in.net subdomains
# (3827500, 3827497, 3827494), so the leading hostname label appears to rotate; a sibling subdomain
# that is not yet listed would not alert on this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigwall3.overfeed-social.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827419/; classtype:trojan-activity;sid:84690519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3827408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.225.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827408/; classtype:trojan-activity;sid:84690508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.80.179"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827409/; classtype:trojan-activity;sid:84690509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.81.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827410/; classtype:trojan-activity;sid:84690510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.158.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827411/; classtype:trojan-activity;sid:84690511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.161.192.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827412/; classtype:trojan-activity;sid:84690512; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.28.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827413/; classtype:trojan-activity;sid:84690513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.147.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827414/; classtype:trojan-activity;sid:84690514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.28.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827415/; classtype:trojan-activity;sid:84690515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.11.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827399/; classtype:trojan-activity;sid:84690499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.187.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; 
reference:url, urlhaus.abuse.ch/url/3827400/; classtype:trojan-activity;sid:84690500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.206.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827401/; classtype:trojan-activity;sid:84690501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.88.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827402/; classtype:trojan-activity;sid:84690502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.45.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827403/; classtype:trojan-activity;sid:84690503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.165.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827404/; classtype:trojan-activity;sid:84690504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"61.53.94.107"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827405/; classtype:trojan-activity;sid:84690505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.202.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827406/; classtype:trojan-activity;sid:84690506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.109.219.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827407/; classtype:trojan-activity;sid:84690507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.165.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827398/; classtype:trojan-activity;sid:84690498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.113.53.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827395/; classtype:trojan-activity;sid:84690495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827396)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.232.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827396/; classtype:trojan-activity;sid:84690496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.191.25.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827397/; classtype:trojan-activity;sid:84690497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.91.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827381/; classtype:trojan-activity;sid:84690481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.229.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827382/; classtype:trojan-activity;sid:84690482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.122.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827383/; classtype:trojan-activity;sid:84690483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3827384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.14.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827384/; classtype:trojan-activity;sid:84690484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.152.157.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827385/; classtype:trojan-activity;sid:84690485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.181.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827386/; classtype:trojan-activity;sid:84690486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.98.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827387/; classtype:trojan-activity;sid:84690487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.55.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827388/; classtype:trojan-activity;sid:84690488; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.187.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827389/; classtype:trojan-activity;sid:84690489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.152.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827390/; classtype:trojan-activity;sid:84690490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.52.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827391/; classtype:trojan-activity;sid:84690491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.163.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827392/; classtype:trojan-activity;sid:84690492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.214.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827393/; classtype:trojan-activity;sid:84690493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.235.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827394/; classtype:trojan-activity;sid:84690494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.197.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827377/; classtype:trojan-activity;sid:84690477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.219.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827378/; classtype:trojan-activity;sid:84690478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.210.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827379/; classtype:trojan-activity;sid:84690479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.219.129"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827380/; classtype:trojan-activity;sid:84690480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.253.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827375/; classtype:trojan-activity;sid:84690475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.169.66.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827376/; classtype:trojan-activity;sid:84690476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.149.31.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827374/; classtype:trojan-activity;sid:84690474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.162.161.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827373/; classtype:trojan-activity;sid:84690473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"27.207.231.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827359/; classtype:trojan-activity;sid:84690459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.96.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827360/; classtype:trojan-activity;sid:84690460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.191.25.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827361/; classtype:trojan-activity;sid:84690461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.12.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827362/; classtype:trojan-activity;sid:84690462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.136.96.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827363/; classtype:trojan-activity;sid:84690463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827364)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.73.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827364/; classtype:trojan-activity;sid:84690464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.157.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827365/; classtype:trojan-activity;sid:84690465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.70.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827366/; classtype:trojan-activity;sid:84690466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.23.74.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827367/; classtype:trojan-activity;sid:84690467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.94.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827368/; classtype:trojan-activity;sid:84690468; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.189.30.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827369/; classtype:trojan-activity;sid:84690469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.45.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827370/; classtype:trojan-activity;sid:84690470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.91.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827371/; classtype:trojan-activity;sid:84690471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.152.157.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827372/; classtype:trojan-activity;sid:84690472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.109.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827353/; 
classtype:trojan-activity;sid:84690453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.243.65.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827354/; classtype:trojan-activity;sid:84690454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827355/; classtype:trojan-activity;sid:84690455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.218.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827356/; classtype:trojan-activity;sid:84690456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.63.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827357/; classtype:trojan-activity;sid:84690457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.138.147"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827358/; classtype:trojan-activity;sid:84690458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.206.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827352/; classtype:trojan-activity;sid:84690452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-cha-ir2.overfeed-social.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827351/; classtype:trojan-activity;sid:84690451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.0.32"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827350/; classtype:trojan-activity;sid:84690450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-wind1.overfeed-social.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827349/; classtype:trojan-activity;sid:84690449; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cle-arbox6.wate7pugnac.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827348/; classtype:trojan-activity;sid:84690448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.68.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827347/; classtype:trojan-activity;sid:84690447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.89.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827346/; classtype:trojan-activity;sid:84690446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.79.85.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827343/; classtype:trojan-activity;sid:84690443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.200.236"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827344/; classtype:trojan-activity;sid:84690444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.218.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827345/; classtype:trojan-activity;sid:84690445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.231.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827342/; classtype:trojan-activity;sid:84690442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.192.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827341/; classtype:trojan-activity;sid:84690441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.244.36.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827334/; classtype:trojan-activity;sid:84690434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"42.6.65.240"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827335/; classtype:trojan-activity;sid:84690435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.91.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827336/; classtype:trojan-activity;sid:84690436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.229.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827337/; classtype:trojan-activity;sid:84690437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.229.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827338/; classtype:trojan-activity;sid:84690438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.89.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827339/; classtype:trojan-activity;sid:84690439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827340)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.91.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827340/; classtype:trojan-activity;sid:84690440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.244.36.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827326/; classtype:trojan-activity;sid:84690426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.53.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827327/; classtype:trojan-activity;sid:84690427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.159.74.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827328/; classtype:trojan-activity;sid:84690428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.46.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827329/; classtype:trojan-activity;sid:84690429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3827330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.131.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827330/; classtype:trojan-activity;sid:84690430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.92.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827331/; classtype:trojan-activity;sid:84690431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.14.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827332/; classtype:trojan-activity;sid:84690432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.228.109.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827333/; classtype:trojan-activity;sid:84690433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.131.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827325/; 
classtype:trojan-activity;sid:84690425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"faststep5.wate7pugnac.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827324/; classtype:trojan-activity;sid:84690424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.46.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827319/; classtype:trojan-activity;sid:84690419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.48.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827320/; classtype:trojan-activity;sid:84690420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"153.3.11.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827321/; classtype:trojan-activity;sid:84690421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"27.206.140.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827322/; classtype:trojan-activity;sid:84690422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.140.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827323/; classtype:trojan-activity;sid:84690423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.35.228.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827318/; classtype:trojan-activity;sid:84690418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.118.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827317/; classtype:trojan-activity;sid:84690417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.249.251.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827316/; classtype:trojan-activity;sid:84690416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827313)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.164.98.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827313/; classtype:trojan-activity;sid:84690413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.62.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827314/; classtype:trojan-activity;sid:84690414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.14.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827315/; classtype:trojan-activity;sid:84690415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.12.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827312/; classtype:trojan-activity;sid:84690412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827307/; classtype:trojan-activity;sid:84690407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3827308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.114.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827308/; classtype:trojan-activity;sid:84690408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.192.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827309/; classtype:trojan-activity;sid:84690409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.213.235.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827310/; classtype:trojan-activity;sid:84690410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.218.57.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827311/; classtype:trojan-activity;sid:84690411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.53.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827303/; classtype:trojan-activity;sid:84690403; rev:1;) 
# How to read the URLhaus rules in this file (one rule per URLhaus entry; the entry id
# is in msg and in the reference URL):
#   - "alert http" with http.method content:"GET" inspects requests parsed by the HTTP
#     app-layer only. The same download fetched over TLS is not seen unless traffic is
#     decrypted upstream of the sensor.
#   - http.uri content:"<path>"; depth:<len>; endswith; nocase -- depth equals the string
#     length and endswith pins the end of the buffer, so the URI must equal <path>
#     (case-insensitive). A request for the same path with anything appended, such as a
#     query string, does not match.
#   - http.host content:"<host>"; depth:<len>; isdataat:!1,relative -- the Host value
#     must equal <host> with nothing after it.
#   - flow:established,from_client with $HOME_NET -> $EXTERNAL_NET: a hit means an
#     internal client sent the request. The rule does not look at the response, so
#     confirm from the response or endpoint telemetry whether a payload was delivered.
#   - metadata:created_at is the date recorded for the entry; NOTE(review): hosts in this
#     feed may be reassigned or cleaned up over time -- check the referenced URLhaus
#     entry before treating an old hit as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.241.74.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827304/; classtype:trojan-activity;sid:84690404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.23.80.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827305/; classtype:trojan-activity;sid:84690405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"139.213.32.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827306/; classtype:trojan-activity;sid:84690406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"90.2.25.142"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827299/; classtype:trojan-activity;sid:84690399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"181.79.85.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827300/; classtype:trojan-activity;sid:84690400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827301/; classtype:trojan-activity;sid:84690401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.44.153.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827302/; classtype:trojan-activity;sid:84690402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.34.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827298/; classtype:trojan-activity;sid:84690398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.44.153.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827297/; classtype:trojan-activity;sid:84690397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.205.195.146"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827293/; classtype:trojan-activity;sid:84690393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.213.235.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827294/; classtype:trojan-activity;sid:84690394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.164.98.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827295/; classtype:trojan-activity;sid:84690395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.232.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827296/; classtype:trojan-activity;sid:84690396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"75.118.179.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827291/; classtype:trojan-activity;sid:84690391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"125.42.125.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827292/; classtype:trojan-activity;sid:84690392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-pa-per4.wate7pugnac.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827290/; classtype:trojan-activity;sid:84690390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.68.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827289/; classtype:trojan-activity;sid:84690389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.67.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827288/; classtype:trojan-activity;sid:84690388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.84.222.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827287/; classtype:trojan-activity;sid:84690387; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smalllamp3.wate7pugnac.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827286/; classtype:trojan-activity;sid:84690386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.127.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827285/; classtype:trojan-activity;sid:84690385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.127.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827284/; classtype:trojan-activity;sid:84690384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.165.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827283/; classtype:trojan-activity;sid:84690383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"glassb-otl2.wate7pugnac.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827282/; classtype:trojan-activity;sid:84690382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.21.70.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827281/; classtype:trojan-activity;sid:84690381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-tray1.wate7pugnac.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827280/; classtype:trojan-activity;sid:84690380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.236.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827279/; classtype:trojan-activity;sid:84690379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.21.70.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827278/; classtype:trojan-activity;sid:84690378; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-point6.kymle6rix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827277/; classtype:trojan-activity;sid:84690377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.197.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827276/; classtype:trojan-activity;sid:84690376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickmove5.kymle6rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827275/; classtype:trojan-activity;sid:84690375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.29.46.195"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827274/; classtype:trojan-activity;sid:84690374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827273)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.123.253"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827273/; classtype:trojan-activity;sid:84690373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.37.212.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827272/; classtype:trojan-activity;sid:84690372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.127.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827271/; classtype:trojan-activity;sid:84690371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.236.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827270/; classtype:trojan-activity;sid:84690370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"emptys-pace4.kymle6rix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827269/; classtype:trojan-activity;sid:84690369; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.165.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827268/; classtype:trojan-activity;sid:84690368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fullbox3.kymle6rix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827267/; classtype:trojan-activity;sid:84690367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.23.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827265/; classtype:trojan-activity;sid:84690365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.23.135.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827266/; classtype:trojan-activity;sid:84690366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827264)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lightp-ack2.kymle6rix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827264/; classtype:trojan-activity;sid:84690364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-load1.kymle6rix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827263/; classtype:trojan-activity;sid:84690363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.123.253"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827262/; classtype:trojan-activity;sid:84690362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827261/; classtype:trojan-activity;sid:84690361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, 
urlhaus.abuse.ch/url/3827260/; classtype:trojan-activity;sid:84690360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-moon6.sylo8ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827259/; classtype:trojan-activity;sid:84690359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.23.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827258/; classtype:trojan-activity;sid:84690358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmfire5.sylo8ren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827257/; classtype:trojan-activity;sid:84690357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldsn-ow4.sylo8ren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827256/; classtype:trojan-activity;sid:84690356; 
rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.135.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827255/; classtype:trojan-activity;sid:84690355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.234.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827254/; classtype:trojan-activity;sid:84690354; rev:1;)
# The 82-byte ".google" URI in the next rule is the same string used by the other
# ".google" rules in this file; only the http.host value differs, and each host gets
# its own rule and sid. Because http.host is matched exactly (depth + isdataat:!1),
# a hostname that has not been listed yet raises no alert from these rules even if
# the path is identical. For retrospective hunting in proxy or HTTP logs, searching
# for the path string regardless of host complements the per-host rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-sky3.sylo8ren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827253/; classtype:trojan-activity;sid:84690353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827252/; classtype:trojan-activity;sid:84690352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827251)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rainynight2.sylo8ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827251/; classtype:trojan-activity;sid:84690351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.128.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827250/; classtype:trojan-activity;sid:84690350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunnyd-ay1.sylo8ren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827249/; classtype:trojan-activity;sid:84690349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-look6.ra4xovin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827248/; classtype:trojan-activity;sid:84690348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.117.127.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827247/; classtype:trojan-activity;sid:84690347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827245/; classtype:trojan-activity;sid:84690345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newst-yle5.ra4xovin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827246/; classtype:trojan-activity;sid:84690346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.44.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827244/; classtype:trojan-activity;sid:84690344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.84.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827243/; classtype:trojan-activity;sid:84690343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3827242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmcoat4.ra4xovin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827242/; classtype:trojan-activity;sid:84690342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.179.230.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827241/; classtype:trojan-activity;sid:84690341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-belt3.ra4xovin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827240/; classtype:trojan-activity;sid:84690340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whites-hirt2.ra4xovin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827239/; classtype:trojan-activity;sid:84690339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827238)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.2.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827238/; classtype:trojan-activity;sid:84690338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.84.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827237/; classtype:trojan-activity;sid:84690337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.180.17.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827236/; classtype:trojan-activity;sid:84690336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blackhat1.ra4xovin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827235/; classtype:trojan-activity;sid:84690335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-water6.7zorimel.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827234/; classtype:trojan-activity;sid:84690334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827233/; classtype:trojan-activity;sid:84690333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.85.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827232/; classtype:trojan-activity;sid:84690332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.92.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827231/; classtype:trojan-activity;sid:84690331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.52.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827230/; classtype:trojan-activity;sid:84690330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827229)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolmilk5.7zorimel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827229/; classtype:trojan-activity;sid:84690329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresht-ea4.7zorimel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827228/; classtype:trojan-activity;sid:84690328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.197.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827227/; classtype:trojan-activity;sid:84690327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827226/; classtype:trojan-activity;sid:84690326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827220/; classtype:trojan-activity;sid:84690320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827221/; classtype:trojan-activity;sid:84690321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827222/; classtype:trojan-activity;sid:84690322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827223/; classtype:trojan-activity;sid:84690323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827224/; classtype:trojan-activity;sid:84690324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827225)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827225/; classtype:trojan-activity;sid:84690325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827216/; classtype:trojan-activity;sid:84690316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827217/; classtype:trojan-activity;sid:84690317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827218/; classtype:trojan-activity;sid:84690318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827219/; classtype:trojan-activity;sid:84690319; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827215/; classtype:trojan-activity;sid:84690315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-soup3.7zorimel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827214/; classtype:trojan-activity;sid:84690314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.180.17.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827213/; classtype:trojan-activity;sid:84690313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.7zorimel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827212/; classtype:trojan-activity;sid:84690312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827211)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.85.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827211/; classtype:trojan-activity;sid:84690311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pie1.7zorimel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827210/; classtype:trojan-activity;sid:84690310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.227.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827209/; classtype:trojan-activity;sid:84690309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-task6.qi8maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827208/; classtype:trojan-activity;sid:84690308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"justtalk5.qi8maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827207/; classtype:trojan-activity;sid:84690307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nice-shot4.qi8maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827206/; classtype:trojan-activity;sid:84690306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.78.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827205/; classtype:trojan-activity;sid:84690305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"real-fact3.qi8maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827204/; classtype:trojan-activity;sid:84690304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.251.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827203/; 
classtype:trojan-activity;sid:84690303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"besttime2.qi8maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827202/; classtype:trojan-activity;sid:84690302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goodn-ews1.qi8maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827201/; classtype:trojan-activity;sid:84690301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.146.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827200/; classtype:trojan-activity;sid:84690300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.228.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827199/; classtype:trojan-activity;sid:84690299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827198)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.99.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827198/; classtype:trojan-activity;sid:84690298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.59.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827197/; classtype:trojan-activity;sid:84690297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sideview6.bovla4ren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827196/; classtype:trojan-activity;sid:84690296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"backy-ard5.bovla4ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827195/; classtype:trojan-activity;sid:84690295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827193/; classtype:trojan-activity;sid:84690293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.16.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827194/; classtype:trojan-activity;sid:84690294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-room4.bovla4ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827192/; classtype:trojan-activity;sid:84690292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.76.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827191/; classtype:trojan-activity;sid:84690291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nextdoor3.bovla4ren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827190/; classtype:trojan-activity;sid:84690290; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827189/; classtype:trojan-activity;sid:84690289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.210.199.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827188/; classtype:trojan-activity;sid:84690288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cityli-fe2.bovla4ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827187/; classtype:trojan-activity;sid:84690287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-base1.bovla4ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827186/; classtype:trojan-activity;sid:84690286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827185)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.211.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827185/; classtype:trojan-activity;sid:84690285; rev:1;)
# URLhaus download-URL indicators, one rule per listed URL (created_at 2026_04_20).
# A rule fires only on a client-to-server HTTP GET whose http.uri and http.host both
# equal the listed strings exactly: depth set to the content length anchors the start
# of the buffer, and endswith / isdataat:!1,relative anchors its end.
# Coverage consequence: a different path, an appended query string, or the same host
# reached over TLS (no decrypted HTTP visible to the sensor) produces no alert.
# NOTE(review): the 82-byte URI below repeats under several *.de7xapil.in.net names in
# this batch; hostnames the feed has not listed are not covered, so pair these rules
# with DNS/proxy log searches on the parent domain when hunting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.59.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827184/; classtype:trojan-activity;sid:84690284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silver-rain6.de7xapil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827183/; classtype:trojan-activity;sid:84690283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whitecloud5.de7xapil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827182/; classtype:trojan-activity;sid:84690282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.76.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827181/; classtype:trojan-activity;sid:84690281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-fish4.de7xapil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827180/; classtype:trojan-activity;sid:84690280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.62.200.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827179/; classtype:trojan-activity;sid:84690279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deepocean3.de7xapil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827178/; classtype:trojan-activity;sid:84690278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.211.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827177/; classtype:trojan-activity;sid:84690277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darkn-ight2.de7xapil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827176/; classtype:trojan-activity;sid:84690276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.247.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827175/; classtype:trojan-activity;sid:84690275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.210.199.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827174/; classtype:trojan-activity;sid:84690274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-sky1.de7xapil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827173/; classtype:trojan-activity;sid:84690273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase;
http.host; content:"182.114.255.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827172/; classtype:trojan-activity;sid:84690272; rev:1;)
# URLhaus download-URL indicators (created_at 2026_04_20): each rule alerts on an
# outbound HTTP GET whose URI and Host header exactly equal one listed URL.
# The number in msg, the reference URL and the sid all identify the same URLhaus
# entry, so an alert can be traced back to the feed record it came from.
# Entries 3827162 and 3827163 appear in swapped order below; none of these rules
# sets or reads shared state (no flowbits), so file order does not affect matching.
# NOTE(review): the long URI here recurs under several *.wi2sorim.in.net names; only
# the hostnames listed are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolstone6.wi2sorim.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827171/; classtype:trojan-activity;sid:84690271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhombus"; depth:8; endswith; nocase; http.host; content:"94.26.106.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827170/; classtype:trojan-activity;sid:84690270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmbr-ead5.wi2sorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827169/; classtype:trojan-activity;sid:84690269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-tea4.wi2sorim.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827168/; classtype:trojan-activity;sid:84690268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshmilk3.wi2sorim.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827167/; classtype:trojan-activity;sid:84690267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-pear2.wi2sorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827166/; classtype:trojan-activity;sid:84690266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.255.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827165/; classtype:trojan-activity;sid:84690265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.229.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827164/; classtype:trojan-activity;sid:84690264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.234.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827162/; classtype:trojan-activity;sid:84690262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.226.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827163/; classtype:trojan-activity;sid:84690263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-apple1.wi2sorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827161/; classtype:trojan-activity;sid:84690261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.132.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827160/; classtype:trojan-activity;sid:84690260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82;
endswith; nocase; http.host; content:"new-page6.to1varin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827159/; classtype:trojan-activity;sid:84690259; rev:1;)
# URLhaus download-URL indicators (created_at 2026_04_20): each rule alerts on an
# outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, client side of an established flow)
# whose URI and Host header exactly equal one listed URL.
# $HOME_NET / $EXTERNAL_NET come from the sensor configuration; hosts outside the
# configured $HOME_NET are not evaluated by these rules.
# nocase is applied to the URI match only, so a request that varies the letter case
# of the path still alerts.
# NOTE(review): the long URI here recurs under several *.to1varin.in.net names; only
# the hostnames listed are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827158/; classtype:trojan-activity;sid:84690258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigwall5.to1varin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827157/; classtype:trojan-activity;sid:84690257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldw-ater4.to1varin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827156/; classtype:trojan-activity;sid:84690256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.229.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827155/; classtype:trojan-activity;sid:84690255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.62.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827154/; classtype:trojan-activity;sid:84690254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-mark3.to1varin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827153/; classtype:trojan-activity;sid:84690253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.94.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827152/; classtype:trojan-activity;sid:84690252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.88.7.48"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827151/; classtype:trojan-activity;sid:84690251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"softwind2.to1varin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827150/; classtype:trojan-activity;sid:84690250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827149/; classtype:trojan-activity;sid:84690249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-book1.to1varin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827148/; classtype:trojan-activity;sid:84690248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.251.21.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827147/; classtype:trojan-activity;sid:84690247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.132.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url,
urlhaus.abuse.ch/url/3827146/; classtype:trojan-activity;sid:84690246; rev:1;)
# URLhaus download-URL indicators (created_at 2026_04_20): each rule alerts on an
# outbound HTTP GET whose URI and Host header exactly equal one listed URL.
# The http.host matches carry no nocase modifier: Suricata's http.host buffer holds
# the lowercased Host value, so the lowercase names listed here match whatever case
# the client sent.
# NOTE(review): the long URI here recurs under *.6zoravel.in.net and *.qi5maren.in.net
# names; only the hostnames listed are matched, so unlisted siblings need a separate
# lookup (DNS or proxy logs) during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"highstep6.6zoravel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827145/; classtype:trojan-activity;sid:84690245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.205.195.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827144/; classtype:trojan-activity;sid:84690244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cle-arview5.6zoravel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827143/; classtype:trojan-activity;sid:84690243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-cup4.6zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827142/; classtype:trojan-activity;sid:84690242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.150.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827141/; classtype:trojan-activity;sid:84690241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.94.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827140/; classtype:trojan-activity;sid:84690240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fastrun3.6zoravel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827139/; classtype:trojan-activity;sid:84690239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gre-enleaf2.6zoravel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827138/; classtype:trojan-activity;sid:84690238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-lamp1.6zoravel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827137/; classtype:trojan-activity;sid:84690237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easydone6.qi5maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827136/; classtype:trojan-activity;sid:84690236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"justplay5.qi5maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827135/; classtype:trojan-activity;sid:84690235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.251.21.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827134/; classtype:trojan-activity;sid:84690234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827133)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smartchoice4.qi5maren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827133/; classtype:trojan-activity;sid:84690233; rev:1;)
# URLhaus download-URL indicators (created_at 2026_04_20): each rule alerts on an
# outbound HTTP GET whose URI and Host header exactly equal one listed URL.
# The host match is pinned to the full buffer: depth equals the content length and
# isdataat:!1,relative requires that no byte follows the match.
# NOTE(review): confirm how the deployed Suricata version presents a Host header that
# carries an explicit ":port" in http.host; the exact-length match leaves no room for
# any suffix, so this decides whether downloads from a non-default port alert.
# NOTE(review): the long URI here recurs under *.qi5maren.in.net and *.wi8sorim.in.net
# names; only the hostnames listed are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.180.150.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827132/; classtype:trojan-activity;sid:84690232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.149.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827131/; classtype:trojan-activity;sid:84690231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.29.39.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827130/; classtype:trojan-activity;sid:84690230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.200.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827129/; classtype:trojan-activity;sid:84690229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"reallife3.qi5maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827128/; classtype:trojan-activity;sid:84690228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gooditem2.qi5maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827127/; classtype:trojan-activity;sid:84690227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.208.112.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827126/; classtype:trojan-activity;sid:84690226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"homeshop1.qi5maren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827125/; classtype:trojan-activity;sid:84690225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fasttime6.wi8sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827124/; classtype:trojan-activity;sid:84690224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.253.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827123/; classtype:trojan-activity;sid:84690223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"besttrip5.wi8sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827122/; classtype:trojan-activity;sid:84690222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.140.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827121/; classtype:trojan-activity;sid:84690221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host;
content:"123.189.149.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827120/; classtype:trojan-activity;sid:84690220; rev:1;)
# URLhaus download-URL indicators (created_at 2026_04_20): each rule alerts on an
# outbound HTTP GET whose URI and Host header exactly equal one listed URL.
# Several addresses are listed twice, once with /i and once with /bin.sh (for example
# 115.58.93.194 and 182.113.33.41 below), each under its own sid. When triaging,
# group alerts by destination address rather than by sid so both entries are seen as
# one host.
# Entries 3827113 and 3827114 appear in swapped order; the rules are independent of
# one another, so this does not change matching.
# NOTE(review): the long URI here recurs under several *.wi8sorim.in.net names; only
# the hostnames listed are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.29.39.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827119/; classtype:trojan-activity;sid:84690219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nextstep4.wi8sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827118/; classtype:trojan-activity;sid:84690218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.18.30"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827117/; classtype:trojan-activity;sid:84690217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oldmap3.wi8sorim.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827116/; classtype:trojan-activity;sid:84690216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.87.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827115/; classtype:trojan-activity;sid:84690215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.93.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827113/; classtype:trojan-activity;sid:84690213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.33.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827114/; classtype:trojan-activity;sid:84690214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shortway2.wi8sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827112/; classtype:trojan-activity;sid:84690212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.93.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827111/; classtype:trojan-activity;sid:84690211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.126.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827110/; classtype:trojan-activity;sid:84690210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.108.38.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827109/; classtype:trojan-activity;sid:84690209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mainroad1.wi8sorim.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827108/; classtype:trojan-activity;sid:84690208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.33.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827107/; classtype:trojan-activity;sid:84690207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3827106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silverrain6.po3vaten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827106/; classtype:trojan-activity;sid:84690206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.140.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827105/; classtype:trojan-activity;sid:84690205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.126.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827104/; classtype:trojan-activity;sid:84690204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.140.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827102/; classtype:trojan-activity;sid:84690202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.200.222"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827103/; classtype:trojan-activity;sid:84690203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"whitecloud5.po3vaten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827101/; classtype:trojan-activity;sid:84690201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goldfish4.po3vaten.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827100/; classtype:trojan-activity;sid:84690200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deepocean3.po3vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827099/; classtype:trojan-activity;sid:84690199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.247.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3827098/; classtype:trojan-activity;sid:84690198; rev:1;)
# Each rule below fires on an outbound GET (client side of an established flow) whose
# http.uri and http.host both equal the listed strings: depth equals the content length,
# and endswith / isdataat:!1,relative forbid trailing bytes.
# Hosts are pinned one subdomain per rule (po3vaten.in.net, kymle5rix.in.net). There is no
# domain-level match, so a sibling subdomain that URLhaus has not listed is not covered by
# this file. A DNS or parent-domain indicator would have to come from another source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"109.108.38.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827097/; classtype:trojan-activity;sid:84690197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darknight2.po3vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827096/; classtype:trojan-activity;sid:84690196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.247.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827095/; classtype:trojan-activity;sid:84690195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brightsky1.po3vaten.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827094/; classtype:trojan-activity;sid:84690194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.204.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827093/; classtype:trojan-activity;sid:84690193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coolstone6.kymle5rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827092/; classtype:trojan-activity;sid:84690192; rev:1;)
# Rule order does not follow the URLhaus id strictly (3827090 precedes 3827091); each sid is still unique.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.200.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827090/; classtype:trojan-activity;sid:84690190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.246.111.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827091/; classtype:trojan-activity;sid:84690191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warmbread5.kymle5rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827089/; classtype:trojan-activity;sid:84690189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.18.30"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827088/; classtype:trojan-activity;sid:84690188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hottea4.kymle5rix.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827087/; classtype:trojan-activity;sid:84690187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.88.183"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827086/; classtype:trojan-activity;sid:84690186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshmilk3.kymle5rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827085/; 
classtype:trojan-activity;sid:84690185; rev:1;)
# The rules below match request fields only (method, http.uri, http.host) on traffic from
# $HOME_NET to $EXTERNAL_NET, so an alert identifies the internal client that asked for the
# URL. Whether anything was returned has to be checked in flow or file logs.
# Several hosts here are IP literals. The match is on the Host text, and the destination
# in the rule header is "$EXTERNAL_NET any", so a request sent to the same address under a
# different Host value is not matched by these rules.
# NOTE(review): whether a Host header carrying an explicit ":port" still satisfies the
# exact-length match depends on how the deployed Suricata fills http.host. Confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.200.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827084/; classtype:trojan-activity;sid:84690184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.109.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827083/; classtype:trojan-activity;sid:84690183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.148.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827082/; classtype:trojan-activity;sid:84690182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.161.142.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827081/; classtype:trojan-activity;sid:84690181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweetpear2.kymle5rix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827080/; classtype:trojan-activity;sid:84690180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.249.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827079/; classtype:trojan-activity;sid:84690179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tastyapple1.kymle5rix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827078/; classtype:trojan-activity;sid:84690178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.246.111.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827077/; classtype:trojan-activity;sid:84690177; rev:1;)
# 110.37.5.37 and 42.85.199.138 are each listed twice below, once for "/i" and once for "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827076/; classtype:trojan-activity;sid:84690176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"newpage6.to7ramil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827075/; classtype:trojan-activity;sid:84690175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827074/; classtype:trojan-activity;sid:84690174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.199.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827073/; classtype:trojan-activity;sid:84690173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.199.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827072/; classtype:trojan-activity;sid:84690172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.208.242.90"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827071/; classtype:trojan-activity;sid:84690171; rev:1;)
# Every rule below is an exact URL indicator: GET, http.uri equal to the listed path
# (case-insensitive via nocase) and http.host equal to the listed host. Nothing about the
# response or the file content is checked.
# Each rule carries metadata:created_at 2026_04_20 and rev:1, with a reference to its
# URLhaus entry. Use the reference during triage to see whether the entry is still listed
# as active before treating an alert as a live download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.148.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827070/; classtype:trojan-activity;sid:84690170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bigwall5.to7ramil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827069/; classtype:trojan-activity;sid:84690169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.75.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827068/; classtype:trojan-activity;sid:84690168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coldwater4.to7ramil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827067/; classtype:trojan-activity;sid:84690167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.125.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827066/; classtype:trojan-activity;sid:84690166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.109.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827065/; classtype:trojan-activity;sid:84690165; rev:1;)
# 110.37.121.43 is listed for "/i" here and for "/bin.sh" further down (3827059).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827064/; classtype:trojan-activity;sid:84690164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.165.69.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827063/; classtype:trojan-activity;sid:84690163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"redmark3.to7ramil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827062/; classtype:trojan-activity;sid:84690162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.28.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827061/; classtype:trojan-activity;sid:84690161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.142.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827060/; classtype:trojan-activity;sid:84690160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827059/; classtype:trojan-activity;sid:84690159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.26.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827058/; classtype:trojan-activity;sid:84690158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827057)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"softwind2.to7ramil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827057/; classtype:trojan-activity;sid:84690157; rev:1;)
# Most rules below repeat one 82-byte URI across subdomains of to7ramil.in.net,
# ra9ximer.in.net, pulp-turquoise.in.net and hai1owhiten.in.net. The URI is identical in
# every one of them and only the http.host content changes.
# Because both URI and Host are matched for equality, the shared path is not detected on a
# host that is missing from the list. If that path is the stable part of the indicator, a
# local rule keyed on the URI alone would be a separate decision, not something this feed does.
# These are "alert http" rules, so they only see requests Suricata parses as HTTP. The same
# URL fetched over TLS is out of their reach unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"openbook1.to7ramil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827056/; classtype:trojan-activity;sid:84690156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.246.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827055/; classtype:trojan-activity;sid:84690155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.75.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827054/; classtype:trojan-activity;sid:84690154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hightree6.ra9ximer.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827053/; classtype:trojan-activity;sid:84690153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clearview5.ra9ximer.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827052/; classtype:trojan-activity;sid:84690152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smalllamp4.ra9ximer.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827051/; classtype:trojan-activity;sid:84690151; rev:1;)
# 125.25.51.90 is listed for "/i" here and for "/bin.sh" further down (3827045).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.25.51.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827050/; classtype:trojan-activity;sid:84690150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fastrun3.ra9ximer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827049/; classtype:trojan-activity;sid:84690149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.26.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827048/; classtype:trojan-activity;sid:84690148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"greenleaf2.ra9ximer.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827047/; classtype:trojan-activity;sid:84690147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bluebox1.ra9ximer.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827046/; classtype:trojan-activity;sid:84690146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.25.51.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827045/; classtype:trojan-activity;sid:84690145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sc9t.pulp-turquoise.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827044/; classtype:trojan-activity;sid:84690144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qeeebs40.pulp-turquoise.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827043/; classtype:trojan-activity;sid:84690143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gene-mod.hai1owhiten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827042/; classtype:trojan-activity;sid:84690142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lum-spireos.hai1owhiten.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827041/; classtype:trojan-activity;sid:84690141; 
rev:1;)
# The rules below pin one exact URL each: method GET, http.uri equal to the path
# (case-insensitive via nocase), http.host equal to the host.
# The file extension in the URI (.png, .hta, .txt) is only part of the matched string.
# No rule here inspects the response body, so the extension says nothing about what was
# served. Confirm the content type from file-extraction or proxy logs when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"apparelgate.co.uk"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827040/; classtype:trojan-activity;sid:84690140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wwww.png"; depth:9; endswith; nocase; http.host; content:"homecaremovers.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827039/; classtype:trojan-activity;sid:84690139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/45/goodpeoplesneedformebest.hta"; depth:32; endswith; nocase; http.host; content:"66.63.170.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827038/; classtype:trojan-activity;sid:84690138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorlith3is.resolut-revening.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827037/; classtype:trojan-activity;sid:84690137; rev:1;)
# NOTE(review): the path sits under /wp-includes/, which looks like a WordPress tree.
# Presumably third-party site content. The rule itself establishes nothing about the site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/theme-compat/higzbol/nstyjrw/rszqlut/fgeekpk.txt"; depth:61; endswith; nocase; http.host; content:"crypto-corexchange.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827036/; classtype:trojan-activity;sid:84690136; rev:1;)
# Short host, single-segment path: the rule stays specific only because the URI must match in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h3y7duh1nift0yd"; depth:16; endswith; nocase; http.host; content:"hasteb.in"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827035/; classtype:trojan-activity;sid:84690135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0nv-panel.resolut-revening.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827034/; classtype:trojan-activity;sid:84690134; rev:1;)
# 61.54.204.53 is listed for "/i" here and for "/bin.sh" in the next rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.204.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827033/; classtype:trojan-activity;sid:84690133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.204.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3827032/; classtype:trojan-activity;sid:84690132; rev:1;)
# The rules below pin one exact URL each: method GET, an http.uri content anchored with
# depth + endswith (nocase), and an http.host content anchored with depth +
# isdataat:!1,relative. Only request fields are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"covstri.rus5icabreast.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827031/; classtype:trojan-activity;sid:84690131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/theme-compat/higzbol/nstyjrw/rszqlut/mfsrkdn.txt"; depth:61; endswith; nocase; http.host; content:"crypto-corexchange.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827029/; classtype:trojan-activity;sid:84690129; rev:1;)
# NOTE(review): drive.google.com rules (3827030, 3827028 and the rule for 3827018 that
# starts at the end of this stretch).
#  - In the URI content, |3f| is "?" and |7c| is "|", so "|7c|26|7c|" decodes to the four
#    literal bytes "|26|", not to "&". It looks as if an escape for "&" was escaped a
#    second time. Confirm against the URLhaus entry. If the listed URL uses
#    "...download&id=...", these rules cannot match it as written.
#  - depth:68 equals the length of the escaped text, while the decoded content is 59 bytes.
#  - The host is a shared service and the match depends entirely on the URI. "alert http"
#    does not see requests made over TLS unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uil2nsnx9vagassxj2zofkjuv1rdrbwd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827030/; classtype:trojan-activity;sid:84690130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1-wxstiaw3yx5iivzt5av5h7adiumofly"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827028/; classtype:trojan-activity;sid:84690128; rev:1;)
# Short paths on short hosts ("/raw/...", "/r/...", "/b.txt"): specificity comes from the full-URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/pmstaa4s"; depth:13; endswith; nocase; http.host; content:"yaso.su"; depth:7; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827027/; classtype:trojan-activity;sid:84690127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/whotyjbs"; depth:11; endswith; nocase; http.host; content:"pastee.dev"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827026/; classtype:trojan-activity;sid:84690126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woow.dat"; depth:9; endswith; nocase; http.host; content:"ensions.xyz"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827025/; classtype:trojan-activity;sid:84690125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.txt"; depth:6; endswith; nocase; http.host; content:"md.ccsuquk.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827024/; classtype:trojan-activity;sid:84690124; rev:1;)
# Three numbered files (01/02/03.txt) under one directory on the same host, one rule per file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto/01.txt"; depth:45; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827023/; classtype:trojan-activity;sid:84690123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lw.txt"; depth:7; endswith; nocase; http.host; content:"md.ccsuquk.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827021/; classtype:trojan-activity;sid:84690121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto/03.txt"; depth:45; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827022/; classtype:trojan-activity;sid:84690122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto/02.txt"; depth:45; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827020/; classtype:trojan-activity;sid:84690120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gxsjc-nwkjtqpbfr2ec4vxpmnalb3d5e"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827018/; classtype:trojan-activity;sid:84690118; rev:1;)
# How to read the rules below: each one is an exact-match indicator for a single GET request.
#   - http.uri:  content + depth (= length of the content text) + endswith pins the whole normalized
#                URI; nocase makes that comparison case-insensitive.
#   - http.host: content + depth + isdataat:!1,relative pins the whole host value (no bytes may follow).
# A request for the same path with an added query string, or sent to a different hostname, does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/vv/update.ps1"; depth:23; endswith; nocase; http.host; content:"wisdomheart.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827019/; classtype:trojan-activity;sid:84690119; rev:1;)
# NOTE(review): applies to the drive.google.com rule that follows (URLhaus 3827017). The rule whose tail
# opens this span (URLhaus 3827018) uses the same content pattern.
#   1. In the http.uri content, "|7c|26|7c|" decodes to the four bytes '|' '2' '6' '|' (0x7c is the pipe
#      character), not to a single '&' (0x26). This looks like a "|26|" escape whose pipes were escaped a
#      second time by the rule generator — TODO confirm against the URLhaus entry. If the reported URL
#      reads "export=download&id=...", this signature cannot match it.
#   2. depth:68 equals the length of the escaped rule text; the decoded pattern is 59 bytes, so depth is
#      wider than the pattern and no longer acts as an exact-length anchor (endswith still applies).
#   3. This is an "alert http" rule, so it only sees requests Suricata parses as cleartext HTTP. This host
#      is presumably reached over TLS — verify that decrypted traffic reaches the sensor before relying on
#      it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ptfvltlvgtx_0qtc2dhpi-atjnhubyyo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827017/; classtype:trojan-activity;sid:84690117; rev:1;)
# NOTE(review): the next two rules carry the same URI and differ only in the *.in.net hostname; the same
# URI appears elsewhere in this file under further hostnames. A hostname that is not listed yet is not
# covered; whether a local rule keyed on the URI alone is acceptable depends on false-positive testing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ktfxyu6.rus5icabreast.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827016/; classtype:trojan-activity;sid:84690116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qfw0.blasph-nimalo.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3827015/; classtype:trojan-activity;sid:84690115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/src/file3025.mp3"; depth:24; endswith; nocase; http.host; content:"www.maxpower01.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827014/; classtype:trojan-activity;sid:84690114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syncroinstaller.msi"; depth:20; endswith; nocase; http.host; content:"pub-ec5d868d10f548e792c0fd1c080190aa.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827013/; classtype:trojan-activity;sid:84690113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new-geta-marin-site/20426.exe"; depth:30; endswith; nocase; http.host; content:"getamarin.ro"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827012/; classtype:trojan-activity;sid:84690112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rumpaid.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827010/; classtype:trojan-activity;sid:84690110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827011)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/yupaidnew.png"; depth:14; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827011/; classtype:trojan-activity;sid:84690111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obo20th.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827009/; classtype:trojan-activity;sid:84690109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0tter7-gate.blasph-nimalo.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827008/; classtype:trojan-activity;sid:84690108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.200.227.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827007/; classtype:trojan-activity;sid:84690107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wffd/update.ps1"; depth:16; endswith; nocase; http.host; content:"www.vame.be"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827006/; 
classtype:trojan-activity;sid:84690106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.28.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827005/; classtype:trojan-activity;sid:84690105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rebatesouth.big2mychild.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827004/; classtype:trojan-activity;sid:84690104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.211.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827003/; classtype:trojan-activity;sid:84690103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"roya-node.big2mychild.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827002/; classtype:trojan-activity;sid:84690102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827001)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.228.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827001/; classtype:trojan-activity;sid:84690101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"52rgfkcr.sizar-sniffy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3827000/; classtype:trojan-activity;sid:84690100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.26.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826999/; classtype:trojan-activity;sid:84690099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/plugin/szjbfluytwpr252.bin"; depth:46; endswith; nocase; http.host; content:"draalineverzignassi.com.br"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826998/; classtype:trojan-activity;sid:84690098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.128.208"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_04_20; reference:url, urlhaus.abuse.ch/url/3826997/; classtype:trojan-activity;sid:84690097; rev:1;)
# How to read the rules below: each one is an exact-match indicator for a single GET request.
#   - http.uri:  content + depth (= length of the content text) + endswith pins the whole normalized
#                URI; nocase makes that comparison case-insensitive.
#   - http.host: content + depth + isdataat:!1,relative pins the whole host value (no bytes may follow).
# A request for the same path with an added query string, or sent to a different hostname, does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deco-spe.sizar-sniffy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826996/; classtype:trojan-activity;sid:84690096; rev:1;)
# NOTE(review): applies to the drive.google.com rule that follows (URLhaus 3826995).
#   1. In the http.uri content, "|7c|26|7c|" decodes to the four bytes '|' '2' '6' '|' (0x7c is the pipe
#      character), not to a single '&' (0x26). This looks like a "|26|" escape whose pipes were escaped a
#      second time by the rule generator — TODO confirm against the URLhaus entry. If the reported URL
#      reads "export=download&id=...", this signature cannot match it.
#   2. depth:68 equals the length of the escaped rule text; the decoded pattern is 59 bytes, so depth is
#      wider than the pattern and no longer acts as an exact-length anchor (endswith still applies).
#   3. This is an "alert http" rule, so it only sees requests Suricata parses as cleartext HTTP. This host
#      is presumably reached over TLS — verify that decrypted traffic reaches the sensor before relying on
#      it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1-bn5mspz_jeiez9ciwxuqgvc6hgqjfvh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826995/; classtype:trojan-activity;sid:84690095; rev:1;)
# Triage hint: host 89.200.227.78 is also listed in this file with URI "/i" (sid 84690107), so an alert
# on either rule is a reason to search the same client's traffic for the other request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"89.200.227.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826994/; classtype:trojan-activity;sid:84690094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0liwtqxp.deser8othic.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826993/; 
classtype:trojan-activity;sid:84690093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20/img_213647.png"; depth:18; endswith; nocase; http.host; content:"192.210.186.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826992/; classtype:trojan-activity;sid:84690092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40/img_180818.png"; depth:18; endswith; nocase; http.host; content:"66.63.170.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826991/; classtype:trojan-activity;sid:84690091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fieldsun.deser8othic.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826990/; classtype:trojan-activity;sid:84690090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.25.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826989/; classtype:trojan-activity;sid:84690089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826988)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.211.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826988/; classtype:trojan-activity;sid:84690088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ya72oy.firs-tachycardia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826987/; classtype:trojan-activity;sid:84690087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slowcivi.firs-tachycardia.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826986/; classtype:trojan-activity;sid:84690086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.26.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826985/; classtype:trojan-activity;sid:84690085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.128.208"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_04_20; reference:url, urlhaus.abuse.ch/url/3826984/; classtype:trojan-activity;sid:84690084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms64gw.vsix"; depth:12; endswith; nocase; http.host; content:"kronos.bot.nu"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826983/; classtype:trojan-activity;sid:84690083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tbgqldre.artichf1atly.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826982/; classtype:trojan-activity;sid:84690082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25/wegivenbestthinkgsformebest.hta"; depth:35; endswith; nocase; http.host; content:"107.172.135.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826981/; classtype:trojan-activity;sid:84690081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"66.179.248.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826980/; classtype:trojan-activity;sid:84690080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3826978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30/seemybestfeeelingformebest.hta"; depth:34; endswith; nocase; http.host; content:"192.3.136.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826978/; classtype:trojan-activity;sid:84690078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36/goodthingswithbestpfer.hta"; depth:30; endswith; nocase; http.host; content:"198.46.173.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826979/; classtype:trojan-activity;sid:84690079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3ik31.artichf1atly.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826977/; classtype:trojan-activity;sid:84690077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"west-layer.4zoralin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826976/; classtype:trojan-activity;sid:84690076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"180.157.47.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826975/; classtype:trojan-activity;sid:84690075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/plugin/resubjecti.csv"; depth:41; endswith; nocase; http.host; content:"draalineverzignassi.com.br"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826974/; classtype:trojan-activity;sid:84690074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resubjecti.csv"; depth:15; endswith; nocase; http.host; content:"dlvryintl.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826973/; classtype:trojan-activity;sid:84690073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szjbfluytwpr252.bin"; depth:20; endswith; nocase; http.host; content:"dlvryintl.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826972/; classtype:trojan-activity;sid:84690072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.40.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826971/; classtype:trojan-activity;sid:84690071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.195.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826970/; classtype:trojan-activity;sid:84690070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.251.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826969/; classtype:trojan-activity;sid:84690069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.174.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826968/; classtype:trojan-activity;sid:84690068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.12.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826967/; classtype:trojan-activity;sid:84690067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.229.195.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826966/; 
classtype:trojan-activity;sid:84690066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.246.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826965/; classtype:trojan-activity;sid:84690065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.98.231.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826963/; classtype:trojan-activity;sid:84690063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.26.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826964/; classtype:trojan-activity;sid:84690064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.255.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826962/; classtype:trojan-activity;sid:84690062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826961/; classtype:trojan-activity;sid:84690061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.200.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826960/; classtype:trojan-activity;sid:84690060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.90.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826959/; classtype:trojan-activity;sid:84690059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.166.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826958/; classtype:trojan-activity;sid:84690058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.177.67.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826957/; classtype:trojan-activity;sid:84690057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"222.141.23.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826956/; classtype:trojan-activity;sid:84690056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.94.107"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826955/; classtype:trojan-activity;sid:84690055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.174.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826954/; classtype:trojan-activity;sid:84690054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826953/; classtype:trojan-activity;sid:84690053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.179.230.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826951/; classtype:trojan-activity;sid:84690051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826952)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.39.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826952/; classtype:trojan-activity;sid:84690052; rev:1;)
# (line above: remainder of the rule for URLhaus id 3826952, which starts on the previous line)
#
# URLhaus download-URL rules, one per line. Every rule requires an HTTP GET from $HOME_NET
# whose URI buffer equals the listed path (depth + endswith, nocase) and whose Host equals
# the listed host (depth + isdataat:!1,relative). Because the rules are "alert http", only
# traffic Suricata parses as HTTP is inspected; the same URL requested with another method
# will not match, since http.method is pinned to GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.247.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826950/; classtype:trojan-activity;sid:84690050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.255.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826949/; classtype:trojan-activity;sid:84690049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.206.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826948/; classtype:trojan-activity;sid:84690048; rev:1;)
# The next thirteen rules form one cluster: twelve use host 176.65.148.141 and one
# (sid 84690040, path /x86_64) uses 176.65.134.30. The paths are CPU-architecture names
# (m68k, arm, arm6, arc, mpsl, x86_64, arm7, mips, ppc, sh4, spc, x86). When triaging,
# correlate alerts across these sids by source address; several hits from one client in a
# short window presumably mean it requested more than one build (confirm with flow logs).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826947/; classtype:trojan-activity;sid:84690047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826946/; classtype:trojan-activity;sid:84690046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826945/; classtype:trojan-activity;sid:84690045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826938/; classtype:trojan-activity;sid:84690038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826939/; classtype:trojan-activity;sid:84690039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826940/; classtype:trojan-activity;sid:84690040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826941/; classtype:trojan-activity;sid:84690041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826942/; classtype:trojan-activity;sid:84690042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826943/; classtype:trojan-activity;sid:84690043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826944/; classtype:trojan-activity;sid:84690044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826935/; classtype:trojan-activity;sid:84690035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826936/; classtype:trojan-activity;sid:84690036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.148.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826937/; classtype:trojan-activity;sid:84690037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.23.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826934/; classtype:trojan-activity;sid:84690034; rev:1;)
# .hta path (HTML Application). On Windows such files are run by mshta.exe, so an alert on
# this sid or on sid 84690031 below is worth pairing with endpoint process telemetry for
# the requesting host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20/verycleaneffectivethingscoming.hta"; depth:38; endswith; nocase; http.host; content:"192.210.186.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826933/; classtype:trojan-activity;sid:84690032; rev:1;)
# NOTE(review): the URI content below is written in percent-encoded form (%d0%92 ...),
# and depth:41 counts those escape characters. http.uri is Suricata's normalized URI
# buffer; if percent-escapes are decoded before inspection, the buffer would hold the raw
# bytes instead and this rule would not fire. Verify against a test capture, and if it
# does not match, evaluate http.uri.raw for this entry in a local override.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%92%d0%be%d0%betstappe%d0%b3ulx64.zip"; depth:41; endswith; nocase; http.host; content:"rizvedevelop.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826932/; classtype:trojan-activity;sid:84690032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25/goodnewsformegood.hta"; depth:25; endswith; nocase; http.host; content:"192.3.122.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826931/; classtype:trojan-activity;sid:84690031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.90.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826930/; classtype:trojan-activity;sid:84690030; rev:1;)
# The remaining rules in this run match .bin paths with random-looking names on host
# 45.225.135.61; each file name has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fhkfephsusiunonqcukuuu63.bin"; depth:29; endswith; nocase; http.host; content:"45.225.135.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826929/; classtype:trojan-activity;sid:84690029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opndzua3.bin"; depth:13; endswith; nocase; http.host; content:"45.225.135.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826925/; classtype:trojan-activity;sid:84690025; rev:1;)
# (line below: first keyword of the next rule; the rest of it is on the following line)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xunbtlnvkdylmr54.bin"; depth:21; endswith; nocase; http.host; content:"45.225.135.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826926/; classtype:trojan-activity;sid:84690026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yhdtw67.bin"; depth:12; endswith; nocase; http.host; content:"45.225.135.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826927/; classtype:trojan-activity;sid:84690027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cuqaownq46.bin"; depth:15; endswith; nocase; http.host; content:"45.225.135.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826928/; classtype:trojan-activity;sid:84690028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.139.62.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826924/; classtype:trojan-activity;sid:84690024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.117.77"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_20; reference:url, urlhaus.abuse.ch/url/3826923/; classtype:trojan-activity;sid:84690023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.ppc"; depth:14; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826922/; classtype:trojan-activity;sid:84690022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm"; depth:14; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826920/; classtype:trojan-activity;sid:84690020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.sh4"; depth:14; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826921/; classtype:trojan-activity;sid:84690021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.mips"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826916/; classtype:trojan-activity;sid:84690016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826917)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/hoho.spc"; depth:14; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826917/; classtype:trojan-activity;sid:84690017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_linux_x64"; depth:16; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826918/; classtype:trojan-activity;sid:84690018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_mipsle"; depth:13; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826919/; classtype:trojan-activity;sid:84690019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.x86"; depth:14; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826910/; classtype:trojan-activity;sid:84690010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.m68k"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826911/; classtype:trojan-activity;sid:84690011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm5"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826912/; classtype:trojan-activity;sid:84690012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm6"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826913/; classtype:trojan-activity;sid:84690013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.mpsl"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826914/; classtype:trojan-activity;sid:84690014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm7"; depth:15; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826915/; classtype:trojan-activity;sid:84690015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.220.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826909/; classtype:trojan-activity;sid:84690009; rev:1;)
# (line above: tail of the rule for URLhaus id 3826909, which starts on the previous line)
#
# URLhaus download-URL rules, one per line, all for "/i" or "/bin.sh" on literal IP hosts.
# Match logic per rule: HTTP GET from $HOME_NET; URI buffer exactly equal to the path
# (depth + endswith, nocase); Host exactly equal to the address (depth +
# isdataat:!1,relative). With paths this short, the exact Host match is what keeps the
# rules specific; the same address can appear under two sids, one per path
# (e.g. 117.131.92.150 in sids 84690003 and 84690002).
# sid = URLhaus id + 80863100 throughout, which ties each alert to its reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.235.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826908/; classtype:trojan-activity;sid:84690008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.219.44.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826907/; classtype:trojan-activity;sid:84690007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.25.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826906/; classtype:trojan-activity;sid:84690006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826905/; classtype:trojan-activity;sid:84690005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.23.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826904/; classtype:trojan-activity;sid:84690004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.131.92.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826903/; classtype:trojan-activity;sid:84690003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.131.92.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826902/; classtype:trojan-activity;sid:84690002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.220.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826901/; classtype:trojan-activity;sid:84690001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.206.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826900/; classtype:trojan-activity;sid:84690000; rev:1;)
# (line below: start of the rule for URLhaus id 3826899; it continues on the following line)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"42.238.248.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826899/; classtype:trojan-activity;sid:84689999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.161.100.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826898/; classtype:trojan-activity;sid:84689998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.94.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826897/; classtype:trojan-activity;sid:84689997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.224.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826896/; classtype:trojan-activity;sid:84689996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-milk5.zore9varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826895/; classtype:trojan-activity;sid:84689995; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.114.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826894/; classtype:trojan-activity;sid:84689994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.248.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826893/; classtype:trojan-activity;sid:84689993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-tea4.zore9varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826892/; classtype:trojan-activity;sid:84689992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-soup3.zore9varin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826891/; classtype:trojan-activity;sid:84689991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826890)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"220.161.100.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826890/; classtype:trojan-activity;sid:84689990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.224.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826889/; classtype:trojan-activity;sid:84689989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-bun2.zore9varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826888/; classtype:trojan-activity;sid:84689988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pie1.zore9varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826887/; classtype:trojan-activity;sid:84689987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.114.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; 
reference:url, urlhaus.abuse.ch/url/3826886/; classtype:trojan-activity;sid:84689986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-task6.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826885/; classtype:trojan-activity;sid:84689985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.93.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826884/; classtype:trojan-activity;sid:84689984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"just-talk5.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826883/; classtype:trojan-activity;sid:84689983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.18.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826882/; classtype:trojan-activity;sid:84689982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3826881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nice-shot4.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826881/; classtype:trojan-activity;sid:84689981; rev:1;)
# (line above: remainder of the rule for URLhaus id 3826881, which starts on the previous line)
#
# URLhaus download-URL rules, one per line. Each needs an HTTP GET from $HOME_NET with the
# URI buffer exactly equal to the listed path (depth + endswith, nocase) and the Host
# exactly equal to the listed host (depth + isdataat:!1,relative).
# Two kinds of entry are interleaved here:
#   - "/i" and "/bin.sh" on literal IP addresses;
#   - one identical 82-byte URI ("/05fe317c-.../ck-....google") on word-pair subdomains of
#     po3vaxkyml.in.net and de8trevarm.in.net.
# For the second kind each rule pins a single hostname, so a sibling subdomain that is not
# listed raises no alert. NOTE(review): where DNS or proxy logs are available, searching
# them for the shared URI or the parent domains would show whether unlisted siblings were
# contacted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"real-fact3.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826880/; classtype:trojan-activity;sid:84689980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-time2.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826879/; classtype:trojan-activity;sid:84689979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.243.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826878/; classtype:trojan-activity;sid:84689978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-news1.po3vaxkyml.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826877/; classtype:trojan-activity;sid:84689977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.18.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826876/; classtype:trojan-activity;sid:84689976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"side-view6.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826875/; classtype:trojan-activity;sid:84689975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826874/; classtype:trojan-activity;sid:84689974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.93.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826873/; classtype:trojan-activity;sid:84689973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.8.152"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826872/; classtype:trojan-activity;sid:84689972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826871/; classtype:trojan-activity;sid:84689971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"back-yard5.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826870/; classtype:trojan-activity;sid:84689970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.253.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826869/; classtype:trojan-activity;sid:84689969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826867/; classtype:trojan-activity;sid:84689967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.253.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826868/; classtype:trojan-activity;sid:84689968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-base1.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826865/; classtype:trojan-activity;sid:84689965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-room4.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826866/; classtype:trojan-activity;sid:84689966; rev:1;)
# (line below: start of the rule for URLhaus id 3826863; the rest lies beyond this section)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826863)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hub0-hinge.nelma-report.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826863/; classtype:trojan-activity;sid:84689963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"30urtlmu.nelma-report.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826864/; classtype:trojan-activity;sid:84689964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-life2.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826862/; classtype:trojan-activity;sid:84689962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"next-door3.de8trevarm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826861/; classtype:trojan-activity;sid:84689961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826858)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"meta-5har.nelma-report.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826858/; classtype:trojan-activity;sid:84689958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"good1.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826859/; classtype:trojan-activity;sid:84689959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tridraix5.gypsyw0od.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826860/; classtype:trojan-activity;sid:84689960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"c3dar-sync.dax8sovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826856/; classtype:trojan-activity;sid:84689956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826857)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"spot2.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826857/; classtype:trojan-activity;sid:84689957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"densefro.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826849/; classtype:trojan-activity;sid:84689949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tal-forgeal.nelma-report.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826850/; classtype:trojan-activity;sid:84689950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"geo-4uth.savor-woman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826851/; classtype:trojan-activity;sid:84689951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3826852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"photo-frame1.kym7sarel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826852/; classtype:trojan-activity;sid:84689952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"repair-work3.tov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826853/; classtype:trojan-activity;sid:84689953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"roughengine.dredg8asman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826854/; classtype:trojan-activity;sid:84689954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"peakree.dredg8asman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826855/; classtype:trojan-activity;sid:84689955; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"echoblend.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826835/; classtype:trojan-activity;sid:84689935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"global-site6.lax8dorim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826836/; classtype:trojan-activity;sid:84689936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"civillabel.qyx7darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826837/; classtype:trojan-activity;sid:84689937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"class-report5.mox3terin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826838/; classtype:trojan-activity;sid:84689938; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"qu4nt-panel.chain-sinusit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826839/; classtype:trojan-activity;sid:84689939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sxbrp.bri1laxon.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826840/; classtype:trojan-activity;sid:84689940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zsj7xqo.qen7tavil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826841/; classtype:trojan-activity;sid:84689941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"routerwago.tul2qorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826842/; 
classtype:trojan-activity;sid:84689942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"bay-banne.tul7morax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826843/; classtype:trojan-activity;sid:84689943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"public-help5.domna-replenish.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826844/; classtype:trojan-activity;sid:84689944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"office-paper1.syl5peran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826845/; classtype:trojan-activity;sid:84689945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pa5tu-drive.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; 
reference:url, urlhaus.abuse.ch/url/3826846/; classtype:trojan-activity;sid:84689946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"dynamicsoun.red-sticker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826847/; classtype:trojan-activity;sid:84689947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"main-street5.lax8dorim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826848/; classtype:trojan-activity;sid:84689948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"proto-dynam1.kry3qelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826834/; classtype:trojan-activity;sid:84689934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"driv3-array.dredg8asman.in.net"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826827/; classtype:trojan-activity;sid:84689927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"torr3nt-layer.fortene7vous.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826828/; classtype:trojan-activity;sid:84689928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"local-event6.rav8doxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826829/; classtype:trojan-activity;sid:84689929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hotel-booking2.rav8doxel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826830/; classtype:trojan-activity;sid:84689930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"guest-portal2.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826831/; classtype:trojan-activity;sid:84689931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"world-press2.dex6laper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826832/; classtype:trojan-activity;sid:84689932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vialstr.prax9vitor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826833/; classtype:trojan-activity;sid:84689933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"scalesign.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826815/; classtype:trojan-activity;sid:84689915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; 
depth:83; endswith; nocase; http.host; content:"flovv-chain.vex1laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826816/; classtype:trojan-activity;sid:84689916; rev:1;)
# How these generated rules match: each one pins a single URLhaus entry to an exact
# (method, URI, host) triple on traffic Suricata parses as HTTP.
#   - http.uri:  depth equals the content length and endswith anchors the end, so the
#                whole URI buffer must equal the content; nocase makes that comparison
#                case-insensitive.
#   - http.host: depth equals the content length and isdataat:!1,relative requires that
#                no byte follows the match, so the host buffer must equal the content.
# Because the rules are `alert http`, they only see requests whose HTTP layer is visible
# to the sensor; the same URL fetched inside TLS is not covered by this ruleset.
#
# NOTE(review): sid 84689916 (ending on the line above) and sid 84689917 (next line)
# have identical http.uri and http.host contents and differ only in the URLhaus id in
# msg/reference and in the sid. One matching request therefore raises two alerts; count
# it as one event when triaging (group on host + URI rather than on sid). The same
# pattern appears elsewhere in this file for bay-banne.tul7morax.in.net
# (sid 84689943 and sid 84689908).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"flovv-chain.vex1laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826817/; classtype:trojan-activity;sid:84689917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"livel-sou.nelma-report.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826818/; classtype:trojan-activity;sid:84689918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"arraynotifier.chain-sinusit.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826819/; classtype:trojan-activity;sid:84689919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826820)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"birdout.tul7morax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826820/; classtype:trojan-activity;sid:84689920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"study-material4.mox3terin.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826821/; classtype:trojan-activity;sid:84689921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"t0mbk.xel5navin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826822/; classtype:trojan-activity;sid:84689922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ovumpg.racersta7ving.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826823/; classtype:trojan-activity;sid:84689923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826824)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"b1oo9-hold.racersta7ving.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826824/; classtype:trojan-activity;sid:84689924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"central-market1.domna-replenish.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826825/; classtype:trojan-activity;sid:84689925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tlnsb.zor2laven.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826826/; classtype:trojan-activity;sid:84689926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"help5.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826804/; classtype:trojan-activity;sid:84689904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826805)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"item4.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826805/; classtype:trojan-activity;sid:84689905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"jdqn.gypsyw0od.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826806/; classtype:trojan-activity;sid:84689906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"beach-resort4.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826807/; classtype:trojan-activity;sid:84689907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"bay-banne.tul7morax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826808/; classtype:trojan-activity;sid:84689908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3826809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"spli1-watch.zex3piral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826809/; classtype:trojan-activity;sid:84689909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ice-mark.xel5navin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826810/; classtype:trojan-activity;sid:84689910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"valu-span.dredg8asman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826811/; classtype:trojan-activity;sid:84689911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zme1roui.expans-homeland.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826812/; classtype:trojan-activity;sid:84689912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"njf8.wex1miran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826813/; classtype:trojan-activity;sid:84689913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ar2ymo.bri1laxon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826814/; classtype:trojan-activity;sid:84689914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"m0ss5-watch.nor3liven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826792/; classtype:trojan-activity;sid:84689892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"travel-blog5.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826793/; classtype:trojan-activity;sid:84689893; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fernretai.multi5ardina.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826794/; classtype:trojan-activity;sid:84689894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"quick-cash5.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826795/; classtype:trojan-activity;sid:84689895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"rtrr.bo2rdreluct.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826796/; classtype:trojan-activity;sid:84689896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zdjine7o.nor8tavil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826797/; classtype:trojan-activity;sid:84689897; rev:1;) 
# NOTE(review): generated URLhaus IoC rules, restored to one rule per line.
# Each rule alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET where both
# buffers equal one reported value exactly:
#   http.uri  - content + depth:<len> + endswith            (whole buffer, nocase)
#   http.host - content + depth:<len> + isdataat:!1,relative (whole buffer)
# A request for the same path with a query string appended, or for any other
# path on the same host, does not match. These are `alert http` rules, so a
# fetch over TLS is only seen if traffic is decrypted before the sensor.
# Option order is significant: each content/depth/endswith applies to the
# sticky buffer named just before it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"syxnh65t.nor8tavil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826798/; classtype:trojan-activity;sid:84689898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"p14sm-grid.racersta7ving.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826799/; classtype:trojan-activity;sid:84689899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zenmark1a.bri1laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826800/; classtype:trojan-activity;sid:84689900; rev:1;)
# NOTE(review): the same host + URI pair is also covered by sid 84689878
# (URLhaus 3826778), so one request raises two alerts. Presumably the feed emits
# one rule per URLhaus entry; de-duplicate on host + URI when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mnwgjp.bo2rdreluct.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826801/; classtype:trojan-activity;sid:84689901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"gathe-tri.tix9sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826802/; classtype:trojan-activity;sid:84689902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"street-view6.kro2vilen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826803/; classtype:trojan-activity;sid:84689903; rev:1;)
# NOTE(review): here the Host value is a bare IPv4 literal. The rule keys on the
# Host header text; the destination stays "$EXTERNAL_NET any", so the address
# itself is not constrained by the rule header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826784/; classtype:trojan-activity;sid:84689884; rev:1;)
# NOTE(review): same host + URI pair as sid 84689912 (URLhaus 3826812); see the
# duplicate-alert note on sid 84689901.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zme1roui.expans-homeland.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826785/; classtype:trojan-activity;sid:84689885; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vtdlwy.kry6navex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826786/; classtype:trojan-activity;sid:84689886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"va11-route.nelma-report.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826787/; classtype:trojan-activity;sid:84689887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"491ptjh.multi5ardina.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826788/; classtype:trojan-activity;sid:84689888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solmeshos.qen8lorix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826789/; 
classtype:trojan-activity;sid:84689889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"good-luck5.kro2vilen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826790/; classtype:trojan-activity;sid:84689890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"weather-post4.dex6laper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826791/; classtype:trojan-activity;sid:84689891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"talfluxen3.nor8tavil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826775/; classtype:trojan-activity;sid:84689875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"area1.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826776/; classtype:trojan-activity;sid:84689876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"il2l4822.vex8talin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826777/; classtype:trojan-activity;sid:84689877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mnwgjp.bo2rdreluct.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826778/; classtype:trojan-activity;sid:84689878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"soft-cov.fortene7vous.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826779/; classtype:trojan-activity;sid:84689879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"167lo.fortene7vous.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_04_20; reference:url, urlhaus.abuse.ch/url/3826780/; classtype:trojan-activity;sid:84689880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"auth7-core.kry6navex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826781/; classtype:trojan-activity;sid:84689881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"qpp9.fortene7vous.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826782/; classtype:trojan-activity;sid:84689882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"daily-news1.dex6laper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826783/; classtype:trojan-activity;sid:84689883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"media-player6.kym7sarel.in.net"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826759/; classtype:trojan-activity;sid:84689859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"castexport.red-sticker.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826760/; classtype:trojan-activity;sid:84689860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"393llqb.savor-woman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826761/; classtype:trojan-activity;sid:84689861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mernexen6.gypsyw0od.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826762/; classtype:trojan-activity;sid:84689862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"glue-stick5.syl5peran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826763/; classtype:trojan-activity;sid:84689863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"authsnapshot.invert-manner.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826764/; classtype:trojan-activity;sid:84689864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"main6.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826765/; classtype:trojan-activity;sid:84689865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zen-nexos.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826766/; classtype:trojan-activity;sid:84689866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; 
depth:83; endswith; nocase; http.host; content:"ind3-spool.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826767/; classtype:trojan-activity;sid:84689867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"167lo.fortene7vous.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826768/; classtype:trojan-activity;sid:84689868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sharpsummit.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826769/; classtype:trojan-activity;sid:84689869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vor-coreum.xel5navin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826770/; classtype:trojan-activity;sid:84689870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826771)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fbhi02d.photot-sudok.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826771/; classtype:trojan-activity;sid:84689871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lummesh8or.dredg8asman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826772/; classtype:trojan-activity;sid:84689872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vtdlwy.kry6navex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826773/; classtype:trojan-activity;sid:84689873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velspire3on.expans-homeland.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826774/; classtype:trojan-activity;sid:84689874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826757)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fernretai.multi5ardina.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826757/; classtype:trojan-activity;sid:84689857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"soft-cov.fortene7vous.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826758/; classtype:trojan-activity;sid:84689858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"kel-venor.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826750/; classtype:trojan-activity;sid:84689850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"shop1.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826751/; classtype:trojan-activity;sid:84689851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826752)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"d43mon-field.bo2rdreluct.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826752/; classtype:trojan-activity;sid:84689852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tourist-map3.rav8doxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826753/; classtype:trojan-activity;sid:84689853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"wilpol.tul7morax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826754/; classtype:trojan-activity;sid:84689854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"nnid.prax9vitor.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826755/; classtype:trojan-activity;sid:84689855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3826756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"echo-span.qyx7darem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826756/; classtype:trojan-activity;sid:84689856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"image-zoom2.kym7sarel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826744/; classtype:trojan-activity;sid:84689844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"5ync-lab.tul7morax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826745/; classtype:trojan-activity;sid:84689845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"freshstorage.kry3qelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826746/; classtype:trojan-activity;sid:84689846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vel-spireex.bri4talin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826747/; classtype:trojan-activity;sid:84689847; rev:1;)
# Review notes for the rules that follow (all carry created_at 2026_04_20):
# - Each rule alerts on an outbound GET ($HOME_NET -> $EXTERNAL_NET, client side of an
#   established flow) for one exact URL. The http.uri content is pinned with depth equal
#   to the pattern length plus endswith (case-insensitive via nocase); the http.host
#   content is pinned with depth plus isdataat:!1,relative. Because http.uri includes the
#   query string, a request for the same path with extra parameters does not match.
#   Treat these as point-in-time URL indicators, not as coverage of the whole campaign.
# - These are `alert http` rules: they only inspect traffic Suricata parses as HTTP. The
#   same URL fetched over TLS is not visible to them unless it is decrypted upstream.
# - All rules here but one (sid 84689780) share a single URI path and differ only in the
#   *.in.net host, so alerts are best triaged and aggregated per source host.
# - Five host/URI pairs occur twice under different URLhaus ids and sids; they are
#   flagged inline below. One request to such a host raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"d43mon-field.bo2rdreluct.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826748/; classtype:trojan-activity;sid:84689848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"student-form2.mox3terin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826749/; classtype:trojan-activity;sid:84689849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"t1de-vault.kry6navex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826732/; classtype:trojan-activity;sid:84689832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"5and-stack.marinmort8ager.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826733/; classtype:trojan-activity;sid:84689833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"total-summary4.rol1erspeeding.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826734/; classtype:trojan-activity;sid:84689834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"xoqairj.zor4melax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826735/; classtype:trojan-activity;sid:84689835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zzx2x3.quant-splashes.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826736/; classtype:trojan-activity;sid:84689836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ae5z56.red-sticker.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826737/; classtype:trojan-activity;sid:84689837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"norlithix3.savor-woman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826738/; classtype:trojan-activity;sid:84689838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"queu-crest.photot-sudok.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826739/; classtype:trojan-activity;sid:84689839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"star-ring.fortene7vous.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826740/; classtype:trojan-activity;sid:84689840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vaq4sdju.red-sticker.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826741/; classtype:trojan-activity;sid:84689841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"breezscrip.qyx7darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826742/; classtype:trojan-activity;sid:84689842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pwmyu.zor4melax.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826743/; classtype:trojan-activity;sid:84689843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"alt-nirnbl.bo2rdreluct.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826727/; classtype:trojan-activity;sid:84689827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"geo-4uth.savor-woman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826728/; classtype:trojan-activity;sid:84689828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vera.qen7tavil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826729/; classtype:trojan-activity;sid:84689829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"scenic-spot2.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826730/; classtype:trojan-activity;sid:84689830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mruyas.tix9sorel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826731/; classtype:trojan-activity;sid:84689831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velvenor9.expans-homeland.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826722/; classtype:trojan-activity;sid:84689822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"travel-guide1.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826723/; classtype:trojan-activity;sid:84689823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sound-track5.kym7sarel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826724/; classtype:trojan-activity;sid:84689824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"inn35-dock.tul2qorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826725/; classtype:trojan-activity;sid:84689825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"castexport.red-sticker.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826726/; classtype:trojan-activity;sid:84689826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"opt1-phase.dredg8asman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826712/; classtype:trojan-activity;sid:84689812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"qpp9.fortene7vous.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826713/; classtype:trojan-activity;sid:84689813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"registryfaithful.kry3qelin.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826714/; classtype:trojan-activity;sid:84689814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"valleydispatcher.nor8tavil.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826715/; classtype:trojan-activity;sid:84689815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"dyndraex.expect-runes.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826716/; classtype:trojan-activity;sid:84689816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"abzxcp.gypsyw0od.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826717/; classtype:trojan-activity;sid:84689817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"motmolecu.xel5navin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826718/; classtype:trojan-activity;sid:84689818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sport-match3.dex6laper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826719/; classtype:trojan-activity;sid:84689819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"geo-dec0d.expect-runes.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826720/; classtype:trojan-activity;sid:84689820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"media-gallery3.domna-replenish.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826721/; classtype:trojan-activity;sid:84689821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hfjivor0.go0duntenable.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826702/; classtype:trojan-activity;sid:84689802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hpryikjw.dru9vexon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826703/; classtype:trojan-activity;sid:84689803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"m0ss5-watch.nor3liven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826704/; classtype:trojan-activity;sid:84689804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"online-course3.mox3terin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826705/; classtype:trojan-activity;sid:84689805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"h4rve5-loop.zor2laven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826706/; classtype:trojan-activity;sid:84689806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"spedus.fortene7vous.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826707/; classtype:trojan-activity;sid:84689807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"op3n-cast.go0duntenable.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826708/; classtype:trojan-activity;sid:84689808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"guest2.puremarket.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826709/; classtype:trojan-activity;sid:84689809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"listeshap.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826710/; classtype:trojan-activity;sid:84689810; rev:1;)
# NOTE(review): same http.host and http.uri as sid 84689807 (URLhaus 3826707) above; one
# request raises both alerts. Deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"spedus.fortene7vous.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826711/; classtype:trojan-activity;sid:84689811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"final-grade6.mox3terin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826688/; classtype:trojan-activity;sid:84689788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"smart-point2.tix7marel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826689/; classtype:trojan-activity;sid:84689789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pa5tu-drive.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826690/; classtype:trojan-activity;sid:84689790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"water-pipe5.tov2liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826691/; classtype:trojan-activity;sid:84689791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"car-rental1.pov4daren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826692/; classtype:trojan-activity;sid:84689792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"byteash.chain-sinusit.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826693/; classtype:trojan-activity;sid:84689793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"trip-advisor5.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826694/; classtype:trojan-activity;sid:84689794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"dynamicsoun.red-sticker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826695/; classtype:trojan-activity;sid:84689795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"white-board4.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826696/; classtype:trojan-activity;sid:84689796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"jhknytxr.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826697/; classtype:trojan-activity;sid:84689797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"9waxfs6b.multi5ardina.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826698/; classtype:trojan-activity;sid:84689798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"smart-door6.tov2liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826699/; classtype:trojan-activity;sid:84689799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fast-drive2.pov4daren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826700/; classtype:trojan-activity;sid:84689800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"latest-news3.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826701/; classtype:trojan-activity;sid:84689801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"small-team1.dax6porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826679/; classtype:trojan-activity;sid:84689780; rev:1;)
# NOTE(review): unlike the neighbouring rules, this URI pattern has no trailing slash
# (depth:82 rather than 83); with endswith it matches only the slash-less form of the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media3.puremarket.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826680/; classtype:trojan-activity;sid:84689780; rev:1;)
# NOTE(review): same http.host and http.uri as sid 84689840 (URLhaus 3826740) above; one
# request raises both alerts. Deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"star-ring.fortene7vous.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826681/; classtype:trojan-activity;sid:84689781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"queryguard.tul7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826682/; classtype:trojan-activity;sid:84689782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"small-map4.vyr3solen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826683/; classtype:trojan-activity;sid:84689783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solcore0ix.expans-homeland.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826684/; classtype:trojan-activity;sid:84689784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"torr3nt-layer.fortene7vous.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826685/; classtype:trojan-activity;sid:84689785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"specapi.racersta7ving.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826686/; classtype:trojan-activity;sid:84689786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"video-clip4.kym7sarel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826687/; classtype:trojan-activity;sid:84689787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"public-lesson1.mox3terin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826671/; classtype:trojan-activity;sid:84689771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"dynflux6al.xel5navin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826672/; classtype:trojan-activity;sid:84689772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"b1rd-panel.lix7morav.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826673/; classtype:trojan-activity;sid:84689773; rev:1;)
# NOTE(review): same http.host and http.uri as sid 84689810 (URLhaus 3826710) above; one
# request raises both alerts. Deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"listeshap.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826674/; classtype:trojan-activity;sid:84689774; rev:1;)
# NOTE(review): same http.host and http.uri as sid 84689827 (URLhaus 3826727) above; one
# request raises both alerts. Deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"alt-nirnbl.bo2rdreluct.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826675/; classtype:trojan-activity;sid:84689775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vscoj.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826676/; classtype:trojan-activity;sid:84689776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"open-source6.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826677/; classtype:trojan-activity;sid:84689777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"4cti-pulse.photot-sudok.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826678/; classtype:trojan-activity;sid:84689778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"plasm-spool.qyx7darem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826666/; classtype:trojan-activity;sid:84689766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"m0ti9-route.parchm-susyuka.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826667/; classtype:trojan-activity;sid:84689767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"echoblend.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826668/; classtype:trojan-activity;sid:84689768; rev:1;)
# NOTE(review): same http.host and http.uri as sid 84689837 (URLhaus 3826737) above; one
# request raises both alerts. Deduplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ae5z56.red-sticker.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826669/; classtype:trojan-activity;sid:84689769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"item-details4.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826670/; classtype:trojan-activity;sid:84689770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"local-office3.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826653/; classtype:trojan-activity;sid:84689753; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solnex0ex.kry3qelin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826654/; classtype:trojan-activity;sid:84689754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ychgg.vex1laxon.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826655/; classtype:trojan-activity;sid:84689755; rev:1;)
# NOTE(review): sid:84689756 below has the same method, URI and host conditions
# as sid:84689727 (URLhaus 3826627) further down this file; only msg, reference
# and sid differ, so one matching request raises both alerts. Deduplicate or
# threshold downstream if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solcorear.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826656/; classtype:trojan-activity;sid:84689756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"auth7-core.kry6navex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826657/; classtype:trojan-activity;sid:84689757; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"scalesign.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826658/; classtype:trojan-activity;sid:84689758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"large-parcel2.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826659/; classtype:trojan-activity;sid:84689759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"unitecres.qen8lorix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826660/; classtype:trojan-activity;sid:84689760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velvenor9.expans-homeland.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826661/; classtype:trojan-activity;sid:84689761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"box2.fast-delivery.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826662/; classtype:trojan-activity;sid:84689762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"order1.fast-delivery.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826663/; classtype:trojan-activity;sid:84689763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"491ptjh.multi5ardina.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826664/; classtype:trojan-activity;sid:84689764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sketchneuron.nor8tavil.in.net"; depth:29; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826665/; classtype:trojan-activity;sid:84689765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vaq4sdju.red-sticker.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826632/; classtype:trojan-activity;sid:84689732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"black-marker3.syl5peran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826633/; classtype:trojan-activity;sid:84689733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"labeltheory.expans-homeland.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826634/; classtype:trojan-activity;sid:84689734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"brand-mark6.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826635/; classtype:trojan-activity;sid:84689735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fi3rce7-watch.nor8tavil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826636/; classtype:trojan-activity;sid:84689736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"media3.puremarket.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826637/; classtype:trojan-activity;sid:84689737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"9adl.racersta7ving.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826638/; classtype:trojan-activity;sid:84689738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; 
endswith; nocase; http.host; content:"sercore2or.tul7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826639/; classtype:trojan-activity;sid:84689739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"picture-book3.kym7sarel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826640/; classtype:trojan-activity;sid:84689740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zen-nexos.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826641/; classtype:trojan-activity;sid:84689741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fr0st-branch.dru6moxin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826642/; classtype:trojan-activity;sid:84689742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826643)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"arrayshore.prax9vitor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826643/; classtype:trojan-activity;sid:84689743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"desk-folder6.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826644/; classtype:trojan-activity;sid:84689744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"geo-r0ut.kry6navex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826645/; classtype:trojan-activity;sid:84689745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"prime-list3.tix7marel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826646/; classtype:trojan-activity;sid:84689746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826647)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pencil-case2.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826647/; classtype:trojan-activity;sid:84689747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lps08.zor2laven.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826648/; classtype:trojan-activity;sid:84689748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"xxvxsk4x.zor2laven.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826649/; classtype:trojan-activity;sid:84689749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vvood-forge.savor-woman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826650/; classtype:trojan-activity;sid:84689750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826651)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"par5e-array.prax9vitor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826651/; classtype:trojan-activity;sid:84689751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"povv3r3-sheet.photot-sudok.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826652/; classtype:trojan-activity;sid:84689752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hibcn.factpre5ent.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826608/; classtype:trojan-activity;sid:84689708; rev:1;)
# In the next rule the URI content is 82 bytes with depth:82 and lacks the
# trailing "/" that the rule above (depth:83) carries. depth equal to the
# content length plus endswith pins http.uri to exactly that string
# (case-insensitively, via nocase), and depth + isdataat:!1,relative does the
# same for http.host, so each rule matches one exact URI on one exact host;
# a request with anything appended to the path is not matched.
# NOTE(review): `alert http` only inspects HTTP the engine can parse in
# cleartext; if the reported URL is served over TLS this rule cannot see it
# without upstream decryption. Confirm against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-link.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826609/; classtype:trojan-activity;sid:84689709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3826610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"streambreeze.vex1laxon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826610/; classtype:trojan-activity;sid:84689710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"9waxfs6b.multi5ardina.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826611/; classtype:trojan-activity;sid:84689711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"87phs.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826612/; classtype:trojan-activity;sid:84689712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"gutyx.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826613/; classtype:trojan-activity;sid:84689713; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"home-section6.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826614/; classtype:trojan-activity;sid:84689714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"massivespectra.kry3qelin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826615/; classtype:trojan-activity;sid:84689715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"urban-vision1.vyr3solen.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826616/; classtype:trojan-activity;sid:84689716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"snow-ass.vyr2dalen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826617/; 
classtype:trojan-activity;sid:84689717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"neo-tok3.kry3qelin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826618/; classtype:trojan-activity;sid:84689718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sharpsummit.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826619/; classtype:trojan-activity;sid:84689719; rev:1;)
# Same host as sid:84689758 (URLhaus 3826658) earlier in this file, but the URI
# in the next rule has no trailing "/" (depth:82 there vs depth:83 here would be
# the reverse: this one is depth:82). Because depth + endswith make each URI
# match exact, the two rules cover different requests and are not duplicates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scalesign.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826620/; classtype:trojan-activity;sid:84689720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mervaleon1.prax9vitor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826621/; classtype:trojan-activity;sid:84689721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lnrjp.prax9vitor.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826622/; classtype:trojan-activity;sid:84689722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"1ndex2-gate.bri1laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826623/; classtype:trojan-activity;sid:84689723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"28mp.chain-sinusit.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826624/; classtype:trojan-activity;sid:84689724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"t1de-vault.kry6navex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 
2026_04_20; reference:url, urlhaus.abuse.ch/url/3826625/; classtype:trojan-activity;sid:84689725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"shiftcascade.vex1laxon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826626/; classtype:trojan-activity;sid:84689726; rev:1;)
# NOTE(review): sid:84689727 below repeats the method, URI and host conditions
# of sid:84689756 (URLhaus 3826656) earlier in this file; only msg, reference
# and sid differ, so a single matching request produces two alerts. Correlate
# on host + URI rather than on sid when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solcorear.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826627/; classtype:trojan-activity;sid:84689727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fundoasis.xel5navin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826628/; classtype:trojan-activity;sid:84689728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"clean-house2.tov2liren.in.net"; depth:29; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826629/; classtype:trojan-activity;sid:84689729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"rtrr.bo2rdreluct.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826630/; classtype:trojan-activity;sid:84689730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"best-choice1.tix7marel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826631/; classtype:trojan-activity;sid:84689731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"garden-view4.tov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826583/; classtype:trojan-activity;sid:84689683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"order-status1.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826584/; classtype:trojan-activity;sid:84689684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"densefro.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826585/; classtype:trojan-activity;sid:84689685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velline0os.vex1laxon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826586/; classtype:trojan-activity;sid:84689686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"norlithix3.savor-woman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826587/; classtype:trojan-activity;sid:84689687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826588)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"bm1rtmr.zor2laven.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826588/; classtype:trojan-activity;sid:84689688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fabricpayload.wex1miran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826589/; classtype:trojan-activity;sid:84689689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"jhknytxr.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826590/; classtype:trojan-activity;sid:84689690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"casualquant.vex8talin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826591/; classtype:trojan-activity;sid:84689691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826592)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vvood-forge.savor-woman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826592/; classtype:trojan-activity;sid:84689692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"iijbe.racersta7ving.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826593/; classtype:trojan-activity;sid:84689693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sketc-gate.multi5ardina.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826594/; classtype:trojan-activity;sid:84689694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"gate6-link.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826595/; classtype:trojan-activity;sid:84689695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3826596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"fsefumza.expans-homeland.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826596/; classtype:trojan-activity;sid:84689696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"11q31v.invert-manner.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826597/; classtype:trojan-activity;sid:84689697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"kel-venor.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826598/; classtype:trojan-activity;sid:84689698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sketc-gate.multi5ardina.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826599/; classtype:trojan-activity;sid:84689699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3826600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"s0ck-spool.qen8lorix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826600/; classtype:trojan-activity;sid:84689700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"home-service1.tov2liren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826601/; classtype:trojan-activity;sid:84689701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"columnapi.dru9vexon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826602/; classtype:trojan-activity;sid:84689702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tshev.quant-splashes.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826603/; classtype:trojan-activity;sid:84689703; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"encodersensor.vex1laxon.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826604/; classtype:trojan-activity;sid:84689704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"393llqb.savor-woman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826605/; classtype:trojan-activity;sid:84689705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"39rd.factpre5ent.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826606/; classtype:trojan-activity;sid:84689706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"du5t3-forge.xel7morax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826607/; classtype:trojan-activity;sid:84689707; rev:1;) 
# --- reviewer notes for the rules that follow (URLhaus ids 3826582 down to 3826526) ---
# Every rule has the same shape: HTTP from $HOME_NET to $EXTERNAL_NET, client side of an
# established flow, method GET, then two exact-match buffers:
#   http.uri  - content + depth:<len> + endswith pins the whole URI (nocase applies);
#   http.host - content + depth:<len> + isdataat:!1,relative pins the whole Host value.
# Three URIs occur here: "/i" (depth:2), "/bin.sh" (depth:7) and the long ".google" path
# without a trailing "/" (depth:82).
# NOTE(review): the destination is "$EXTERNAL_NET any"; in the IP-literal rules the
# address is compared against the Host value only, not against the flow's destination
# address. When triaging an alert, check the flow's actual destination as well.
# NOTE(review): several IPs carry two rules, one per path (e.g. 201.149.107.50 in
# sid 84689673 "/i" and sid 84689665 "/bin.sh"); expect related alerts from one host.
# NOTE(review): these are dated indicators (created_at 2026_04_20). Presumably the feed
# retires entries once a URL goes offline - confirm the refresh schedule so that stale
# IP matches do not linger.
# NOTE(review): "alert http" only sees requests the engine can parse as HTTP; whether
# the same hosts also serve over TLS cannot be told from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.74.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826582/; classtype:trojan-activity;sid:84689682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826581/; classtype:trojan-activity;sid:84689681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826580/; classtype:trojan-activity;sid:84689680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.31.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826579/; classtype:trojan-activity;sid:84689679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-fish6.wi5sarpo1v.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826578/; classtype:trojan-activity;sid:84689678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-sun5.wi5sarpo1v.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826577/; classtype:trojan-activity;sid:84689677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.36.203.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826576/; classtype:trojan-activity;sid:84689676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-wood4.wi5sarpo1v.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826575/; classtype:trojan-activity;sid:84689675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-hill3.wi5sarpo1v.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826574/; classtype:trojan-activity;sid:84689674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826573/; classtype:trojan-activity;sid:84689673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-sky2.wi5sarpo1v.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826572/; classtype:trojan-activity;sid:84689672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.56.232.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826571/; classtype:trojan-activity;sid:84689671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826570/; classtype:trojan-activity;sid:84689670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-sea1.wi5sarpo1v.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826569/; classtype:trojan-activity;sid:84689669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.190.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826568/; classtype:trojan-activity;sid:84689668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-bag6.ra2telsylo.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826567/; classtype:trojan-activity;sid:84689667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hard-box5.ra2telsylo.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826566/; classtype:trojan-activity;sid:84689666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826565/; classtype:trojan-activity;sid:84689665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.225.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826564/; classtype:trojan-activity;sid:84689664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-mark4.ra2telsylo.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826563/; classtype:trojan-activity;sid:84689663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thin-pen3.ra2telsylo.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826562/; classtype:trojan-activity;sid:84689662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.190.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826561/; classtype:trojan-activity;sid:84689661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.56.232.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826560/; classtype:trojan-activity;sid:84689660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.193.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826559/; classtype:trojan-activity;sid:84689659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"last-page2.ra2telsylo.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826558/; classtype:trojan-activity;sid:84689658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826557/; classtype:trojan-activity;sid:84689657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-book1.ra2telsylo.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826556/; classtype:trojan-activity;sid:84689656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.210.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826555/; classtype:trojan-activity;sid:84689655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.147.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826554/; classtype:trojan-activity;sid:84689654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.222.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826553/; classtype:trojan-activity;sid:84689653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-town6.kymlo7zore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826552/; classtype:trojan-activity;sid:84689652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-trip5.kymlo7zore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826551/; classtype:trojan-activity;sid:84689651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.214.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826550/; classtype:trojan-activity;sid:84689650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.217.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826549/; classtype:trojan-activity;sid:84689649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-road4.kymlo7zore.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826548/; classtype:trojan-activity;sid:84689648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"big-jump3.kymlo7zore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826547/; classtype:trojan-activity;sid:84689647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826546/; classtype:trojan-activity;sid:84689646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.147.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826545/; classtype:trojan-activity;sid:84689645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slow-walk2.kymlo7zore.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826544/; classtype:trojan-activity;sid:84689644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.214.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826543/; classtype:trojan-activity;sid:84689643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.217.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826541/; classtype:trojan-activity;sid:84689641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-run1.kymlo7zore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826542/; classtype:trojan-activity;sid:84689642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-step6.corex4varm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826540/; classtype:trojan-activity;sid:84689640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.75.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826539/; classtype:trojan-activity;sid:84689639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826538/; classtype:trojan-activity;sid:84689638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-wind5.corex4varm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826537/; classtype:trojan-activity;sid:84689637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.96.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826536/; classtype:trojan-activity;sid:84689636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-wall4.corex4varm.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826535/; classtype:trojan-activity;sid:84689635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-cup3.corex4varm.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826534/; classtype:trojan-activity;sid:84689634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.68.43.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826533/; classtype:trojan-activity;sid:84689633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-lamp2.corex4varm.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826532/; classtype:trojan-activity;sid:84689632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.107.12.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826531/; classtype:trojan-activity;sid:84689631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826530/; classtype:trojan-activity;sid:84689630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-table1.corex4varm.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826529/; classtype:trojan-activity;sid:84689629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826528/; classtype:trojan-activity;sid:84689628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.111.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826527/; classtype:trojan-activity;sid:84689627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-color6.pulp-turquoise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826526/; classtype:trojan-activity;sid:84689626; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.139.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826525/; classtype:trojan-activity;sid:84689625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-touch5.pulp-turquoise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826524/; classtype:trojan-activity;sid:84689624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-tone4.pulp-turquoise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826523/; classtype:trojan-activity;sid:84689623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.111.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826522/; classtype:trojan-activity;sid:84689622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826521)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-view3.pulp-turquoise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826521/; classtype:trojan-activity;sid:84689621; rev:1;)
# Each rule here alerts on an established client-to-server HTTP GET from $HOME_NET whose
# URI equals the listed path (depth + endswith, nocase) and whose Host equals the listed
# value (depth + isdataat:!1,relative). One URLhaus URL maps to one rule and one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826520/; classtype:trojan-activity;sid:84689620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-mix2.pulp-turquoise.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826519/; classtype:trojan-activity;sid:84689619; rev:1;)
# The next five rules (sids 84689614-84689618) share http.host "89.190.156.19": four
# /krane_* paths and /bins.sh. The suffixes (mips, armv5, armv6, armv7) look like
# per-architecture builds of one payload — presumably fetched by the script; confirm on
# the referenced URLhaus entries.
# NOTE(review): when triaging, correlate these sids per source host; any suppression keyed
# on this Host value has to list all five sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_mips"; depth:11; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826516/; classtype:trojan-activity;sid:84689616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_armv5"; depth:12; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826517/; classtype:trojan-activity;sid:84689617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_armv6"; depth:12; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826518/; classtype:trojan-activity;sid:84689618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826514/; classtype:trojan-activity;sid:84689614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krane_armv7"; depth:12; endswith; nocase; http.host; content:"89.190.156.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826515/; classtype:trojan-activity;sid:84689615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.225.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826513/; classtype:trojan-activity;sid:84689613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826512)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"color-set1.pulp-turquoise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826512/; classtype:trojan-activity;sid:84689612; rev:1;)
# Each rule in this section requires, in one established client-to-server HTTP GET:
# a URI equal to the listed path (depth + endswith, nocase) and a Host equal to the
# listed value (depth + isdataat:!1,relative).
# Several Host values appear twice here, once with "/i" and once with "/bin.sh"
# (42.235.91.0, 182.126.117.234, 110.36.76.24, 122.193.144.153). These are separate sids,
# so thresholds or suppressions written per sid cover only one of the two URLs.
# The dotted-quad values are compared against the Host text; the rule header does not
# restrict the destination address beyond $EXTERNAL_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solid-base64.hai1owhiten.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826511/; classtype:trojan-activity;sid:84689611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.117.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826510/; classtype:trojan-activity;sid:84689610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.7.241"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826509/; classtype:trojan-activity;sid:84689609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826508/; classtype:trojan-activity;sid:84689608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-roof5.hai1owhiten.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826507/; classtype:trojan-activity;sid:84689607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.91.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826506/; classtype:trojan-activity;sid:84689606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.127.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826505/; classtype:trojan-activity;sid:84689605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.91.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826504/; classtype:trojan-activity;sid:84689604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-door4.hai1owhiten.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826503/; classtype:trojan-activity;sid:84689603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.17.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826501/; classtype:trojan-activity;sid:84689601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.111.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826502/; classtype:trojan-activity;sid:84689602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.243.65.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826500/; classtype:trojan-activity;sid:84689600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-hall3.hai1owhiten.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826499/; classtype:trojan-activity;sid:84689599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.117.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826498/; classtype:trojan-activity;sid:84689598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-room2.hai1owhiten.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826497/; classtype:trojan-activity;sid:84689597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.107.12.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826496/; classtype:trojan-activity;sid:84689596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826495/; classtype:trojan-activity;sid:84689595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-wall1.hai1owhiten.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826494/; classtype:trojan-activity;sid:84689594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.193.144.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826493/; classtype:trojan-activity;sid:84689593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.53.58.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826492/; classtype:trojan-activity;sid:84689592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.193.144.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826491/; classtype:trojan-activity;sid:84689591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"75.118.179.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url,
urlhaus.abuse.ch/url/3826490/; classtype:trojan-activity;sid:84689590; rev:1;)
# Rules in this section alert on an established client-to-server HTTP GET from $HOME_NET
# whose URI equals the listed path (depth + endswith, nocase) and whose Host equals the
# listed value (depth + isdataat:!1,relative). The alert is raised on the request, so
# whether the response carried a payload has to be checked separately.
# The long URI path repeats with a different hostname per rule (resolut-revening.in.net
# and rus5icabreast.in.net); a hostname that is not listed produces no alert from
# these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-end6.resolut-revening.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826489/; classtype:trojan-activity;sid:84689589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826488/; classtype:trojan-activity;sid:84689588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.175.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826487/; classtype:trojan-activity;sid:84689587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-check5.resolut-revening.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826486/; classtype:trojan-activity;sid:84689586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.175.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826485/; classtype:trojan-activity;sid:84689585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-result4.resolut-revening.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826484/; classtype:trojan-activity;sid:84689584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-goal3.resolut-revening.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826483/; classtype:trojan-activity;sid:84689583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.225.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826482/; classtype:trojan-activity;sid:84689582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.19.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826481/; classtype:trojan-activity;sid:84689581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-work2.resolut-revening.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826480/; classtype:trojan-activity;sid:84689580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826479/; classtype:trojan-activity;sid:84689579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826478/; classtype:trojan-activity;sid:84689578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"prime-task1.resolut-revening.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826477/; classtype:trojan-activity;sid:84689577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-style6.rus5icabreast.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826476/; classtype:trojan-activity;sid:84689576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.90.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826475/; classtype:trojan-activity;sid:84689575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.43.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826474/; classtype:trojan-activity;sid:84689574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thin-layer5.rus5icabreast.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826473/; classtype:trojan-activity;sid:84689573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3826472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-fabric4.rus5icabreast.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826472/; classtype:trojan-activity;sid:84689572; rev:1;)
# Rules in this section alert on an established client-to-server HTTP GET from $HOME_NET
# whose URI equals the listed path (depth + endswith, nocase) and whose Host equals the
# listed value (depth + isdataat:!1,relative).
# Most entries reuse one long URI path with a per-rule hostname under rus5icabreast.in.net,
# blasph-nimalo.in.net or big2mychild.in.net. The msg differs only by URLhaus id, so the
# hostname has to be read from the logged HTTP fields or from the reference:url entry.
# "alert http" covers plaintext HTTP only; the same URL requested over TLS is not matched
# unless traffic is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-silk3.rus5icabreast.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826471/; classtype:trojan-activity;sid:84689571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.243.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826470/; classtype:trojan-activity;sid:84689570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-wool2.rus5icabreast.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826469/; classtype:trojan-activity;sid:84689569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-coat1.rus5icabreast.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826468/; classtype:trojan-activity;sid:84689568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-void6.blasph-nimalo.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826467/; classtype:trojan-activity;sid:84689567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.43.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826466/; classtype:trojan-activity;sid:84689566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-rocket5.blasph-nimalo.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826465/; classtype:trojan-activity;sid:84689565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-speed4.blasph-nimalo.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826464/; classtype:trojan-activity;sid:84689564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moon-orbit3.blasph-nimalo.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826463/; classtype:trojan-activity;sid:84689563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.196.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826462/; classtype:trojan-activity;sid:84689562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"star-field2.blasph-nimalo.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826461/; classtype:trojan-activity;sid:84689561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-travel1.blasph-nimalo.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826460/; classtype:trojan-activity;sid:84689560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-life6.big2mychild.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826459/; classtype:trojan-activity;sid:84689559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-day5.big2mychild.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826458/; classtype:trojan-activity;sid:84689558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-step4.big2mychild.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826457/; classtype:trojan-activity;sid:84689557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826456)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.202.14.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826456/; classtype:trojan-activity;sid:84689556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.52.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826455/; classtype:trojan-activity;sid:84689555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"toy-box3.big2mychild.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826454/; classtype:trojan-activity;sid:84689554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.226.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826453/; classtype:trojan-activity;sid:84689553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"happy-play2.big2mychild.in.net"; depth:30; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826452/; classtype:trojan-activity;sid:84689552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.11.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826451/; classtype:trojan-activity;sid:84689551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"child-care1.big2mychild.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826450/; classtype:trojan-activity;sid:84689550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.74.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826449/; classtype:trojan-activity;sid:84689549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.65.234.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826448/; classtype:trojan-activity;sid:84689548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826447)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.74.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826447/; classtype:trojan-activity;sid:84689547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"final-step6.sizar-sniffy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826446/; classtype:trojan-activity;sid:84689546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.202.14.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826445/; classtype:trojan-activity;sid:84689545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-test5.sizar-sniffy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826444/; classtype:trojan-activity;sid:84689544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.88.183"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826443/; classtype:trojan-activity;sid:84689543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"error-log4.sizar-sniffy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826442/; classtype:trojan-activity;sid:84689542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.196.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826441/; classtype:trojan-activity;sid:84689541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-point3.sizar-sniffy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826440/; classtype:trojan-activity;sid:84689540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.42.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826439/; classtype:trojan-activity;sid:84689539; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.12.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826438/; classtype:trojan-activity;sid:84689538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-report2.sizar-sniffy.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826437/; classtype:trojan-activity;sid:84689537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quick-scan1.sizar-sniffy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826436/; classtype:trojan-activity;sid:84689536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.6.91.43"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826435/; classtype:trojan-activity;sid:84689535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826430)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.186.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826430/; classtype:trojan-activity;sid:84689530; rev:1;)
# NOTE(review): these entries pair a bare IPv4 Host value with a very short path ("/i",
# "/bin.sh"). The path alone is too generic to carry any signal; the alert depends entirely on
# the address literal in http.host, so each rule is only as current as that address.
#   - metadata:created_at is the only freshness field in the rule. Expire entries from it, or
#     rely on the feed being regenerated, rather than keeping old address matches loaded.
#   - Direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so a hit means
#     an internal host issued the GET. Triage starts at the source address of the alert.
#   - The same address can appear under both paths (42.177.186.233 here), so group alerts by
#     destination before counting distinct events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.42.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826431/; classtype:trojan-activity;sid:84689531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.186.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826432/; classtype:trojan-activity;sid:84689532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.223.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826433/; classtype:trojan-activity;sid:84689533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.209.65.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826434/; classtype:trojan-activity;sid:84689534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3826429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-glow5.deser8othic.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826429/; classtype:trojan-activity;sid:84689529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.217.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826425/; classtype:trojan-activity;sid:84689525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.81.139.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826426/; classtype:trojan-activity;sid:84689526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-tint6.deser8othic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826427/; classtype:trojan-activity;sid:84689527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826428)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-red4.deser8othic.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826428/; classtype:trojan-activity;sid:84689528; rev:1;)
# NOTE(review): the entries that follow pin http.host to github.com or
# raw.githubusercontent.com. Both are served over HTTPS, and these are `alert http` rules
# that inspect the HTTP request buffers. They can fire only where the sensor sees the request
# in cleartext, i.e. behind TLS inspection or on a plain-HTTP request (deployment-dependent,
# confirm for your sensor placement). Without decryption only the TLS SNI is visible, and the
# SNI of a shared code-hosting platform does not identify a repository.
#   - For coverage without decryption, match the full URL in forward-proxy or endpoint logs.
#   - The host is shared by unrelated users; the account and repository segments of the URI
#     carry the indicator. Keep the exact-path match and do not widen these to host-only.
#   - github.com entries use the ".../raw/refs/heads/..." form and raw.githubusercontent.com
#     entries the ".../refs/heads/..." form. Presumably the feed lists both URLs of one file
#     because GitHub redirects the former to the latter. De-duplicate by repository path
#     when counting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zhaixing238/gitplay/raw/refs/heads/main/src-tauri/src/software_2.4.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826424/; classtype:trojan-activity;sid:84689524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dilancito2107/uninstall-tool-repack/refs/heads/main/unsurplice/uninstall_tool_repack_3.2.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826421/; classtype:trojan-activity;sid:84689521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zhaixing238/zhaixing238.github.io/raw/refs/heads/main/mica/github_io_zhaixing_2.8-alpha.1.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826422/; classtype:trojan-activity;sid:84689522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826423)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jay97637/llm-observability-foss/raw/refs/heads/main/docs/ll_observability_foss_v3.8.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826423/; classtype:trojan-activity;sid:84689523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aniff23/aniff23.github.io/refs/heads/main/hokan/aniff-io-github-v3.0.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826405/; classtype:trojan-activity;sid:84689505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zhaixing238/gitplay/refs/heads/main/src-tauri/src/software_2.4.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826406/; classtype:trojan-activity;sid:84689506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ofenomenal/ofenomenal.github.io/refs/heads/main/yokefellow/io_github_ofenomenal_v3.8.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826407/; classtype:trojan-activity;sid:84689507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826408)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/samsan2003/cg/raw/refs/heads/main/closed/software_v3.0.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826408/; classtype:trojan-activity;sid:84689508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dilancito2107/dilancito2107.github.io/refs/heads/main/codiaceae/dilancito-github-io-2.8-alpha.3.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826409/; classtype:trojan-activity;sid:84689509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samsan2003/samsan2003.github.io/raw/refs/heads/main/goodish/github-io-samsan-v3.0.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826410/; classtype:trojan-activity;sid:84689510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jay97637/jay97637.github.io/raw/refs/heads/main/tectospondylic/io-github-jay-v3.5.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826411/; classtype:trojan-activity;sid:84689511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826412)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pioneerpine/pioneerpine.github.io/refs/heads/main/galbulae/github-pioneerpine-io-1.5.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826412/; classtype:trojan-activity;sid:84689512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dilancito2107/uninstall-tool-repack/raw/refs/heads/main/unsurplice/uninstall_tool_repack_3.2.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826413/; classtype:trojan-activity;sid:84689513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jay97637/jay97637.github.io/refs/heads/main/tectospondylic/io-github-jay-v3.5.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826414/; classtype:trojan-activity;sid:84689514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiyanramin1/raiyanramin1.github.io/raw/refs/heads/main/hurtable/github_raiyanramin_io_3.2.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826415/; classtype:trojan-activity;sid:84689515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826416)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pioneerpine/pioneerpine.github.io/raw/refs/heads/main/galbulae/github-pioneerpine-io-1.5.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826416/; classtype:trojan-activity;sid:84689516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiyanramin1/raiyanramin1.github.io/refs/heads/main/hurtable/github_raiyanramin_io_3.2.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826417/; classtype:trojan-activity;sid:84689517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samsan2003/cg/refs/heads/main/closed/software_v3.0.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826418/; classtype:trojan-activity;sid:84689518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aniff23/aniff23.github.io/raw/refs/heads/main/hokan/aniff-io-github-v3.0.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826419/; classtype:trojan-activity;sid:84689519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826420)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ofenomenal/ofenomenal.github.io/raw/refs/heads/main/yokefellow/io_github_ofenomenal_v3.8.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826420/; classtype:trojan-activity;sid:84689520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samsan2003/samsan2003.github.io/refs/heads/main/goodish/github-io-samsan-v3.0.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826399/; classtype:trojan-activity;sid:84689499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiyanramin1/ipsw-skill/refs/heads/main/extension/references/ipsw_skill_3.3.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826400/; classtype:trojan-activity;sid:84689500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darsq/qiling-disk-master-repack/refs/heads/main/confelicity/disk_qilin_master_repack_v3.1-beta.1.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826401/; classtype:trojan-activity;sid:84689501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826402)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jay97637/llm-observability-foss/refs/heads/main/docs/ll_observability_foss_v3.8.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826402/; classtype:trojan-activity;sid:84689502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ofenomenal/git-wt/raw/refs/heads/main/e2e/git-wt-ulexite.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826403/; classtype:trojan-activity;sid:84689503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darsq/qiling-disk-master-repack/raw/refs/heads/main/confelicity/disk_qilin_master_repack_v3.1-beta.1.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826404/; classtype:trojan-activity;sid:84689504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aniff23/flashesp/refs/heads/master/uloncus/software_v3.6.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826398/; classtype:trojan-activity;sid:84689498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826392)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ofenomenal/git-wt/refs/heads/main/e2e/git-wt-ulexite.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826392/; classtype:trojan-activity;sid:84689492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pioneerpine/identityregimes/refs/heads/main/docs/regimes-identity-v2.5.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826393/; classtype:trojan-activity;sid:84689493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pioneerpine/identityregimes/raw/refs/heads/main/docs/regimes-identity-v2.5.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826394/; classtype:trojan-activity;sid:84689494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dilancito2107/dilancito2107.github.io/raw/refs/heads/main/codiaceae/dilancito-github-io-2.8-alpha.3.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826395/; classtype:trojan-activity;sid:84689495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826396)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/aniff23/flashesp/raw/refs/heads/master/uloncus/software_v3.6.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826396/; classtype:trojan-activity;sid:84689496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiyanramin1/ipsw-skill/raw/refs/heads/main/extension/references/ipsw_skill_3.3.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826397/; classtype:trojan-activity;sid:84689497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zhaixing238/zhaixing238.github.io/refs/heads/main/mica/github_io_zhaixing_2.8-alpha.1.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826391/; classtype:trojan-activity;sid:84689491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.240.219.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826390/; classtype:trojan-activity;sid:84689490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"pale-blue3.deser8othic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826389/; classtype:trojan-activity;sid:84689489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.240.219.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826388/; classtype:trojan-activity;sid:84689488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.33.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826387/; classtype:trojan-activity;sid:84689487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-grey2.deser8othic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826386/; classtype:trojan-activity;sid:84689486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.17.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826384/; classtype:trojan-activity;sid:84689484; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.81.139.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826385/; classtype:trojan-activity;sid:84689485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.28.176.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826383/; classtype:trojan-activity;sid:84689483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-shade1.deser8othic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826382/; classtype:trojan-activity;sid:84689482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.241.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826381/; classtype:trojan-activity;sid:84689481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.14.246"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826380/; classtype:trojan-activity;sid:84689480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826379/; classtype:trojan-activity;sid:84689479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-bloom6.firs-tachycardia.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826378/; classtype:trojan-activity;sid:84689478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.242.42.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826377/; classtype:trojan-activity;sid:84689477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.210.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826376/; classtype:trojan-activity;sid:84689476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3826375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-seed5.firs-tachycardia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826375/; classtype:trojan-activity;sid:84689475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826374/; classtype:trojan-activity;sid:84689474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.80.133.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826373/; classtype:trojan-activity;sid:84689473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.33.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826372/; classtype:trojan-activity;sid:84689472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"wild-root2.firs-tachycardia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826371/; classtype:trojan-activity;sid:84689471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-stem4.firs-tachycardia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826370/; classtype:trojan-activity;sid:84689470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.28.176.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826367/; classtype:trojan-activity;sid:84689467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.163.68.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826368/; classtype:trojan-activity;sid:84689468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-soil3.firs-tachycardia.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826369/; classtype:trojan-activity;sid:84689469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.124.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826365/; classtype:trojan-activity;sid:84689465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develoshaan/openad-specification_adengine_text/refs/heads/main/institutor/openad-specification_adengine_text.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826366/; classtype:trojan-activity;sid:84689466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.42.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826364/; classtype:trojan-activity;sid:84689464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.80.133.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826363/; classtype:trojan-activity;sid:84689463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826361)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.187.40.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826361/; classtype:trojan-activity;sid:84689461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.223.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826362/; classtype:trojan-activity;sid:84689462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.151.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826359/; classtype:trojan-activity;sid:84689459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.9.3"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826360/; classtype:trojan-activity;sid:84689460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62doc/laravel-docker-pgsql-tailwind-boilerplate/raw/refs/heads/main/src/app/view/tailwind_laravel_boilerplate_pgsql_docker_v2.9.zip"; depth:132; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, 
urlhaus.abuse.ch/url/3826357/; classtype:trojan-activity;sid:84689457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"signal-box5.artichf1atly.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826358/; classtype:trojan-activity;sid:84689458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/maize_disease_detection_system/raw/refs/heads/main/syllabicness/system_disease_detection_maize_2.5.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826347/; classtype:trojan-activity;sid:84689447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow-control6.artichf1atly.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826348/; classtype:trojan-activity;sid:84689448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaja25/demo-os/raw/refs/heads/main/modules/demo-os-sparking.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; 
reference:url, urlhaus.abuse.ch/url/3826349/; classtype:trojan-activity;sid:84689449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daffaekaptra/batchadministrator/refs/heads/main/windows%2010%20%26%2011%20scripts/windows%20privacy/batch-administrator-v1.2.zip"; depth:129; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826350/; classtype:trojan-activity;sid:84689450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sebs69/asus-rog-aml-deep-dive/raw/refs/heads/main/besmother/deep-aml-asus-dive-ro-v2.7.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826351/; classtype:trojan-activity;sid:84689451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaja25/demo-os/refs/heads/main/modules/demo-os-sparking.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826352/; classtype:trojan-activity;sid:84689452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sebs69/asus-rog-aml-deep-dive/refs/heads/main/besmother/deep-aml-asus-dive-ro-v2.7.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826353/; classtype:trojan-activity;sid:84689453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daffaekaptra/batchadministrator/raw/refs/heads/main/windows%2010%20|7c|26|7c|%2011%20scripts/windows%20privacy/batch-administrator-v1.2.zip"; depth:140; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826354/; classtype:trojan-activity;sid:84689454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beolog404/zkm-flow/raw/refs/heads/main/sources/zkm-flow-2.6-alpha.2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826355/; classtype:trojan-activity;sid:84689455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62doc/laravel-docker-pgsql-tailwind-boilerplate/refs/heads/main/src/app/view/tailwind_laravel_boilerplate_pgsql_docker_v2.9.zip"; depth:128; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826356/; classtype:trojan-activity;sid:84689456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826344)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/beolog404/venusbloodhollow-freereleasehub/raw/refs/heads/main/featherweight/free_venus_hub_blood_hollow_release_2.8.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826344/; classtype:trojan-activity;sid:84689444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/betawi10/nyc311-infrastructure-hotspots-google-cloud-bigquery-hackathon-poc/raw/refs/heads/master/.vs/todolistapi/v16/nyc_google_query_hackathon_hotspots_c_infrastructure_po_big_cloud_3.1-beta.5.zip"; depth:199; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826345/; classtype:trojan-activity;sid:84689445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develoshaan/openad-specification_adengine_text/raw/refs/heads/main/institutor/openad-specification_adengine_text.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826346/; classtype:trojan-activity;sid:84689446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-leaf1.firs-tachycardia.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826340/; classtype:trojan-activity;sid:84689440; rev:1;) 
# URLhaus download-URL signatures, all with metadata created_at 2026_04_20.
# The rules are restored to one per physical line; keywords and their order are unchanged.
#
# Every rule in this run has the same shape:
#   - direction: $HOME_NET -> $EXTERNAL_NET, client side of an established flow, method GET
#   - http.uri:  depth set to the length of the content string, plus endswith, so the
#                whole URI must equal the listed path; nocase makes that comparison
#                case-insensitive
#   - http.host: depth set to the length of the content string, plus isdataat:!1,relative
#                (no byte may follow the match), so the host must equal the listed value
#   - the number in msg and in reference:url is the URLhaus entry id to open during triage
#
# These are exact-match indicators for one URL each. A hit identifies that specific
# download; it says nothing about other paths on the same host or repository.
#
# NOTE(review): the github.com and raw.githubusercontent.com rules use `alert http`, so
# they inspect parsed HTTP only. Both hosts are normally reached over HTTPS; confirm that
# the sensor sees decrypted traffic, otherwise expect these to fire rarely, if at all.
# The same file is often listed twice below: once as github.com/<owner>/<repo>/raw/refs/...
# and once as raw.githubusercontent.com/<owner>/<repo>/refs/...

# emacute/coder-kit: github.com form and raw.githubusercontent.com form of the same archive
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/coder-kit/raw/refs/heads/main/kindlesome/kit-coder-1.8.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826341/; classtype:trojan-activity;sid:84689441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/coder-kit/refs/heads/main/kindlesome/kit-coder-1.8.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826342/; classtype:trojan-activity;sid:84689442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/maize_disease_detection_system/refs/heads/main/syllabicness/system_disease_detection_maize_2.5.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826343/; classtype:trojan-activity;sid:84689443; rev:1;)

# Bare-IPv4 host serving /bin.sh: the host buffer must equal the IP literal exactly
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.124.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826336/; classtype:trojan-activity;sid:84689436; rev:1;)

# GitHub-hosted archives (see the HTTPS visibility note at the top of this run)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beolog404/venusbloodhollow-freereleasehub/refs/heads/main/featherweight/free_venus_hub_blood_hollow_release_2.8.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826337/; classtype:trojan-activity;sid:84689437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/betawi10/todolist/raw/refs/heads/master/src/components/todo_list_v3.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826338/; classtype:trojan-activity;sid:84689438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/betawi10/nyc311-infrastructure-hotspots-google-cloud-bigquery-hackathon-poc/refs/heads/master/.vs/todolistapi/v16/nyc_google_query_hackathon_hotspots_c_infrastructure_po_big_cloud_3.1-beta.5.zip"; depth:195; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826339/; classtype:trojan-activity;sid:84689439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/betawi10/todolist/refs/heads/master/src/components/todo_list_v3.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826333/; classtype:trojan-activity;sid:84689433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camilo-vs/patching-hacked-world/raw/refs/heads/principal/landrick_v3.2/__macosx/landrick_v3.2/html/php/patching_world_hacked_v3.8.zip"; depth:134; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826334/; classtype:trojan-activity;sid:84689434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beolog404/zkm-flow/refs/heads/main/sources/zkm-flow-2.6-alpha.2.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826335/; classtype:trojan-activity;sid:84689435; rev:1;)

# Bare-IPv4 host serving the two-byte path /i
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826332/; classtype:trojan-activity;sid:84689432; rev:1;)

# GitHub-hosted archives (see the HTTPS visibility note at the top of this run)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oskar2133123/cursor-ide-setup/raw/refs/heads/main/docs/setup_ide_cursor_v1.3.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826331/; classtype:trojan-activity;sid:84689431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habibhassansehani/arduino-projects/raw/refs/heads/main/stevel/projects_arduino_3.7.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826328/; classtype:trojan-activity;sid:84689428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habibhassansehani/arduino-projects/refs/heads/main/stevel/projects_arduino_3.7.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826329/; classtype:trojan-activity;sid:84689429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habibhassansehani/openai-sdk-knowledge-org/raw/refs/heads/main/public/images/knowledge_sdk_org_openai_v3.3.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826330/; classtype:trojan-activity;sid:84689430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaki774/ai-tools-list/raw/refs/heads/main/transillumination/tools-list-a-v2.0.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826314/; classtype:trojan-activity;sid:84689414; rev:1;)
# URLhaus download-URL indicators with created_at 2026_04_20, one rule per URL.
# Every rule below alerts on a client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri equals the listed path: content + depth:<pattern length> + endswith, matched nocase;
#   - http.host equals the listed host: content + depth:<pattern length> + isdataat:!1,relative.
# Both buffers are pinned at start and end, so a request with extra path or query characters,
# or with a different Host value, does not match.
# In every rule here sid = URLhaus URL id (the number in msg and reference) + 80863100.
# NOTE(review): github.com, raw.githubusercontent.com and gitlab.com are normally fetched over
# HTTPS; these `alert http` rules presumably fire only where the sensor sees the decrypted or
# plaintext request - confirm sensor placement before counting on them for coverage.
# NOTE(review): the bare-IP "/i" and "/bin.sh" entries are point-in-time indicators; presumably
# they should be aged out using created_at - confirm against the feed's retention policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oskar2133123/cursor-ide-setup/refs/heads/main/docs/setup_ide_cursor_v1.3.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826315/; classtype:trojan-activity;sid:84689415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaki774/ai-tools-list/refs/heads/main/transillumination/tools-list-a-v2.0.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826316/; classtype:trojan-activity;sid:84689416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepunikki/hestiacp/refs/heads/main/web/locale/sv/software_v1.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826317/; classtype:trojan-activity;sid:84689417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shahzaib14458/wall-world-hacks-strike-kill-instant/refs/heads/main/somnambulary/instant-hacks-kill-world-wall-strike-1.4.zip"; depth:125; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826318/; classtype:trojan-activity;sid:84689418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepunikki/souls-rebirth-hacks-gauge-no-awakening/refs/heads/main/farasula/gauge_souls_awakening_rebirth_hacks_no_v2.8.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826319/; classtype:trojan-activity;sid:84689419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camilo-vs/patching-hacked-world/refs/heads/principal/landrick_v3.2/__macosx/landrick_v3.2/html/php/patching_world_hacked_v3.8.zip"; depth:130; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826320/; classtype:trojan-activity;sid:84689420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shahzaib14458/wall-world-hacks-strike-kill-instant/raw/refs/heads/main/somnambulary/instant-hacks-kill-world-wall-strike-1.4.zip"; depth:129; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826321/; classtype:trojan-activity;sid:84689421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepunikki/hestiacp/raw/refs/heads/main/web/locale/sv/software_v1.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826322/; classtype:trojan-activity;sid:84689422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepunikki/souls-rebirth-hacks-gauge-no-awakening/raw/refs/heads/main/farasula/gauge_souls_awakening_rebirth_hacks_no_v2.8.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826323/; classtype:trojan-activity;sid:84689423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvinlugohe/hack-baldurs-gate-3-minimum-roll/refs/heads/main/photoactivity/baldurs_hack_gate_minimum_roll_2.8.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826324/; classtype:trojan-activity;sid:84689424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvinlugohe/lgtv-firmware-downgrade/raw/refs/heads/main/wakingly/lgt-firmware-downgrade-v3.8-alpha.1.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826325/; classtype:trojan-activity;sid:84689425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvinlugohe/hack-baldurs-gate-3-minimum-roll/raw/refs/heads/main/photoactivity/baldurs_hack_gate_minimum_roll_2.8.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826326/; classtype:trojan-activity;sid:84689426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvinlugohe/lgtv-firmware-downgrade/refs/heads/main/wakingly/lgt-firmware-downgrade-v3.8-alpha.1.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826327/; classtype:trojan-activity;sid:84689427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habibhassansehani/openai-sdk-knowledge-org/refs/heads/main/public/images/knowledge_sdk_org_openai_v3.3.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826313/; classtype:trojan-activity;sid:84689413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-input4.artichf1atly.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826312/; classtype:trojan-activity;sid:84689412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-sensor3.artichf1atly.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826311/; classtype:trojan-activity;sid:84689411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/golane2/-/raw/refs/heads/main/intersexualism/software-2.6.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826310/; classtype:trojan-activity;sid:84689410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.163.68.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826308/; classtype:trojan-activity;sid:84689408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/golane2/1/raw/refs/heads/main/mattery/software_1.8-alpha.3.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826309/; classtype:trojan-activity;sid:84689409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ulas6221/axie-infinity-bot-crypto-cheat-auto-farm-clicker-game-api-hack-km/raw/refs/heads/main/unfragrantly/crypto_hack_km_game_axie_clicker_cheat_api_infinity_bot_auto_farm_3.4.zip"; depth:182; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826304/; classtype:trojan-activity;sid:84689404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ulas6221/axie-infinity-bot-crypto-cheat-auto-farm-clicker-game-api-hack-km/refs/heads/main/unfragrantly/crypto_hack_km_game_axie_clicker_cheat_api_infinity_bot_auto_farm_3.4.zip"; depth:178; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826305/; classtype:trojan-activity;sid:84689405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/golane2/-/refs/heads/main/intersexualism/software-2.6.zip"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826306/; classtype:trojan-activity;sid:84689406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/golane2/1/refs/heads/main/mattery/software_1.8-alpha.3.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826307/; classtype:trojan-activity;sid:84689407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/golane2/gashero-finance-game-bot-auto-farm-clicker-crypto-blockchain-hack-cheat/raw/refs/heads/main/portia/cheat-auto-farm-gas-bot-blockchain-clicker-finance-hero-game-crypto-hack-2.8.zip"; depth:188; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826303/; classtype:trojan-activity;sid:84689403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/govardhan908/dbfz-cheat-engine-mod/raw/refs/heads/main/caprimulgidae/cheat-mod-engine-dbf-2.5.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826302/; classtype:trojan-activity;sid:84689402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/govardhan908/dbfz-cheat-engine-mod/refs/heads/main/caprimulgidae/cheat-mod-engine-dbf-2.5.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826301/; classtype:trojan-activity;sid:84689401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"power-unit2.artichf1atly.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826300/; classtype:trojan-activity;sid:84689400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.207.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826299/; classtype:trojan-activity;sid:84689399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-system1.artichf1atly.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826298/; classtype:trojan-activity;sid:84689398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.2.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826297/; classtype:trojan-activity;sid:84689397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.9.3"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826296/; classtype:trojan-activity;sid:84689396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.66.72.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826295/; classtype:trojan-activity;sid:84689395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.66.72.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826294/; classtype:trojan-activity;sid:84689394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-plot6.art-tonsillitis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826293/; classtype:trojan-activity;sid:84689393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.254.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826292/; classtype:trojan-activity;sid:84689392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spineround/hamfal/-/raw/main/l7xh7ur9695u.exe"; depth:46; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826291/; classtype:trojan-activity;sid:84689391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-tale5.art-tonsillitis.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826290/; classtype:trojan-activity;sid:84689390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-word4.art-tonsillitis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826289/; classtype:trojan-activity;sid:84689389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/premierflare/cs2-cheat-2026-external/releases/download/new/cs2cheatexternal-4.3.7.rar"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826288/; classtype:trojan-activity;sid:84689388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-turn3.art-tonsillitis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826287/; classtype:trojan-activity;sid:84689387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.181.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826286/; classtype:trojan-activity;sid:84689386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.105.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826285/; classtype:trojan-activity;sid:84689385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-story2.art-tonsillitis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826284/; classtype:trojan-activity;sid:84689384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.45.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826283/; classtype:trojan-activity;sid:84689383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.254.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826282/; classtype:trojan-activity;sid:84689382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-read1.art-tonsillitis.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826281/; classtype:trojan-activity;sid:84689381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.197.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826280/; classtype:trojan-activity;sid:84689380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-rain6.white5lave.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826279/; classtype:trojan-activity;sid:84689379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826278/; classtype:trojan-activity;sid:84689378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.158.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826277/; classtype:trojan-activity;sid:84689377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-wind5.white5lave.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826276/; classtype:trojan-activity;sid:84689376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-snow4.white5lave.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826275/; classtype:trojan-activity;sid:84689375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.11.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826274/; classtype:trojan-activity;sid:84689374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-cloud3.white5lave.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826273/; classtype:trojan-activity;sid:84689373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/efewefwewfew342234423234feweefwwefewefweffewwefewf.php|3f|file=333.exe"; depth:185; endswith; nocase; http.host; content:"ts.bhaaratkeeshakti.vip"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826272/; classtype:trojan-activity;sid:84689372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.45.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826271/; classtype:trojan-activity;sid:84689371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sun-light2.white5lave.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826270/; 
classtype:trojan-activity;sid:84689370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.133.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826269/; classtype:trojan-activity;sid:84689369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okarm6"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826265/; classtype:trojan-activity;sid:84689365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okx86"; depth:8; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826266/; classtype:trojan-activity;sid:84689366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okarm5"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826267/; classtype:trojan-activity;sid:84689367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okarm7"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826268/; classtype:trojan-activity;sid:84689368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sky-view1.white5lave.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826264/; classtype:trojan-activity;sid:84689364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.105.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826262/; classtype:trojan-activity;sid:84689362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.158.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826263/; classtype:trojan-activity;sid:84689363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00oksh4"; depth:8; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826261/; classtype:trojan-activity;sid:84689361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826255)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okspc"; depth:8; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826255/; classtype:trojan-activity;sid:84689355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ok"; depth:3; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826256/; classtype:trojan-activity;sid:84689356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okm68k"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826257/; classtype:trojan-activity;sid:84689357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okmips"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826258/; classtype:trojan-activity;sid:84689358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okx64"; depth:8; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826259/; classtype:trojan-activity;sid:84689359; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okmpsl"; depth:9; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826260/; classtype:trojan-activity;sid:84689360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00okppc"; depth:8; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826254/; classtype:trojan-activity;sid:84689354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-drink6.apoth-shopping.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826253/; classtype:trojan-activity;sid:84689353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.11.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826251/; classtype:trojan-activity;sid:84689351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826250)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-coffee5.apoth-shopping.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826250/; classtype:trojan-activity;sid:84689350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.227.163.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826249/; classtype:trojan-activity;sid:84689349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-cake4.apoth-shopping.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826248/; classtype:trojan-activity;sid:84689348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.129.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826246/; classtype:trojan-activity;sid:84689346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.171.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; 
reference:url, urlhaus.abuse.ch/url/3826247/; classtype:trojan-activity;sid:84689347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.133.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826245/; classtype:trojan-activity;sid:84689345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-food3.apoth-shopping.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826244/; classtype:trojan-activity;sid:84689344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-meal2.apoth-shopping.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826243/; classtype:trojan-activity;sid:84689343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.220.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826242/; classtype:trojan-activity;sid:84689342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-chef1.apoth-shopping.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826241/; classtype:trojan-activity;sid:84689341; rev:1;)
# How to read the rules in this feed (every rule shown here has the same shape):
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       Outbound requests that Suricata has parsed as HTTP. Relies on HOME_NET/EXTERNAL_NET
#       being set correctly for the sensor; a download carried inside TLS is not visible to
#       these rules unless the traffic is decrypted upstream.
#   flow:established,from_client; http.method; content:"GET"
#       Client-side GET requests on an established flow only.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the content length and endswith pins the match to the end of the buffer,
#       so the URI must be exactly <path> (any letter case). The same path with a query
#       string or an extra segment is not covered by the rule.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       Same idea for the host: the match starts at offset 0 and nothing may follow it, so
#       only this exact host value fires.
#       NOTE(review): confirm how the deployed Suricata version presents a Host header that
#       carries an explicit port in this buffer.
# In the rules shown here the sid equals the URLhaus id from msg/reference plus 80863100,
# so either number can be used to pivot to the other.
#
# Two-byte URI "/i": the path alone is not distinctive; the exact host match is what makes
# this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826240/; classtype:trojan-activity;sid:84689340; rev:1;)
# The next eleven rules share the host 176.65.134.30 and differ only in the URI: /x86, /m68k,
# /arm, /spc, /arm7, /arc, /mips, /ppc, /mpsl, /sh4, /arm6. The names look like
# CPU-architecture labels, i.e. one payload offered per architecture. That is an inference
# from the names; the feed itself names no malware family. For triage, group hits by this
# destination instead of handling them as eleven unrelated alerts, and check what kind of
# device the internal client is.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826236/; classtype:trojan-activity;sid:84689336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826237/; classtype:trojan-activity;sid:84689337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826238/; classtype:trojan-activity;sid:84689338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826239/; classtype:trojan-activity;sid:84689339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826234/; classtype:trojan-activity;sid:84689334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826235/; classtype:trojan-activity;sid:84689335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826229/; classtype:trojan-activity;sid:84689329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826230/; classtype:trojan-activity;sid:84689330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826231/; classtype:trojan-activity;sid:84689331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826232/; classtype:trojan-activity;sid:84689332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826233/; classtype:trojan-activity;sid:84689333; rev:1;)
# Same 82-byte URI as rule 3826241 above, on a different *.in.net hostname. Each rule pins
# one exact hostname, so a sibling hostname that is not yet listed will not alert; if this
# campaign matters locally, a local rule keyed on the URI alone is worth considering.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-deal6.albann0vosel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826228/; classtype:trojan-activity;sid:84689328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.227.163.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826227/; classtype:trojan-activity;sid:84689327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-buy5.albann0vosel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826226/; classtype:trojan-activity;sid:84689326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.197.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826225/; classtype:trojan-activity;sid:84689325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.96.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826223/; classtype:trojan-activity;sid:84689323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.153.253"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826224/; classtype:trojan-activity;sid:84689324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-item4.albann0vosel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826222/; classtype:trojan-activity;sid:84689322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.126.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826221/; classtype:trojan-activity;sid:84689321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.209.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826220/; classtype:trojan-activity;sid:84689320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.201.89.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826219/; classtype:trojan-activity;sid:84689319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826218)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-sale3.albann0vosel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826218/; classtype:trojan-activity;sid:84689318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-price2.albann0vosel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826217/; classtype:trojan-activity;sid:84689317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.253.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826216/; classtype:trojan-activity;sid:84689316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shop-list1.albann0vosel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826215/; classtype:trojan-activity;sid:84689315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826214)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-walk6.there-way.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826214/; classtype:trojan-activity;sid:84689314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"local-trip5.there-way.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826213/; classtype:trojan-activity;sid:84689313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.0.32"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826212/; classtype:trojan-activity;sid:84689312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.69.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826211/; classtype:trojan-activity;sid:84689311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.171.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; 
reference:url, urlhaus.abuse.ch/url/3826210/; classtype:trojan-activity;sid:84689310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beach-view4.there-way.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826209/; classtype:trojan-activity;sid:84689309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.96.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826208/; classtype:trojan-activity;sid:84689308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hotel-stay3.there-way.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826207/; classtype:trojan-activity;sid:84689307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.253.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826206/; classtype:trojan-activity;sid:84689306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826205/; classtype:trojan-activity;sid:84689305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-tour2.there-way.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826204/; classtype:trojan-activity;sid:84689304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-blog1.there-way.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826203/; classtype:trojan-activity;sid:84689303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.174.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826202/; classtype:trojan-activity;sid:84689302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826201)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-goal6.ashes5upervise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826201/; classtype:trojan-activity;sid:84689301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-time5.ashes5upervise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826200/; classtype:trojan-activity;sid:84689300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.44.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826199/; classtype:trojan-activity;sid:84689299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-plan4.ashes5upervise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826198/; classtype:trojan-activity;sid:84689298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826197/; classtype:trojan-activity;sid:84689297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-work3.ashes5upervise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826196/; classtype:trojan-activity;sid:84689296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"office-job2.ashes5upervise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826195/; classtype:trojan-activity;sid:84689295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-task1.ashes5upervise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826194/; classtype:trojan-activity;sid:84689294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"main-frame6.laryngol-needle.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826193/; classtype:trojan-activity;sid:84689293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826192/; classtype:trojan-activity;sid:84689292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.89.252.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826191/; classtype:trojan-activity;sid:84689291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-cloud5.laryngol-needle.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826190/; classtype:trojan-activity;sid:84689290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-base4.laryngol-needle.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 
2026_04_19; reference:url, urlhaus.abuse.ch/url/3826189/; classtype:trojan-activity;sid:84689289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web-server3.laryngol-needle.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826188/; classtype:trojan-activity;sid:84689288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826187/; classtype:trojan-activity;sid:84689287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.68.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826186/; classtype:trojan-activity;sid:84689286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-node2.laryngol-needle.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826185/; classtype:trojan-activity;sid:84689285; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.250.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826184/; classtype:trojan-activity;sid:84689284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tech-portal1.laryngol-needle.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826183/; classtype:trojan-activity;sid:84689283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.178.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826182/; classtype:trojan-activity;sid:84689282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.11.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826181/; classtype:trojan-activity;sid:84689281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"live-show6.tippyv0lup.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826180/; classtype:trojan-activity;sid:84689280; rev:1;)
# The line above is the end of the rule for URLhaus entry 3826180, which starts
# on the previous line of the file. The rules below are written one per line.
#
# How to read these rules (they all follow one template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client inspects HTTP requests sent by clients on
#     the protected network to external servers; http.method must be GET.
#   - http.uri: the content is anchored with depth equal to its own length and
#     with endswith, so the whole URI buffer must equal the listed path
#     (nocase makes the comparison case-insensitive).
#   - http.host: the content is anchored with depth equal to its own length and
#     with isdataat:!1,relative (no byte may follow the match), so the whole
#     Host buffer must equal the listed name or IP address.
#   - In every rule here the sid is the URLhaus entry id plus 80863100, and the
#     reference URL carries the same entry id, so an alert maps straight back
#     to the URLhaus record.
# NOTE(review): the rules look only at the request. An alert shows that an
# internal host asked for a listed URL; whether a payload was returned has to
# be confirmed from the response, proxy logs or the endpoint.
# NOTE(review): these are exact host+path indicators dated by
# metadata:created_at. The same long ".google" path recurs below under many
# hostnames of tippyv0lup.in.net, elephant-harv.in.net, lucernemo7al.in.net and
# heaton-stolid.in.net, so a hostname is covered only once the feed lists it -
# keep the ruleset refreshed from the feed rather than pinning a copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-shot5.tippyv0lup.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826179/; classtype:trojan-activity;sid:84689279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.157.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826178/; classtype:trojan-activity;sid:84689278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dance-floor4.tippyv0lup.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826177/; classtype:trojan-activity;sid:84689277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.14.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826176/; classtype:trojan-activity;sid:84689276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.174.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826175/; classtype:trojan-activity;sid:84689275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.250.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826174/; classtype:trojan-activity;sid:84689274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.68.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826173/; classtype:trojan-activity;sid:84689273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.120.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826170/; classtype:trojan-activity;sid:84689270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.50.200.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826171/; classtype:trojan-activity;sid:84689271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"music-band3.tippyv0lup.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826172/; classtype:trojan-activity;sid:84689272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.30.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826169/; classtype:trojan-activity;sid:84689269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"color-paint2.tippyv0lup.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826168/; classtype:trojan-activity;sid:84689268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.34.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826167/; classtype:trojan-activity;sid:84689267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"art-studio1.tippyv0lup.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826166/; classtype:trojan-activity;sid:84689266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"large-box6.elephant-harv.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826165/; classtype:trojan-activity;sid:84689265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826164/; classtype:trojan-activity;sid:84689264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826163/; classtype:trojan-activity;sid:84689263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"air-flight5.elephant-harv.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826162/; classtype:trojan-activity;sid:84689262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.64.174.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826161/; classtype:trojan-activity;sid:84689261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.4.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826160/; classtype:trojan-activity;sid:84689260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-ship4.elephant-harv.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826159/; classtype:trojan-activity;sid:84689259; rev:1;)
# Host 198.50.124.45: the rules for entries 3826141-3826148 and 3826154-3826158
# list one shell script and twelve /bins/mynode.<suffix> paths whose suffixes
# are CPU architecture names (x86_64, armv7l, mipsel, ...).
# NOTE(review): looks like a single payload offered for many architectures -
# confirm on the URLhaus entries; several of these alerts from one internal
# host are best triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.x86_64"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826154/; classtype:trojan-activity;sid:84689254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.powerpc-440fp"; depth:26; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826155/; classtype:trojan-activity;sid:84689255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.arc"; depth:16; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826156/; classtype:trojan-activity;sid:84689256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.armv7l"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826157/; classtype:trojan-activity;sid:84689257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.armv6l"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826158/; classtype:trojan-activity;sid:84689258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.245.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826153/; classtype:trojan-activity;sid:84689253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-store3.elephant-harv.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826152/; classtype:trojan-activity;sid:84689252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.178.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826151/; classtype:trojan-activity;sid:84689251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-cargo2.elephant-harv.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826150/; classtype:trojan-activity;sid:84689250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.34.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826149/; classtype:trojan-activity;sid:84689249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.armv5l"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826141/; classtype:trojan-activity;sid:84689241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/penis.sh"; depth:9; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826142/; classtype:trojan-activity;sid:84689242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.powerpc"; depth:20; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826143/; classtype:trojan-activity;sid:84689243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.mipsel"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826144/; classtype:trojan-activity;sid:84689244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.m68k"; depth:17; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826145/; classtype:trojan-activity;sid:84689245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.sh4"; depth:16; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826146/; classtype:trojan-activity;sid:84689246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.mips"; depth:17; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826147/; classtype:trojan-activity;sid:84689247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mynode.armv4l"; depth:19; endswith; nocase; http.host; content:"198.50.124.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826148/; classtype:trojan-activity;sid:84689248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.88.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826140/; classtype:trojan-activity;sid:84689240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-truck1.elephant-harv.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826139/; classtype:trojan-activity;sid:84689239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.126.86.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826138/; classtype:trojan-activity;sid:84689238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.179.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826137/; classtype:trojan-activity;sid:84689237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826136/; classtype:trojan-activity;sid:84689236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-lake6.lucernemo7al.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826135/; classtype:trojan-activity;sid:84689235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.4.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826134/; classtype:trojan-activity;sid:84689234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-field5.lucernemo7al.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826133/; classtype:trojan-activity;sid:84689233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-cave4.lucernemo7al.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826132/; classtype:trojan-activity;sid:84689232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826130/; classtype:trojan-activity;sid:84689230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.162.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826131/; classtype:trojan-activity;sid:84689231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-mount3.lucernemo7al.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826129/; classtype:trojan-activity;sid:84689229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.12.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826128/; classtype:trojan-activity;sid:84689228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wild-river2.lucernemo7al.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826127/; classtype:trojan-activity;sid:84689227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-forest1.lucernemo7al.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826126/; classtype:trojan-activity;sid:84689226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lpke7.heaton-stolid.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826125/; classtype:trojan-activity;sid:84689225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.73.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826124/; classtype:trojan-activity;sid:84689224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"formatcon.heaton-stolid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826123/; classtype:trojan-activity;sid:84689223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nvxlifpf.heaton-stolid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826122/; classtype:trojan-activity;sid:84689222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826121/; classtype:trojan-activity;sid:84689221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.128.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826120/; classtype:trojan-activity;sid:84689220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826119/; classtype:trojan-activity;sid:84689219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.231.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826118/; classtype:trojan-activity;sid:84689218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xazhg.heaton-stolid.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826117/; classtype:trojan-activity;sid:84689217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p0rt-hold.heaton-stolid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826116/; classtype:trojan-activity;sid:84689216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.84.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826115/; classtype:trojan-activity;sid:84689215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.128.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826114/; classtype:trojan-activity;sid:84689214; rev:1;)
# URLhaus download-URL rules, written one per line. Each rule alerts on an
# HTTP GET sent from $HOME_NET to $EXTERNAL_NET (flow:established,from_client)
# when both sticky buffers match in full:
#   - http.uri: content with depth equal to its length plus endswith, so the
#     whole URI buffer must equal the listed path (nocase: any letter case);
#   - http.host: content with depth equal to its length plus
#     isdataat:!1,relative, so the whole Host buffer must equal the listed
#     name or IP address.
# The number in msg, the reference URL and the sid (entry id plus 80863100 in
# every rule here) all identify the same URLhaus entry.
# NOTE(review): only the request is inspected, so an alert means "an internal
# host asked for this URL"; confirm from the response or the endpoint whether
# anything was actually retrieved.
# NOTE(review): the long ".google" path below is identical across hostnames
# under heaton-stolid.in.net, desa1inatcount.in.net and animate-worn.in.net,
# while each rule pins one hostname. Retrospective searches of proxy or HTTP
# logs for that path alone may surface requests to hostnames not listed here -
# presumably more exist; verify against the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"casca-frame.heaton-stolid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826113/; classtype:trojan-activity;sid:84689213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.252.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826112/; classtype:trojan-activity;sid:84689212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.73.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826111/; classtype:trojan-activity;sid:84689211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spatra.desa1inatcount.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826110/; classtype:trojan-activity;sid:84689210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rur4-watch.desa1inatcount.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826109/; classtype:trojan-activity;sid:84689209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"builrai.desa1inatcount.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826108/; classtype:trojan-activity;sid:84689208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826107/; classtype:trojan-activity;sid:84689207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826106/; classtype:trojan-activity;sid:84689206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826105/; classtype:trojan-activity;sid:84689205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.250.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826104/; classtype:trojan-activity;sid:84689204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.16.164.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826103/; classtype:trojan-activity;sid:84689203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spruce-field.desa1inatcount.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826102/; classtype:trojan-activity;sid:84689202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.99.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826101/; classtype:trojan-activity;sid:84689201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826099/; classtype:trojan-activity;sid:84689199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826100/; classtype:trojan-activity;sid:84689200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.252.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826098/; classtype:trojan-activity;sid:84689198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"118jq.desa1inatcount.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826097/; classtype:trojan-activity;sid:84689197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slu780t.desa1inatcount.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826096/; classtype:trojan-activity;sid:84689196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sernex2en.animate-worn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826095/; classtype:trojan-activity;sid:84689195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coucinema.animate-worn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826094/; classtype:trojan-activity;sid:84689194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/np.exe"; depth:7; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826093/; classtype:trojan-activity;sid:84689193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshlin.animate-worn.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826092/; classtype:trojan-activity;sid:84689192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826091/; classtype:trojan-activity;sid:84689191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.29.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826090/; classtype:trojan-activity;sid:84689190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.16.164.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826089/; classtype:trojan-activity;sid:84689189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.127.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826088/; classtype:trojan-activity;sid:84689188; rev:1;)
# The rule for entry 3826087 starts here and continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826087)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6jny.animate-worn.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826087/; classtype:trojan-activity;sid:84689187; rev:1;)
# Rule template used by the entries below: alert on an outbound ($HOME_NET -> $EXTERNAL_NET)
# client request, parsed as HTTP, whose method buffer contains GET, whose http.uri equals the
# listed path (depth = pattern length, plus endswith; nocase applies to the path match) and
# whose http.host equals the listed host (depth = pattern length, plus isdataat:!1,relative,
# i.e. no byte may follow the match). Traffic that is not parsed as HTTP (for example TLS
# without decryption) or that uses another method is outside what these rules inspect.
#
# NOTE(review): the rules with the path ending in "ck-3d80df5d12cdfe6450a782fc87bf66b444.google"
# share one http.uri and differ only in http.host (many subdomains under several *.in.net
# parent domains). Each rule pins one exact host, so a subdomain that is not yet listed raises
# no alert. If that gap matters, consider a locally maintained rule keyed on the URI alone, in
# your own SID range and after checking its false-positive rate, rather than editing this
# generated file (a feed refresh presumably overwrites local changes - confirm).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"050oanp8.animate-worn.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826086/; classtype:trojan-activity;sid:84689186; rev:1;)
# The http.uri pattern below uses hex-pipe notation: |3f| is the single byte "?", so the
# decoded pattern is 24 bytes long ("/?ublib=" followed by 16 characters).
# NOTE(review): depth:27 equals the length of the escaped text (|3f| counted as four
# characters), not of the decoded pattern. The neighbouring rules set depth to the exact
# pattern length, which together with endswith makes them whole-buffer matches; here a URI
# with up to three extra leading bytes still matches. depth:24 looks like the intended value -
# confirm and report to the feed maintainer rather than patching the generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=wuzlbctajnoluybn"; depth:27; endswith; nocase; http.host; content:"rzdwkgtc.chernichco5t.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826085/; classtype:trojan-activity;sid:84689185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ph0ton0-crest.animate-worn.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826084/; classtype:trojan-activity;sid:84689184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2;
endswith; nocase; http.host; content:"105.184.116.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826083/; classtype:trojan-activity;sid:84689183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.35.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826082/; classtype:trojan-activity;sid:84689182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"triggerunload.jordan5nual.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826081/; classtype:trojan-activity;sid:84689181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quickque.jordan5nual.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826080/; classtype:trojan-activity;sid:84689180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.29.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3826079/; classtype:trojan-activity;sid:84689179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.55.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826078/; classtype:trojan-activity;sid:84689178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kxqj.jordan5nual.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826077/; classtype:trojan-activity;sid:84689177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moleculeblend.jordan5nual.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826076/; classtype:trojan-activity;sid:84689176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.29.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826075/; classtype:trojan-activity;sid:84689175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3826073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.113.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826073/; classtype:trojan-activity;sid:84689173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.113.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826074/; classtype:trojan-activity;sid:84689174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5jhxktfe.jordan5nual.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826072/; classtype:trojan-activity;sid:84689172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826071/; classtype:trojan-activity;sid:84689171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; 
reference:url, urlhaus.abuse.ch/url/3826070/; classtype:trojan-activity;sid:84689170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t3st-plate.jordan5nual.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826069/; classtype:trojan-activity;sid:84689169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.129.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826068/; classtype:trojan-activity;sid:84689168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cavhn.effect-razina.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826067/; classtype:trojan-activity;sid:84689167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.113.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826066/; classtype:trojan-activity;sid:84689166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3826065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.36.203.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826065/; classtype:trojan-activity;sid:84689165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.116.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826064/; classtype:trojan-activity;sid:84689164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumnex2ar.effect-razina.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826063/; classtype:trojan-activity;sid:84689163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f0x-span.effect-razina.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826062/; classtype:trojan-activity;sid:84689162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"115.49.113.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826061/; classtype:trojan-activity;sid:84689161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826060/; classtype:trojan-activity;sid:84689160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdkmodu.effect-razina.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826059/; classtype:trojan-activity;sid:84689159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soumea.effect-razina.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826058/; classtype:trojan-activity;sid:84689158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.133.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3826057/; classtype:trojan-activity;sid:84689157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.105.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826056/; classtype:trojan-activity;sid:84689156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.62.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826055/; classtype:trojan-activity;sid:84689155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spec4-craft.effect-razina.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826054/; classtype:trojan-activity;sid:84689154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.137.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826053/; classtype:trojan-activity;sid:84689153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826052)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumtideen9.cabmic7on.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826052/; classtype:trojan-activity;sid:84689152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snqw.cabmic7on.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826051/; classtype:trojan-activity;sid:84689151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"8rv3pcd.cabmic7on.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826050/; classtype:trojan-activity;sid:84689150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hsipz.cabmic7on.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826049/; classtype:trojan-activity;sid:84689149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826048)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.199.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826048/; classtype:trojan-activity;sid:84689148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.151.72.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826047/; classtype:trojan-activity;sid:84689147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oz557xfr.cabmic7on.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826046/; classtype:trojan-activity;sid:84689146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.157.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826045/; classtype:trojan-activity;sid:84689145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826044/; 
classtype:trojan-activity;sid:84689144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.213.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826042/; classtype:trojan-activity;sid:84689142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.38.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826043/; classtype:trojan-activity;sid:84689143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nor-tideet.cabmic7on.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826041/; classtype:trojan-activity;sid:84689141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.222.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826040/; classtype:trojan-activity;sid:84689140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826039)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pvc1l.merit-susyuka.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826039/; classtype:trojan-activity;sid:84689139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.166.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826038/; classtype:trojan-activity;sid:84689138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stre4m-well.merit-susyuka.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826037/; classtype:trojan-activity;sid:84689137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"efiarz.merit-susyuka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826036/; classtype:trojan-activity;sid:84689136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"124.131.151.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826035/; classtype:trojan-activity;sid:84689135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"echamb.merit-susyuka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826034/; classtype:trojan-activity;sid:84689134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826032/; classtype:trojan-activity;sid:84689132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826033/; classtype:trojan-activity;sid:84689133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.72.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826031/; classtype:trojan-activity;sid:84689131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3826030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"umxburt3.merit-susyuka.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826030/; classtype:trojan-activity;sid:84689130; rev:1;)
# Every rule in this section follows one generated template:
#   - $HOME_NET -> $EXTERNAL_NET, established flow, client side, HTTP method GET.
#   - http.uri: content + depth:<content length> + endswith pins the match to the
#     whole URI buffer, and nocase makes that comparison case-insensitive. The
#     same path with a query string appended is therefore not matched.
#   - http.host: content + depth:<content length> + isdataat:!1,relative requires
#     the host buffer to equal the listed value, not merely contain it.
#   - Each rule carries its own sid and a reference:url to its URLhaus entry.
# Limits to keep in mind when triaging:
#   - The rules fire only where Suricata parses the request as HTTP, so the same
#     download fetched over TLS is not covered.
#   - created_at is the rule's creation date; it says nothing about whether the
#     URL is still serving content.
#   - For the two-byte URI "/i" the host match carries all of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.157.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826029/; classtype:trojan-activity;sid:84689129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.17.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826027/; classtype:trojan-activity;sid:84689127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.85.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826028/; classtype:trojan-activity;sid:84689128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.200.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826026/; classtype:trojan-activity;sid:84689126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.185.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826025/; classtype:trojan-activity;sid:84689125; rev:1;)
# NOTE(review): the 82-byte URI in the next rule recurs throughout this section
# under many different host names, all subdomains of merit-susyuka.in.net,
# hearkenw2tman.in.net, dickina-exagger.in.net, craftf1uctuate.in.net,
# qi9morlen.in.net or bovla5ren.in.net. Each rule pins one exact host, so a
# subdomain that is not yet listed will not alert even when it serves the same
# URI; searching HTTP/proxy logs for the URI on its own is a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-5tudio.merit-susyuka.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826024/; classtype:trojan-activity;sid:84689124; rev:1;)
# The /bins/... rules from here through URLhaus id 3826013 all name host
# 176.65.132.178 and differ only in the architecture token embedded in the file
# name (powerpc, x86_64, microblaze, loongarch64, mips, sh2, i386, riscv64, sh4,
# m68k, riscv32, or1k, aarch64). One unrelated rule (3826014) is interleaved.
# Alerts from one client on several of these sids are best triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826020/; classtype:trojan-activity;sid:84689120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826021/; classtype:trojan-activity;sid:84689121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826022/; classtype:trojan-activity;sid:84689122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826023/; classtype:trojan-activity;sid:84689123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826014/; classtype:trojan-activity;sid:84689114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826015/; classtype:trojan-activity;sid:84689115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826016/; classtype:trojan-activity;sid:84689116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826017/; classtype:trojan-activity;sid:84689117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826018/; classtype:trojan-activity;sid:84689118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826019/; classtype:trojan-activity;sid:84689119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826010/; classtype:trojan-activity;sid:84689110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826011/; classtype:trojan-activity;sid:84689111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826012/; classtype:trojan-activity;sid:84689112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826013/; classtype:trojan-activity;sid:84689113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826009/; classtype:trojan-activity;sid:84689109; rev:1;)
# NOTE(review): host and path of the next rule read like an imitation of a Zoom
# Windows installer download (inferred from the strings only); the URI ends in
# .msi, unlike the script and binary names elsewhere in this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/files/17uatcxcbhl34_19si0b7fbsuf4_windows_x64.msi"; depth:63; endswith; nocase; http.host; content:"zoommeetingg.click"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826008/; classtype:trojan-activity;sid:84689108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sora.sh"; depth:8; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826007/; classtype:trojan-activity;sid:84689107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pcllgu4.hearkenw2tman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826006/; classtype:trojan-activity;sid:84689106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.253.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826005/; classtype:trojan-activity;sid:84689105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.151.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826004/; classtype:trojan-activity;sid:84689104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.28.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826003/; classtype:trojan-activity;sid:84689103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"r31a6-gate.hearkenw2tman.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826002/; classtype:trojan-activity;sid:84689102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.38.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826001/; classtype:trojan-activity;sid:84689101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cliffbala.hearkenw2tman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3826000/; classtype:trojan-activity;sid:84689100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.185.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825999/; classtype:trojan-activity;sid:84689099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.157.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825998/; classtype:trojan-activity;sid:84689098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"retailree.hearkenw2tman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825997/; classtype:trojan-activity;sid:84689097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.214.230.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825996/; classtype:trojan-activity;sid:84689096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.231.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825995/; classtype:trojan-activity;sid:84689095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ul9d3.hearkenw2tman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825994/; classtype:trojan-activity;sid:84689094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"voltquarry.hearkenw2tman.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825993/; classtype:trojan-activity;sid:84689093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.28.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825992/; classtype:trojan-activity;sid:84689092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825991/; classtype:trojan-activity;sid:84689091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"posterharbor.dickina-exagger.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825990/; classtype:trojan-activity;sid:84689090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.248.175.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825989/; classtype:trojan-activity;sid:84689089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.224.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825988/; classtype:trojan-activity;sid:84689088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825987/; classtype:trojan-activity;sid:84689087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arnubx.dickina-exagger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825986/; classtype:trojan-activity;sid:84689086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"63ev.dickina-exagger.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825985/; classtype:trojan-activity;sid:84689085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.227.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825984/; classtype:trojan-activity;sid:84689084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.218.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825983/; classtype:trojan-activity;sid:84689083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pipelinestudi.dickina-exagger.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825982/; classtype:trojan-activity;sid:84689082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.184.60.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825981/; classtype:trojan-activity;sid:84689081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"g9jy.dickina-exagger.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825980/; classtype:trojan-activity;sid:84689080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.74.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825979/; classtype:trojan-activity;sid:84689079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.64.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825978/; classtype:trojan-activity;sid:84689078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.166.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825977/; classtype:trojan-activity;sid:84689077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.224.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825976/; classtype:trojan-activity;sid:84689076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"golgath.dickina-exagger.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825975/; classtype:trojan-activity;sid:84689075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"traile1-wave.craftf1uctuate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825974/; classtype:trojan-activity;sid:84689074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.78.57.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825973/; classtype:trojan-activity;sid:84689073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.164.69.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825972/; classtype:trojan-activity;sid:84689072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.52.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825971/; classtype:trojan-activity;sid:84689071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.56.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825970/; classtype:trojan-activity;sid:84689070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.74.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825969/; classtype:trojan-activity;sid:84689069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.213.219.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825968/; classtype:trojan-activity;sid:84689068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.218.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825967/; classtype:trojan-activity;sid:84689067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.78.57.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825966/; classtype:trojan-activity;sid:84689066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-task6.qi9morlen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825965/; classtype:trojan-activity;sid:84689065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.173.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825964/; classtype:trojan-activity;sid:84689064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-load5.qi9morlen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825963/; classtype:trojan-activity;sid:84689063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.76.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825962/; classtype:trojan-activity;sid:84689062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825961/; classtype:trojan-activity;sid:84689061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"large-pack4.qi9morlen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825960/; classtype:trojan-activity;sid:84689060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.227.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825959/; classtype:trojan-activity;sid:84689059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.53.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825958/; classtype:trojan-activity;sid:84689058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-gift3.qi9morlen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825957/; classtype:trojan-activity;sid:84689057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-box2.qi9morlen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825956/; classtype:trojan-activity;sid:84689056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.100.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825955/; classtype:trojan-activity;sid:84689055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-shelf1.qi9morlen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825954/; classtype:trojan-activity;sid:84689054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.100.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825953/; classtype:trojan-activity;sid:84689053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-bun6.bovla5ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825952/; classtype:trojan-activity;sid:84689052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825951/; classtype:trojan-activity;sid:84689051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825949/; classtype:trojan-activity;sid:84689049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825950/; classtype:trojan-activity;sid:84689050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.69.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825948/; classtype:trojan-activity;sid:84689048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.232.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825946/; classtype:trojan-activity;sid:84689046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.232.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825947/; classtype:trojan-activity;sid:84689047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-milk5.bovla5ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825945/; classtype:trojan-activity;sid:84689045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.53.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825944/; classtype:trojan-activity;sid:84689044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"153.3.11.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825943/; classtype:trojan-activity;sid:84689043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.243.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825942/; classtype:trojan-activity;sid:84689042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-grill4.bovla5ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825941/; classtype:trojan-activity;sid:84689041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825940/; classtype:trojan-activity;sid:84689040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.101.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825939/; classtype:trojan-activity;sid:84689039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-cake3.bovla5ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825938/; classtype:trojan-activity;sid:84689038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825937/; classtype:trojan-activity;sid:84689037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825936)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-pie2.bovla5ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825936/; classtype:trojan-activity;sid:84689036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.88.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825934/; classtype:trojan-activity;sid:84689034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.243.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825935/; classtype:trojan-activity;sid:84689035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-chef1.bovla5ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825933/; classtype:trojan-activity;sid:84689033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_19; reference:url, urlhaus.abuse.ch/url/3825932/; classtype:trojan-activity;sid:84689032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825931/; classtype:trojan-activity;sid:84689031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.125.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825930/; classtype:trojan-activity;sid:84689030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cloud-node6.de4xpamil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825929/; classtype:trojan-activity;sid:84689029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825928/; classtype:trojan-activity;sid:84689028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825927)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.103.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825927/; classtype:trojan-activity;sid:84689027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-base5.de4xpamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825926/; classtype:trojan-activity;sid:84689026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.64.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825925/; classtype:trojan-activity;sid:84689025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file-list4.de4xpamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825924/; classtype:trojan-activity;sid:84689024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.101.109"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825923/; classtype:trojan-activity;sid:84689023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-link3.de4xpamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825922/; classtype:trojan-activity;sid:84689022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-map2.de4xpamil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825921/; classtype:trojan-activity;sid:84689021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.88.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825920/; classtype:trojan-activity;sid:84689020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.103.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825919/; classtype:trojan-activity;sid:84689019; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-info1.de4xpamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825918/; classtype:trojan-activity;sid:84689018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.243.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825917/; classtype:trojan-activity;sid:84689017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"boat-tour6.wi1msaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825916/; classtype:trojan-activity;sid:84689016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"island-trip5.wi1msaren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825915/; classtype:trojan-activity;sid:84689015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3825914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.51.68"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825914/; classtype:trojan-activity;sid:84689014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-wave4.wi1msaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825913/; classtype:trojan-activity;sid:84689013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.99.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825912/; classtype:trojan-activity;sid:84689012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"palm-tree3.wi1msaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825911/; classtype:trojan-activity;sid:84689011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825910)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sand-beach2.wi1msaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825910/; classtype:trojan-activity;sid:84689010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ocean-view1.wi1msaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825909/; classtype:trojan-activity;sid:84689009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-void6.po8vtirel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825908/; classtype:trojan-activity;sid:84689008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.88.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825907/; classtype:trojan-activity;sid:84689007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825906)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-auth5.po8vtirel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825906/; classtype:trojan-activity;sid:84689006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.54.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825905/; classtype:trojan-activity;sid:84689005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.51.68"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825904/; classtype:trojan-activity;sid:84689004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.243.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825903/; classtype:trojan-activity;sid:84689003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cloud-gate4.po8vtirel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; 
reference:url, urlhaus.abuse.ch/url/3825902/; classtype:trojan-activity;sid:84689002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825896/; classtype:trojan-activity;sid:84688996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825897/; classtype:trojan-activity;sid:84688997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.m68k"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825898/; classtype:trojan-activity;sid:84688998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825899/; classtype:trojan-activity;sid:84688999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825900)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/hoho.x86"; depth:14; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825900/; classtype:trojan-activity;sid:84689000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.sparc"; depth:16; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825901/; classtype:trojan-activity;sid:84689001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.i586"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825894/; classtype:trojan-activity;sid:84688994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.i686"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825895/; classtype:trojan-activity;sid:84688995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scar"; depth:5; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825893/; classtype:trojan-activity;sid:84688993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3825888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm5"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825888/; classtype:trojan-activity;sid:84688988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.sh4"; depth:14; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825889/; classtype:trojan-activity;sid:84688989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.ppc"; depth:14; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825890/; classtype:trojan-activity;sid:84688990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825891/; classtype:trojan-activity;sid:84688991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm7"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825892/; classtype:trojan-activity;sid:84688992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scar"; depth:5; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825885/; classtype:trojan-activity;sid:84688985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825886/; classtype:trojan-activity;sid:84688986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm4"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825887/; classtype:trojan-activity;sid:84688987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web-tunnel3.po8vtirel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825884/; classtype:trojan-activity;sid:84688984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825880)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825880/; classtype:trojan-activity;sid:84688980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.arm6"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825881/; classtype:trojan-activity;sid:84688981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825882/; classtype:trojan-activity;sid:84688982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825883/; classtype:trojan-activity;sid:84688983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.ppc440fp"; depth:19; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825879/; 
classtype:trojan-activity;sid:84688979; rev:1;)
# (The line above is the tail of a rule that begins before this section.)
#
# Every rule below is generated from one template; only the URLhaus id, the URI
# path, the host and the sid differ.
#
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       HTTP requests going from $HOME_NET to $EXTERNAL_NET. Only traffic that
#       Suricata parses as HTTP is inspected, so the same URL fetched over TLS
#       is not covered unless it is decrypted upstream of the sensor.
#       NOTE(review): where clients reach the Internet through a proxy that is
#       itself inside $HOME_NET, the client-to-proxy leg presumably does not
#       satisfy "-> $EXTERNAL_NET"; verify sensor placement.
#   flow:established,from_client; http.method; content:"GET";
#       Client side of an established flow, GET requests.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase;
#       depth equals the length of <path> and endswith pins the match to the
#       end of the buffer, so the whole URI has to equal <path>, compared
#       case-insensitively. The same path with a query string or an extra
#       segment appended does not match.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative;
#       depth equals the length of <host> and isdataat:!1,relative requires
#       that no byte follows the match, so the host has to equal <host>.
#       The match is on the HTTP host value, not on the destination address:
#       for the IP-literal hosts, a request sent to that address with a
#       different Host header does not match.
#       NOTE(review): confirm how the deployed Suricata version treats a port
#       in the Host header for http.host.
#   metadata:created_at ...; reference:url, ...;
#       Creation date recorded by the feed and the URLhaus page of the entry.
#   sid
#       In this section sid = URLhaus id + 80863100, so an alert can be mapped
#       back to its URLhaus entry from the msg text, the reference or the sid.
#
# Keep one rule per physical line when editing this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825875/; classtype:trojan-activity;sid:84688975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.mips"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825876/; classtype:trojan-activity;sid:84688976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825877/; classtype:trojan-activity;sid:84688977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hoho.mpsl"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825878/; classtype:trojan-activity;sid:84688978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825874/; classtype:trojan-activity;sid:84688974; rev:1;)
# The URI path in the next rule recurs unchanged in many rules of this section,
# each time paired with a different *.in.net hostname. Because the host is
# matched exactly, a hostname the feed has not listed yet is not covered even
# if it serves the same path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"secure-node2.po8vtirel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825873/; classtype:trojan-activity;sid:84688973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.95.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825872/; classtype:trojan-activity;sid:84688972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-proxy1.po8vtirel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825871/; classtype:trojan-activity;sid:84688971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.47.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825870/; classtype:trojan-activity;sid:84688970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.54.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825869/; classtype:trojan-activity;sid:84688969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sport-news6.kymli7ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825868/; classtype:trojan-activity;sid:84688968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.239.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825867/; classtype:trojan-activity;sid:84688967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.62.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825866/; classtype:trojan-activity;sid:84688966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"final-game5.kymli7ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825865/; classtype:trojan-activity;sid:84688965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/amoookde.x"; depth:13; endswith; nocase; http.host; content:"x.vodxz.icu"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825864/; classtype:trojan-activity;sid:84688964; rev:1;)
# NOTE(review): the path in the next rule starts with a double slash. http.uri
# is the normalized URI buffer, so confirm that the sensor's HTTP normalization
# leaves repeated slashes intact; if it collapses them, this exact-length match
# (depth:58 with endswith) cannot fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//tmp/f/10dfff942805d90d6ebb28bd58093653_20251208021850.so"; depth:58; endswith; nocase; http.host; content:"fd.v2downf.shop"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825863/; classtype:trojan-activity;sid:84688963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ba0af68-0037-5f6e-afd1-64f89fc0f554/v1"; depth:40; endswith; nocase; http.host; content:"oblionts.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825862/; classtype:trojan-activity;sid:84688962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ba0af68-0037-5f6e-afd1-64f89fc0f554/loc1"; depth:42; endswith; nocase; http.host; content:"oblionts.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825861/; classtype:trojan-activity;sid:84688961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"tg-xxooxx888.8964.mom"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825860/; classtype:trojan-activity;sid:84688960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.146.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825858/; classtype:trojan-activity;sid:84688958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.132.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825859/; classtype:trojan-activity;sid:84688959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-player4.kymli7ren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825857/; classtype:trojan-activity;sid:84688957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-medal3.kymli7ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825856/; classtype:trojan-activity;sid:84688956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-score2.kymli7ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825855/; classtype:trojan-activity;sid:84688955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.217.47.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825854/; classtype:trojan-activity;sid:84688954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.239.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825853/; classtype:trojan-activity;sid:84688953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825851/; classtype:trojan-activity;sid:84688951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.156.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825852/; classtype:trojan-activity;sid:84688952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-match1.kymli7ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825850/; classtype:trojan-activity;sid:84688950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"49.89.101.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825849/; classtype:trojan-activity;sid:84688949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"live-feed6.to3vamil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825848/; classtype:trojan-activity;sid:84688948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.79.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825847/; classtype:trojan-activity;sid:84688947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"film-edit5.to3vamil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825846/; classtype:trojan-activity;sid:84688946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"49.89.101.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825845/; classtype:trojan-activity;sid:84688945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-shot4.to3vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825844/; classtype:trojan-activity;sid:84688944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sound-mix3.to3vamil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825843/; classtype:trojan-activity;sid:84688943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"video-clip2.to3vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825842/; classtype:trojan-activity;sid:84688942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-info1.to3vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825841/; classtype:trojan-activity;sid:84688941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-paper6.sylo9rex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825840/; classtype:trojan-activity;sid:84688940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thick-file5.sylo9rex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825839/; classtype:trojan-activity;sid:84688939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.79.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825838/; classtype:trojan-activity;sid:84688938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.42.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825837/; classtype:trojan-activity;sid:84688937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-mark4.sylo9rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825836/; classtype:trojan-activity;sid:84688936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.228.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825835/; classtype:trojan-activity;sid:84688935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.168.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825834/; classtype:trojan-activity;sid:84688934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-pen3.sylo9rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825833/; classtype:trojan-activity;sid:84688933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.113.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825832/; classtype:trojan-activity;sid:84688932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-page2.sylo9rex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825831/; classtype:trojan-activity;sid:84688931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-ink1.sylo9rex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825830/; classtype:trojan-activity;sid:84688930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.192.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825829/; classtype:trojan-activity;sid:84688929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.42.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825828/; classtype:trojan-activity;sid:84688928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"night-view6.ra6xovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825827/; classtype:trojan-activity;sid:84688927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-square5.ra6xovel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825826/; classtype:trojan-activity;sid:84688926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.180.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825825/; classtype:trojan-activity;sid:84688925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.3.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825824/; classtype:trojan-activity;sid:84688924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.168.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825823/; classtype:trojan-activity;sid:84688923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-street4.ra6xovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825822/; classtype:trojan-activity;sid:84688922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.73.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825821/; classtype:trojan-activity;sid:84688921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.252.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825820/; classtype:trojan-activity;sid:84688920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.113.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825819/; classtype:trojan-activity;sid:84688919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.158.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825818/; classtype:trojan-activity;sid:84688918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"urban-style3.ra6xovel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825817/; classtype:trojan-activity;sid:84688917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.227.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825816/; classtype:trojan-activity;sid:84688916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"modern-base2.ra6xovel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825815/; classtype:trojan-activity;sid:84688915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.89.252.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825814/; classtype:trojan-activity;sid:84688914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-plan1.ra6xovel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825813/; classtype:trojan-activity;sid:84688913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.78.47.223"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825812/; classtype:trojan-activity;sid:84688912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-yard6.2zorelin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825811/; classtype:trojan-activity;sid:84688911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.185.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825810/; classtype:trojan-activity;sid:84688910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.10.180.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825809/; classtype:trojan-activity;sid:84688909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.63.138.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825808/; classtype:trojan-activity;sid:84688908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-garden5.2zorelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825807/; classtype:trojan-activity;sid:84688907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.3.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825806/; classtype:trojan-activity;sid:84688906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.158.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825805/; classtype:trojan-activity;sid:84688905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.252.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825804/; classtype:trojan-activity;sid:84688904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-house4.2zorelin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825803/; classtype:trojan-activity;sid:84688903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.140.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825802/; classtype:trojan-activity;sid:84688902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.209.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825801/; classtype:trojan-activity;sid:84688901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-decor3.2zorelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825800/; classtype:trojan-activity;sid:84688900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.190.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825799/; classtype:trojan-activity;sid:84688899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825798/; classtype:trojan-activity;sid:84688898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.134.58.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825797/; classtype:trojan-activity;sid:84688897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"living-room2.2zorelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825796/; classtype:trojan-activity;sid:84688896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.185.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825795/; classtype:trojan-activity;sid:84688895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-design1.2zorelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825794/; classtype:trojan-activity;sid:84688894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.ppc"; depth:8; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825793/; classtype:trojan-activity;sid:84688893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.78.47.223"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825792/; classtype:trojan-activity;sid:84688892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.219.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825791/; classtype:trojan-activity;sid:84688891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.spc"; depth:8; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825790/; classtype:trojan-activity;sid:84688890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86"; depth:8; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825789/; classtype:trojan-activity;sid:84688889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.m68k"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825788/; classtype:trojan-activity;sid:84688888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825783/; classtype:trojan-activity;sid:84688883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.sh4"; depth:8; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825784/; classtype:trojan-activity;sid:84688884; rev:1;)
# URLhaus download-URL signatures (entries created 2026_04_19), one rule per line.
# Each rule alerts on an established, client-to-server HTTP flow from $HOME_NET to
# $EXTERNAL_NET when all three of the following match:
#   - http.method contains "GET";
#   - http.uri equals the listed path: depth is the content length and endswith
#     pins the end, so the content must be the whole URI buffer (nocase applies
#     to this content only);
#   - http.host equals the listed host: depth is the content length and
#     isdataat:!1,relative requires that no byte follows it.
# Consequences of the exact match: the same path with a query string appended, or
# a different path on the same host, does not fire. The rules use the http
# protocol keyword, so the same download over TLS is only visible if traffic is
# decrypted before the sensor - NOTE(review): confirm for your deployment.
# The action is alert, so these rules detect rather than block; a hit identifies
# the internal client that requested the URL, which is the host to triage.
# Several rules in this run share one host (45.156.87.194 with /dlr.* paths) or
# one URI path across many *.in.net hosts; correlate hits across the related sids
# rather than treating each sid in isolation.
# Indicators like these go stale; the reference: option in each rule names the
# URLhaus entry to check before acting on an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825785/; classtype:trojan-activity;sid:84688885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825786/; classtype:trojan-activity;sid:84688886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825787/; classtype:trojan-activity;sid:84688887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825781/; classtype:trojan-activity;sid:84688881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825782/; classtype:trojan-activity;sid:84688882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-library6.qi1moxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825780/; classtype:trojan-activity;sid:84688880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.73.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825779/; classtype:trojan-activity;sid:84688879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825778/; classtype:trojan-activity;sid:84688878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-author5.qi1moxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825777/; classtype:trojan-activity;sid:84688877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.209.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825776/; classtype:trojan-activity;sid:84688876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-seller4.qi1moxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825775/; classtype:trojan-activity;sid:84688875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.190.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825774/; classtype:trojan-activity;sid:84688874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-number3.qi1moxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825773/; classtype:trojan-activity;sid:84688873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.134.58.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825772/; classtype:trojan-activity;sid:84688872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825771/; classtype:trojan-activity;sid:84688871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"read-more2.qi1moxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825770/; classtype:trojan-activity;sid:84688870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.219.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825769/; classtype:trojan-activity;sid:84688869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-book1.qi1moxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825768/; classtype:trojan-activity;sid:84688868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.140.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825767/; classtype:trojan-activity;sid:84688867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-drink6.bovla8ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825766/; classtype:trojan-activity;sid:84688866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.239.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825765/; classtype:trojan-activity;sid:84688865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.200.102.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825764/; classtype:trojan-activity;sid:84688864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.68.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825763/; classtype:trojan-activity;sid:84688863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-juice5.bovla8ren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825762/; classtype:trojan-activity;sid:84688862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825760/; classtype:trojan-activity;sid:84688860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825761/; classtype:trojan-activity;sid:84688861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.8.152"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825759/; classtype:trojan-activity;sid:84688859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-cake4.bovla8ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825758/; classtype:trojan-activity;sid:84688858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.220.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825757/; classtype:trojan-activity;sid:84688857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-dish3.bovla8ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825756/; classtype:trojan-activity;sid:84688856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-meal2.bovla8ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825755/; classtype:trojan-activity;sid:84688855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3825754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-food1.bovla8ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825754/; classtype:trojan-activity;sid:84688854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.14.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825753/; classtype:trojan-activity;sid:84688853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.239.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825752/; classtype:trojan-activity;sid:84688852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825751/; classtype:trojan-activity;sid:84688851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"live-stream6.de5xpiren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825750/; classtype:trojan-activity;sid:84688850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825749/; classtype:trojan-activity;sid:84688849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.248.31.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825748/; classtype:trojan-activity;sid:84688848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-topic5.de5xpiren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825747/; classtype:trojan-activity;sid:84688847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.250.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825746/; classtype:trojan-activity;sid:84688846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3825745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"weather-post4.de5xpiren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825745/; classtype:trojan-activity;sid:84688845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825744/; classtype:trojan-activity;sid:84688844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.125.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825743/; classtype:trojan-activity;sid:84688843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sport-match3.de5xpiren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825742/; classtype:trojan-activity;sid:84688842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"115.50.46.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825741/; classtype:trojan-activity;sid:84688841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-press2.de5xpiren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825740/; classtype:trojan-activity;sid:84688840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-news1.de5xpiren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825739/; classtype:trojan-activity;sid:84688839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.250.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825738/; classtype:trojan-activity;sid:84688838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.219.74.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825737/; classtype:trojan-activity;sid:84688837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-snow6.wi9msorin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825736/; classtype:trojan-activity;sid:84688836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"silver-coin5.wi9msorin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825735/; classtype:trojan-activity;sid:84688835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.162.75.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825734/; classtype:trojan-activity;sid:84688834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.46.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825733/; classtype:trojan-activity;sid:84688833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-star4.wi9msorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825732/; classtype:trojan-activity;sid:84688832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825731/; classtype:trojan-activity;sid:84688831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-apple3.wi9msorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825730/; classtype:trojan-activity;sid:84688830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-grass2.wi9msorin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825729/; classtype:trojan-activity;sid:84688829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825728)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.100.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825728/; classtype:trojan-activity;sid:84688828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.151.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825727/; classtype:trojan-activity;sid:84688827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-ocean1.wi9msorin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825726/; classtype:trojan-activity;sid:84688826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-park6.po2vtalen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825725/; classtype:trojan-activity;sid:84688825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825724)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gas-station5.po2vtalen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825724/; classtype:trojan-activity;sid:84688824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.50.200.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825723/; classtype:trojan-activity;sid:84688823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auto-parts4.po2vtalen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825722/; classtype:trojan-activity;sid:84688822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"road-trip3.po2vtalen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825721/; classtype:trojan-activity;sid:84688821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"113.221.78.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825720/; classtype:trojan-activity;sid:84688820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.162.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825719/; classtype:trojan-activity;sid:84688819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.151.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825718/; classtype:trojan-activity;sid:84688818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-drive2.po2vtalen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825717/; classtype:trojan-activity;sid:84688817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"car-rental1.po2vtalen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825716/; 
classtype:trojan-activity;sid:84688816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-player6.kymli4rex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825715/; classtype:trojan-activity;sid:84688815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825713/; classtype:trojan-activity;sid:84688813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825714/; classtype:trojan-activity;sid:84688814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825712/; classtype:trojan-activity;sid:84688812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825707)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825707/; classtype:trojan-activity;sid:84688807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825708/; classtype:trojan-activity;sid:84688808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825709/; classtype:trojan-activity;sid:84688809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825710/; classtype:trojan-activity;sid:84688810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825711/; classtype:trojan-activity;sid:84688811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825705/; classtype:trojan-activity;sid:84688805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825706/; classtype:trojan-activity;sid:84688806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825703/; classtype:trojan-activity;sid:84688803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825704/; classtype:trojan-activity;sid:84688804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825699/; classtype:trojan-activity;sid:84688799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825700/; classtype:trojan-activity;sid:84688800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825701/; classtype:trojan-activity;sid:84688801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"45.156.87.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825702/; classtype:trojan-activity;sid:84688802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825698/; classtype:trojan-activity;sid:84688798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; 
nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825697/; classtype:trojan-activity;sid:84688797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825694/; classtype:trojan-activity;sid:84688794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825695/; classtype:trojan-activity;sid:84688795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825696/; classtype:trojan-activity;sid:84688796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825685/; classtype:trojan-activity;sid:84688785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825686/; classtype:trojan-activity;sid:84688786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825687/; classtype:trojan-activity;sid:84688787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825688/; classtype:trojan-activity;sid:84688788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825689/; classtype:trojan-activity;sid:84688789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825690/; classtype:trojan-activity;sid:84688790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825691/; classtype:trojan-activity;sid:84688791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825692/; classtype:trojan-activity;sid:84688792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.148.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825693/; classtype:trojan-activity;sid:84688793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825684/; classtype:trojan-activity;sid:84688784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"14.157.18.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825674/; classtype:trojan-activity;sid:84688774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825675/; classtype:trojan-activity;sid:84688775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825676/; classtype:trojan-activity;sid:84688776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825677/; classtype:trojan-activity;sid:84688777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825678/; classtype:trojan-activity;sid:84688778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825679)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825679/; classtype:trojan-activity;sid:84688779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825680/; classtype:trojan-activity;sid:84688780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825681/; classtype:trojan-activity;sid:84688781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825682/; classtype:trojan-activity;sid:84688782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"185.132.53.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825683/; classtype:trojan-activity;sid:84688783; rev:1;) 
# NOTE(review): how to read alerts from this ruleset.
# - Every rule here is `alert http $HOME_NET -> $EXTERNAL_NET` on method GET, so it only
#   sees cleartext HTTP requests leaving the monitored network; the same URL fetched over
#   TLS is not inspected by these signatures unless the sensor decrypts it.
# - http.uri is pinned with depth:<len> + endswith and http.host with depth:<len> +
#   isdataat:!1,relative, i.e. both buffers must equal the listed string exactly. A request
#   for the same file with anything appended to the URI (e.g. a query string) is not
#   expected to match; verify against your Suricata version before relying on it.
# - Treat a missing alert as "no exact hit", not as "host is clean": pair these rules with
#   DNS, TLS SNI and flow logs for the same hosts/IPs.
# - Many entries differ only in the http.host value while sharing one http.uri path
#   (the long "/05fe317c-.../ck-....google" path), or only in an architecture suffix on one
#   server (/main_<arch>, /bins/p<arch>, /hiddenbin/space.<arch>). Presumably these are
#   single campaigns; when triaging, group alerts by source host and search HTTP logs for
#   the shared URI path to catch sibling hostnames the feed has not listed yet.
# - Short URIs such as "/i" and "/bin.sh" get all their specificity from the host IP, and
#   each rule carries its listing date in metadata:created_at; age out or re-validate old
#   entries, since an address may no longer serve the listed content (assumption).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sound-track5.kymli4rex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825673/; classtype:trojan-activity;sid:84688773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.107.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825672/; classtype:trojan-activity;sid:84688772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.122.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825671/; classtype:trojan-activity;sid:84688771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"video-clip4.kymli4rex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825670/; classtype:trojan-activity;sid:84688770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825669)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.185.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825669/; classtype:trojan-activity;sid:84688769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.250.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825668/; classtype:trojan-activity;sid:84688768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"picture-book3.kymli4rex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825667/; classtype:trojan-activity;sid:84688767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"image-zoom2.kymli4rex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825666/; classtype:trojan-activity;sid:84688766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.250.196"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_19; reference:url, urlhaus.abuse.ch/url/3825665/; classtype:trojan-activity;sid:84688765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-frame1.kymli4rex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825664/; classtype:trojan-activity;sid:84688764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.47.201.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825663/; classtype:trojan-activity;sid:84688763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825662/; classtype:trojan-activity;sid:84688762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.80.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825661/; classtype:trojan-activity;sid:84688761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825660)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.185.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825660/; classtype:trojan-activity;sid:84688760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-door6.to8varin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825659/; classtype:trojan-activity;sid:84688759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.97.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825658/; classtype:trojan-activity;sid:84688758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"water-pipe5.to8varin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825657/; classtype:trojan-activity;sid:84688757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.53.122"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825656/; classtype:trojan-activity;sid:84688756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"garden-view4.to8varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825655/; classtype:trojan-activity;sid:84688755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.210.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825654/; classtype:trojan-activity;sid:84688754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"repair-work3.to8varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825653/; classtype:trojan-activity;sid:84688753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-house2.to8varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825652/; classtype:trojan-activity;sid:84688752; rev:1;)
# --- Reading notes (review) ---------------------------------------------------
# The rules below share one template:
#   * `alert http` + `flow:established,from_client` + `http.method; content:"GET"`:
#     only client GET requests that Suricata parses as HTTP are inspected. The
#     same download fetched over TLS is not visible to these rules unless the
#     traffic is decrypted before it reaches the sensor.
#   * `http.uri; content:"<path>"; depth:<len(path)>; endswith; nocase`: depth
#     equals the content length and endswith anchors the tail, so the whole URI
#     buffer must equal the path (case-insensitively). A request that appends a
#     query string or alters the path does not match.
#   * `http.host; content:"<host>"; depth:<len(host)>; isdataat:!1,relative`:
#     exact match on one Host value; sibling hosts are not covered.
#   * `reference:url` points at the URLhaus entry for the indicator; consult it
#     when triaging an alert. Every rule here is `rev:1` and carries only
#     `metadata:created_at`, so retiring stale indicators depends on refreshing
#     the feed rather than on anything in the rule itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.53.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825651/; classtype:trojan-activity;sid:84688751; rev:1;)
# Campaign cluster: every rule that follows with an *.in.net host carries the
# same 82-byte URI (/05fe317c-.../ck-....google); only the subdomain label and
# the parent domain rotate (to8varin, sylom7er, ra3xelin, 6zoranel, 7zorelin,
# qi4morxel, bovlare7x, wi3msorel under in.net). Because each rule pins one
# exact host, a newly rotated subdomain is not covered until the feed lists it;
# the shared URI is the more stable pivot when hunting in HTTP/proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-service1.to8varin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825650/; classtype:trojan-activity;sid:84688750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"desk-folder6.sylom7er.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825649/; classtype:trojan-activity;sid:84688749; rev:1;)
# Bare-IP hosts: the `/i` and `/bin.sh` rules pin a literal IPv4 Host value, and
# several addresses appear under both paths (e.g. 125.161.141.23, 31.148.232.87,
# 42.226.67.180). When triaging, correlate hits per destination address rather
# than per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.161.141.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825648/; classtype:trojan-activity;sid:84688748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.25.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825647/; classtype:trojan-activity;sid:84688747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.72.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825646/; classtype:trojan-activity;sid:84688746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glue-stick5.sylom7er.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825645/; classtype:trojan-activity;sid:84688745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.75.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825644/; classtype:trojan-activity;sid:84688744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.97.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825643/; classtype:trojan-activity;sid:84688743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-board4.sylom7er.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825642/; classtype:trojan-activity;sid:84688742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.228.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825641/; classtype:trojan-activity;sid:84688741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-marker3.sylom7er.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825640/; classtype:trojan-activity;sid:84688740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.210.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825639/; classtype:trojan-activity;sid:84688739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pencil-case2.sylom7er.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825638/; classtype:trojan-activity;sid:84688738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.161.141.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825637/; classtype:trojan-activity;sid:84688737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825636/; classtype:trojan-activity;sid:84688736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"office-paper1.sylom7er.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825635/; classtype:trojan-activity;sid:84688735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.225.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825634/; classtype:trojan-activity;sid:84688734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.148.232.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825633/; classtype:trojan-activity;sid:84688733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.146.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825632/; classtype:trojan-activity;sid:84688732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"local-event6.ra3xelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825631/; classtype:trojan-activity;sid:84688731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825630/; classtype:trojan-activity;sid:84688730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825629/; classtype:trojan-activity;sid:84688729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trip-advisor5.ra3xelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825628/; classtype:trojan-activity;sid:84688728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beach-resort4.ra3xelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825627/; classtype:trojan-activity;sid:84688727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-map3.ra3xelin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825626/; classtype:trojan-activity;sid:84688726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.90.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825625/; classtype:trojan-activity;sid:84688725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.148.232.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825624/; classtype:trojan-activity;sid:84688724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hotel-check2.ra3xelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825623/; classtype:trojan-activity;sid:84688723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-guide1.ra3xelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825622/; classtype:trojan-activity;sid:84688722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.67.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825621/; classtype:trojan-activity;sid:84688721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825620/; classtype:trojan-activity;sid:84688720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grade-point6.6zoranel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825619/; classtype:trojan-activity;sid:84688719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.158.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825618/; classtype:trojan-activity;sid:84688718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825617/; classtype:trojan-activity;sid:84688717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.109.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825616/; classtype:trojan-activity;sid:84688716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-reader5.6zoranel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825615/; classtype:trojan-activity;sid:84688715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"class-report4.6zoranel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825614/; classtype:trojan-activity;sid:84688714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"final-lesson3.6zoranel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825613/; classtype:trojan-activity;sid:84688713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825612/; classtype:trojan-activity;sid:84688712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.138.221.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825611/; classtype:trojan-activity;sid:84688711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-student2.6zoranel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825610/; classtype:trojan-activity;sid:84688710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.180.13.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825609/; classtype:trojan-activity;sid:84688709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"online-study1.6zoranel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825608/; classtype:trojan-activity;sid:84688708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"10987.7zorelin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825607/; classtype:trojan-activity;sid:84688707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.206.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825606/; classtype:trojan-activity;sid:84688706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tallithar8.7zorelin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825605/; classtype:trojan-activity;sid:84688705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.29.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825604/; classtype:trojan-activity;sid:84688704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.130.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825603/; classtype:trojan-activity;sid:84688703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ed171vt.7zorelin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825602/; classtype:trojan-activity;sid:84688702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.138.221.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825601/; classtype:trojan-activity;sid:84688701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ion-cas.7zorelin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825600/; classtype:trojan-activity;sid:84688700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.137.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825599/; classtype:trojan-activity;sid:84688699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825598/; classtype:trojan-activity;sid:84688698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"profitlat.7zorelin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825597/; classtype:trojan-activity;sid:84688697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.221.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825596/; classtype:trojan-activity;sid:84688696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.172.186.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825595/; classtype:trojan-activity;sid:84688695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"echo-slow.7zorelin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825594/; classtype:trojan-activity;sid:84688694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.15.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825593/; classtype:trojan-activity;sid:84688693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkdraa3.qi4morxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825592/; classtype:trojan-activity;sid:84688692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.130.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825591/; classtype:trojan-activity;sid:84688691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arktide7en.qi4morxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825590/; classtype:trojan-activity;sid:84688690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.36.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825589/; classtype:trojan-activity;sid:84688689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.88.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825588/; classtype:trojan-activity;sid:84688688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-h1dde.qi4morxel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825587/; classtype:trojan-activity;sid:84688687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825586/; classtype:trojan-activity;sid:84688686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.224.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825585/; classtype:trojan-activity;sid:84688685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"load-array.qi4morxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825584/; classtype:trojan-activity;sid:84688684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"adapterharvest.qi4morxel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825583/; classtype:trojan-activity;sid:84688683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825582/; classtype:trojan-activity;sid:84688682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825581/; classtype:trojan-activity;sid:84688681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thxzt16c.qi4morxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825580/; classtype:trojan-activity;sid:84688680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stock-cir.bovlare7x.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825579/; classtype:trojan-activity;sid:84688679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.253.178"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825578/; classtype:trojan-activity;sid:84688678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825577/; classtype:trojan-activity;sid:84688677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yabplkm.bovlare7x.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825576/; classtype:trojan-activity;sid:84688676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.85.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825575/; classtype:trojan-activity;sid:84688675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"az60udk.bovlare7x.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825574/; classtype:trojan-activity;sid:84688674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.241.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825573/; classtype:trojan-activity;sid:84688673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.162.223.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825572/; classtype:trojan-activity;sid:84688672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825571/; classtype:trojan-activity;sid:84688671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825570/; classtype:trojan-activity;sid:84688670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.15.56.127"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825569/; classtype:trojan-activity;sid:84688669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"i2wigref.bovlare7x.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825568/; classtype:trojan-activity;sid:84688668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.251.118.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825567/; classtype:trojan-activity;sid:84688667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cnjcb.bovlare7x.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825566/; classtype:trojan-activity;sid:84688666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.171.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825565/; classtype:trojan-activity;sid:84688665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825564/; classtype:trojan-activity;sid:84688664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deli-soli.bovlare7x.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825563/; classtype:trojan-activity;sid:84688663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lveu.wi3msorel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825562/; classtype:trojan-activity;sid:84688662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825561/; classtype:trojan-activity;sid:84688661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825560/; classtype:trojan-activity;sid:84688660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825558/; classtype:trojan-activity;sid:84688658; rev:1;)
# The rule ending above (URLhaus 3825558, sid 84688658) is listed before 3825559 /
# sid 84688659, so the feed is not strictly ordered by SID. In every rule shown here the
# sid equals the URLhaus entry id plus 80863100, which lets an alert's sid be mapped
# back to its urlhaus.abuse.ch/url/<id>/ reference without parsing the msg text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"modernsilver.wi3msorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825559/; classtype:trojan-activity;sid:84688659; rev:1;)
# "/bin.sh" rules. Hosts in this group are also listed with the "/i" path elsewhere in
# this part of the file (36.88.136.194 in 3825560, 112.251.118.49 in 3825567,
# 216.249.4.20 in 3825570): one host, two listed URLs, two separate SIDs. Alerts for both
# paths from the same internal client to the same host are worth correlating in triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.0.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825557/; classtype:trojan-activity;sid:84688657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.251.118.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825556/; classtype:trojan-activity;sid:84688656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825555/; classtype:trojan-activity;sid:84688655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3825554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dkkvkpl.wi3msorel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825554/; classtype:trojan-activity;sid:84688654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.162.223.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825553/; classtype:trojan-activity;sid:84688653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.64.242.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825552/; classtype:trojan-activity;sid:84688652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.35.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825551/; classtype:trojan-activity;sid:84688651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"pix32-logic.wi3msorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825550/; classtype:trojan-activity;sid:84688650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825549/; classtype:trojan-activity;sid:84688649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825548/; classtype:trojan-activity;sid:84688648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.14.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825547/; classtype:trojan-activity;sid:84688647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vialnoti.wi3msorel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825546/; classtype:trojan-activity;sid:84688646; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.35.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825545/; classtype:trojan-activity;sid:84688645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.172.22.97"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825544/; classtype:trojan-activity;sid:84688644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825543/; classtype:trojan-activity;sid:84688643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-spireos.wi3msorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825542/; classtype:trojan-activity;sid:84688642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"ipghcn.po6vtaren.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825541/; classtype:trojan-activity;sid:84688641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2mbdmbjd.po6vtaren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825540/; classtype:trojan-activity;sid:84688640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.35.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825539/; classtype:trojan-activity;sid:84688639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mediacata.po6vtaren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825538/; classtype:trojan-activity;sid:84688638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.251.230.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, 
urlhaus.abuse.ch/url/3825537/; classtype:trojan-activity;sid:84688637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"portvelv.po6vtaren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825536/; classtype:trojan-activity;sid:84688636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deployreed.po6vtaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825535/; classtype:trojan-activity;sid:84688635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.192.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825534/; classtype:trojan-activity;sid:84688634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynfluxar3.po6vtaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825533/; classtype:trojan-activity;sid:84688633; 
rev:1;)
# metadata:created_at changes here from 2026_04_19 (the rule ending above) to
# 2026_04_18; within the visible range the entries run newest first. created_at is
# metadata only and takes no part in matching. It can be used, together with the
# URLhaus reference, to age out indicators that are no longer current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oputo.kym2lirex.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825532/; classtype:trojan-activity;sid:84688632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.193.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825531/; classtype:trojan-activity;sid:84688631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pineroute.kym2lirex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825530/; classtype:trojan-activity;sid:84688630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.251.230.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825529/; classtype:trojan-activity;sid:84688629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825528)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sapvial.kym2lirex.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825528/; classtype:trojan-activity;sid:84688628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.244.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825527/; classtype:trojan-activity;sid:84688627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"packbind.kym2lirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825526/; classtype:trojan-activity;sid:84688626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"latti6-mesh.kym2lirex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825525/; classtype:trojan-activity;sid:84688625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825524)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"revifern.kym2lirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825524/; classtype:trojan-activity;sid:84688624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.181.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825523/; classtype:trojan-activity;sid:84688623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825522/; classtype:trojan-activity;sid:84688622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"forrna9-watch.to9varem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825521/; classtype:trojan-activity;sid:84688621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3825520/; classtype:trojan-activity;sid:84688620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.192.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825519/; classtype:trojan-activity;sid:84688619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"s0rt3-frame.to9varem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825518/; classtype:trojan-activity;sid:84688618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.23.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825517/; classtype:trojan-activity;sid:84688617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arklithix.to9varem.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825516/; classtype:trojan-activity;sid:84688616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.162.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825515/; classtype:trojan-activity;sid:84688615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geyserlab.to9varem.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825514/; classtype:trojan-activity;sid:84688614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825513/; classtype:trojan-activity;sid:84688613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"windsystem.to9varem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825512/; classtype:trojan-activity;sid:84688612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"125.43.244.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825511/; classtype:trojan-activity;sid:84688611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.47.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825510/; classtype:trojan-activity;sid:84688610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.41.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825509/; classtype:trojan-activity;sid:84688609; rev:1;)
# The only rule in this part of the file with this path. The ".x86_64" suffix looks like
# an architecture tag (assumption - confirm on the URLhaus entry). Because the URI match
# is exact (depth:23 plus endswith), a file with a different name or suffix on the same
# host alerts only if it has its own rule; check URLhaus for further entries on this
# host when this SID fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825508/; classtype:trojan-activity;sid:84688608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"threa-moon.to9varem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825507/; classtype:trojan-activity;sid:84688607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3825506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.23.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825506/; classtype:trojan-activity;sid:84688606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f335e.sylo7den.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825505/; classtype:trojan-activity;sid:84688605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.234.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825503/; classtype:trojan-activity;sid:84688603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.234.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825504/; classtype:trojan-activity;sid:84688604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"nzhfxgcc.sylo7den.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825502/; classtype:trojan-activity;sid:84688602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"azcqv.sylo7den.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825501/; classtype:trojan-activity;sid:84688601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.180.56.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825500/; classtype:trojan-activity;sid:84688600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.171.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825499/; classtype:trojan-activity;sid:84688599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu3ue-leaf.sylo7den.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825498/; 
classtype:trojan-activity;sid:84688598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825497/; classtype:trojan-activity;sid:84688597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.162.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825496/; classtype:trojan-activity;sid:84688596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.236.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825495/; classtype:trojan-activity;sid:84688595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.83.2.247"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825494/; classtype:trojan-activity;sid:84688594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"n662mc07.sylo7den.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825493/; classtype:trojan-activity;sid:84688593; rev:1;)
# An alert from these rules records that an internal client sent the request
# (flow:established,from_client); nothing in the rule inspects the response.
# Check the HTTP response and file logs for the same flow before concluding
# that a payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.166.41.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825492/; classtype:trojan-activity;sid:84688592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.80.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825491/; classtype:trojan-activity;sid:84688591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5503.sylo7den.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825490/; classtype:trojan-activity;sid:84688590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.66.181"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825489/; classtype:trojan-activity;sid:84688589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3825488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.71.31.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825488/; classtype:trojan-activity;sid:84688588; rev:1;)
# The two *.raxmi8vel.in.net rules below pin one exact subdomain each while
# reusing the same 82-byte URI path that other rules in this part of the file
# pair with different hosts. When triaging a hit, searching HTTP logs for that
# path regardless of host is a reasonable way to find sibling hosts the feed
# has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p4rce9-loop.raxmi8vel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825487/; classtype:trojan-activity;sid:84688587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auditcove.raxmi8vel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825486/; classtype:trojan-activity;sid:84688586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825485/; classtype:trojan-activity;sid:84688585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"27.11.248.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825483/; classtype:trojan-activity;sid:84688583; rev:1;)
# sid values here equal the URLhaus id in msg/reference plus 80863100
# (3825484 -> 84688584); keep locally written rules out of that range to avoid
# sid collisions. 180.180.56.203 is listed below for /bin.sh and also for /i
# under sid 84688600, so both alerts point at the same remote host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.180.56.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825484/; classtype:trojan-activity;sid:84688584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"217.168.128.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825482/; classtype:trojan-activity;sid:84688582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.157.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825481/; classtype:trojan-activity;sid:84688581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fcjcbzp.raxmi8vel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825480/; classtype:trojan-activity;sid:84688580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3825479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vbaw.raxmi8vel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825479/; classtype:trojan-activity;sid:84688579; rev:1;)
# 110.39.255.129 (/bin.sh, sid 84688577) is the same host as the /i rule with
# sid 84688585, and 61.53.193.170 (/i, sid 84688576) recurs with /bin.sh under
# sid 84688555. Group alerts by destination host during triage rather than
# handling each sid as a separate incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5un-lab.raxmi8vel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825478/; classtype:trojan-activity;sid:84688578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825477/; classtype:trojan-activity;sid:84688577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.193.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825476/; classtype:trojan-activity;sid:84688576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"39.79.108.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825475/; classtype:trojan-activity;sid:84688575; rev:1;)
# No threshold or detection_filter is set on these rules, so every matching
# request raises its own alert; a client that retries a download in a loop can
# flood the queue. Rate limiting belongs in threshold.config, keyed by source,
# not in edits to this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.66.181"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825474/; classtype:trojan-activity;sid:84688574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"k28gzwh.raxmi8vel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825473/; classtype:trojan-activity;sid:84688573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.157.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825472/; classtype:trojan-activity;sid:84688572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825471/; classtype:trojan-activity;sid:84688571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3825470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freightframe.5zoramel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825470/; classtype:trojan-activity;sid:84688570; rev:1;)
# metadata:created_at (2026_04_18 on every rule here) is a creation date,
# presumably of the feed entry; it does not say whether the URL is still
# live. Use the reference URL on each rule to check the entry's current state
# before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.4.65.159"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825469/; classtype:trojan-activity;sid:84688569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.147.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825468/; classtype:trojan-activity;sid:84688568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ledgerinn.5zoramel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825467/; classtype:trojan-activity;sid:84688567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"115.49.211.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825466/; classtype:trojan-activity;sid:84688566; rev:1;)
# classtype:trojan-activity sets the alert priority through the sensor's
# classification.config, not through anything in the rule body. If these
# host-specific matches should rank differently from other trojan-activity
# alerts, adjust that locally rather than in this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.9.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825465/; classtype:trojan-activity;sid:84688565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.108.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825464/; classtype:trojan-activity;sid:84688564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.77.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825463/; classtype:trojan-activity;sid:84688563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825462/; classtype:trojan-activity;sid:84688562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825461)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynnex4on.5zoramel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825461/; classtype:trojan-activity;sid:84688561; rev:1;)
# 112.238.101.44 appears twice in a row below, once for /i (sid 84688560) and
# once for /bin.sh (sid 84688559): one remote host, two exact paths. The rules
# are independent, so a client that requests both raises two alerts that
# belong to the same investigation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.238.101.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825460/; classtype:trojan-activity;sid:84688560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.238.101.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825459/; classtype:trojan-activity;sid:84688559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.231.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825458/; classtype:trojan-activity;sid:84688558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"temp-enc.5zoramel.in.net"; depth:24; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825457/; classtype:trojan-activity;sid:84688557; rev:1;)
# Coverage is limited to GET: the http.method buffer must contain "GET", so a
# request to the same host and path with another method raises no alert from
# these rules. HTTP transaction logs are the place to look for such requests
# when following up on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.136.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825456/; classtype:trojan-activity;sid:84688556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.193.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825455/; classtype:trojan-activity;sid:84688555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.4.65.159"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825454/; classtype:trojan-activity;sid:84688554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ggsf.5zoramel.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825453/; classtype:trojan-activity;sid:84688553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825452)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.30.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825452/; classtype:trojan-activity;sid:84688551; rev:1;)
# Host matching is done on the http.host buffer (the request's host name),
# not on the destination address of the flow. For the bare-IPv4 entries, pair
# these alerts with flow or IP-reputation data if address-level coverage of
# the same servers is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.227.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825451/; classtype:trojan-activity;sid:84688551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ubyzw.5zoramel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825450/; classtype:trojan-activity;sid:84688550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825449/; classtype:trojan-activity;sid:84688549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"castsynt.qi8morlen.in.net"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825448/; classtype:trojan-activity;sid:84688548; rev:1;)
# The four complete rules below all pair the exact path /bin.sh with an IPv4
# literal as Host; 182.120.136.207 is also listed for /i under sid 84688556.
# Early in triage, establish what kind of device the alerting source address
# is, since that decides the containment step.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.135.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825447/; classtype:trojan-activity;sid:84688547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.228.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825446/; classtype:trojan-activity;sid:84688546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.136.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825445/; classtype:trojan-activity;sid:84688545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825444/; classtype:trojan-activity;sid:84688544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825443)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rnerge-field.qi8morlen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825443/; classtype:trojan-activity;sid:84688543; rev:1;)
# Several different subdomains of qi8morlen.in.net are listed in this part of
# the file, each as its own exact-host rule; only the parent domain and the
# URI path are common. A subdomain that is not listed is not matched, so DNS
# query logs for the parent domain are a useful complement when hunting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.151.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825442/; classtype:trojan-activity;sid:84688542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sand-visua.qi8morlen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825441/; classtype:trojan-activity;sid:84688541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorvenar4.qi8morlen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825440/; classtype:trojan-activity;sid:84688540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"39.81.89.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825439/; classtype:trojan-activity;sid:84688539; rev:1;)
# In each rule nocase follows the http.uri content and precedes http.host, so
# it modifies the URI match only. The host content is written in lower case,
# which is what the normalized http.host buffer holds; a hand-edited host
# value containing upper-case letters would never match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.250.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825438/; classtype:trojan-activity;sid:84688538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825437/; classtype:trojan-activity;sid:84688537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.157.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825436/; classtype:trojan-activity;sid:84688536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"voltdesign.qi8morlen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825435/; classtype:trojan-activity;sid:84688535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3825434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tritideex2.qi8morlen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825434/; classtype:trojan-activity;sid:84688534; rev:1;)
# Entries are not strictly ordered by id (3825430 precedes 3825431 here).
# Each rule is self-contained, with no flowbits or other cross-rule state, so
# the order in this file does not change what any rule matches. Look rules up
# by sid rather than by position.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.55.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825433/; classtype:trojan-activity;sid:84688533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorforge3et.bovlare6n.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825432/; classtype:trojan-activity;sid:84688532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.252.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825430/; classtype:trojan-activity;sid:84688530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.234.146.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825431/; classtype:trojan-activity;sid:84688531; rev:1;)
# Every depth value equals the byte length of the content before it (82 for
# the long path, 26 for frame-inn.bovlare6n.in.net, 2 for /i). That equality
# is what turns depth + endswith, or depth + isdataat:!1,relative, into an
# exact-match test; if a content string is ever hand-edited, its depth has to
# change with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"frame-inn.bovlare6n.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825429/; classtype:trojan-activity;sid:84688529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.200.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825428/; classtype:trojan-activity;sid:84688528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825427/; classtype:trojan-activity;sid:84688527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cleanprice.bovlare6n.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825426/; 
classtype:trojan-activity;sid:84688526; rev:1;)
# The msg text is identical on every rule apart from the URLhaus id in
# parentheses, so dashboards that group by msg prefix collapse all of these
# into one bucket. Keep the sid, or the id from msg/reference, in the alert
# view so that individual hosts stay distinguishable.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.184.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825425/; classtype:trojan-activity;sid:84688525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1jec49.bovlare6n.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825424/; classtype:trojan-activity;sid:84688524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.252.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825423/; classtype:trojan-activity;sid:84688523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-5cree.bovlare6n.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825422/; classtype:trojan-activity;sid:84688522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825420)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.108.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825420/; classtype:trojan-activity;sid:84688520; rev:1;)
# These rules detect only requests seen after they are loaded. To cover the
# period before that, search stored HTTP or proxy logs for the same Host
# values; 182.127.55.173 and 110.36.19.51 below are also listed for /i under
# sids 84688533 and 84688527.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.55.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825421/; classtype:trojan-activity;sid:84688521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lpxkdb6.bovlare6n.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825419/; classtype:trojan-activity;sid:84688519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825418/; classtype:trojan-activity;sid:84688518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.222.59.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3825417/; classtype:trojan-activity;sid:84688517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sermesh7ex.de1xpamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825416/; classtype:trojan-activity;sid:84688516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.168.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825414/; classtype:trojan-activity;sid:84688514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.158.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825415/; classtype:trojan-activity;sid:84688515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.243.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825413/; classtype:trojan-activity;sid:84688513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825412)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.108.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825412/; classtype:trojan-activity;sid:84688512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"balanmeadow.de1xpamil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825411/; classtype:trojan-activity;sid:84688511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.200.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825410/; classtype:trojan-activity;sid:84688510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"edimor.de1xpamil.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825409/; classtype:trojan-activity;sid:84688509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.249.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; 
reference:url, urlhaus.abuse.ch/url/3825408/; classtype:trojan-activity;sid:84688508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.49.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825407/; classtype:trojan-activity;sid:84688507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dl9p.de1xpamil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825406/; classtype:trojan-activity;sid:84688506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.168.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825405/; classtype:trojan-activity;sid:84688505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zjpd.de1xpamil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825404/; classtype:trojan-activity;sid:84688504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.215.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825403/; classtype:trojan-activity;sid:84688503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scannergarden.de1xpamil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825402/; classtype:trojan-activity;sid:84688502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0urie-dock.wi4msaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825401/; classtype:trojan-activity;sid:84688501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.52.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825399/; classtype:trojan-activity;sid:84688499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.55.215.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825400/; classtype:trojan-activity;sid:84688500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.171.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825398/; classtype:trojan-activity;sid:84688498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"merdra7ix.wi4msaren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825397/; classtype:trojan-activity;sid:84688497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825396/; classtype:trojan-activity;sid:84688496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorfluxor5.wi4msaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825395/; 
classtype:trojan-activity;sid:84688495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ts70.wi4msaren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825394/; classtype:trojan-activity;sid:84688494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.171.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825393/; classtype:trojan-activity;sid:84688493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"socialplai.wi4msaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825392/; classtype:trojan-activity;sid:84688492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.133.46.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825391/; classtype:trojan-activity;sid:84688491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825390)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.67.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825390/; classtype:trojan-activity;sid:84688490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.63.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825389/; classtype:trojan-activity;sid:84688489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0rt3x-spool.wi4msaren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825388/; classtype:trojan-activity;sid:84688488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.63.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825387/; classtype:trojan-activity;sid:84688487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"7skoub.po9vtirel.in.net"; depth:23; 
isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825386/; classtype:trojan-activity;sid:84688486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.255.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825385/; classtype:trojan-activity;sid:84688485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glacierfocu.po9vtirel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825384/; classtype:trojan-activity;sid:84688484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.143.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825383/; classtype:trojan-activity;sid:84688483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"isy00.po9vtirel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825382/; classtype:trojan-activity;sid:84688482; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.64.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825381/; classtype:trojan-activity;sid:84688481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.88.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825380/; classtype:trojan-activity;sid:84688480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"53xs2msk.po9vtirel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825379/; classtype:trojan-activity;sid:84688479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.60.179.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825378/; classtype:trojan-activity;sid:84688478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"wcq78s.po9vtirel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825377/; classtype:trojan-activity;sid:84688477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.234.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825375/; classtype:trojan-activity;sid:84688475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.154.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825376/; classtype:trojan-activity;sid:84688476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.88.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825374/; classtype:trojan-activity;sid:84688474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"triggerclean.po9vtirel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825373/; classtype:trojan-activity;sid:84688473; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.154.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825372/; classtype:trojan-activity;sid:84688472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelforgeon.ky2mloren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825371/; classtype:trojan-activity;sid:84688471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.60.179.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825370/; classtype:trojan-activity;sid:84688470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sollithum1.ky2mloren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825369/; classtype:trojan-activity;sid:84688469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825368)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825368/; classtype:trojan-activity;sid:84688468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.205.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825367/; classtype:trojan-activity;sid:84688467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spri5-grid.ky2mloren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825366/; classtype:trojan-activity;sid:84688466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.52.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825365/; classtype:trojan-activity;sid:84688465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"runtimeport.ky2mloren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3825364/; classtype:trojan-activity;sid:84688464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.82.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825363/; classtype:trojan-activity;sid:84688463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.171.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825362/; classtype:trojan-activity;sid:84688462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"r0ut-line.ky2mloren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825361/; classtype:trojan-activity;sid:84688461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sfcbq.ky2mloren.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825360/; classtype:trojan-activity;sid:84688460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3825359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825359/; classtype:trojan-activity;sid:84688459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ibjxfl.to7vamil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825358/; classtype:trojan-activity;sid:84688458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"plan-couri.to7vamil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825357/; classtype:trojan-activity;sid:84688457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.18.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825356/; classtype:trojan-activity;sid:84688456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825355)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"l0c4l-phase.to7vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825355/; classtype:trojan-activity;sid:84688455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.110.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825354/; classtype:trojan-activity;sid:84688454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.146.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825353/; classtype:trojan-activity;sid:84688453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crims0n-path.to7vamil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825352/; classtype:trojan-activity;sid:84688452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_18; reference:url, urlhaus.abuse.ch/url/3825350/; classtype:trojan-activity;sid:84688450; rev:1;)
# --- Reading the rules in this part of the file -----------------------------
# Every rule here has the same shape: an established client-to-server HTTP
# flow from $HOME_NET to $EXTERNAL_NET, a method containing "GET", and an
# exact URI + Host pair.
#   * URI:  depth equals the content length and endswith pins the match to the
#           end of http.uri, so the buffer must equal the listed path (nocase
#           makes that comparison case-insensitive).
#   * Host: depth plus isdataat:!1,relative means no data may follow the
#           match, so http.host must equal the listed address or name.
# Each rule therefore covers the one reported URL, not the host as a whole;
# when a rule fires, review proxy/DNS logs for other requests to that Host.
# "alert http" rules only see HTTP the sensor can parse in cleartext.
# The number in msg and in reference: is the URLhaus entry id; in the rules
# shown here sid is that id plus 80863100.
# -----------------------------------------------------------------------------
# 45.135.193.114: the /bins/ file names below differ only in an
# architecture-style token (microblaze, sh4, riscv32, mips, ...); /run.sh is
# listed for the same host further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825351/; classtype:trojan-activity;sid:84688451; rev:1;)
# The long "/05fe317c-.../ck-....google" path recurs under many *.in.net
# subdomains in this section, one rule per subdomain; searching logs for the
# path itself groups those hits together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c4rry-index.to7vamil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825349/; classtype:trojan-activity;sid:84688449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825348/; classtype:trojan-activity;sid:84688448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825346/; classtype:trojan-activity;sid:84688446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825347/; classtype:trojan-activity;sid:84688447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.216.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825337/; classtype:trojan-activity;sid:84688437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825338/; classtype:trojan-activity;sid:84688438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825339/; classtype:trojan-activity;sid:84688439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825340/; classtype:trojan-activity;sid:84688440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825341/; classtype:trojan-activity;sid:84688441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825342/; classtype:trojan-activity;sid:84688442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825343/; classtype:trojan-activity;sid:84688443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825344/; classtype:trojan-activity;sid:84688444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825345/; classtype:trojan-activity;sid:84688445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825336/; classtype:trojan-activity;sid:84688436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825335/; classtype:trojan-activity;sid:84688435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825330/; classtype:trojan-activity;sid:84688430; rev:1;)
# 176.65.148.173 is listed twice per path: once as the IP literal and once as
# a hostname that embeds the same address (...ptr.pfcloud.network).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825331/; classtype:trojan-activity;sid:84688431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825332/; classtype:trojan-activity;sid:84688432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825333/; classtype:trojan-activity;sid:84688433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825334/; classtype:trojan-activity;sid:84688434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.216.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825329/; classtype:trojan-activity;sid:84688429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.80.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825328/; classtype:trojan-activity;sid:84688428; rev:1;)
# 176.65.139.115: /fbi.<token> file names, one rule per token; /o.sh is listed
# for the same host further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825323/; classtype:trojan-activity;sid:84688423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.i686"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825324/; classtype:trojan-activity;sid:84688424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825325/; classtype:trojan-activity;sid:84688425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825326/; classtype:trojan-activity;sid:84688426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825327/; classtype:trojan-activity;sid:84688427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"atom0-bridge.to7vamil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825322/; classtype:trojan-activity;sid:84688422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825321/; classtype:trojan-activity;sid:84688421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825319/; classtype:trojan-activity;sid:84688419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825320/; classtype:trojan-activity;sid:84688420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm4"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825317/; classtype:trojan-activity;sid:84688417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825318/; classtype:trojan-activity;sid:84688418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arc"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825313/; classtype:trojan-activity;sid:84688413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.spc"; depth:8; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825314/; classtype:trojan-activity;sid:84688414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.ppc-440fp"; depth:14; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825315/; classtype:trojan-activity;sid:84688415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825316/; classtype:trojan-activity;sid:84688416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.i586"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825312/; classtype:trojan-activity;sid:84688412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.i486"; depth:9; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825311/; classtype:trojan-activity;sid:84688411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.169.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825309/; classtype:trojan-activity;sid:84688409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.6.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825310/; classtype:trojan-activity;sid:84688410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.9.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825308/; classtype:trojan-activity;sid:84688408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.253.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825307/; classtype:trojan-activity;sid:84688407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mer-draet.sylo3rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825306/; classtype:trojan-activity;sid:84688406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1e4r-span.sylo3rex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825305/; classtype:trojan-activity;sid:84688405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.157.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825304/; classtype:trojan-activity;sid:84688404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825303/; classtype:trojan-activity;sid:84688403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6a00327.sylo3rex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825302/; classtype:trojan-activity;sid:84688402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.253.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825301/; classtype:trojan-activity;sid:84688401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sx9v1.sylo3rex.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825300/; classtype:trojan-activity;sid:84688400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.161.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825299/; classtype:trojan-activity;sid:84688399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.6.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825297/; classtype:trojan-activity;sid:84688397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.169.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825298/; classtype:trojan-activity;sid:84688398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"watch-signal.sylo3rex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825296/; classtype:trojan-activity;sid:84688396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.221.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825295/; classtype:trojan-activity;sid:84688395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rwwolv22.sylo3rex.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825294/; classtype:trojan-activity;sid:84688394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.64.233.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825293/; classtype:trojan-activity;sid:84688393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stab7-sheet.ra5xovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825292/; classtype:trojan-activity;sid:84688392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.161.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825291/; classtype:trojan-activity;sid:84688391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"veldraex9.ra5xovel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825290/; classtype:trojan-activity;sid:84688390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.42.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825289/; classtype:trojan-activity;sid:84688389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3wteeo.ra5xovel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825288/; classtype:trojan-activity;sid:84688388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.89.164.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825287/; classtype:trojan-activity;sid:84688387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bluhz.ra5xovel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825286/; classtype:trojan-activity;sid:84688386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.149.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825285/; classtype:trojan-activity;sid:84688385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825284/; classtype:trojan-activity;sid:84688384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.91.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825283/; classtype:trojan-activity;sid:84688383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"broker-plate.ra5xovel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825282/; classtype:trojan-activity;sid:84688382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.71.31.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825281/; classtype:trojan-activity;sid:84688381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.91.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825280/; classtype:trojan-activity;sid:84688380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-via1.ra5xovel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825279/; classtype:trojan-activity;sid:84688379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.51.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825278/; classtype:trojan-activity;sid:84688378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.42.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825277/; classtype:trojan-activity;sid:84688377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.224.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825276/; classtype:trojan-activity;sid:84688376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2gxb0vyl.8zorelin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825275/; classtype:trojan-activity;sid:84688375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825274/; classtype:trojan-activity;sid:84688374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talcoreos.8zorelin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825273/; classtype:trojan-activity;sid:84688373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.67.103.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825272/; classtype:trojan-activity;sid:84688372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.129.211.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825271/; classtype:trojan-activity;sid:84688371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sri4.8zorelin.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825270/; classtype:trojan-activity;sid:84688370; rev:1;)
# NOTE(review): filebin.net looks like a shared file-hosting name rather than
# a dedicated host - confirm before acting on it. The exact-path match keeps
# this rule to the one reported object; do not promote the Host value itself
# to a block list on the strength of this entry alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowoyel91h576uav/cag54tgv8n"; depth:28; endswith; nocase; http.host; content:"filebin.net"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825269/; classtype:trojan-activity;sid:84688369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mipsle"; depth:11; endswith; nocase; http.host; content:"161.97.173.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825268/; classtype:trojan-activity;sid:84688368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"layoutcrawle.8zorelin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825267/; classtype:trojan-activity;sid:84688367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"52hb.8zorelin.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825266/; classtype:trojan-activity;sid:84688366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.97.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825265/; classtype:trojan-activity;sid:84688365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.195.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825264/; classtype:trojan-activity;sid:84688364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.67.103.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825263/; classtype:trojan-activity;sid:84688363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-the0.8zorelin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825262/; classtype:trojan-activity;sid:84688362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"asdf.qimor6xel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825261/; classtype:trojan-activity;sid:84688361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825260/; classtype:trojan-activity;sid:84688360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lowa.qimor6xel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825259/; classtype:trojan-activity;sid:84688359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.97.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825258/; classtype:trojan-activity;sid:84688358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"low-cost6.qimor6xel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825257/; classtype:trojan-activity;sid:84688357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"best-deal5.qimor6xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825256/; classtype:trojan-activity;sid:84688356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.4.155"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825255/; classtype:trojan-activity;sid:84688355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825253/; classtype:trojan-activity;sid:84688353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.0.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825254/; classtype:trojan-activity;sid:84688354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-stock4.qimor6xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825252/; classtype:trojan-activity;sid:84688352; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825251/; classtype:trojan-activity;sid:84688351; rev:1;)
# NOTE(review): the first and last lines of this span are pieces of rules that continue
# outside it; they are left as found.
# Each rule: HTTP GET, $HOME_NET -> $EXTERNAL_NET, with http.uri and http.host both matched
# exactly (depth = content length; end pinned by endswith / isdataat:!1,relative).
# Many hosts here are IP literals requested at /i or /bin.sh, and several appear twice with
# both paths (110.36.27.207, 58.54.52.122, 105.184.76.52 in this span). When triaging,
# group alerts by destination address across sids instead of handling each sid alone.
# The rule header is "$EXTERNAL_NET any", so the address is tested only through the Host
# value the client sent; flow or DNS telemetry for the same addresses is a useful second
# source when confirming a hit.
# In every rule shown, sid = URLhaus ID + 80863100, and reference:url carries the same ID,
# which gives a direct pivot from an alert to the feed entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.97.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825250/; classtype:trojan-activity;sid:84688350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gift-item3.qimor6xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825249/; classtype:trojan-activity;sid:84688349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sale-price2.qimor6xel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825248/; classtype:trojan-activity;sid:84688348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.152.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825247/; classtype:trojan-activity;sid:84688347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.134.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825246/; classtype:trojan-activity;sid:84688346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.227.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825245/; classtype:trojan-activity;sid:84688345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shop-list1.qimor6xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825244/; classtype:trojan-activity;sid:84688344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825242/; classtype:trojan-activity;sid:84688342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.54.52.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825243/; classtype:trojan-activity;sid:84688343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.4.155"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825241/; classtype:trojan-activity;sid:84688341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825240/; classtype:trojan-activity;sid:84688340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825239/; classtype:trojan-activity;sid:84688339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-ham6.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825238/; classtype:trojan-activity;sid:84688338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.50.71.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825237/; classtype:trojan-activity;sid:84688337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-mint5.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825236/; classtype:trojan-activity;sid:84688336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-grill4.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825235/; classtype:trojan-activity;sid:84688335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825234/; classtype:trojan-activity;sid:84688334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.54.52.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825233/; classtype:trojan-activity;sid:84688333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-pie3.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825232/; classtype:trojan-activity;sid:84688332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.76.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825231/; classtype:trojan-activity;sid:84688331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.76.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825230/; classtype:trojan-activity;sid:84688330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.199.80";
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825229/; classtype:trojan-activity;sid:84688329; rev:1;)
# NOTE(review): the first and last lines of this span are pieces of rules that continue
# outside it; they are left as found.
# Each rule alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET where http.uri and
# http.host both equal the listed values exactly (depth = content length, with endswith
# on the URI and isdataat:!1,relative on the host closing the match).
# Every rule in this span carries metadata:created_at 2026_04_18, while the ruleset header
# is stamped 2026-04-27. Download URLs of this kind tend to be short-lived (general
# observation, not stated in the feed), so check the referenced URLhaus entry for current
# status before treating an old indicator as live, and expire entries per local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-food2.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825228/; classtype:trojan-activity;sid:84688328; rev:1;)
# URI "/" with depth:1 + endswith matches only a request for the site root of
# cnpaintequipment.com, i.e. any GET of that host's front page. If the site also serves
# ordinary content (not shown here), ordinary visits will alert too; read the referenced
# URLhaus entry and the response body or file metadata before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"cnpaintequipment.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825227/; classtype:trojan-activity;sid:84688327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-chef1.bov7larex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825226/; classtype:trojan-activity;sid:84688326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armistixconp.zip"; depth:17; endswith; nocase; http.host; content:"insureongo.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825225/; classtype:trojan-activity;sid:84688325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install"; depth:8; endswith; nocase; http.host; content:"xrplnode.dev"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825224/; classtype:trojan-activity;sid:84688324; rev:1;)
# The same 82-byte path is listed under several de8xporel.in.net subdomains below (and
# bov7larex.in.net / wi5msorel.in.net elsewhere in this span). A log search on the path
# alone, regardless of host, can surface sibling hosts the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-link6.de8xporel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825223/; classtype:trojan-activity;sid:84688323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-info5.de8xporel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825222/; classtype:trojan-activity;sid:84688322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.216.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825221/; classtype:trojan-activity;sid:84688321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.4.244"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825220/; classtype:trojan-activity;sid:84688320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-map4.de8xporel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825219/; classtype:trojan-activity;sid:84688319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.166.188.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825218/; classtype:trojan-activity;sid:84688318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"post-card3.de8xporel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825217/; classtype:trojan-activity;sid:84688317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.51.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825216/; classtype:trojan-activity;sid:84688316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.42.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825215/; classtype:trojan-activity;sid:84688315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"news-feed2.de8xporel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825214/; classtype:trojan-activity;sid:84688314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web-blog1.de8xporel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825213/; classtype:trojan-activity;sid:84688313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.199.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825212/; classtype:trojan-activity;sid:84688312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.216.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825211/; classtype:trojan-activity;sid:84688311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.36.118.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825210/; classtype:trojan-activity;sid:84688310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.36.118.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825209/; classtype:trojan-activity;sid:84688309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-level6.wi5msorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825208/; classtype:trojan-activity;sid:84688308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.59.177";
depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825207/; classtype:trojan-activity;sid:84688307; rev:1;)
# NOTE(review): the first and last lines of this span are pieces of rules that continue
# outside it; they are left as found.
# Each rule alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri and
# http.host both equal the listed values exactly: depth = content length pins the start,
# endswith (URI) and isdataat:!1,relative (host) pin the end. classtype is
# trojan-activity throughout, and msg / reference:url carry the URLhaus entry ID.
# These are single-URL indicators over plain HTTP. A hit is strong evidence that a host in
# $HOME_NET requested a reported URL; follow up on the requesting endpoint (process,
# downloaded file, later connections) rather than closing on the network alert alone.
# Repeats worth correlating in this span: 123.10.237.235 and 103.249.199.1 each appear
# with both /i and /bin.sh, and the 82-byte /05fe317c-.../ck-....google path recurs under
# wi5msorel.in.net and po9vtaren.in.net subdomains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.227.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825206/; classtype:trojan-activity;sid:84688306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-win5.wi5msorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825205/; classtype:trojan-activity;sid:84688305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.237.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825204/; classtype:trojan-activity;sid:84688304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.143.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825203/; classtype:trojan-activity;sid:84688303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.80.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825202/; classtype:trojan-activity;sid:84688302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-move4.wi5msorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825201/; classtype:trojan-activity;sid:84688301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825200/; classtype:trojan-activity;sid:84688300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.226.10.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825199/; classtype:trojan-activity;sid:84688299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.148.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825198/; classtype:trojan-activity;sid:84688298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-score3.wi5msorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825197/; classtype:trojan-activity;sid:84688297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.237.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825196/; classtype:trojan-activity;sid:84688296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825195/; classtype:trojan-activity;sid:84688295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.49.213.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825194/; classtype:trojan-activity;sid:84688294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825193/; classtype:trojan-activity;sid:84688293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-play2.wi5msorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825192/; classtype:trojan-activity;sid:84688292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"game-mode1.wi5msorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825191/; classtype:trojan-activity;sid:84688291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-lake6.po9vtaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825190/; classtype:trojan-activity;sid:84688290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-ice5.po9vtaren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825189/; classtype:trojan-activity;sid:84688289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.249.199.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825188/; classtype:trojan-activity;sid:84688288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825187/; classtype:trojan-activity;sid:84688287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-field4.po9vtaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825186/; classtype:trojan-activity;sid:84688286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.59.177"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url,
urlhaus.abuse.ch/url/3825185/; classtype:trojan-activity;sid:84688285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"high-hill3.po9vtaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825184/; classtype:trojan-activity;sid:84688284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.164.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825183/; classtype:trojan-activity;sid:84688283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825181/; classtype:trojan-activity;sid:84688281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.52.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825182/; classtype:trojan-activity;sid:84688282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825180)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.173.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825180/; classtype:trojan-activity;sid:84688280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-sea2.po9vtaren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825179/; classtype:trojan-activity;sid:84688279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wild-life1.po9vtaren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825178/; classtype:trojan-activity;sid:84688278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.50.71.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825177/; classtype:trojan-activity;sid:84688277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3825176/; classtype:trojan-activity;sid:84688276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-tech6.kymli2rex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825175/; classtype:trojan-activity;sid:84688275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.162.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825174/; classtype:trojan-activity;sid:84688274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825173/; classtype:trojan-activity;sid:84688273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-energy5.kymli2rex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825172/; classtype:trojan-activity;sid:84688272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3825171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825171/; classtype:trojan-activity;sid:84688271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eco-power4.kymli2rex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825170/; classtype:trojan-activity;sid:84688270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.sparc"; depth:11; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825164/; classtype:trojan-activity;sid:84688264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.mpsl"; depth:10; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825165/; classtype:trojan-activity;sid:84688265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.x86"; depth:9; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825166/; classtype:trojan-activity;sid:84688266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm5"; depth:10; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825167/; classtype:trojan-activity;sid:84688267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm6"; depth:10; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825168/; classtype:trojan-activity;sid:84688268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm4"; depth:10; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825169/; classtype:trojan-activity;sid:84688269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.10.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825163/; classtype:trojan-activity;sid:84688263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l_mips"; 
depth:7; endswith; nocase; http.host; content:"185.218.194.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825161/; classtype:trojan-activity;sid:84688261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l_arm"; depth:6; endswith; nocase; http.host; content:"185.218.194.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825162/; classtype:trojan-activity;sid:84688262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; depth:7; endswith; nocase; http.host; content:"36.92.154.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825146/; classtype:trojan-activity;sid:84688246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"36.92.154.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825147/; classtype:trojan-activity;sid:84688247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.i586"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825148/; classtype:trojan-activity;sid:84688248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3825149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825149/; classtype:trojan-activity;sid:84688249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm4"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825150/; classtype:trojan-activity;sid:84688250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.sparc"; depth:12; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825151/; classtype:trojan-activity;sid:84688251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm7"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825152/; classtype:trojan-activity;sid:84688252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.ppc"; depth:10; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825153/; classtype:trojan-activity;sid:84688253; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm5"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825154/; classtype:trojan-activity;sid:84688254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"194.110.247.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825155/; classtype:trojan-activity;sid:84688255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.i686"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825156/; classtype:trojan-activity;sid:84688256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.m68k"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825157/; classtype:trojan-activity;sid:84688257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm6"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825158/; classtype:trojan-activity;sid:84688258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"194.110.247.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825159/; classtype:trojan-activity;sid:84688259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"194.110.247.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825160/; classtype:trojan-activity;sid:84688260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.131.200.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825143/; classtype:trojan-activity;sid:84688243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"37.131.200.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825144/; classtype:trojan-activity;sid:84688244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; 
depth:7; endswith; nocase; http.host; content:"37.131.200.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825145/; classtype:trojan-activity;sid:84688245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haker.sh"; depth:9; endswith; nocase; http.host; content:"2.26.103.215"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825141/; classtype:trojan-activity;sid:84688241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.92.154.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825142/; classtype:trojan-activity;sid:84688242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.ppc"; depth:9; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825140/; classtype:trojan-activity;sid:84688240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.mips"; depth:10; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825139/; classtype:trojan-activity;sid:84688239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3825138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.47.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825138/; classtype:trojan-activity;sid:84688238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825130/; classtype:trojan-activity;sid:84688230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825131/; classtype:trojan-activity;sid:84688231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.ppc440fp"; depth:15; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825132/; classtype:trojan-activity;sid:84688232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.sh4"; depth:10; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825133/; classtype:trojan-activity;sid:84688233; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.mips"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825134/; classtype:trojan-activity;sid:84688234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.mpsl"; depth:11; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825135/; classtype:trojan-activity;sid:84688235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.x86"; depth:10; endswith; nocase; http.host; content:"89.190.156.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825136/; classtype:trojan-activity;sid:84688236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; depth:7; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825137/; classtype:trojan-activity;sid:84688237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"103.77.246.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; 
reference:url, urlhaus.abuse.ch/url/3825128/; classtype:trojan-activity;sid:84688228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5mszlflcu1n04xb4/cag54tgv8n"; depth:28; endswith; nocase; http.host; content:"filebin.net"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825129/; classtype:trojan-activity;sid:84688229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-heat3.kymli2rex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825127/; classtype:trojan-activity;sid:84688227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825126/; classtype:trojan-activity;sid:84688226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825125/; classtype:trojan-activity;sid:84688225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825124)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825124/; classtype:trojan-activity;sid:84688224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-farm2.kymli2rex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825123/; classtype:trojan-activity;sid:84688223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.219.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825122/; classtype:trojan-activity;sid:84688222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.25.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825121/; classtype:trojan-activity;sid:84688221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.89.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825120/; 
classtype:trojan-activity;sid:84688220; rev:1;)
# Layout: in this copy the rules were wrapped in mid-rule. Suricata reads a rule from a single
# line (or from lines joined with a trailing backslash), so the rules in this section are
# restored one per line. The line above and the last line of this section are the tail and the
# head of rules whose other half lies outside this section; they are left exactly as found.
#
# Rule shape, identical for every entry below: alert on an established, client-to-server HTTP
# request from $HOME_NET to $EXTERNAL_NET where
#   - http.method contains "GET";
#   - http.uri is exactly the listed path: depth equals the content length and endswith pins the
#     end of the buffer; nocase makes the path comparison case-insensitive;
#   - http.host is exactly the listed host: depth equals the content length and
#     isdataat:!1,relative requires that no byte follows the match.
#
# Triage: a hit shows that an internal client requested a URL listed by URLhaus; the rule
# inspects the request only (from_client), so it does not show that a payload was returned or
# executed. The number in msg is the URLhaus entry id and matches the reference URL.
#
# Coverage: these are exact host + path indicators. The long "/05fe317c-...google" path repeats
# unchanged under several *.to3varem.in.net, *.sy7loden.in.net and *.kymli2rex.in.net hosts in
# this section, each with its own rule; a host that is not listed is not matched by any of them.
# Every entry in this section carries created_at 2026_04_18.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.219.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825119/; classtype:trojan-activity;sid:84688219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solar-light1.kymli2rex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825118/; classtype:trojan-activity;sid:84688218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.26.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825117/; classtype:trojan-activity;sid:84688217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.10.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825116/; classtype:trojan-activity;sid:84688216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.51.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825115/; classtype:trojan-activity;sid:84688215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"live-feed6.to3varem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825114/; classtype:trojan-activity;sid:84688214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.197.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825113/; classtype:trojan-activity;sid:84688213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825112/; classtype:trojan-activity;sid:84688212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-link5.to3varem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825111/; classtype:trojan-activity;sid:84688211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825110/; classtype:trojan-activity;sid:84688210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825109/; classtype:trojan-activity;sid:84688209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.26.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825108/; classtype:trojan-activity;sid:84688208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-shot4.to3varem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825107/; classtype:trojan-activity;sid:84688207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"film-edit3.to3varem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825106/; classtype:trojan-activity;sid:84688206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.42.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825105/; classtype:trojan-activity;sid:84688205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825104/; classtype:trojan-activity;sid:84688204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sound-mix2.to3varem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825103/; classtype:trojan-activity;sid:84688203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.88.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825102/; classtype:trojan-activity;sid:84688202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"video-clip1.to3varem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825101/; classtype:trojan-activity;sid:84688201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.248.19.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825099/; classtype:trojan-activity;sid:84688199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.248.19.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825100/; classtype:trojan-activity;sid:84688200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"store-house6.sy7loden.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825098/; classtype:trojan-activity;sid:84688198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.147.82.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825097/; classtype:trojan-activity;sid:84688197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.243.140.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825096/; classtype:trojan-activity;sid:84688196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.243.140.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825095/; classtype:trojan-activity;sid:84688195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.242.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825094/; classtype:trojan-activity;sid:84688194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.242.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825093/; classtype:trojan-activity;sid:84688193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.197.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825085/; classtype:trojan-activity;sid:84688185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.221.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825086/; classtype:trojan-activity;sid:84688186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.167.2.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825087/; classtype:trojan-activity;sid:84688187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.39.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825088/; classtype:trojan-activity;sid:84688188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.195.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825089/; classtype:trojan-activity;sid:84688189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.85.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825090/; classtype:trojan-activity;sid:84688190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.39.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825091/; classtype:trojan-activity;sid:84688191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.253.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825092/; classtype:trojan-activity;sid:84688192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.35.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825072/; classtype:trojan-activity;sid:84688172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.6.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825073/; classtype:trojan-activity;sid:84688173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.159.74.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825074/; classtype:trojan-activity;sid:84688174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.168.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825075/; classtype:trojan-activity;sid:84688175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.10.45.103"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825076/; classtype:trojan-activity;sid:84688176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.50.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825077/; classtype:trojan-activity;sid:84688177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.59.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825078/; classtype:trojan-activity;sid:84688178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.196.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825079/; classtype:trojan-activity;sid:84688179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.215.17.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825080/; classtype:trojan-activity;sid:84688180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.226.238.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825081/; classtype:trojan-activity;sid:84688181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.226.238.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825082/; classtype:trojan-activity;sid:84688182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.38.79.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825083/; classtype:trojan-activity;sid:84688183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.44.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825084/; classtype:trojan-activity;sid:84688184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.204.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825070/; classtype:trojan-activity;sid:84688170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.184.149.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825071/; classtype:trojan-activity;sid:84688171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825069/; classtype:trojan-activity;sid:84688169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.86.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825068/; classtype:trojan-activity;sid:84688168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.198.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825059/; classtype:trojan-activity;sid:84688159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.59.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825060/; classtype:trojan-activity;sid:84688160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.235.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825061/; classtype:trojan-activity;sid:84688161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.141.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825062/; classtype:trojan-activity;sid:84688162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.12.40.94"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825063/; classtype:trojan-activity;sid:84688163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.176.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825064/; classtype:trojan-activity;sid:84688164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.17.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825065/; classtype:trojan-activity;sid:84688165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.184.149.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825066/; classtype:trojan-activity;sid:84688166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.74.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825067/; classtype:trojan-activity;sid:84688167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.147.82.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825050/; classtype:trojan-activity;sid:84688150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.196.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825051/; classtype:trojan-activity;sid:84688151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"93.157.253.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825052/; classtype:trojan-activity;sid:84688152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825053/; classtype:trojan-activity;sid:84688153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.250.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825054/; classtype:trojan-activity;sid:84688154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.167.107.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825055/; classtype:trojan-activity;sid:84688155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.43.21.116"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825056/; classtype:trojan-activity;sid:84688156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.253.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825057/; classtype:trojan-activity;sid:84688157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.94.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825058/; classtype:trojan-activity;sid:84688158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.238.27.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825048/; classtype:trojan-activity;sid:84688148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.21.70.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825049/; classtype:trojan-activity;sid:84688149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.212.104.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825047/; classtype:trojan-activity;sid:84688147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.81.103.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825046/; classtype:trojan-activity;sid:84688146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.81.103.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825045/; classtype:trojan-activity;sid:84688145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.190.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825037/; classtype:trojan-activity;sid:84688137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.94.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825038/; classtype:trojan-activity;sid:84688138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.166.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825039/; classtype:trojan-activity;sid:84688139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.234.90.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825040/; classtype:trojan-activity;sid:84688140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.227.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825041/; classtype:trojan-activity;sid:84688141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.90.174"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825042/; classtype:trojan-activity;sid:84688142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.6.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825043/; classtype:trojan-activity;sid:84688143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.43.21.116"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825044/; classtype:trojan-activity;sid:84688144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.242.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825031/; classtype:trojan-activity;sid:84688131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.247.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825032/; classtype:trojan-activity;sid:84688132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.221.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825033/; classtype:trojan-activity;sid:84688133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.221.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825034/; classtype:trojan-activity;sid:84688134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.190.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825035/; classtype:trojan-activity;sid:84688135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.201.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825036/; classtype:trojan-activity;sid:84688136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825029/; classtype:trojan-activity;sid:84688129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.238.27.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825030/; classtype:trojan-activity;sid:84688130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.189.41"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825028/; classtype:trojan-activity;sid:84688128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"box-pack5.sy7loden.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825027/; classtype:trojan-activity;sid:84688127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"air-flight4.sy7loden.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825026/; classtype:trojan-activity;sid:84688126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.160.191.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825025/; classtype:trojan-activity;sid:84688125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825024/; classtype:trojan-activity;sid:84688124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ship-port3.sy7loden.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825023/; classtype:trojan-activity;sid:84688123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825022/; classtype:trojan-activity;sid:84688122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825021)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-truck2.sy7loden.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825021/; classtype:trojan-activity;sid:84688121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.189.41"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825020/; classtype:trojan-activity;sid:84688120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-cargo1.sy7loden.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825019/; classtype:trojan-activity;sid:84688119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.218.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825018/; classtype:trojan-activity;sid:84688118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.25.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3825017/; classtype:trojan-activity;sid:84688117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-bench6.rax8mivel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825016/; classtype:trojan-activity;sid:84688116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.114.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825015/; classtype:trojan-activity;sid:84688115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.146.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825014/; classtype:trojan-activity;sid:84688114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.126.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825013/; classtype:trojan-activity;sid:84688113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825011)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.102.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825011/; classtype:trojan-activity;sid:84688111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.152.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825012/; classtype:trojan-activity;sid:84688112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wood-glue5.rax8mivel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825010/; classtype:trojan-activity;sid:84688110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.253.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825009/; classtype:trojan-activity;sid:84688109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"metal-bolt4.rax8mivel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; 
reference:url, urlhaus.abuse.ch/url/3825008/; classtype:trojan-activity;sid:84688108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.89.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825007/; classtype:trojan-activity;sid:84688107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825006/; classtype:trojan-activity;sid:84688106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sharp-saw3.rax8mivel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825005/; classtype:trojan-activity;sid:84688105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.146.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825004/; classtype:trojan-activity;sid:84688104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825003)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.218.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825003/; classtype:trojan-activity;sid:84688103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.25.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825002/; classtype:trojan-activity;sid:84688102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.114.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825001/; classtype:trojan-activity;sid:84688101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"power-drill2.rax8mivel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825000/; classtype:trojan-activity;sid:84688100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824999/; 
classtype:trojan-activity;sid:84688099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824991/; classtype:trojan-activity;sid:84688091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824992/; classtype:trojan-activity;sid:84688092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824993/; classtype:trojan-activity;sid:84688093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824994/; classtype:trojan-activity;sid:84688094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; 
content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824995/; classtype:trojan-activity;sid:84688095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824996/; classtype:trojan-activity;sid:84688096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824997/; classtype:trojan-activity;sid:84688097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824998/; classtype:trojan-activity;sid:84688098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824987/; classtype:trojan-activity;sid:84688087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824988)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.i686"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824988/; classtype:trojan-activity;sid:84688088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arc"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824989/; classtype:trojan-activity;sid:84688089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips64"; depth:17; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824990/; classtype:trojan-activity;sid:84688090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hand-tool1.rax8mivel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824986/; classtype:trojan-activity;sid:84688086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_18; reference:url, urlhaus.abuse.ch/url/3824985/; classtype:trojan-activity;sid:84688085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sparc"; depth:16; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824984/; classtype:trojan-activity;sid:84688084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824983/; classtype:trojan-activity;sid:84688083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.33.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824982/; classtype:trojan-activity;sid:84688082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.253.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824981/; classtype:trojan-activity;sid:84688081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"113.231.228.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824980/; classtype:trojan-activity;sid:84688080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"night-road6.4zomiren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824979/; classtype:trojan-activity;sid:84688079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-bridge5.4zomiren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824978/; classtype:trojan-activity;sid:84688078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.253.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824977/; classtype:trojan-activity;sid:84688077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3824976/; classtype:trojan-activity;sid:84688076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824969/; classtype:trojan-activity;sid:84688069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824970/; classtype:trojan-activity;sid:84688070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824971/; classtype:trojan-activity;sid:84688071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824972/; classtype:trojan-activity;sid:84688072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824973)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824973/; classtype:trojan-activity;sid:84688073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824974/; classtype:trojan-activity;sid:84688074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824975/; classtype:trojan-activity;sid:84688075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824968/; classtype:trojan-activity;sid:84688068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824965/; classtype:trojan-activity;sid:84688065; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824966/; classtype:trojan-activity;sid:84688066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824967/; classtype:trojan-activity;sid:84688067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824963/; classtype:trojan-activity;sid:84688063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"45.141.148.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824964/; classtype:trojan-activity;sid:84688064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.175.166"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824962/; classtype:trojan-activity;sid:84688062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"street-light4.4zomiren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824961/; classtype:trojan-activity;sid:84688061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-tower3.4zomiren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824960/; classtype:trojan-activity;sid:84688060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.227.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824959/; classtype:trojan-activity;sid:84688059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"metro-station2.4zomiren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_18; 
reference:url, urlhaus.abuse.ch/url/3824958/; classtype:trojan-activity;sid:84688058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.222.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824957/; classtype:trojan-activity;sid:84688057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"central-park1.4zomiren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824956/; classtype:trojan-activity;sid:84688056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ship-yard6.qi5mlixar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824955/; classtype:trojan-activity;sid:84688055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.4.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824954/; classtype:trojan-activity;sid:84688054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3824953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.157.18.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824953/; classtype:trojan-activity;sid:84688053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.222.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824952/; classtype:trojan-activity;sid:84688052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"boat-tour5.qi5mlixar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824951/; classtype:trojan-activity;sid:84688051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.233.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824950/; classtype:trojan-activity;sid:84688050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_18; reference:url, urlhaus.abuse.ch/url/3824949/; classtype:trojan-activity;sid:84688049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.227.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824948/; classtype:trojan-activity;sid:84688048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"island-trip4.qi5mlixar.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824947/; classtype:trojan-activity;sid:84688047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv6l"; depth:10; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824938/; classtype:trojan-activity;sid:84688038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv4l"; depth:10; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824939/; classtype:trojan-activity;sid:84688039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824940)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/ppc"; depth:7; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824940/; classtype:trojan-activity;sid:84688040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv5l"; depth:10; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824941/; classtype:trojan-activity;sid:84688041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv7l"; depth:10; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824942/; classtype:trojan-activity;sid:84688042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips64"; depth:10; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824943/; classtype:trojan-activity;sid:84688043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/m68k"; depth:8; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824944/; classtype:trojan-activity;sid:84688044; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/aarch64"; depth:11; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824945/; classtype:trojan-activity;sid:84688045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/sh4"; depth:7; endswith; nocase; http.host; content:"45.202.243.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824946/; classtype:trojan-activity;sid:84688046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.233.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824937/; classtype:trojan-activity;sid:84688037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.10.45.103"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824936/; classtype:trojan-activity;sid:84688036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"palm-tree3.qi5mlixar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824935/; classtype:trojan-activity;sid:84688035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"217.60.61.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824934/; classtype:trojan-activity;sid:84688034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"217.60.61.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824931/; classtype:trojan-activity;sid:84688031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"217.60.61.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824932/; classtype:trojan-activity;sid:84688032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sand-beach2.qi5mlixar.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824930/; classtype:trojan-activity;sid:84688030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3824929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diicot.sh"; depth:10; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824929/; classtype:trojan-activity;sid:84688029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-sea1.qi5mlixar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824928/; classtype:trojan-activity;sid:84688028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.99.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824927/; classtype:trojan-activity;sid:84688027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.93.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824926/; classtype:trojan-activity;sid:84688026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.173.241"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824925/; classtype:trojan-activity;sid:84688025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.203.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824924/; classtype:trojan-activity;sid:84688024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv7l"; depth:10; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824915/; classtype:trojan-activity;sid:84688015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/x86_64"; depth:10; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824916/; classtype:trojan-activity;sid:84688016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/ppc"; depth:7; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824917/; classtype:trojan-activity;sid:84688017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824918)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/n2/armv6l"; depth:10; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824918/; classtype:trojan-activity;sid:84688018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/aarch64"; depth:11; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824919/; classtype:trojan-activity;sid:84688019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv4l"; depth:10; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824920/; classtype:trojan-activity;sid:84688020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/sh4"; depth:7; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824921/; classtype:trojan-activity;sid:84688021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/m68k"; depth:8; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824922/; classtype:trojan-activity;sid:84688022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3824923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips64"; depth:10; endswith; nocase; http.host; content:"162.248.102.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824923/; classtype:trojan-activity;sid:84688023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-bun6.bovdalen7.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824914/; classtype:trojan-activity;sid:84688014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-soup5.bovdalen7.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824913/; classtype:trojan-activity;sid:84688013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dips"; depth:5; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824912/; classtype:trojan-activity;sid:84688012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"175.147.18.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824911/; classtype:trojan-activity;sid:84688011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.125.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824910/; classtype:trojan-activity;sid:84688010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-milk4.bovdalen7.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824909/; classtype:trojan-activity;sid:84688009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.66.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824906/; classtype:trojan-activity;sid:84688006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-cake3.bovdalen7.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824905/; 
classtype:trojan-activity;sid:84688005; rev:1;)
# The rules that follow interleave two hosts: 85.11.167.21 (/sex.sh, /dc, /mips)
# and 156.229.165.225 (/alyssaa<arch> payload names).
# Paths such as "/dc" and "/mips" are short and generic. These rules are specific
# only because the http.uri match and the http.host match must both hold for the
# same request; neither half is a usable indicator on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824896/; classtype:trojan-activity;sid:84687996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaaarm5"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824897/; classtype:trojan-activity;sid:84687997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaaarm6"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824898/; classtype:trojan-activity;sid:84687998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824899/; classtype:trojan-activity;sid:84687999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824900/; classtype:trojan-activity;sid:84688000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaappc"; depth:11; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824901/; classtype:trojan-activity;sid:84688001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaamips"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824902/; classtype:trojan-activity;sid:84688002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaai686"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824903/; classtype:trojan-activity;sid:84688003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaaarm7"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824904/; classtype:trojan-activity;sid:84688004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824892)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/alyssaampsl"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824892/; classtype:trojan-activity;sid:84687992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.82.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824893/; classtype:trojan-activity;sid:84687993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaam68k"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824894/; classtype:trojan-activity;sid:84687994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaai486"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824895/; classtype:trojan-activity;sid:84687995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaai586"; depth:12; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824890/; classtype:trojan-activity;sid:84687990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3824891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaaarm"; depth:11; endswith; nocase; http.host; content:"156.229.165.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824891/; classtype:trojan-activity;sid:84687991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824889/; classtype:trojan-activity;sid:84687989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824888/; classtype:trojan-activity;sid:84687988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824887/; classtype:trojan-activity;sid:84687987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824884/; classtype:trojan-activity;sid:84687984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824885/; classtype:trojan-activity;sid:84687985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824886/; classtype:trojan-activity;sid:84687986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"apple-pie2.bovdalen7.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824883/; classtype:trojan-activity;sid:84687983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824879/; classtype:trojan-activity;sid:84687979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3824880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824880/; classtype:trojan-activity;sid:84687980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824881/; classtype:trojan-activity;sid:84687981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824882/; classtype:trojan-activity;sid:84687982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824877/; classtype:trojan-activity;sid:84687977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.148.173.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824878/; classtype:trojan-activity;sid:84687978; rev:1;)
# Matching scope shared by the rules below:
#   - "alert http" with flow:established,from_client: only client requests that
#     Suricata parses as HTTP are evaluated, so the same URL fetched over TLS is
#     not covered.
#   - http.uri: depth equals the content length and endswith anchors the other
#     end, so the URI buffer must equal the string (case-insensitively, via
#     nocase). A variant URI needs its own indicator.
#   - http.host: depth equals the content length and isdataat:!1,relative
#     requires that nothing follows, so the Host value must match exactly.
# The next rule covers /x.sh with the bare IP 176.65.148.173 in Host. The same
# path is also listed for 176.65.148.173.ptr.pfcloud.network (sid 84687979).
# The per-architecture paths listed for that hostname (/arm, /mips, /x86, ...)
# have no bare-IP counterpart among the neighbouring rules. Unless one exists
# elsewhere in the feed, pair these with destination-IP matching if that
# coverage matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824876/; classtype:trojan-activity;sid:84687976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.128.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824875/; classtype:trojan-activity;sid:84687975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.93.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824874/; classtype:trojan-activity;sid:84687974; rev:1;)
# Same 82-byte URI as the other *.in.net entries in this part of the feed; only
# the Host value differs from rule to rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fruit-box1.bovdalen7.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824873/; classtype:trojan-activity;sid:84687973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824872)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.118.209.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824872/; classtype:trojan-activity;sid:84687972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cloud-node6.dexpor1el.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824871/; classtype:trojan-activity;sid:84687971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824870/; classtype:trojan-activity;sid:84687970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824869/; classtype:trojan-activity;sid:84687969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.154.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, 
urlhaus.abuse.ch/url/3824868/; classtype:trojan-activity;sid:84687968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-base5.dexpor1el.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824867/; classtype:trojan-activity;sid:84687967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824866/; classtype:trojan-activity;sid:84687966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.83.2.247"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824864/; classtype:trojan-activity;sid:84687964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.184.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824865/; classtype:trojan-activity;sid:84687965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824863)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.120.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824863/; classtype:trojan-activity;sid:84687963; rev:1;)
# NOTE(review): the line above is the tail of a rule that starts on the
# previous page line. The last line of this span is the head of a rule whose
# metadata/reference/sid options follow on the next page line.
#
# --- Host 94.103.188.207, path /ab4g5/josho.<suffix> ---------------------
# All remaining rules in this span pin the same host and the same directory.
# They differ only in the file suffix: arm, mips, mpsl, arm5, spc, arm7, x86,
# arm6, ppc. The suffixes read like CPU-architecture tags, i.e. one build per
# architecture. That is inferred from the names, not stated by the feed.
#
# How each rule matches:
#   http.uri  content + depth:<pattern length> + endswith + nocase
#       The URI buffer must equal the listed path (case-insensitive). A
#       suffix that is not listed, or extra characters after the path, is
#       not covered by any of these rules.
#   http.host content + depth:<pattern length> + isdataat:!1,relative
#       The host must equal 94.103.188.207. The same files requested from
#       another address or name do not match.
#   flow:established,from_client
#       The alert is raised on the request. Confirm from other telemetry
#       whether the download completed.
#
# These are `alert http` rules, so the sensor needs to see parsed cleartext
# HTTP. The same URL fetched over TLS is not visible to them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm"; depth:16; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824862/; classtype:trojan-activity;sid:84687962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mips"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824852/; classtype:trojan-activity;sid:84687952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mpsl"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824853/; classtype:trojan-activity;sid:84687953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm5"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824854/; classtype:trojan-activity;sid:84687954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.spc"; depth:16; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824855/; classtype:trojan-activity;sid:84687955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm7"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824856/; classtype:trojan-activity;sid:84687956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.x86"; depth:16; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824857/; classtype:trojan-activity;sid:84687957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm6"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824858/; classtype:trojan-activity;sid:84687958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.ppc"; depth:16; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824859/; classtype:trojan-activity;sid:84687959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.m68k"; depth:17; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824860/; classtype:trojan-activity;sid:84687960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.sh4"; depth:16; endswith; nocase; http.host; content:"94.103.188.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824861/; classtype:trojan-activity;sid:84687961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824851/; classtype:trojan-activity;sid:84687951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-code4.dexpor1el.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824850/; classtype:trojan-activity;sid:84687950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web-site3.dexpor1el.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824849/; classtype:trojan-activity;sid:84687949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.118.209.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824848/; classtype:trojan-activity;sid:84687948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-app2.dexpor1el.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824847/; classtype:trojan-activity;sid:84687947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824846/; classtype:trojan-activity;sid:84687946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; 
depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824845/; classtype:trojan-activity;sid:84687945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.147.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824844/; classtype:trojan-activity;sid:84687944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tech-tool1.dexpor1el.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824843/; classtype:trojan-activity;sid:84687943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.60.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824842/; classtype:trojan-activity;sid:84687942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.68.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824841/; classtype:trojan-activity;sid:84687941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wind-speed6.wimso4rel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824840/; classtype:trojan-activity;sid:84687940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.18.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824839/; classtype:trojan-activity;sid:84687939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.126.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824838/; classtype:trojan-activity;sid:84687938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snow-fall5.wimso4rel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824837/; classtype:trojan-activity;sid:84687937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"125.46.134.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824835/; classtype:trojan-activity;sid:84687935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.30.79.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824836/; classtype:trojan-activity;sid:84687936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.60.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824834/; classtype:trojan-activity;sid:84687934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.166.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824833/; classtype:trojan-activity;sid:84687933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.248.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824832/; classtype:trojan-activity;sid:84687932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824830)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.59.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824830/; classtype:trojan-activity;sid:84687930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.27.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824831/; classtype:trojan-activity;sid:84687931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rain-drop4.wimso4rel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824829/; classtype:trojan-activity;sid:84687929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.215.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824828/; classtype:trojan-activity;sid:84687928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sun-light3.wimso4rel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; 
reference:url, urlhaus.abuse.ch/url/3824827/; classtype:trojan-activity;sid:84687927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.253.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824826/; classtype:trojan-activity;sid:84687926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.111.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824825/; classtype:trojan-activity;sid:84687925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.248.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824824/; classtype:trojan-activity;sid:84687924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-cloud2.wimso4rel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824823/; classtype:trojan-activity;sid:84687923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824822)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.226.10.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824822/; classtype:trojan-activity;sid:84687922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sky-view1.wimso4rel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824821/; classtype:trojan-activity;sid:84687921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.246.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824820/; classtype:trojan-activity;sid:84687920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.106.45.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824817/; classtype:trojan-activity;sid:84687917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824818/; classtype:trojan-activity;sid:84687918; 
rev:1;)
# NOTE(review): the line above closes a rule that starts on the previous page
# line. The last line of this span is a rule whose classtype/sid/rev options
# follow on the next page line.
#
# Two kinds of entry alternate in this span.
#
# 1) IP-literal hosts with the short paths "/i" and "/bin.sh".
#    "/i" with depth:2 and endswith means the whole URI is two bytes long.
#    The http.host condition is what keeps such a rule specific. When tuning
#    locally, do not relax the host match on these entries. 221.15.22.180 is
#    listed with both paths (URLhaus ids 3824812 and 3824811).
#
# 2) Host names under povt8aren.in.net (road-trip6, fast-drive5, car-wash4),
#    all with the identical 82-byte path ending in ".google". http.host is
#    pinned to the full name (depth equals its length, isdataat:!1,relative
#    closes the end). A further subdomain serving the same path is therefore
#    not covered until the feed lists it. Within this excerpt the path is the
#    element that stays constant while the leftmost label changes.
#
# All rules are `alert http`, client-to-server, GET only. A hit records an
# outbound request from $HOME_NET. The rules were created 2026_04_18
# (metadata:created_at), so check the reference URL for the entry's current
# status before acting on an old alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.114.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824819/; classtype:trojan-activity;sid:84687919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"road-trip6.povt8aren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824816/; classtype:trojan-activity;sid:84687916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824815/; classtype:trojan-activity;sid:84687915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-drive5.povt8aren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824814/; classtype:trojan-activity;sid:84687914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.193.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824813/; classtype:trojan-activity;sid:84687913; rev:1;)
# Same host, both short paths (/i and /bin.sh).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.22.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824812/; classtype:trojan-activity;sid:84687912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.22.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824811/; classtype:trojan-activity;sid:84687911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"car-wash4.povt8aren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824810/; classtype:trojan-activity;sid:84687910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.219.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824808/;
classtype:trojan-activity;sid:84687908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.105.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824809/; classtype:trojan-activity;sid:84687909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-tires3.povt8aren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824807/; classtype:trojan-activity;sid:84687907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.105.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824804/; classtype:trojan-activity;sid:84687904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.249.211.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824805/; classtype:trojan-activity;sid:84687905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"61.52.219.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824806/; classtype:trojan-activity;sid:84687906; rev:1;)
# Layout: one rule per line below; the rule cut at each edge of this span is left as found.
# Each rule matches a single URLhaus entry as an exact outbound request:
#   http.method GET; http.uri equal to the listed path (content + depth:N + endswith,
#   nocase); http.host equal to the listed IP or hostname (content + depth:N +
#   isdataat:!1,relative). Any other URI on the same host, including the same path with
#   a query string appended, is outside that rule.
# "alert http" applies only to traffic the engine parses as cleartext HTTP, and the
# $HOME_NET to $EXTERNAL_NET direction relies on both variables being set for the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.145.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824803/; classtype:trojan-activity;sid:84687903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oil-change2.povt8aren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824802/; classtype:trojan-activity;sid:84687902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.122.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824801/; classtype:trojan-activity;sid:84687901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.249.211.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824800/; classtype:trojan-activity;sid:84687900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.80.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824799/; classtype:trojan-activity;sid:84687899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auto-care1.povt8aren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824798/; classtype:trojan-activity;sid:84687898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.198.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824797/; classtype:trojan-activity;sid:84687897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.67.213.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824796/; classtype:trojan-activity;sid:84687896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.162.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824795/; classtype:trojan-activity;sid:84687895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.67.213.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824794/; classtype:trojan-activity;sid:84687894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824793/; classtype:trojan-activity;sid:84687893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-window6.k2ymlirem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824792/; classtype:trojan-activity;sid:84687892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824791/; classtype:trojan-activity;sid:84687891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824784/; classtype:trojan-activity;sid:84687884; rev:1;)
# The rules below for host 85.11.167.21 differ only in http.uri (/586, /dss, /sh4,
# /mipsel, /ppc, /co, /i686; the rule ending on the line above is /arm61). Several of
# these paths read like CPU-architecture names, which would be consistent with one host
# serving per-architecture builds of a payload. That is inferred from the paths alone;
# confirm on the referenced URLhaus entries.
# Triage: group alerts from these sids by destination host rather than treating each sid
# as a separate incident. In every rule shown here sid = URLhaus id + 80863100, so the
# sid in an alert maps directly to the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/586"; depth:4; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824785/; classtype:trojan-activity;sid:84687885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dss"; depth:4; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824786/; classtype:trojan-activity;sid:84687886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824787/; classtype:trojan-activity;sid:84687887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824788/; classtype:trojan-activity;sid:84687888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824789/; classtype:trojan-activity;sid:84687889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co"; depth:3; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824790/; classtype:trojan-activity;sid:84687890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"85.11.167.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824782/; classtype:trojan-activity;sid:84687882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.49.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824783/; classtype:trojan-activity;sid:84687883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-plant5.k2ymlirem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824781/; classtype:trojan-activity;sid:84687881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.248.37.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824779/; classtype:trojan-activity;sid:84687879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.248.37.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824780/; classtype:trojan-activity;sid:84687880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.252.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824778/; classtype:trojan-activity;sid:84687878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.0.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824777/; classtype:trojan-activity;sid:84687877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.58.119.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824776/; classtype:trojan-activity;sid:84687876; rev:1;)
# Exact-request IoC rules: GET, the full http.uri and the full http.host must all match.
# Some hosts appear in two rules in this run, once per path: 42.58.119.20 and
# 42.227.186.26 each have an /i rule and a /bin.sh rule, so a single client talking to
# one host can raise two different sids. Deduplicate on source address + http.host when
# counting affected machines.
# msg carries only the URLhaus id and classtype is trojan-activity throughout; the rule
# itself says nothing about the malware family, so look that up via the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.106.45.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824774/; classtype:trojan-activity;sid:84687874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.159.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824775/; classtype:trojan-activity;sid:84687875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.221.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824773/; classtype:trojan-activity;sid:84687873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.80.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824772/; classtype:trojan-activity;sid:84687872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"warm-light4.k2ymlirem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824771/; classtype:trojan-activity;sid:84687871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.119.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824770/; classtype:trojan-activity;sid:84687870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-sofa3.k2ymlirem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824769/; classtype:trojan-activity;sid:84687869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824768/; classtype:trojan-activity;sid:84687868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.186.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824767/; classtype:trojan-activity;sid:84687867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"modern-room2.k2ymlirem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824766/; classtype:trojan-activity;sid:84687866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.119.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824765/; classtype:trojan-activity;sid:84687865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.186.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824764/; classtype:trojan-activity;sid:84687864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.30.79.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824763/; classtype:trojan-activity;sid:84687863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824762)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-style1.k2ymlirem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824762/; classtype:trojan-activity;sid:84687862; rev:1;)
# Exact-request IoC rules (GET + full http.uri + full http.host).
# The hostname rules in this run share one http.uri and use labels of the form
# word-wordN under a common parent (hobby-time6, book-shelf5, cinema-club4 under
# tovdo9ral.in.net). That looks like a generated series, so the feed may not list every
# sibling: when one of these fires, also search DNS and proxy logs for other subdomains
# of the same parent (assumption from the naming only; verify against URLhaus).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.0.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824761/; classtype:trojan-activity;sid:84687861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.17.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824759/; classtype:trojan-activity;sid:84687859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.7.234.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824760/; classtype:trojan-activity;sid:84687860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.89.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824754/; classtype:trojan-activity;sid:84687854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.59.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824755/; classtype:trojan-activity;sid:84687855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.12.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824756/; classtype:trojan-activity;sid:84687856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.18.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824757/; classtype:trojan-activity;sid:84687857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.154.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824758/; classtype:trojan-activity;sid:84687858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.253.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824753/; classtype:trojan-activity;sid:84687853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hobby-time6.tovdo9ral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824752/; classtype:trojan-activity;sid:84687852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-shelf5.tovdo9ral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824751/; classtype:trojan-activity;sid:84687851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cinema-club4.tovdo9ral.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824750/; classtype:trojan-activity;sid:84687850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dance-floor3.tovdo9ral.in.net"; depth:29; 
isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824749/; classtype:trojan-activity;sid:84687849; rev:1;)
# Exact-request IoC rules (GET + full http.uri + full http.host).
# metadata:created_at is the only date a rule carries; within this run it changes from
# 2026_04_18 to 2026_04_17. Nothing in a rule records whether the URL is still serving
# content, so retiring stale entries depends on refreshing the feed rather than on the
# ruleset itself. Every rule shown here is rev:1.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"music-band2.tovdo9ral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824748/; classtype:trojan-activity;sid:84687848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"art-studio1.tovdo9ral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824747/; classtype:trojan-activity;sid:84687847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-tax6.sylpi6ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824746/; classtype:trojan-activity;sid:84687846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.122.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824745/; classtype:trojan-activity;sid:84687845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"194.54.161.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824744/; classtype:trojan-activity;sid:84687844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-invest5.sylpi6ren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3824743/; classtype:trojan-activity;sid:84687843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.220.29.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824742/; classtype:trojan-activity;sid:84687842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"credit-card4.sylpi6ren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824741/; classtype:trojan-activity;sid:84687841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3824740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.85.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824740/; classtype:trojan-activity;sid:84687840; rev:1;)
# Exact-request IoC rules (GET + full http.uri + full http.host).
# Host 175.165.85.86 has both an /i rule and a /bin.sh rule in this run, while the
# sylpi6ren.in.net and ra7vmixel.in.net hostnames all use the same long http.uri.
# For the hostname group, an alert on one label is a reason to review traffic to the
# whole parent domain, not only to the listed label.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cash-flow3.sylpi6ren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824739/; classtype:trojan-activity;sid:84687839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.133.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824738/; classtype:trojan-activity;sid:84687838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"194.54.161.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824737/; classtype:trojan-activity;sid:84687837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"money-save2.sylpi6ren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824736/; classtype:trojan-activity;sid:84687836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.146.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824735/; classtype:trojan-activity;sid:84687835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bank-report1.sylpi6ren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824734/; classtype:trojan-activity;sid:84687834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-player6.ra7vmixel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824733/; classtype:trojan-activity;sid:84687833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.85.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824732/; classtype:trojan-activity;sid:84687832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.151.254.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824731/; classtype:trojan-activity;sid:84687831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sport-news5.ra7vmixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824730/; classtype:trojan-activity;sid:84687830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824729/; classtype:trojan-activity;sid:84687829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"final-game4.ra7vmixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824728/; classtype:trojan-activity;sid:84687828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824727)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gold-medal3.ra7vmixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824727/; classtype:trojan-activity;sid:84687827; rev:1;)
# URLhaus per-URL download signatures. Each rule below alerts on a client-side GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri equals the listed path and whose http.host equals the listed host.
# - depth:<content length> together with endswith pins the path to the whole http.uri buffer, so a request
#   that appends a query string or a further path segment does not match; nocase applies to the path only.
# - depth:<content length> together with isdataat:!1,relative pins http.host to exactly the listed value.
# - "alert http" rules only inspect HTTP that Suricata can parse in cleartext.
# - In every rule shown here the sid equals the URLhaus ID plus 80863100; the reference: option names the
#   URLhaus entry for the alerting URL.
# The 82-byte /05fe317c-.../ck-....google path is identical across the *.in.net rules in this run; only the
# hostname differs. Since each rule pins one hostname, another subdomain serving the same path is not covered
# by these rules. NOTE(review): a search of HTTP logs for that path regardless of host would complement them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-score2.ra7vmixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824726/; classtype:trojan-activity;sid:84687826; rev:1;)
# The /bin.sh and /i rules name a literal IPv4 address as the host, so they match only when the client
# addressed the server by that IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.146.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824724/; classtype:trojan-activity;sid:84687824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.254.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824725/; classtype:trojan-activity;sid:84687825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-match1.ra7vmixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824723/; classtype:trojan-activity;sid:84687823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"strong-mind6.3lomaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824722/; classtype:trojan-activity;sid:84687822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.145.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824721/; classtype:trojan-activity;sid:84687821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"body-fit5.3lomaren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824720/; classtype:trojan-activity;sid:84687820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.29.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824719/; classtype:trojan-activity;sid:84687819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"power-gym4.3lomaren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824718/; classtype:trojan-activity;sid:84687818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.253.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824717/; classtype:trojan-activity;sid:84687817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-juice3.3lomaren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824716/; classtype:trojan-activity;sid:84687816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yoga-class2.3lomaren.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824715/; classtype:trojan-activity;sid:84687815; rev:1;)
# URLhaus per-URL download signatures: each rule alerts on a client-side GET whose http.uri equals the listed
# path (depth + endswith, case-insensitive) and whose http.host equals the listed host (depth + isdataat:!1).
# Several hosts in this run appear in two rules, once with /i and once with /bin.sh (42.233.107.162,
# 42.4.253.120, 115.55.145.57, 123.10.138.70, 180.158.39.24, 42.6.251.86, counting the rules on the
# neighbouring lines). NOTE(review): when triaging, grouping alerts by destination host rather than by sid
# shows whether one client fetched both paths.
# Direction depends on $HOME_NET / $EXTERNAL_NET being set correctly for the sensor; with a misconfigured
# $HOME_NET these rules stay silent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-health1.3lomaren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824714/; classtype:trojan-activity;sid:84687814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.107.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824713/; classtype:trojan-activity;sid:84687813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wolfcoupo.kiv6darem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824712/; classtype:trojan-activity;sid:84687812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.253.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824711/; classtype:trojan-activity;sid:84687811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3qui-crest.tav4sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824710/; classtype:trojan-activity;sid:84687810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.120.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824709/; classtype:trojan-activity;sid:84687809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gzvsfzls.vym7lixar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824708/; classtype:trojan-activity;sid:84687808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.158.39.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824707/; classtype:trojan-activity;sid:84687807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.107.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824706/; classtype:trojan-activity;sid:84687806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.251.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824705/; classtype:trojan-activity;sid:84687805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spark0-mesh.nuv2moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824704/; classtype:trojan-activity;sid:84687804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.145.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824703/; classtype:trojan-activity;sid:84687803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.138.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824702/; classtype:trojan-activity;sid:84687802; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.138.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824701/; classtype:trojan-activity;sid:84687801; rev:1;)
# URLhaus per-URL download signatures: each rule alerts on a client-side GET whose http.uri equals the listed
# path (depth + endswith, case-insensitive) and whose http.host equals the listed host (depth + isdataat:!1).
# flow:established,from_client means the alert fires on the request; it says nothing about whether the
# server answered or what it returned. NOTE(review): confirm the HTTP response status and body in the HTTP
# log or file-extraction output before treating an alert as a completed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.158.39.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824700/; classtype:trojan-activity;sid:84687800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.56.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824699/; classtype:trojan-activity;sid:84687799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clipvale.dex9taren.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824698/; classtype:trojan-activity;sid:84687798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.58.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824697/; classtype:trojan-activity;sid:84687797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.251.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824696/; classtype:trojan-activity;sid:84687796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"a4lp.tov4mixel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824695/; classtype:trojan-activity;sid:84687795; rev:1;)
# From here the rules cover a set of /zyre.<suffix> paths plus /cat.sh, all on host 176.65.139.253.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824678/; classtype:trojan-activity;sid:84687778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824679/; classtype:trojan-activity;sid:84687779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824680/; classtype:trojan-activity;sid:84687780; rev:1;)
# URLhaus per-URL download signatures for one host, 176.65.139.253: each rule alerts on a client-side GET
# whose http.uri equals one /zyre.<suffix> path (depth + endswith, case-insensitive) and whose http.host
# equals that IP (depth + isdataat:!1).
# The suffixes are mostly CPU-architecture labels (ppc440, i686, x64, ppc, x86, arm4/5/7, m68k, spc, i486,
# mpsl) plus .apk. Each suffix has its own sid, so the sid of an alert tells which variant was requested.
# NOTE(review): a suffix not listed here is not covered by any of these rules, because each path is
# pinned to a full-buffer match; grouping alerts by this destination IP gives the per-host picture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc440"; depth:12; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824681/; classtype:trojan-activity;sid:84687781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824682/; classtype:trojan-activity;sid:84687782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x64"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824683/; classtype:trojan-activity;sid:84687783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824684/; classtype:trojan-activity;sid:84687784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824685/; classtype:trojan-activity;sid:84687785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824686/; classtype:trojan-activity;sid:84687786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm4"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824687/; classtype:trojan-activity;sid:84687787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824688/; classtype:trojan-activity;sid:84687788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824689/; classtype:trojan-activity;sid:84687789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824690/; classtype:trojan-activity;sid:84687790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824691/; classtype:trojan-activity;sid:84687791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824692/; classtype:trojan-activity;sid:84687792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.apk"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824693/; classtype:trojan-activity;sid:84687793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824694)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/zyre.dbg"; depth:9; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824694/; classtype:trojan-activity;sid:84687794; rev:1;)
# URLhaus per-URL download signatures: each rule alerts on a client-side GET whose http.uri equals the listed
# path (depth + endswith, case-insensitive) and whose http.host equals the listed host (depth + isdataat:!1).
# Several paths here are very short (/i, /.i, /arm64). They are specific only because the same rule also
# pins the host; NOTE(review): if these rules are ever adapted locally, dropping the http.host condition
# would turn them into matches on any server that serves such a path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824677/; classtype:trojan-activity;sid:84687777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"50.83.204.239"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824676/; classtype:trojan-activity;sid:84687776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"44kg.rav2piren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824675/; classtype:trojan-activity;sid:84687775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.64.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824674/; classtype:trojan-activity;sid:84687774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.221.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824673/; classtype:trojan-activity;sid:84687773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824672/; classtype:trojan-activity;sid:84687772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.253.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824671/; classtype:trojan-activity;sid:84687771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easy-life6.kiv6darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824670/; classtype:trojan-activity;sid:84687770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.234.58"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824669/; classtype:trojan-activity;sid:84687769; rev:1;)
# URLhaus per-URL download signatures: each rule alerts on a client-side GET whose http.uri equals the listed
# path (depth + endswith, case-insensitive) and whose http.host equals the listed host (depth + isdataat:!1).
# The next rules name DNS hostnames with .ps1 and .png paths. Two points for triage:
# - The host match is exact: the rule for "www.vame.be" does not fire for the bare domain, and the rule for
#   "solar-sanat.net" does not fire for a www. prefix.
# - The rule inspects the request only, so the .png extension says nothing about what was returned.
#   NOTE(review): check the response content type / extracted file against the URLhaus entry in reference:.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cup/update.ps1"; depth:15; endswith; nocase; http.host; content:"www.vame.be"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824668/; classtype:trojan-activity;sid:84687768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagedan73.png"; depth:15; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824667/; classtype:trojan-activity;sid:84687767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desk.png"; depth:9; endswith; nocase; http.host; content:"corwineagles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824666/; classtype:trojan-activity;sid:84687766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ao/images.png"; depth:14; endswith; nocase; http.host; content:"zorvex.life"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824665/; classtype:trojan-activity;sid:84687765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/image.png"; depth:19; endswith; nocase; http.host; content:"allsydevs.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824664/; classtype:trojan-activity;sid:84687764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hard-work5.kiv6darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824663/; classtype:trojan-activity;sid:84687763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"www.shcgroup-vn.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824662/; classtype:trojan-activity;sid:84687762; rev:1;)
# From here the rules cover many different paths on a single host, 65.87.7.5.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pentagon"; depth:9; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824650/; classtype:trojan-activity;sid:84687750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824651/; 
classtype:trojan-activity;sid:84687751; rev:1;)
# URLhaus per-URL download signatures for one host, 65.87.7.5: each rule alerts on a client-side GET whose
# http.uri equals the listed path (depth + endswith, case-insensitive) and whose http.host equals that IP
# (depth + isdataat:!1).
# Three path styles appear for this host: CPU-architecture names (/arc, /i586), shape words (/star,
# /diamond, /rhombus), and /hik/h.<suffix>, where the suffix reads like an architecture name spelled
# backwards (mra, 4hs, 7mra, spim, 685i) -- that reading is an observation on the strings, not something
# the feed states.
# NOTE(review): every path is pinned to a full-buffer match, so a further variant on the same host needs
# its own rule; grouping alerts by this destination IP gives the per-host picture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.mra"; depth:10; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824652/; classtype:trojan-activity;sid:84687752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.4hs"; depth:10; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824653/; classtype:trojan-activity;sid:84687753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824654/; classtype:trojan-activity;sid:84687754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.7mra"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824655/; classtype:trojan-activity;sid:84687755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.spim"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824656/; classtype:trojan-activity;sid:84687756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824657/; classtype:trojan-activity;sid:84687757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/star"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824658/; classtype:trojan-activity;sid:84687758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.685i"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824659/; classtype:trojan-activity;sid:84687759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diamond"; depth:8; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824660/; classtype:trojan-activity;sid:84687760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhombus"; depth:8; endswith; nocase; 
http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824661/; classtype:trojan-activity;sid:84687761; rev:1;)
# URLhaus per-URL download signatures for one host, 65.87.7.5: each rule alerts on a client-side GET whose
# http.uri equals the listed path (depth + endswith, case-insensitive) and whose http.host equals that IP
# (depth + isdataat:!1).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824628/; classtype:trojan-activity;sid:84687728; rev:1;)
# NOTE(review): the next rule looks for the literal path "///arm5" in http.uri, which is Suricata's
# normalized URI buffer. If the HTTP parser settings on this sensor collapse repeated slashes, that literal
# never appears in http.uri and sid 84687729 cannot fire, while sid 84687732 ("/arm5", further down) would
# match the same request. http.uri.raw is the un-normalized buffer. Confirm with a test request before
# relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824629/; classtype:trojan-activity;sid:84687729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.5mra"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824630/; classtype:trojan-activity;sid:84687730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824631/; classtype:trojan-activity;sid:84687731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824632/; classtype:trojan-activity;sid:84687732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/octagon"; depth:8; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824633/; classtype:trojan-activity;sid:84687733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824634/; classtype:trojan-activity;sid:84687734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshith.sh"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824635/; classtype:trojan-activity;sid:84687735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824636/; classtype:trojan-activity;sid:84687736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3824637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824637/; classtype:trojan-activity;sid:84687737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.cra"; depth:10; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824638/; classtype:trojan-activity;sid:84687738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/triangle"; depth:9; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824639/; classtype:trojan-activity;sid:84687739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.46_68x"; depth:13; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824640/; classtype:trojan-activity;sid:84687740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.686i"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824641/; classtype:trojan-activity;sid:84687741; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hexagon"; depth:8; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824642/; classtype:trojan-activity;sid:84687742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.lspm"; depth:11; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824643/; classtype:trojan-activity;sid:84687743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hik/h.craps"; depth:12; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824644/; classtype:trojan-activity;sid:84687744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heptagon"; depth:9; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824645/; classtype:trojan-activity;sid:84687745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/circle"; depth:7; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824646/; classtype:trojan-activity;sid:84687746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/square"; depth:7; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824647/; classtype:trojan-activity;sid:84687747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824648/; classtype:trojan-activity;sid:84687748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"65.87.7.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824649/; classtype:trojan-activity;sid:84687749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.msi"; depth:14; endswith; nocase; http.host; content:"pub-f629f9eff5c742ab9493f73c421a617a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824627/; classtype:trojan-activity;sid:84687727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824626)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"short-cut4.kiv6darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824626/; classtype:trojan-activity;sid:84687726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"ministrew.info"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824625/; classtype:trojan-activity;sid:84687725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.116.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824624/; classtype:trojan-activity;sid:84687724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/images/ifmkhdg.txt"; depth:26; endswith; nocase; http.host; content:"banglabillboard.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824623/; classtype:trojan-activity;sid:84687723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/network/wp-includes/pol/assets/css/update.ps1"; depth:55; endswith; nocase; http.host; content:"walnuthillcounseling.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824622/; classtype:trojan-activity;sid:84687722; rev:1;)
# The rules below share one shape: alert on an HTTP GET from $HOME_NET whose URI ends with the listed content
# inside the first <depth> bytes (nocase applies to that URI content) and whose http.host begins with the listed
# host and has no byte after it. "alert http" inspects only HTTP the sensor can parse, i.e. cleartext or
# already-decrypted traffic.
# NOTE(review): the 82-byte "/05fe317c-...google" URI recurs in this block under several hosts of
# kiv6darem.in.net and tav4sorel.in.net. Each rule pins one exact host, so a host label not yet in the feed is
# not covered; a local rule keyed on the shared URI may be worth adding (own sid range, tune for false positives).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-road3.kiv6darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824621/; classtype:trojan-activity;sid:84687721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/csi/update.ps1"; depth:15; endswith; nocase; http.host; content:"www.vame.be"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824620/; classtype:trojan-activity;sid:84687720; rev:1;)
# NOTE(review): sid 84687719 - the uid= value looks like base64 that was lowercased for the nocase match, so it
# is presumably not the original case-sensitive token; take the exact URL from the reference entry before using
# it in a case-sensitive control or log search. depth:119 is the length of the escaped text; the decoded pattern
# is 116 bytes ("|3f|" is one byte), so depth plus endswith tolerates up to 3 leading bytes rather than pinning
# the whole buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuismart/download|3f|uid=@1.awptrmtha1jgq3nxtji5mgdvakvwv1pacnrtqml1stfyq1dneuv1l2hwohnuzkvjevzkl1zizzyxnglbc2p6rw=="; depth:119; endswith; nocase; http.host; content:"mailshare.it"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824619/; classtype:trojan-activity;sid:84687719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.253.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824618/; classtype:trojan-activity;sid:84687718; rev:1;)
# NOTE(review): sids 84687717, 84687716, 84687712 and 84687711 (drive.google.com) - inside a content string
# "|7c|26|7c|" decodes to the four literal bytes: pipe, "2", "6", pipe. It does not decode to "&" (0x26). This
# looks like the "&" separator escaped twice by the generator; if so, these rules cannot match a request for
# /uc?export=download&id=<id>. Confirm against the referenced URLhaus entries. The presumably intended form is
# content:"/uc|3f|export=download|26|id=<id>"; with depth:56. Report it upstream or carry a local rule under your
# own sid; an in-place patch of the feed is lost on the next update.
# NOTE(review): the id values are all lowercase and matched with nocase; Drive file ids are case-sensitive, so
# these are presumably not the original ids. drive.google.com is normally reached over HTTPS, so expect a hit
# only on a cleartext request or where TLS is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1skz87dljwm7olk5lj85pxgqhpjmytpja"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824617/; classtype:trojan-activity;sid:84687717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=17yjpobo5jpv0mexjkqqfpi8wuvugp9jo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824616/; classtype:trojan-activity;sid:84687716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slow-walk2.kiv6darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824615/; classtype:trojan-activity;sid:84687715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wem/fmhdakc.txt"; depth:16; endswith; nocase; http.host; content:"144.172.95.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824614/; classtype:trojan-activity;sid:84687714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-track1.kiv6darem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824613/; classtype:trojan-activity;sid:84687713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1tbkfeq5rysnx_udp-roncch_h3mbok7e"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824612/; classtype:trojan-activity;sid:84687712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1xftelet35rssc0cgx-rhxevrnzdyfbzj"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824611/; classtype:trojan-activity;sid:84687711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"purple-rain6.tav4sorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824610/; classtype:trojan-activity;sid:84687710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824609)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/assets/images/frostcoder.txt"; depth:29; endswith; nocase; http.host; content:"banglabillboard.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824609/; classtype:trojan-activity;sid:84687709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mnnljrzr/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824608/; classtype:trojan-activity;sid:84687708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_071936.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824607/; classtype:trojan-activity;sid:84687707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.116.196"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824606/; classtype:trojan-activity;sid:84687706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/89/img_211914.png"; depth:18; endswith; nocase; http.host; content:"66.63.170.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824605/; classtype:trojan-activity;sid:84687705; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-cloud5.tav4sorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824604/; classtype:trojan-activity;sid:84687704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"104.238.189.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824603/; classtype:trojan-activity;sid:84687703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_131810.png"; depth:15; endswith; nocase; http.host; content:"screenshot.finance"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824602/; classtype:trojan-activity;sid:84687702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quxera.png"; depth:11; endswith; nocase; http.host; content:"pub-78a0a6b6bcb04ed486fae205ee734af2.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824601/; classtype:trojan-activity;sid:84687701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824600)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/preeuy.msi"; depth:11; endswith; nocase; http.host; content:"pub-9c47b1bd45604a82bb27d7c7000ef589.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824600/; classtype:trojan-activity;sid:84687700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.8.35"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824599/; classtype:trojan-activity;sid:84687699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yellow-sun4.tav4sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824598/; classtype:trojan-activity;sid:84687698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12/img_175349.png"; depth:18; endswith; nocase; http.host; content:"172.245.95.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824597/; classtype:trojan-activity;sid:84687697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12/metrokingsformebetter.hta"; depth:29; endswith; nocase; http.host; content:"172.245.95.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824596/; classtype:trojan-activity;sid:84687696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_095825.png"; depth:15; endswith; nocase; http.host; content:"genghis.yzz.me"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824595/; classtype:trojan-activity;sid:84687695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rrliha.vmp.msi"; depth:15; endswith; nocase; http.host; content:"sfunited.club"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824594/; classtype:trojan-activity;sid:84687694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824589/; classtype:trojan-activity;sid:84687689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824590/; classtype:trojan-activity;sid:84687690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824591)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/xnxnxnxnxnxnxnxnarmv7lxnxn"; depth:32; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824591/; classtype:trojan-activity;sid:84687691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824592/; classtype:trojan-activity;sid:84687692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824593/; classtype:trojan-activity;sid:84687693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824580/; classtype:trojan-activity;sid:84687680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824581/; 
classtype:trojan-activity;sid:84687681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824582/; classtype:trojan-activity;sid:84687682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824583/; classtype:trojan-activity;sid:84687683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824584/; classtype:trojan-activity;sid:84687684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824585/; classtype:trojan-activity;sid:84687685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824586)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824586/; classtype:trojan-activity;sid:84687686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824587/; classtype:trojan-activity;sid:84687687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824588/; classtype:trojan-activity;sid:84687688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-leaf3.tav4sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824579/; classtype:trojan-activity;sid:84687679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/images/knskgpc.txt"; depth:26; endswith; nocase; http.host; content:"banglabillboard.com"; depth:19; isdataat:!1,relative; metadata:created_at 
2026_04_17; reference:url, urlhaus.abuse.ch/url/3824578/; classtype:trojan-activity;sid:84687678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"officials.ink"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824577/; classtype:trojan-activity;sid:84687677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_133213.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824576/; classtype:trojan-activity;sid:84687676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_151624.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824575/; classtype:trojan-activity;sid:84687675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.116.196"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824574/; classtype:trojan-activity;sid:84687674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824573)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wordpress/update.ps1"; depth:21; endswith; nocase; http.host; content:"krikadoo.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824573/; classtype:trojan-activity;sid:84687673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"red-rose2.tav4sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824572/; classtype:trojan-activity;sid:84687672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.221.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824571/; classtype:trojan-activity;sid:84687671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"overly.dinergysolutions.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824570/; classtype:trojan-activity;sid:84687670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.142.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824569/; classtype:trojan-activity;sid:84687669; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blue-sky1.tav4sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824568/; classtype:trojan-activity;sid:84687668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"job-offer6.vym7lixar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824567/; classtype:trojan-activity;sid:84687667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lunch-break5.vym7lixar.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824566/; classtype:trojan-activity;sid:84687666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.221.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824565/; classtype:trojan-activity;sid:84687665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3824564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"office-desk4.vym7lixar.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824564/; classtype:trojan-activity;sid:84687664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.58.210.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824563/; classtype:trojan-activity;sid:84687663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"staff-room3.vym7lixar.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824562/; classtype:trojan-activity;sid:84687662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-group2.vym7lixar.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824561/; classtype:trojan-activity;sid:84687661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824560)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.198.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824560/; classtype:trojan-activity;sid:84687660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.126.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824559/; classtype:trojan-activity;sid:84687659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-spirit1.vym7lixar.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824558/; classtype:trojan-activity;sid:84687658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.221.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824557/; classtype:trojan-activity;sid:84687657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-tour6.nuv2moren.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824556/; classtype:trojan-activity;sid:84687656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.142.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824555/; classtype:trojan-activity;sid:84687655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.58.210.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824554/; classtype:trojan-activity;sid:84687654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-bag5.nuv2moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824553/; classtype:trojan-activity;sid:84687653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.126.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824552/; classtype:trojan-activity;sid:84687652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3824551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ski-resort4.nuv2moren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824551/; classtype:trojan-activity;sid:84687651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beach-party3.nuv2moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824550/; classtype:trojan-activity;sid:84687650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.238.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824549/; classtype:trojan-activity;sid:84687649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824548/; classtype:trojan-activity;sid:84687648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824547)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"winter-stay2.nuv2moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824547/; classtype:trojan-activity;sid:84687647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8717422379/hlss5qb.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824546/; classtype:trojan-activity;sid:84687646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"summer-trip1.nuv2moren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824545/; classtype:trojan-activity;sid:84687645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.174.171.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824544/; classtype:trojan-activity;sid:84687644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"file-save6.dex9taren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824543/; classtype:trojan-activity;sid:84687643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.238.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824542/; classtype:trojan-activity;sid:84687642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824541/; classtype:trojan-activity;sid:84687641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"send-mail5.dex9taren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824540/; classtype:trojan-activity;sid:84687640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.189.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824539/; classtype:trojan-activity;sid:84687639; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"call-back4.dex9taren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824538/; classtype:trojan-activity;sid:84687638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meet-time3.dex9taren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824537/; classtype:trojan-activity;sid:84687637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.189.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824536/; classtype:trojan-activity;sid:84687636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-task2.dex9taren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824535/; classtype:trojan-activity;sid:84687635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3824534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-plan1.dex9taren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824534/; classtype:trojan-activity;sid:84687634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.233.4.0"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824533/; classtype:trojan-activity;sid:84687633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.127.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824532/; classtype:trojan-activity;sid:84687632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.237.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824531/; classtype:trojan-activity;sid:84687631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.239.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824530/; classtype:trojan-activity;sid:84687630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"power-cable6.tov4mixel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824529/; classtype:trojan-activity;sid:84687629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"video-screen5.tov4mixel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824528/; classtype:trojan-activity;sid:84687628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.159.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824527/; classtype:trojan-activity;sid:84687627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.239.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824526/; classtype:trojan-activity;sid:84687626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3824525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"music-radio4.tov4mixel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824525/; classtype:trojan-activity;sid:84687625; rev:1;)
# IP-literal hosts (this rule and several below): the indicator is tied to whoever held the
# address on the created_at date. Use metadata:created_at when deciding how long a hit on such a
# rule is still meaningful, and re-check the URLhaus reference for the entry's current status.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.75.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824524/; classtype:trojan-activity;sid:84687624; rev:1;)
# Twelve rules in this span (sids 84687611-84687615 and 84687617-84687623) share the host
# 176.65.148.173 and differ only in a URI named after a CPU architecture (/mips, /arm6, /spc,
# /m68k, /ppc, /arc, /arm7, /x86_64, /x86, /sh4, /mpsl, /arm). That looks like one host serving
# per-architecture builds of the same payload; this is inferred from the names, confirm on URLhaus.
# Triage: the requested architecture narrows down which internal device made the request, so
# start with embedded/IoT assets of that type and review what ran on them before the GET.
# Correlate the twelve sids as one event source rather than twelve unrelated alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824518/; classtype:trojan-activity;sid:84687618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824519/; classtype:trojan-activity;sid:84687619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824520/; classtype:trojan-activity;sid:84687620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824521/; classtype:trojan-activity;sid:84687621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824522/; classtype:trojan-activity;sid:84687622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824523/; classtype:trojan-activity;sid:84687623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824517/; classtype:trojan-activity;sid:84687617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824513/; classtype:trojan-activity;sid:84687613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824514/; classtype:trojan-activity;sid:84687614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824515/; classtype:trojan-activity;sid:84687615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.144.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824516/; classtype:trojan-activity;sid:84687616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824512/; classtype:trojan-activity;sid:84687612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.148.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824511/; classtype:trojan-activity;sid:84687611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.227.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824510/; classtype:trojan-activity;sid:84687610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.237.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824509/; classtype:trojan-activity;sid:84687609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-camera3.tov4mixel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824508/; classtype:trojan-activity;sid:84687608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.159.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824507/; 
classtype:trojan-activity;sid:84687607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824506/; classtype:trojan-activity;sid:84687606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824505/; classtype:trojan-activity;sid:84687605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glass-lens2.tov4mixel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824504/; classtype:trojan-activity;sid:84687604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepoiuy0.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824503/; classtype:trojan-activity;sid:84687603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824502)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-watch1.tov4mixel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824502/; classtype:trojan-activity;sid:84687602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageiuyre99.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824501/; classtype:trojan-activity;sid:84687601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageven098.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824500/; classtype:trojan-activity;sid:84687600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.148.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824499/; classtype:trojan-activity;sid:84687599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagesddff00.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824498/; 
classtype:trojan-activity;sid:84687598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagehola21.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824497/; classtype:trojan-activity;sid:84687597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageyyyy1.png"; depth:15; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824496/; classtype:trojan-activity;sid:84687596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelokoko222.png"; depth:19; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824495/; classtype:trojan-activity;sid:84687595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefresk090.png"; depth:18; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824494/; classtype:trojan-activity;sid:84687594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.142.241.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824493/; classtype:trojan-activity;sid:84687593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image77490p.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824492/; classtype:trojan-activity;sid:84687592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8356237953/jdgf7l9.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824491/; classtype:trojan-activity;sid:84687591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecdg09.png"; depth:15; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824490/; classtype:trojan-activity;sid:84687590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image09iug0.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824489/; classtype:trojan-activity;sid:84687589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3824488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824488/; classtype:trojan-activity;sid:84687588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file_premium/2a9ugis6zfmrh4g/0brk22z336890esnqo_arb748491g1f8vougrn.iso/file"; depth:77; endswith; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824487/; classtype:trojan-activity;sid:84687587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.exe"; depth:11; endswith; nocase; http.host; content:"merchant-gateway.live"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824486/; classtype:trojan-activity;sid:84687586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.243.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824485/; classtype:trojan-activity;sid:84687585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_msbuild.txt"; depth:91; endswith; nocase; http.host; 
content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824483/; classtype:trojan-activity;sid:84687583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_jsc.txt"; depth:87; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824484/; classtype:trojan-activity;sid:84687584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/31agosto.txt"; depth:86; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824481/; classtype:trojan-activity;sid:84687581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_aspnet_compiler.txt"; depth:99; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824482/; classtype:trojan-activity;sid:84687582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/class.txt"; depth:83; endswith; nocase; http.host; 
content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824480/; classtype:trojan-activity;sid:84687580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_installutil.txt"; depth:95; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824478/; classtype:trojan-activity;sid:84687578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_regsvcs.txt"; depth:91; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824479/; classtype:trojan-activity;sid:84687579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_regasm.txt"; depth:90; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824477/; classtype:trojan-activity;sid:84687577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_applaunch.txt"; depth:93; endswith; nocase; http.host; 
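content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824476/; classtype:trojan-activity;sid:84687576; rev:1;)
# NOTE(review): the gitlab.com rules here are "alert http", so they only inspect requests the sensor can parse as cleartext HTTP. A host that is normally reached over TLS presumably needs decryption upstream of the sensor before these can fire - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_cvtres.txt"; depth:90; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824475/; classtype:trojan-activity;sid:84687575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824474/; classtype:trojan-activity;sid:84687574; rev:1;)
# depth corrected from 102 to 99. depth counts bytes of http.uri and |3f| is one byte ('?'), so this pattern is 99 bytes long; 102 is the length of the escaped text. With endswith, depth:102 also accepted a URI with up to three extra leading bytes. depth:99 restores the exact-URI match that the neighbouring rules get from depth == pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/tumfuf.txt|3f|ref_type=heads"; depth:99; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824472/; classtype:trojan-activity;sid:84687572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/31ago.txt"; depth:83; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; 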
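reference:url, urlhaus.abuse.ch/url/3824473/; classtype:trojan-activity;sid:84687573; rev:1;)
# NOTE(review): gitlab.com, firebasestorage.googleapis.com and pastebin.com are normally reached over TLS. These "alert http" rules only inspect cleartext HTTP, so they presumably need decryption upstream of the sensor to fire - confirm coverage before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelnorteoficial-group/elpolacodelnorteoficial-project/-/raw/main/cryp2_addinprocess32.txt"; depth:98; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824471/; classtype:trojan-activity;sid:84687571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rumpshitnew.png"; depth:16; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824470/; classtype:trojan-activity;sid:84687570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/i7ieyuj1bhqrueruoiywg1rasfwi5zfwoztlkxbx0ehuq42v"; depth:51; endswith; nocase; http.host; content:"vxugfeari7.ufs.sh"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824469/; classtype:trojan-activity;sid:84687569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xyupaid.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824468/; classtype:trojan-activity;sid:84687568; rev:1;)
# Query separator corrected from |7c|26|7c| to |26|, and depth from 128 to 116. The feed's |7c|26|7c| matches the four literal bytes "|26|" (7c is the pipe character), which looks like '&' hex-escaped to |26| and then pipe-escaped a second time. As emitted the rule could not match a request using "alt=media&token=". Confirm against the URLhaus entry for 3824467.
# depth is now the decoded pattern length in bytes (116); 128 was the length of the escaped text.
# NOTE(review): http.uri is the normalized URI buffer. If the sensor's HTTP parser decodes %2f / %20 in the path, the literal "%2f" and "%20" in this pattern will not match - verify against a test capture, and consider http.uri.raw if the encoded form must be matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/rodriakd-8413d.appspot.com/o/dll%2fdll%20newaaaaaaaaa.txt|3f|alt=media|26|token=92418096-85c5-4090-a574-5c807c304562"; depth:116; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824467/; classtype:trojan-activity;sid:84687567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/dxknkbur"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824466/; classtype:trojan-activity;sid:84687566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rumpnew.png"; depth:12; endswith; nocase; http.host; content:"172.245.95.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824465/; classtype:trojan-activity;sid:84687565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/masse.png"; depth:10; endswith; nocase; http.host; content:"corwineagles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824464/; classtype:trojan-activity;sid:84687564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824463)"; flow:established,from_client; http.method; content:"GET"; http.uri; 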
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ocean-wave6.rav2piren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824463/; classtype:trojan-activity;sid:84687563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/89/givemebestthingswithbetterwithgreat.hta"; depth:43; endswith; nocase; http.host; content:"66.63.170.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824462/; classtype:trojan-activity;sid:84687562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"desert-sand5.rav2piren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824461/; classtype:trojan-activity;sid:84687561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.243.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824460/; classtype:trojan-activity;sid:84687560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.135.39"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824459/; classtype:trojan-activity;sid:84687559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/158.94.211.95/leoo/update.ps1"; depth:30; endswith; nocase; http.host; content:"158.94.211.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824458/; classtype:trojan-activity;sid:84687558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.67.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824457/; classtype:trojan-activity;sid:84687557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lake-view4.rav2piren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824456/; classtype:trojan-activity;sid:84687556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.90.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824455/; classtype:trojan-activity;sid:84687555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.33.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824454/; classtype:trojan-activity;sid:84687554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.220.135.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824453/; classtype:trojan-activity;sid:84687553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824452/; classtype:trojan-activity;sid:84687552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.10.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824451/; classtype:trojan-activity;sid:84687551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"river-bank3.rav2piren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824450/; classtype:trojan-activity;sid:84687550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.113.204.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824449/; classtype:trojan-activity;sid:84687549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mountain-top2.rav2piren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824448/; classtype:trojan-activity;sid:84687548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ndzmnemhusrrehrjfwsb"; depth:21; endswith; nocase; http.host; content:"bandgarms.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824445/; classtype:trojan-activity;sid:84687545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dgsoafyjkxroatiqswnz"; depth:21; endswith; nocase; http.host; content:"bandgarms.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824446/; classtype:trojan-activity;sid:84687546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824444)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"forest-walk1.rav2piren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824444/; classtype:trojan-activity;sid:84687544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.94.76.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824443/; classtype:trojan-activity;sid:84687543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-water6.lom5terax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824442/; classtype:trojan-activity;sid:84687542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.90.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824441/; classtype:trojan-activity;sid:84687541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amvefrray/triageisusck/-/raw/main/l7xh7ur9695u.exe"; depth:51; endswith; nocase; 
http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824440/; classtype:trojan-activity;sid:84687540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-coffee5.lom5terax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824439/; classtype:trojan-activity;sid:84687539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image222.png"; depth:13; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824438/; classtype:trojan-activity;sid:84687538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.10.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824437/; classtype:trojan-activity;sid:84687537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.1.26.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824436/; classtype:trojan-activity;sid:84687536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3824435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"baked-pizza4.lom5terax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824435/; classtype:trojan-activity;sid:84687535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.113.204.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824434/; classtype:trojan-activity;sid:84687534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ycl"; depth:4; endswith; nocase; http.host; content:"91.92.241.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824433/; classtype:trojan-activity;sid:84687533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.76.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824432/; classtype:trojan-activity;sid:84687532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service"; depth:8; endswith; nocase; http.host; content:"91.92.241.242"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824430/; classtype:trojan-activity;sid:84687530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"91.92.241.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824431/; classtype:trojan-activity;sid:84687531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-salad3.lom5terax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824429/; classtype:trojan-activity;sid:84687529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.25.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824428/; classtype:trojan-activity;sid:84687528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-potato2.lom5terax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824427/; classtype:trojan-activity;sid:84687527; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-tomato1.lom5terax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824426/; classtype:trojan-activity;sid:84687526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"done-task6.kiv5leren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824425/; classtype:trojan-activity;sid:84687525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8028208931/ct38lcc.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824424/; classtype:trojan-activity;sid:84687524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8757285646/4hzdw0t.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824423/; classtype:trojan-activity;sid:84687523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824422)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.25.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824422/; classtype:trojan-activity;sid:84687522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"long-way5.kiv5leren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824421/; classtype:trojan-activity;sid:84687521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.49.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824420/; classtype:trojan-activity;sid:84687520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824419/; classtype:trojan-activity;sid:84687519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pack-unit4.kiv5leren.in.net"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824418/; classtype:trojan-activity;sid:84687518; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Reading the rules below: each one alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET, client
# side of an established flow. The http.uri content carries depth equal to the string length plus
# endswith (nocase), and the http.host content carries depth equal to the string length plus
# isdataat:!1,relative, so both buffers must equal the listed values rather than merely contain them.
# The action is alert, so these rules report the request and do not drop it.
# They inspect parsed HTTP only: the same URL fetched inside TLS is not matched unless the traffic
# is decrypted before it reaches the sensor.
# The number in msg and in reference:url is the URLhaus entry to open when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main_x86_64"; depth:19; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824417/; classtype:trojan-activity;sid:84687517; rev:1;)
# The ".google" rules in this listing share one long URI path and differ only in the host, each
# pinned to a single subdomain of kiv5leren.in.net or tav9dorim.in.net. A subdomain that is not
# listed will not alert; searching HTTP logs for the shared URI path covers that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-ship3.kiv5leren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824416/; classtype:trojan-activity;sid:84687516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mail-box2.kiv5leren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824415/; classtype:trojan-activity;sid:84687515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"post-card1.kiv5leren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824414/; classtype:trojan-activity;sid:84687514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.75.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824413/; classtype:trojan-activity;sid:84687513; rev:1;)
# Two payload paths on the same host (41.32.249.165), one rule per path.
# NOTE(review): the file names suggest Mozi-family payloads; that is inferred from the names only,
# so confirm on the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824411/; classtype:trojan-activity;sid:84687511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824412/; classtype:trojan-activity;sid:84687512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-tree6.tav9dorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824410/; classtype:trojan-activity;sid:84687509; rev:1;)
# In the next rule |3f| is the hex escape for "?", so the content is 36 bytes long while depth is 39
# (the length of the escaped text). With endswith the URI must still end in this string, but up to
# three bytes may precede it, so this rule is slightly looser than an exact URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php|3f|q=spd6tejq1n0nrmnkxaq"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824409/; classtype:trojan-activity;sid:84687509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.43.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824408/; classtype:trojan-activity;sid:84687508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-wind5.tav9dorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824407/; classtype:trojan-activity;sid:84687507; rev:1;)
# Short, generic paths such as "/i", "/bot" and "/bin.sh" are specific only in combination with the
# exact host match. The hosts are bare IP addresses, and an address can change hands after the
# created_at date, so treat an old hit as a lead to verify rather than as proof of compromise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"13.60.36.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824405/; classtype:trojan-activity;sid:84687505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.12.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824406/; classtype:trojan-activity;sid:84687506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824404/; classtype:trojan-activity;sid:84687504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.pl"; depth:7; endswith; nocase; http.host; content:"31.57.243.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824403/; classtype:trojan-activity;sid:84687503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.sakura"; depth:15; endswith; nocase; http.host; content:"192.241.155.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824402/; classtype:trojan-activity;sid:84687502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.49.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824401/; classtype:trojan-activity;sid:84687501; rev:1;)
# (The line below is the start of a rule that continues on the next line of this listing.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google";
depth:82; endswith; nocase; http.host; content:"warm-sun4.tav9dorim.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824400/; classtype:trojan-activity;sid:84687500; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Reading the rules below: each one alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed string (depth = string length, endswith, nocase) and whose http.host
# equals the listed value (depth = string length, isdataat:!1,relative). The action is alert, not
# drop. Only parsed HTTP is inspected, so the same URL fetched inside TLS is not matched unless the
# traffic is decrypted before it reaches the sensor.
#
# Most rules in this stretch share the URI "/files/favff4v3.exe" and differ only in the host. Each
# rule pins one exact host, so a host that is not listed will not alert; searching HTTP logs for the
# URI itself covers that gap.
# Several hosts occur twice with the same URI under different URLhaus IDs and sids, for example
# mygoodblog.bond (sid 84687487 and 84687471), brukva.shop (84687491 and 84687477),
# myverifhouse.sbs (84687473 and 84687476) and allplanetssame.cfd (84687474 and 84687480). One
# request to such a host raises two alerts, so deduplicate on host and URI downstream instead of
# counting alerts.
# NOTE(review): the paired URLhaus entries presumably differ in something these rules do not encode,
# such as scheme or port; confirm on the referenced entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"bigblograin.bond"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824397/; classtype:trojan-activity;sid:84687497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mygoodblog.sbs"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824398/; classtype:trojan-activity;sid:84687498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mygoodblog.cyou"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824399/; classtype:trojan-activity;sid:84687499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824396/; classtype:trojan-activity;sid:84687496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"beacon-mysummitfcu.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824395/; classtype:trojan-activity;sid:84687495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"productionmaza.sbs"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824393/; classtype:trojan-activity;sid:84687493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"158.94.210.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824394/; classtype:trojan-activity;sid:84687494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"goodgoodmoon.bond"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824386/; classtype:trojan-activity;sid:84687486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mygoodblog.bond"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824387/; classtype:trojan-activity;sid:84687487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"biggestchlen.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824388/; classtype:trojan-activity;sid:84687488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"krempie.xyz"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824389/; classtype:trojan-activity;sid:84687489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"bigbadwolf.click"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824390/; classtype:trojan-activity;sid:84687490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"brukva.shop"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824391/; classtype:trojan-activity;sid:84687491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"bestwebchlen.cyou"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824392/; classtype:trojan-activity;sid:84687492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"microblob.bond"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824370/; classtype:trojan-activity;sid:84687470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mygoodblog.bond"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824371/; classtype:trojan-activity;sid:84687471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"sirata.asia"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824372/; classtype:trojan-activity;sid:84687472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"myverifhouse.sbs"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824373/; classtype:trojan-activity;sid:84687473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"allplanetssame.cfd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824374/; classtype:trojan-activity;sid:84687474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mrazotalog.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824375/; classtype:trojan-activity;sid:84687475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"myverifhouse.sbs"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824376/; classtype:trojan-activity;sid:84687476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"brukva.shop"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824377/; classtype:trojan-activity;sid:84687477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"productionmaza.cyou"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824378/; classtype:trojan-activity;sid:84687478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"antongandon.club"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824379/; classtype:trojan-activity;sid:84687479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"allplanetssame.cfd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824380/; classtype:trojan-activity;sid:84687480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"bigboysclub.cyou"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824381/; classtype:trojan-activity;sid:84687481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"productionmaza.cfd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824382/; classtype:trojan-activity;sid:84687482; rev:1;)
# (The line below is the start of a rule that continues on the next line of this listing.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824383)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"cloudflare-check.cfd"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824383/; classtype:trojan-activity;sid:84687483; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Reading the rules below: each one alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed string (depth = string length, endswith, nocase) and whose http.host
# equals the listed value (depth = string length, isdataat:!1,relative). The action is alert, not
# drop. Only parsed HTTP is inspected, so the same URL fetched inside TLS is not matched unless the
# traffic is decrypted before it reaches the sensor.
#
# Most rules in this stretch share the URI "/files/favff4v3.exe" and differ only in the host. Each
# rule pins one exact host, so a host that is not listed will not alert; searching HTTP logs for the
# URI itself covers that gap.
# Several hosts occur twice with the same URI under different URLhaus IDs and sids, for example
# mybiggestjoy.bond (sid 84687449 and 84687452), mymicroblog.lat (84687450 and 84687456),
# denegnet.click (84687454 and 84687467), blatnoitovar.xyz (84687455 and 84687460),
# diddyparty.click (84687457 and 84687466) and etokrol.lol (84687458 and 84687464). One request to
# such a host raises two alerts, so deduplicate on host and URI downstream instead of counting
# alerts.
# NOTE(review): the paired URLhaus entries presumably differ in something these rules do not encode,
# such as scheme or port; confirm on the referenced entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"myverifyblog.sbs"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824384/; classtype:trojan-activity;sid:84687484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"158.94.210.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824385/; classtype:trojan-activity;sid:84687485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mybiggestjoy.bond"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824349/; classtype:trojan-activity;sid:84687449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mymicroblog.lat"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824350/; classtype:trojan-activity;sid:84687450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"cloudflare-check.cfd"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824351/; classtype:trojan-activity;sid:84687451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mybiggestjoy.bond"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824352/; classtype:trojan-activity;sid:84687452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mrazotalog.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824353/; classtype:trojan-activity;sid:84687453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"denegnet.click"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824354/; classtype:trojan-activity;sid:84687454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"blatnoitovar.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824355/; classtype:trojan-activity;sid:84687455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"mymicroblog.lat"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824356/; classtype:trojan-activity;sid:84687456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"diddyparty.click"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824357/; classtype:trojan-activity;sid:84687457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"etokrol.lol"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824358/; classtype:trojan-activity;sid:84687458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"bigboysclub.cyou"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824359/; classtype:trojan-activity;sid:84687459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"blatnoitovar.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824360/; classtype:trojan-activity;sid:84687460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"merengagoi.bond"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824361/; classtype:trojan-activity;sid:84687461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"myverifyblog.sbs"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824362/; classtype:trojan-activity;sid:84687462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"productionmaza.cyou"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824363/; classtype:trojan-activity;sid:84687463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"etokrol.lol"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824364/; classtype:trojan-activity;sid:84687464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"gooddogshop.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824365/; classtype:trojan-activity;sid:84687465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"diddyparty.click"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824366/; classtype:trojan-activity;sid:84687466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"denegnet.click"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824367/; classtype:trojan-activity;sid:84687467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"productionmaza.cfd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824368/; classtype:trojan-activity;sid:84687468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"blobtop.sbs"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824369/; classtype:trojan-activity;sid:84687469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-rain3.tav9dorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824348/; classtype:trojan-activity;sid:84687448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.252.159.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824347/; classtype:trojan-activity;sid:84687447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.221.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824346/; classtype:trojan-activity;sid:84687446; rev:1;)
# (The line below is the start of a rule that continues on the next line of this listing.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.42.111.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url,
urlhaus.abuse.ch/url/3824342/; classtype:trojan-activity;sid:84687442; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Reading the rules below: each one alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed string (depth = string length, endswith, nocase) and whose http.host
# equals the listed value (depth = string length, isdataat:!1,relative). The action is alert, not
# drop. Only parsed HTTP is inspected, so the same URL fetched inside TLS is not matched unless the
# traffic is decrypted before it reaches the sensor.
#
# The URIs in this stretch are short and generic ("/i", "/bin.sh"); they are specific only in
# combination with the exact host match. The hosts are bare IP addresses, and an address can change
# hands after the created_at date, so treat an old hit as a lead to verify rather than as proof of
# compromise.
# Some addresses are listed with both paths, one rule per path: 179.42.111.45 (sid 84687442 for
# "/bin.sh", 84687434 for "/i") and 124.235.251.38 (84687445 for "/i", 84687436 for "/bin.sh").
# When one of a pair fires, check the same client for requests to the other path on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.128.64.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824343/; classtype:trojan-activity;sid:84687443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.94.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824344/; classtype:trojan-activity;sid:84687444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.251.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824345/; classtype:trojan-activity;sid:84687445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824340/; classtype:trojan-activity;sid:84687440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.64.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824341/; classtype:trojan-activity;sid:84687441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.139.213.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824338/; classtype:trojan-activity;sid:84687438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-sky2.tav9dorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824339/; classtype:trojan-activity;sid:84687439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.74.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824337/; classtype:trojan-activity;sid:84687437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.232.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824327/; classtype:trojan-activity;sid:84687427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.27.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824328/; classtype:trojan-activity;sid:84687428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.94.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824329/; classtype:trojan-activity;sid:84687429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.31.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824330/; classtype:trojan-activity;sid:84687430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.101.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824331/; classtype:trojan-activity;sid:84687431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.144.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824332/; classtype:trojan-activity;sid:84687432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.7.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824333/; classtype:trojan-activity;sid:84687433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.42.111.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824334/; classtype:trojan-activity;sid:84687434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.225.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824335/; classtype:trojan-activity;sid:84687435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.235.251.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824336/; classtype:trojan-activity;sid:84687436; rev:1;)
# (The line below is the start of a rule that continues on the next line of this listing.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.99.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824326/;
classtype:trojan-activity;sid:84687426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.226.83.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824325/; classtype:trojan-activity;sid:84687425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.191.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824324/; classtype:trojan-activity;sid:84687424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.113.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824317/; classtype:trojan-activity;sid:84687417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.200.237.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824318/; classtype:trojan-activity;sid:84687418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.39.77"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824319/; classtype:trojan-activity;sid:84687419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.60.176.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824320/; classtype:trojan-activity;sid:84687420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.33.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824321/; classtype:trojan-activity;sid:84687421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.47.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824322/; classtype:trojan-activity;sid:84687422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.172.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824323/; classtype:trojan-activity;sid:84687423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.87.171.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824316/; classtype:trojan-activity;sid:84687416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.241.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824315/; classtype:trojan-activity;sid:84687415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.248.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824311/; classtype:trojan-activity;sid:84687411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.39.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824312/; classtype:trojan-activity;sid:84687412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.248.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824313/; classtype:trojan-activity;sid:84687413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824314)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.150.107.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824314/; classtype:trojan-activity;sid:84687414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.164.179.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824299/; classtype:trojan-activity;sid:84687399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.7.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824300/; classtype:trojan-activity;sid:84687400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.234.154.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824301/; classtype:trojan-activity;sid:84687401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.5.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824302/; classtype:trojan-activity;sid:84687402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3824303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.34.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824303/; classtype:trojan-activity;sid:84687403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.255.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824304/; classtype:trojan-activity;sid:84687404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.246.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824305/; classtype:trojan-activity;sid:84687405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.101.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824306/; classtype:trojan-activity;sid:84687406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.247.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824307/; classtype:trojan-activity;sid:84687407; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.169.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824308/; classtype:trojan-activity;sid:84687408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.94.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824309/; classtype:trojan-activity;sid:84687409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.60.176.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824310/; classtype:trojan-activity;sid:84687410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.130.24.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824298/; classtype:trojan-activity;sid:84687398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824297/; classtype:trojan-activity;sid:84687397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.128.64.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824296/; classtype:trojan-activity;sid:84687396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.241.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824292/; classtype:trojan-activity;sid:84687392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.252.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824293/; classtype:trojan-activity;sid:84687393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.244.223.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824294/; classtype:trojan-activity;sid:84687394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.232.2"; 
depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824295/; classtype:trojan-activity;sid:84687395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.27.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824285/; classtype:trojan-activity;sid:84687385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824286/; classtype:trojan-activity;sid:84687386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.102.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824287/; classtype:trojan-activity;sid:84687387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.245.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824288/; classtype:trojan-activity;sid:84687388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"45.164.179.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824289/; classtype:trojan-activity;sid:84687389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.174.246.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824290/; classtype:trojan-activity;sid:84687390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.217.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824291/; classtype:trojan-activity;sid:84687391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.94.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824283/; classtype:trojan-activity;sid:84687383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.119.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824284/; classtype:trojan-activity;sid:84687384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824276)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.210.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824276/; classtype:trojan-activity;sid:84687376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824277/; classtype:trojan-activity;sid:84687377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.175.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824278/; classtype:trojan-activity;sid:84687378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"98.167.107.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824279/; classtype:trojan-activity;sid:84687379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.31.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824280/; classtype:trojan-activity;sid:84687380; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.83.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824281/; classtype:trojan-activity;sid:84687381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.172.186.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824282/; classtype:trojan-activity;sid:84687382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.227.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824274/; classtype:trojan-activity;sid:84687374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.103.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824275/; classtype:trojan-activity;sid:84687375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.227.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824273/; classtype:trojan-activity;sid:84687373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.159.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824269/; classtype:trojan-activity;sid:84687369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.48.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824270/; classtype:trojan-activity;sid:84687370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.203.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824271/; classtype:trojan-activity;sid:84687371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.183.196.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824272/; classtype:trojan-activity;sid:84687372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.70.27"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824265/; classtype:trojan-activity;sid:84687365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.103.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824266/; classtype:trojan-activity;sid:84687366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824267/; classtype:trojan-activity;sid:84687367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.153.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824268/; classtype:trojan-activity;sid:84687368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.8.35"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824264/; classtype:trojan-activity;sid:84687364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824262)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-water1.tav9dorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824262/; classtype:trojan-activity;sid:84687362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.206.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824263/; classtype:trojan-activity;sid:84687363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824261/; classtype:trojan-activity;sid:84687361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.119.164.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824259/; classtype:trojan-activity;sid:84687359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.226.83.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824260/; classtype:trojan-activity;sid:84687360; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.210.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824257/; classtype:trojan-activity;sid:84687357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824258/; classtype:trojan-activity;sid:84687358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.153.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824256/; classtype:trojan-activity;sid:84687356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824255/; classtype:trojan-activity;sid:84687355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"join-list6.vym2siren.in.net"; 
depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824254/; classtype:trojan-activity;sid:84687354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.43.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824253/; classtype:trojan-activity;sid:84687353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meet-point5.vym2siren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824252/; classtype:trojan-activity;sid:84687352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"office-hour4.vym2siren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824251/; classtype:trojan-activity;sid:84687351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6493278841/kglqns8.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824250/; 
classtype:trojan-activity;sid:84687350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.91.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824249/; classtype:trojan-activity;sid:84687349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"staff-only3.vym2siren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824248/; classtype:trojan-activity;sid:84687348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.220.58.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824247/; classtype:trojan-activity;sid:84687347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.76.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824246/; classtype:trojan-activity;sid:84687346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824245)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"group-chat2.vym2siren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824245/; classtype:trojan-activity;sid:84687345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.105.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824244/; classtype:trojan-activity;sid:84687344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-work1.vym2siren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824243/; classtype:trojan-activity;sid:84687343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.153.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824242/; classtype:trojan-activity;sid:84687342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.70.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; 
reference:url, urlhaus.abuse.ch/url/3824241/; classtype:trojan-activity;sid:84687341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.122.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824240/; classtype:trojan-activity;sid:84687340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"free-card6.nuv7porel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824239/; classtype:trojan-activity;sid:84687339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.91.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824238/; classtype:trojan-activity;sid:84687338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/oblivora/random.exe"; depth:26; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824237/; classtype:trojan-activity;sid:84687337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824236)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.80.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824236/; classtype:trojan-activity;sid:84687336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stock-item5.nuv7porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824235/; classtype:trojan-activity;sid:84687335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.76.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824234/; classtype:trojan-activity;sid:84687334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-price4.nuv7porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824233/; classtype:trojan-activity;sid:84687333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.157.55"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824232/; classtype:trojan-activity;sid:84687332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/courageme/mailbox-agent.exe"; depth:28; endswith; nocase; http.host; content:"thecowardlydog.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824231/; classtype:trojan-activity;sid:84687331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824230/; classtype:trojan-activity;sid:84687330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.220.58.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824229/; classtype:trojan-activity;sid:84687329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"promo-code3.nuv7porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824228/; classtype:trojan-activity;sid:84687328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.105.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824227/; classtype:trojan-activity;sid:84687327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.80.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824226/; classtype:trojan-activity;sid:84687326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"super-sale2.nuv7porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824225/; classtype:trojan-activity;sid:84687325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gift-shop1.nuv7porel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824224/; classtype:trojan-activity;sid:84687324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.49.241.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824223/; classtype:trojan-activity;sid:84687323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.153.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824222/; classtype:trojan-activity;sid:84687322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-place6.zav3liten.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824221/; classtype:trojan-activity;sid:84687321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest-room5.zav3liten.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824220/; classtype:trojan-activity;sid:84687320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"side-door4.zav3liten.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824219/; classtype:trojan-activity;sid:84687319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-floor3.zav3liten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824218/; classtype:trojan-activity;sid:84687318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"back-yard2.zav3liten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824217/; classtype:trojan-activity;sid:84687317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.241.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824216/; classtype:trojan-activity;sid:84687316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.153.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824215/; classtype:trojan-activity;sid:84687315; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-hall1.zav3liten.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824214/; classtype:trojan-activity;sid:84687314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.15.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824213/; classtype:trojan-activity;sid:84687313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"old-library6.qim8dorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824212/; classtype:trojan-activity;sid:84687312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.28.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824211/; classtype:trojan-activity;sid:84687311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824210)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"new-author5.qim8dorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824210/; classtype:trojan-activity;sid:84687310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-seller4.qim8dorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824209/; classtype:trojan-activity;sid:84687309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.150.21.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824208/; classtype:trojan-activity;sid:84687308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-number3.qim8dorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824207/; classtype:trojan-activity;sid:84687307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824206)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"read-more2.qim8dorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824206/; classtype:trojan-activity;sid:84687306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.234.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824205/; classtype:trojan-activity;sid:84687305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.169.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824204/; classtype:trojan-activity;sid:84687304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.234.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824203/; classtype:trojan-activity;sid:84687303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-book1.qim8dorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824202/; classtype:trojan-activity;sid:84687302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cool-drink6.bov1serin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824201/; classtype:trojan-activity;sid:84687301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.252.211.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824200/; classtype:trojan-activity;sid:84687300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-juice5.bov1serin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824199/; classtype:trojan-activity;sid:84687299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.161.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824198/; classtype:trojan-activity;sid:84687298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3824197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.9.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824197/; classtype:trojan-activity;sid:84687297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-cake4.bov1serin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824196/; classtype:trojan-activity;sid:84687296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.125.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824195/; classtype:trojan-activity;sid:84687295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tasty-dish3.bov1serin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824194/; classtype:trojan-activity;sid:84687294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824193)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-meal2.bov1serin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824193/; classtype:trojan-activity;sid:84687293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.172.186.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824192/; classtype:trojan-activity;sid:84687292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-food1.bov1serin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824191/; classtype:trojan-activity;sid:84687291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"live-stream6.dex6laper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824190/; classtype:trojan-activity;sid:84687290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.55.9.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824189/; classtype:trojan-activity;sid:84687289; rev:1;)
# Shape of every entry below: an outbound ($HOME_NET -> $EXTERNAL_NET) HTTP GET whose http.uri
# and http.host each equal the listed string in full (depth equals the content length, and
# endswith / isdataat:!1,relative forbid trailing bytes; the URI is compared with nocase).
# A different path, an appended query string or another hostname is therefore not matched.
# These are "alert http" rules, so only traffic the sensor parses as HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.252.211.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824188/; classtype:trojan-activity;sid:84687288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hot-topic5.dex6laper.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824187/; classtype:trojan-activity;sid:84687287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.172.186.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824186/; classtype:trojan-activity;sid:84687286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"weather-post4.dex6laper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824185/; classtype:trojan-activity;sid:84687285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sport-match3.dex6laper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824184/; classtype:trojan-activity;sid:84687284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-press2.dex6laper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824183/; classtype:trojan-activity;sid:84687283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.254.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824182/; classtype:trojan-activity;sid:84687282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.169.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824181/; classtype:trojan-activity;sid:84687281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-news1.dex6laper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824180/; classtype:trojan-activity;sid:84687280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.129.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824179/; classtype:trojan-activity;sid:84687279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.179.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824178/; classtype:trojan-activity;sid:84687278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/hb/img_193055.png"; depth:22; endswith; nocase; http.host; content:"192.3.122.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824177/; classtype:trojan-activity;sid:84687277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.153.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; 
reference:url, urlhaus.abuse.ch/url/3824176/; classtype:trojan-activity;sid:84687276; rev:1;)
# Several hosts in this stretch are listed twice, once for "/i" and once for "/bin.sh"
# (42.239.188.6, 36.69.84.241, 14.157.83.132). Each pairing carries its own sid, so activity
# towards one host can surface under two signature ids; group alerts by Host when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.188.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824174/; classtype:trojan-activity;sid:84687274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.69.84.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824175/; classtype:trojan-activity;sid:84687275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.129.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824173/; classtype:trojan-activity;sid:84687273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.179.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824172/; classtype:trojan-activity;sid:84687272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.212.150.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824171/; classtype:trojan-activity;sid:84687271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.157.83.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824170/; classtype:trojan-activity;sid:84687270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-park6.pov4daren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824169/; classtype:trojan-activity;sid:84687269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.154.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824168/; classtype:trojan-activity;sid:84687268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"14.157.83.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824167/; classtype:trojan-activity;sid:84687267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gas-station5.pov4daren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824166/; classtype:trojan-activity;sid:84687266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.140.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824164/; classtype:trojan-activity;sid:84687264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.188.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824165/; classtype:trojan-activity;sid:84687265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.69.84.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824163/; classtype:trojan-activity;sid:84687263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"auto-parts4.pov4daren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824162/; classtype:trojan-activity;sid:84687262; rev:1;)
# The address or name in http.host is compared with the hostname the client put in the
# request; the rule header leaves the destination as "$EXTERNAL_NET any". When triaging a
# hit, check the flow's actual destination IP and port as well as the matched Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"road-trip3.pov4daren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824161/; classtype:trojan-activity;sid:84687261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.245.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824159/; classtype:trojan-activity;sid:84687259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.34.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824160/; classtype:trojan-activity;sid:84687260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.18.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824158/; classtype:trojan-activity;sid:84687258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-drive2.pov4daren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824157/; classtype:trojan-activity;sid:84687257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"car-rental1.pov4daren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824156/; classtype:trojan-activity;sid:84687256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.154.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824155/; classtype:trojan-activity;sid:84687255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-player6.kym7sarel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824154/; classtype:trojan-activity;sid:84687254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sound-track5.kym7sarel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824153/; classtype:trojan-activity;sid:84687253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stub.txt"; depth:9; endswith; nocase; http.host; content:"85.215.159.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824152/; classtype:trojan-activity;sid:84687252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.135.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824151/; classtype:trojan-activity;sid:84687251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.245.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824150/; classtype:trojan-activity;sid:84687250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"video-clip4.kym7sarel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824149/; classtype:trojan-activity;sid:84687249; rev:1;)
# metadata:created_at (2026_04_17 on these entries) is the only age information a rule
# carries and nothing in the rule expires it; retiring entries for hosts that are no longer
# serving the reported URL depends on reloading a fresh copy of the ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"picture-book3.kym7sarel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824148/; classtype:trojan-activity;sid:84687248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.28.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824147/; classtype:trojan-activity;sid:84687247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"image-zoom2.kym7sarel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824146/; classtype:trojan-activity;sid:84687246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.230.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824145/; classtype:trojan-activity;sid:84687245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"photo-frame1.kym7sarel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824144/; classtype:trojan-activity;sid:84687244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.135.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824143/; classtype:trojan-activity;sid:84687243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ventrilo.exe"; depth:13; endswith; nocase; http.host; content:"64.89.163.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824142/; classtype:trojan-activity;sid:84687242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-door6.tov2liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824141/; classtype:trojan-activity;sid:84687241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"water-pipe5.tov2liren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824140/; classtype:trojan-activity;sid:84687240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.50.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824139/; classtype:trojan-activity;sid:84687239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"garden-view4.tov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824138/; classtype:trojan-activity;sid:84687238; rev:1;)
# 3824136 and 3824137 cover the same "/install.ps1" path on two different hostnames. msg and
# classtype are the same generic values on every entry, so what a given URL delivered has to
# be looked up through its reference URL rather than read from the alert text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1"; depth:12; endswith; nocase; http.host; content:"gemini-console.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824136/; classtype:trojan-activity;sid:84687236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1"; depth:12; endswith; nocase; 
http.host; content:"install-claude.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824137/; classtype:trojan-activity;sid:84687237; rev:1;)
# File names in the URI are not a signal on their own: 3824134 (".png") and 3824133
# ("screenconnect.clientsetup.exe") alert only when the Host also equals the listed name, and
# no rule here inspects the response, so the delivered content type is not verified.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.12.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824135/; classtype:trojan-activity;sid:84687235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefre9003.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824134/; classtype:trojan-activity;sid:84687234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screenconnect.clientsetup.exe"; depth:30; endswith; nocase; http.host; content:"connect.kexlore.cfd"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824133/; classtype:trojan-activity;sid:84687233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"repair-work3.tov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824132/; classtype:trojan-activity;sid:84687232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.230.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824131/; classtype:trojan-activity;sid:84687231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.39.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824130/; classtype:trojan-activity;sid:84687230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-house2.tov2liren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824129/; classtype:trojan-activity;sid:84687229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.39.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824128/; classtype:trojan-activity;sid:84687228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-service1.tov2liren.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824127/; classtype:trojan-activity;sid:84687227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.34.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824126/; classtype:trojan-activity;sid:84687226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"desk-folder6.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824125/; classtype:trojan-activity;sid:84687225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.12.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824124/; classtype:trojan-activity;sid:84687224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"glue-stick5.syl5peran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824123/; classtype:trojan-activity;sid:84687223; rev:1;)
# The 82-byte URI is byte-for-byte the same on every *.in.net entry in this stretch; only the
# hostname differs (numbered labels under syl5peran.in.net and rav8doxel.in.net). Because each
# rule pins the full Host, a hostname not yet reported is not covered by these entries;
# whether to add a local rule on the shared URI alone is a site tuning decision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"white-board4.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824122/; classtype:trojan-activity;sid:84687222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"black-marker3.syl5peran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824121/; classtype:trojan-activity;sid:84687221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pencil-case2.syl5peran.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824120/; classtype:trojan-activity;sid:84687220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824119/; classtype:trojan-activity;sid:84687219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"office-paper1.syl5peran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824118/; classtype:trojan-activity;sid:84687218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.50.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824117/; classtype:trojan-activity;sid:84687217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"local-event6.rav8doxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824116/; classtype:trojan-activity;sid:84687216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trip-advisor5.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824115/; classtype:trojan-activity;sid:84687215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beach-resort4.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824114/; classtype:trojan-activity;sid:84687214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tourist-map3.rav8doxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824113/; classtype:trojan-activity;sid:84687213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.220.145.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824111/; classtype:trojan-activity;sid:84687211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.220.145.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824112/; classtype:trojan-activity;sid:84687212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3824110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.50.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824110/; classtype:trojan-activity;sid:84687210; rev:1;)
# flow:established,from_client with method/URI/Host matches means an alert is raised on the
# request alone. A hit shows that an internal client asked for the URL; whether a payload came
# back has to be confirmed from the HTTP response (status, size) or from the endpoint itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hotel-booking2.rav8doxel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824109/; classtype:trojan-activity;sid:84687209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-guide1.rav8doxel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824108/; classtype:trojan-activity;sid:84687208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"final-grade6.mox3terin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824107/; classtype:trojan-activity;sid:84687207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"70.31.230.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824106/; classtype:trojan-activity;sid:84687206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"130.0.45.163"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824105/; classtype:trojan-activity;sid:84687205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"class-report5.mox3terin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824104/; classtype:trojan-activity;sid:84687204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"study-material4.mox3terin.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824103/; classtype:trojan-activity;sid:84687203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"online-course3.mox3terin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824102/; classtype:trojan-activity;sid:84687202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.153.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824101/; classtype:trojan-activity;sid:84687201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.11.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824100/; classtype:trojan-activity;sid:84687200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"student-form2.mox3terin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824099/; classtype:trojan-activity;sid:84687199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"public-lesson1.mox3terin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824098/; classtype:trojan-activity;sid:84687198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"byteash.chain-sinusit.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824097/; classtype:trojan-activity;sid:84687197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"130.0.45.163"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824096/; classtype:trojan-activity;sid:84687196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu4nt-panel.chain-sinusit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824095/; classtype:trojan-activity;sid:84687195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.192.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824094/; 
classtype:trojan-activity;sid:84687194; rev:1;)
# Two patterns recur in the rules below: one long fixed path requested from many
# subdomains of a few .in.net parent domains (here chain-sinusit and
# fortene7vous), and the short paths /i and /bin.sh requested from bare IPv4 hosts.
# Every rule pins one exact host + path pair (depth + endswith on http.uri,
# depth + isdataat:!1,relative on http.host), so coverage is limited to URLs that
# URLhaus has already listed. The shared path and the parent domains are useful
# pivots when searching proxy or DNS logs for related activity.
# The action is alert: a match is logged and the traffic is not dropped.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.19.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824093/; classtype:trojan-activity;sid:84687193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arraynotifier.chain-sinusit.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824092/; classtype:trojan-activity;sid:84687192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"28mp.chain-sinusit.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824091/; classtype:trojan-activity;sid:84687191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.230.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824090/; classtype:trojan-activity;sid:84687190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jhknytxr.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824089/; classtype:trojan-activity;sid:84687189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.169.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824088/; classtype:trojan-activity;sid:84687188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"densefro.chain-sinusit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824087/; classtype:trojan-activity;sid:84687187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.222.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824086/; classtype:trojan-activity;sid:84687186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"167lo.fortene7vous.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824085/; classtype:trojan-activity;sid:84687185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.24.231"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824084/; classtype:trojan-activity;sid:84687184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qpp9.fortene7vous.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824083/; classtype:trojan-activity;sid:84687183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.19.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824082/; classtype:trojan-activity;sid:84687182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"torr3nt-layer.fortene7vous.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824081/; classtype:trojan-activity;sid:84687181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.99.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824080/; classtype:trojan-activity;sid:84687180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.156.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824079/; classtype:trojan-activity;sid:84687179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"star-ring.fortene7vous.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824078/; classtype:trojan-activity;sid:84687178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.230.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824077/; classtype:trojan-activity;sid:84687177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-cov.fortene7vous.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824076/; classtype:trojan-activity;sid:84687176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.222.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824075/; classtype:trojan-activity;sid:84687175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.64.242.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824074/; classtype:trojan-activity;sid:84687174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.24.231"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824073/; classtype:trojan-activity;sid:84687173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spedus.fortene7vous.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; 
reference:url, urlhaus.abuse.ch/url/3824072/; classtype:trojan-activity;sid:84687172; rev:1;)
# Signature shape used by every rule below: an outbound GET whose http.uri equals
# the listed path (depth + endswith, nocase) and whose http.host equals the
# listed host (depth + isdataat:!1,relative).
# NOTE(review): the http.host patterns are lowercase and carry no port; confirm
# how the deployed Suricata version fills http.host when the Host header
# includes a port.
# metadata:created_at is 2026_04_17 for every rule here. Indicators of this kind
# age quickly, so reload the ruleset from the feed on a schedule rather than
# keeping a static copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vvood-forge.savor-woman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824071/; classtype:trojan-activity;sid:84687171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"393llqb.savor-woman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824070/; classtype:trojan-activity;sid:84687170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kel-venor.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824069/; classtype:trojan-activity;sid:84687169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scalesign.savor-woman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824068/; classtype:trojan-activity;sid:84687168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-4uth.savor-woman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824067/; classtype:trojan-activity;sid:84687167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"175.107.205.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824066/; classtype:trojan-activity;sid:84687166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"norlithix3.savor-woman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824065/; classtype:trojan-activity;sid:84687165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"491ptjh.multi5ardina.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824064/; classtype:trojan-activity;sid:84687164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824063/; classtype:trojan-activity;sid:84687163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pa5tu-drive.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824062/; classtype:trojan-activity;sid:84687162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.246.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824061/; classtype:trojan-activity;sid:84687161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fernretai.multi5ardina.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824060/; classtype:trojan-activity;sid:84687160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3824059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824059/; classtype:trojan-activity;sid:84687159; rev:1;)
# The rule completed on the line above and every rule below target the single
# host 45.135.193.114 under /bins/. The file names resemble Linux kernel thread
# names (kswapd0, ksoftirqd0, kworker_u8, ...); presumably chosen to blend into a
# process list - verify against the URLhaus entries.
# Triage hint: when one of these rules fires, check the requesting host for a
# userland process carrying one of these names.
# Each rule is an exact host + path match on an outbound plain-HTTP GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824049/; classtype:trojan-activity;sid:84687149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824050/; classtype:trojan-activity;sid:84687150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824051/; classtype:trojan-activity;sid:84687151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824052/; classtype:trojan-activity;sid:84687152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824053/; classtype:trojan-activity;sid:84687153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polyd"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824054/; classtype:trojan-activity;sid:84687154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824055/; classtype:trojan-activity;sid:84687155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824056/; classtype:trojan-activity;sid:84687156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824057/; classtype:trojan-activity;sid:84687157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824058/; classtype:trojan-activity;sid:84687158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824046/; classtype:trojan-activity;sid:84687146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824047/; classtype:trojan-activity;sid:84687147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824048/; classtype:trojan-activity;sid:84687148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3824045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sharpsummit.multi5ardina.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824045/; classtype:trojan-activity;sid:84687145; rev:1;)
# Most rules below target the single host 45.9.156.250 under /bins/, with file
# names whose suffixes look like CPU architecture tags (arm, arm5, arm6, arm7,
# mips, mpsl, m68k, sh4, spc, x86) - presumably one build per architecture of the
# same payload; verify on the URLhaus entries.
# Each rule is an exact host + path match on an outbound plain-HTTP GET. Several
# of these sids firing for one source address may be a stronger signal than a
# single hit, so correlate alerts by client.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.127.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824044/; classtype:trojan-activity;sid:84687144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9waxfs6b.multi5ardina.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824043/; classtype:trojan-activity;sid:84687143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824041/; classtype:trojan-activity;sid:84687141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824042/; classtype:trojan-activity;sid:84687142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824036/; classtype:trojan-activity;sid:84687136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824037/; classtype:trojan-activity;sid:84687137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824038/; classtype:trojan-activity;sid:84687138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824039/; classtype:trojan-activity;sid:84687139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824040/; classtype:trojan-activity;sid:84687140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824034/; classtype:trojan-activity;sid:84687134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824035/; classtype:trojan-activity;sid:84687135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"45.9.156.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824033/; classtype:trojan-activity;sid:84687133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sketc-gate.multi5ardina.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; 
reference:url, urlhaus.abuse.ch/url/3824032/; classtype:trojan-activity;sid:84687132; rev:1;)
# How the match is pinned in every rule of this feed:
#   - http.uri content + depth:N + endswith  -> the content must span the whole
#     URI buffer, i.e. the request URI has to equal the listed path exactly
#     (nocase makes that comparison case-insensitive).
#   - http.host content + depth:N + isdataat:!1,relative -> no byte may follow
#     the match, so the Host value has to equal the listed host exactly.
# A request that adds a query string or uses a different host is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824031/; classtype:trojan-activity;sid:84687131; rev:1;)
# NOTE(review): the "/05fe317c-.../ck-....google" path below is repeated
# verbatim in many rules of this feed, each under a different *.in.net
# hostname. Every rule covers only its one listed host, so a hostname that has
# not been published yet is not alerted on. When triaging a hit, pivoting on
# the path itself across proxy/HTTP logs shows whether other hosts were used.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velvenor9.expans-homeland.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824030/; classtype:trojan-activity;sid:84687130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.181.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824029/; classtype:trojan-activity;sid:84687129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zme1roui.expans-homeland.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824028/; classtype:trojan-activity;sid:84687128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3824027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solcore0ix.expans-homeland.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824027/; classtype:trojan-activity;sid:84687127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velspire3on.expans-homeland.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824026/; classtype:trojan-activity;sid:84687126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.90.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824025/; classtype:trojan-activity;sid:84687125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fsefumza.expans-homeland.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824024/; classtype:trojan-activity;sid:84687124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3824023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824023/; classtype:trojan-activity;sid:84687123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.247.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824022/; classtype:trojan-activity;sid:84687122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.23.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824021/; classtype:trojan-activity;sid:84687121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"labeltheory.expans-homeland.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824020/; classtype:trojan-activity;sid:84687120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"solcorear.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824019/; classtype:trojan-activity;sid:84687119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zen-nexos.bo2rdreluct.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824018/; classtype:trojan-activity;sid:84687118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.190.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824017/; classtype:trojan-activity;sid:84687117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.23.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824016/; classtype:trojan-activity;sid:84687116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.123.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824015/; classtype:trojan-activity;sid:84687115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3824014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rtrr.bo2rdreluct.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824014/; classtype:trojan-activity;sid:84687114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824013/; classtype:trojan-activity;sid:84687113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d43mon-field.bo2rdreluct.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824012/; classtype:trojan-activity;sid:84687112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.90.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824011/; classtype:trojan-activity;sid:84687111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824010)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mnwgjp.bo2rdreluct.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824010/; classtype:trojan-activity;sid:84687110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-nirnbl.bo2rdreluct.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824009/; classtype:trojan-activity;sid:84687109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"listeshap.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824008/; classtype:trojan-activity;sid:84687108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ae5z56.red-sticker.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824007/; classtype:trojan-activity;sid:84687107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824006)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.18.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824006/; classtype:trojan-activity;sid:84687106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"castexport.red-sticker.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824005/; classtype:trojan-activity;sid:84687105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"echoblend.red-sticker.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824004/; classtype:trojan-activity;sid:84687104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.211.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824003/; classtype:trojan-activity;sid:84687103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"dynamicsoun.red-sticker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824002/; classtype:trojan-activity;sid:84687102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vaq4sdju.red-sticker.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824001/; classtype:trojan-activity;sid:84687101; rev:1;)
# NOTE(review): the next two rules key on github.com / raw.githubusercontent.com.
# "alert http" only sees requests the sensor can parse as HTTP, so these fire
# when the fetch is made over cleartext http:// or when the sensor sits behind
# TLS decryption. A download made directly over https:// is not visible to
# them; the host is a shared platform, so a TLS SNI match cannot stand in for
# the path. Coverage for that case has to come from proxy or endpoint
# telemetry that records the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/185/raw/refs/heads/main/4/9.json"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824000/; classtype:trojan-activity;sid:84687100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/185/refs/heads/main/4/9.json"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823999/; classtype:trojan-activity;sid:84687099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"174.34.242.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823998/; 
classtype:trojan-activity;sid:84687098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.78.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823997/; classtype:trojan-activity;sid:84687097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.173.90.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823996/; classtype:trojan-activity;sid:84687096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"peakree.dredg8asman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823995/; classtype:trojan-activity;sid:84687095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.223.252.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823994/; classtype:trojan-activity;sid:84687094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"185.9.139.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823993/; classtype:trojan-activity;sid:84687093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.211.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823992/; classtype:trojan-activity;sid:84687092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"roughengine.dredg8asman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823991/; classtype:trojan-activity;sid:84687091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valu-span.dredg8asman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823990/; classtype:trojan-activity;sid:84687090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/3/raw/refs/heads/main/4/8.log"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_04_17; reference:url, urlhaus.abuse.ch/url/3823988/; classtype:trojan-activity;sid:84687088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/3/refs/heads/main/4/7.log"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823989/; classtype:trojan-activity;sid:84687089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/3/raw/refs/heads/main/4/7.log"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823986/; classtype:trojan-activity;sid:84687086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hellenkamau197-gif/3/refs/heads/main/4/8.log"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823987/; classtype:trojan-activity;sid:84687087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lummesh8or.dredg8asman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823985/; classtype:trojan-activity;sid:84687085; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/raw/refs/heads/main/1/4.log"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823984/; classtype:trojan-activity;sid:84687084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/refs/heads/main/1/4.log"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823983/; classtype:trojan-activity;sid:84687083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/refs/heads/main/1/3.log"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823982/; classtype:trojan-activity;sid:84687082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/raw/refs/heads/main/1/3.log"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823981/; classtype:trojan-activity;sid:84687081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823980)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"driv3-array.dredg8asman.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823980/; classtype:trojan-activity;sid:84687080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/thediscordbot/raw/refs/heads/main/dressmakery/discordbot-the-v3.3.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823977/; classtype:trojan-activity;sid:84687077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/dontbeterm/raw/refs/heads/main/renderer/term_dontbe_3.1.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823978/; classtype:trojan-activity;sid:84687078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itzmesultan01/eventpipe/raw/refs/heads/main/src/formats/software_2.6.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823979/; classtype:trojan-activity;sid:84687079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823974)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/naveenkm007/restaurant-management-saas/refs/heads/main/frontend/src/lib/management-restaurant-saas-superinnocent.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823974/; classtype:trojan-activity;sid:84687074; rev:1;)
# NOTE(review): the http.uri content of the next rule carries the
# percent-encoded form "%40" (depth:114 counts it as three bytes). http.uri is
# Suricata's normalized URI buffer; if the sensor's normalization decodes
# "%40" to "@" before matching, this literal can never equal the buffer and the
# request goes unalerted. The "@supabase" spelling appears in this feed only
# under the github.com host (sid 84687067). Confirm against a test capture on
# the deployed sensor; http.uri.raw is the buffer that holds the URI as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/secure-vault/refs/heads/main/node_modules/%40supabase/auth-ui-shared/dist/vault_secure_1.8-beta.2.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823975/; classtype:trojan-activity;sid:84687075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/thediscordbot/refs/heads/main/dressmakery/discordbot-the-v3.3.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823976/; classtype:trojan-activity;sid:84687076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/securevault-password-manager/raw/refs/heads/main/node_modules/typescript/lib/tr/password-manager-secure-vault-v3.7.zip"; depth:131; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823972/; classtype:trojan-activity;sid:84687072; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/securevault-password-manager/refs/heads/main/node_modules/typescript/lib/tr/password-manager-secure-vault-v3.7.zip"; depth:127; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823973/; classtype:trojan-activity;sid:84687073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/secure-vault/raw/refs/heads/main/node_modules/@supabase/auth-ui-shared/dist/vault_secure_1.8-beta.2.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823967/; classtype:trojan-activity;sid:84687067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metasoftia/portforwarder/raw/refs/heads/main/x64/forwarder-port-1.2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823968/; classtype:trojan-activity;sid:84687068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxdag5/gproxy-tool/refs/heads/main/bin/gproxy-tool-v1.7.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823969/; classtype:trojan-activity;sid:84687069; 
rev:1;)
# Every rule below has the same shape: client-to-server HTTP on an established
# flow from $HOME_NET to $EXTERNAL_NET, http.method containing "GET", and an
# exact match on both http.uri and http.host. The uri content is anchored by
# depth (equal to its length) plus endswith, and the host content by depth plus
# isdataat:!1,relative, so any extra byte in either buffer (a query string, a
# different branch or commit ref in the path, another subdomain) is not matched.
# nocase is attached to the uri content only.
# In these rules sid equals the URLhaus id from msg/reference plus 80863100.
# NOTE(review): github.com and raw.githubusercontent.com are normally fetched
# over HTTPS; an "alert http" rule presumably sees those downloads only where
# the sensor inspects decrypted or plaintext HTTP. Confirm sensor placement and
# use proxy/endpoint URL logs for the TLS case; the hostnames alone are shared
# platforms and are not usable as indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/spaceship-mcp/refs/heads/main/src/tools/mcp-spaceship-2.8.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823970/; classtype:trojan-activity;sid:84687070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metasoftia/portforwarder/refs/heads/main/x64/forwarder-port-1.2.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823971/; classtype:trojan-activity;sid:84687071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/dontbeterm/refs/heads/main/renderer/term_dontbe_3.1.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823966/; classtype:trojan-activity;sid:84687066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/thescriptstoroblox/refs/heads/main/gaiter/software-v3.1.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823961/; classtype:trojan-activity;sid:84687061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxdag5/gproxy-tool/raw/refs/heads/main/bin/gproxy-tool-v1.7.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823962/; classtype:trojan-activity;sid:84687062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tursin-xd/thescriptstoroblox/raw/refs/heads/main/gaiter/software-v3.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823963/; classtype:trojan-activity;sid:84687063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/spaceship-mcp/raw/refs/heads/main/src/tools/mcp-spaceship-2.8.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823964/; classtype:trojan-activity;sid:84687064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/restaurant-management-saas/raw/refs/heads/main/frontend/src/lib/management-restaurant-saas-superinnocent.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823965/; classtype:trojan-activity;sid:84687065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itzmesultan01/eventpipe/refs/heads/main/src/formats/software_2.6.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823958/; classtype:trojan-activity;sid:84687058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/smart-tutor/refs/heads/main/src/contexts/tutor_smart_v1.7.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823959/; classtype:trojan-activity;sid:84687059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/smart-tutor/raw/refs/heads/main/src/contexts/tutor_smart_v1.7.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823960/; classtype:trojan-activity;sid:84687060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.78.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823957/; classtype:trojan-activity;sid:84687057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.6.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823956/; classtype:trojan-activity;sid:84687056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.207.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823954/; classtype:trojan-activity;sid:84687054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.6.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823955/; classtype:trojan-activity;sid:84687055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"174.34.242.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823953/; classtype:trojan-activity;sid:84687053; rev:1;)
# Rules in this section with a ".google" URI pin one shared path to several
# *.in.net hostnames; each hostname is matched exactly, so a subdomain that is
# not listed raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"va11-route.nelma-report.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823950/; classtype:trojan-activity;sid:84687050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/was/raw/refs/heads/master/augurship/software-v1.3-beta.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823951/; classtype:trojan-activity;sid:84687051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"opt1-phase.dredg8asman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823952/; classtype:trojan-activity;sid:84687052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"30urtlmu.nelma-report.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823949/; classtype:trojan-activity;sid:84687049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.11.172.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823947/; classtype:trojan-activity;sid:84687047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.198.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823948/; classtype:trojan-activity;sid:84687048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/assslapbattle/raw/refs/heads/main/ontosophy/battle_ass_slap_v2.6.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823936/; classtype:trojan-activity;sid:84687036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sandro-beep/discord-message-forwarder/raw/refs/heads/main/septuplication/discord-forwarder-message-v2.8-beta.3.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823937/; classtype:trojan-activity;sid:84687037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jesusnnc/mtproxy/refs/heads/main/angiosporous/proxy_mt_v2.0.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823938/; classtype:trojan-activity;sid:84687038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-5har.nelma-report.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823939/; classtype:trojan-activity;sid:84687039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/slapbattlesglove/refs/heads/main/backsword/glove_battles_slap_v3.9.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823940/; classtype:trojan-activity;sid:84687040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/lara-weeb/raw/refs/heads/main/bootstrap/cache/lara_weeb_3.9-alpha.2.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823941/; classtype:trojan-activity;sid:84687041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jesusnnc/mtproxy/raw/refs/heads/main/angiosporous/proxy_mt_v2.0.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823942/; classtype:trojan-activity;sid:84687042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-forgeal.nelma-report.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823943/; classtype:trojan-activity;sid:84687043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/assslapbattle/refs/heads/main/ontosophy/battle_ass_slap_v2.6.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823944/; classtype:trojan-activity;sid:84687044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sandro-beep/discord-message-forwarder/refs/heads/main/septuplication/discord-forwarder-message-v2.8-beta.3.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823945/; classtype:trojan-activity;sid:84687045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/lara-weeb/refs/heads/main/bootstrap/cache/lara_weeb_3.9-alpha.2.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823946/; classtype:trojan-activity;sid:84687046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/happyview/refs/heads/master/yow/software_v2.0-beta.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823932/; classtype:trojan-activity;sid:84687032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saramc89mc/personal-website-template/raw/refs/heads/main/src/components/sections/about/personal_template_website_2.2.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823933/; classtype:trojan-activity;sid:84687033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xianleex/claude-api/raw/refs/heads/feat/manga-translator-mvp/ui/claude-api-vespertiliones.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823934/; classtype:trojan-activity;sid:84687034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/billydagreat/vps-git/refs/heads/main/ansible/roles/watchdog/templates/git_vps_3.0-beta.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823935/; classtype:trojan-activity;sid:84687035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alecyi/cache-components-granular/refs/heads/main/components/layout/notebook/page/components-cache-granular-v2.1.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823930/; classtype:trojan-activity;sid:84687030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/dandyworldhubupdate/refs/heads/main/duodenocholecystostomy/dandy_world_hub_update_3.9.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823931/; classtype:trojan-activity;sid:84687031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/reflectshaders/refs/heads/main/ambulomancy/software_3.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823929/; classtype:trojan-activity;sid:84687029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/slapbattlesglove/raw/refs/heads/main/backsword/glove_battles_slap_v3.9.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823927/; classtype:trojan-activity;sid:84687027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/dandyworldhubupdate/raw/refs/heads/main/duodenocholecystostomy/dandy_world_hub_update_3.9.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823928/; classtype:trojan-activity;sid:84687028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invertebratekinanesthesia779/aios-core/refs/heads/main/tests/unit/squad/fixtures/invalid-squad/core-aios-1.4.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823926/; classtype:trojan-activity;sid:84687026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/happyview/raw/refs/heads/master/yow/software_v2.0-beta.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823924/; classtype:trojan-activity;sid:84687024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/billydagreat/vps-git/raw/refs/heads/main/ansible/roles/watchdog/templates/git_vps_3.0-beta.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823925/; classtype:trojan-activity;sid:84687025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alecyi/cache-components-granular/raw/refs/heads/main/components/layout/notebook/page/components-cache-granular-v2.1.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823922/; classtype:trojan-activity;sid:84687022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gta509fx/scrappe-tout/raw/refs/heads/main/tests/e2e/scrappe-tout-2.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823923/; classtype:trojan-activity;sid:84687023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/was/refs/heads/master/augurship/software-v1.3-beta.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823921/; classtype:trojan-activity;sid:84687021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invertebratekinanesthesia779/aios-core/raw/refs/heads/main/tests/unit/squad/fixtures/invalid-squad/core-aios-1.4.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823919/; classtype:trojan-activity;sid:84687019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/reflectshaders/raw/refs/heads/main/ambulomancy/software_3.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823920/; classtype:trojan-activity;sid:84687020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/doorsscript/refs/heads/main/counterfessed/script-doors-v1.6.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823914/; classtype:trojan-activity;sid:84687014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/doorsscript/raw/refs/heads/main/counterfessed/script-doors-v1.6.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823915/; classtype:trojan-activity;sid:84687015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gta509fx/scrappe-tout/refs/heads/main/tests/e2e/scrappe-tout-2.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823916/; classtype:trojan-activity;sid:84687016; rev:1;)
# Every rule below has the same shape: client-to-server HTTP on an established
# flow from $HOME_NET to $EXTERNAL_NET, http.method containing "GET", and an
# exact match on both http.uri and http.host. The uri content is anchored by
# depth (equal to its length) plus endswith, and the host content by depth plus
# isdataat:!1,relative, so any extra byte in either buffer (a query string, a
# different path, another subdomain) is not matched. nocase is attached to the
# uri content only.
# Rules with a ".google" URI pin one shared path to several *.in.net hostnames;
# each hostname is matched exactly, so a subdomain not listed raises no alert.
# NOTE(review): github.com and raw.githubusercontent.com are normally fetched
# over HTTPS; an "alert http" rule presumably sees those downloads only where
# the sensor inspects decrypted or plaintext HTTP. Confirm sensor placement and
# use proxy/endpoint URL logs for the TLS case; the hostnames alone are shared
# platforms and are not usable as indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"livel-sou.nelma-report.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823917/; classtype:trojan-activity;sid:84687017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xianleex/claude-api/refs/heads/feat/manga-translator-mvp/ui/claude-api-vespertiliones.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823918/; classtype:trojan-activity;sid:84687018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/willywarriorportfolio/refs/heads/master/fonts/font-awesome-4.7.0/fonts/software-3.7.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823912/; classtype:trojan-activity;sid:84687012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/willywarriorportfolio/raw/refs/heads/master/fonts/font-awesome-4.7.0/fonts/software-3.7.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823913/; classtype:trojan-activity;sid:84687013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/homestead_new_backend/raw/refs/heads/master/validator/backend_homestead_new_v1.9-beta.5.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823911/; classtype:trojan-activity;sid:84687011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/homestead_new_backend/refs/heads/master/validator/backend_homestead_new_v1.9-beta.5.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823909/; classtype:trojan-activity;sid:84687009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/homestead/raw/refs/heads/master/images/funitture_icon/software-3.2-beta.4.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823910/; classtype:trojan-activity;sid:84687010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/45d5r/databricks-mcp-server/raw/refs/heads/main/databricks_mcp/resources/server_databricks_mcp_1.6.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823908/; classtype:trojan-activity;sid:84687008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saramc89mc/personal-website-template/refs/heads/main/src/components/sections/about/personal_template_website_2.2.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823907/; classtype:trojan-activity;sid:84687007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/45d5r/databricks-mcp-server/refs/heads/main/databricks_mcp/resources/server_databricks_mcp_1.6.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823905/; classtype:trojan-activity;sid:84687005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/homestead/refs/heads/master/images/funitture_icon/software-3.2-beta.4.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823906/; classtype:trojan-activity;sid:84687006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub0-hinge.nelma-report.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823904/; classtype:trojan-activity;sid:84687004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.99.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823903/; classtype:trojan-activity;sid:84687003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7774214998/qhmb2yg.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823902/; classtype:trojan-activity;sid:84687002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.207.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823901/; classtype:trojan-activity;sid:84687001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abzxcp.gypsyw0od.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823900/; classtype:trojan-activity;sid:84687000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jdqn.gypsyw0od.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823899/; classtype:trojan-activity;sid:84686999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkcoreet9.gypsyw0od.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823898/; classtype:trojan-activity;sid:84686998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spd.exe"; depth:8; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823897/; classtype:trojan-activity;sid:84686997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tridraix5.gypsyw0od.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823896/; classtype:trojan-activity;sid:84686996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.11.172.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823895/; classtype:trojan-activity;sid:84686995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"01rx.gypsyw0od.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823894/; classtype:trojan-activity;sid:84686994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823893/; classtype:trojan-activity;sid:84686993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mernexen6.gypsyw0od.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823892/; classtype:trojan-activity;sid:84686992; rev:1;)
# The next five rules share one host and differ only in the requested file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823891/; classtype:trojan-activity;sid:84686991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823889/; classtype:trojan-activity;sid:84686989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823890/; classtype:trojan-activity;sid:84686990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823888/; classtype:trojan-activity;sid:84686988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86.exe"; depth:12; endswith; nocase; http.host; content:"45.135.193.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823887/; classtype:trojan-activity;sid:84686987; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"echo-span.qyx7darem.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823886/; classtype:trojan-activity;sid:84686986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.145.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823885/; classtype:trojan-activity;sid:84686985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/efewefwewfew342234423234feweefwwefewefweffewwefewf.php|3f|file=333.exe/"; depth:186; endswith; nocase; http.host; content:"microservisetrue.vip"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823884/; classtype:trojan-activity;sid:84686984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ancientwav.qyx7darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823883/; 
classtype:trojan-activity;sid:84686983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"breezscrip.qyx7darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823882/; classtype:trojan-activity;sid:84686982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ch3ckp-route.qyx7darem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823881/; classtype:trojan-activity;sid:84686981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.45.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823880/; classtype:trojan-activity;sid:84686980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"plasm-spool.qyx7darem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823879/; classtype:trojan-activity;sid:84686979; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"civillabel.qyx7darem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823878/; classtype:trojan-activity;sid:84686978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lvqpbk.bex5loran.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823877/; classtype:trojan-activity;sid:84686977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.15.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823876/; classtype:trojan-activity;sid:84686976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mer-corea.bex5loran.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823875/; classtype:trojan-activity;sid:84686975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3823874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.45.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823874/; classtype:trojan-activity;sid:84686974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdkconve.bex5loran.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823873/; classtype:trojan-activity;sid:84686973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2vb5.bex5loran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823872/; classtype:trojan-activity;sid:84686972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.206.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823871/; classtype:trojan-activity;sid:84686971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823870)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"retailmicro.bex5loran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823870/; classtype:trojan-activity;sid:84686970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grandalign.bex5loran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823869/; classtype:trojan-activity;sid:84686969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cacpulse.dax8sovel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823868/; classtype:trojan-activity;sid:84686968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hesq.dax8sovel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823867/; classtype:trojan-activity;sid:84686967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823866)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d6armypp.dax8sovel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823866/; classtype:trojan-activity;sid:84686966; rev:1;)
# Each rule below pins one URLhaus entry: outbound GET from $HOME_NET, the whole
# normalized URI (depth equal to the content length, plus endswith, nocase) and the
# whole Host value (depth equal to the content length, plus isdataat:!1,relative).
# Because both buffers are anchored at start and end, a request to the same host with
# a different path or an added query string does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.253.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823865/; classtype:trojan-activity;sid:84686965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.206.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823864/; classtype:trojan-activity;sid:84686964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynmeshex6.dax8sovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823863/; classtype:trojan-activity;sid:84686963; rev:1;)
# NOTE(review): pastefy.app looks like a shared paste service, so the Host value alone
# is not an indicator; the signal is the exact path. This is an `alert http` rule, so it
# fires only on cleartext HTTP or on traffic the sensor sees after TLS decryption.
# Presumably most fetches from this host use HTTPS -- confirm decryption coverage before
# counting on this sid, and do not turn the host into a domain block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruqcmwxx/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823862/; classtype:trojan-activity;sid:84686962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nk.exe"; depth:7; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823861/; classtype:trojan-activity;sid:84686961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c3dar-sync.dax8sovel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823860/; classtype:trojan-activity;sid:84686960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.96.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823859/; classtype:trojan-activity;sid:84686959; rev:1;)
# NOTE(review): gitlab.com is a shared code-hosting domain, so only the repository path
# in http.uri identifies this entry; the Host match must never be promoted to a domain
# block. As an `alert http` rule it needs cleartext HTTP or TLS-decrypted traffic to
# fire. gitlab.com is normally reached over HTTPS, so without decryption this sid is
# unlikely to see the request -- verify sensor placement, and treat a silent rule here
# as lack of visibility rather than absence of the download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solingpass/rolly/-/raw/main/4j8576a0e8v3.exe"; depth:45; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823858/; classtype:trojan-activity;sid:84686958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3823857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lv32.dax8sovel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823857/; classtype:trojan-activity;sid:84686957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-ch3c.wex1miran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823856/; classtype:trojan-activity;sid:84686956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fabricpayload.wex1miran.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823855/; classtype:trojan-activity;sid:84686955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qt774.wex1miran.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823854/; classtype:trojan-activity;sid:84686954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3823853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.161.100.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823853/; classtype:trojan-activity;sid:84686953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tdjgv.wex1miran.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823852/; classtype:trojan-activity;sid:84686952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.aarch64"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823851/; classtype:trojan-activity;sid:84686951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.137.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823850/; classtype:trojan-activity;sid:84686950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"njf8.wex1miran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823849/; classtype:trojan-activity;sid:84686949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.89.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823848/; classtype:trojan-activity;sid:84686948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.148.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823847/; classtype:trojan-activity;sid:84686947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nbfkdj.wex1miran.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823846/; classtype:trojan-activity;sid:84686946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.148.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823845/; classtype:trojan-activity;sid:84686945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3823844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"winterwind.pyn6toral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823844/; classtype:trojan-activity;sid:84686944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.240.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823843/; classtype:trojan-activity;sid:84686943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nh48qkv.pyn6toral.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823842/; classtype:trojan-activity;sid:84686942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c299jq.pyn6toral.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823840/; classtype:trojan-activity;sid:84686940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823839)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.137.155.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823839/; classtype:trojan-activity;sid:84686939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.89.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823837/; classtype:trojan-activity;sid:84686937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.137.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823838/; classtype:trojan-activity;sid:84686938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.160.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823836/; classtype:trojan-activity;sid:84686936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shapemoral.pyn6toral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823835/; 
classtype:trojan-activity;sid:84686935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.69.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823834/; classtype:trojan-activity;sid:84686934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ubft6.pyn6toral.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823833/; classtype:trojan-activity;sid:84686933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.8.118.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823831/; classtype:trojan-activity;sid:84686931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.96.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823830/; classtype:trojan-activity;sid:84686930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823829)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fyxfe.pyn6toral.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823829/; classtype:trojan-activity;sid:84686929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.5.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823828/; classtype:trojan-activity;sid:84686928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"curi7-bridge.kro4liven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823827/; classtype:trojan-activity;sid:84686927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gsl4.kro4liven.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823826/; classtype:trojan-activity;sid:84686926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823825)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xa20yx.kro4liven.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823825/; classtype:trojan-activity;sid:84686925; rev:1;)
#
# Reviewer notes for this span (layout restored to one rule per line; rule text unchanged).
# The line above is the tail of a rule that starts before this span, and the last
# line of the span is the head of a rule that ends after it.
#
# Every rule here follows the same template:
#   * alert http $HOME_NET -> $EXTERNAL_NET, flow:established,from_client, http.method "GET":
#     the rule fires on an outbound request from an internal host. The alert records
#     that the request was made; it does not show that a payload was returned, so
#     triage should check the HTTP response / file logs for the same flow.
#   * http.uri: depth is set to the content length and endswith is present, so the
#     whole URI buffer has to equal the string (case-insensitively, via nocase).
#     A request for the same path with a query string or extra segments is not
#     covered by the rule.
#   * http.host: depth is set to the content length and isdataat:!1,relative requires
#     that no byte follows the match, so the host has to equal the string exactly.
#   * reference:url points at the URLhaus entry whose numeric ID is repeated in msg.
#
# Patterns visible in this span:
#   * One 82-byte URI is shared by every *.in.net rule; only the host differs.
#     Parent names seen: kro4liven, tix9sorel, vyr2dalen, lix7morav, zex3piral,
#     concent-shelm, barankad1sin, inept-tail. Each rule pins a single subdomain,
#     so a subdomain that is not listed produces no alert from these rules.
#     NOTE(review): if broader coverage is wanted, that is a local policy decision
#     (e.g. a DNS-level control on the parent names) rather than something this
#     feed provides.
#   * Host 92.112.127.184 is listed with nine short paths (/x64, /arm7, /mips, /ppc,
#     /x86, /mpsl, /arm5, /arm4, /arm6), one rule per path. The names look like CPU
#     architectures; that reading is inferred from the strings, not stated by the feed.
#   * Bare-IP hosts are listed with "/bin.sh" and/or "/i"; several IPs appear under both.
#
# First of the 92.112.127.184 per-path rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x64"; depth:4; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823823/; classtype:trojan-activity;sid:84686923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823824/; classtype:trojan-activity;sid:84686924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pastureurban.kro4liven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823822/; classtype:trojan-activity;sid:84686922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.160.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823821/; classtype:trojan-activity;sid:84686921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.8.118.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823820/; classtype:trojan-activity;sid:84686920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.69.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823819/; classtype:trojan-activity;sid:84686919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trucarr.kro4liven.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823818/; classtype:trojan-activity;sid:84686918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auditgate.kro4liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823817/; classtype:trojan-activity;sid:84686917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"exposeatom.tix9sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823816/; classtype:trojan-activity;sid:84686916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quordraex5.tix9sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823815/; classtype:trojan-activity;sid:84686915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.126.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823814/; classtype:trojan-activity;sid:84686914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"outdock.tix9sorel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823813/; classtype:trojan-activity;sid:84686913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.1.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823812/; classtype:trojan-activity;sid:84686912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fyd10k.tix9sorel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823811/; classtype:trojan-activity;sid:84686911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mruyas.tix9sorel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823810/; classtype:trojan-activity;sid:84686910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.2.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823809/; classtype:trojan-activity;sid:84686909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.162.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823808/; classtype:trojan-activity;sid:84686908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gathe-tri.tix9sorel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823807/; classtype:trojan-activity;sid:84686907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.111.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823806/; classtype:trojan-activity;sid:84686906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ton0-vault.vyr2dalen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823805/; classtype:trojan-activity;sid:84686905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"binarymod.vyr2dalen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823804/; classtype:trojan-activity;sid:84686904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823803/; classtype:trojan-activity;sid:84686903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823802/; classtype:trojan-activity;sid:84686902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.162.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823801/; classtype:trojan-activity;sid:84686901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823800/; classtype:trojan-activity;sid:84686900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oshwcrk.vyr2dalen.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823799/; classtype:trojan-activity;sid:84686899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.55.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823798/; classtype:trojan-activity;sid:84686898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"birch2-pulse.vyr2dalen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823797/; classtype:trojan-activity;sid:84686897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qpmerz.vyr2dalen.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823796/; classtype:trojan-activity;sid:84686896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snow-ass.vyr2dalen.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823795/; classtype:trojan-activity;sid:84686895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.248.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823794/; classtype:trojan-activity;sid:84686894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823793/; classtype:trojan-activity;sid:84686893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"metriccivil.lix7morav.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823792/; classtype:trojan-activity;sid:84686892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"irpd79.lix7morav.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823791/; classtype:trojan-activity;sid:84686891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mpfpni4.lix7morav.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823790/; classtype:trojan-activity;sid:84686890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"merven6ex.lix7morav.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823789/; classtype:trojan-activity;sid:84686889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823788/; classtype:trojan-activity;sid:84686888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.169.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823786/; classtype:trojan-activity;sid:84686886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.216.250.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823787/; classtype:trojan-activity;sid:84686887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iciqx71.lix7morav.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823785/; classtype:trojan-activity;sid:84686885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b1rd-panel.lix7morav.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823784/; classtype:trojan-activity;sid:84686884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fix7-cast.zex3piral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823783/; classtype:trojan-activity;sid:84686883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wrwr.zex3piral.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823782/; classtype:trojan-activity;sid:84686882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.55.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823781/; classtype:trojan-activity;sid:84686881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.216.250.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823780/; classtype:trojan-activity;sid:84686880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"targetpasture.zex3piral.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823779/; classtype:trojan-activity;sid:84686879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.232.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823778/; classtype:trojan-activity;sid:84686878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"keltide4al.zex3piral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823777/; classtype:trojan-activity;sid:84686877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tnkjrebh.zex3piral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823776/; classtype:trojan-activity;sid:84686876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spli1-watch.zex3piral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823775/; classtype:trojan-activity;sid:84686875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bran-build.concent-shelm.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823774/; classtype:trojan-activity;sid:84686874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"afrqcy.concent-shelm.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823773/; classtype:trojan-activity;sid:84686873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ravenpalet.concent-shelm.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823772/; classtype:trojan-activity;sid:84686872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3776.concent-shelm.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823771/; classtype:trojan-activity;sid:84686871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genomecomp.concent-shelm.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823770/; classtype:trojan-activity;sid:84686870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.248.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823769/; classtype:trojan-activity;sid:84686869; rev:1;)
# More 92.112.127.184 per-path rules follow, interleaved with one *.in.net rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823768/; classtype:trojan-activity;sid:84686868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823767/; classtype:trojan-activity;sid:84686867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-w1ld.concent-shelm.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823766/; classtype:trojan-activity;sid:84686866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823765/; classtype:trojan-activity;sid:84686865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823762/; classtype:trojan-activity;sid:84686862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823763/; classtype:trojan-activity;sid:84686863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823764/; classtype:trojan-activity;sid:84686864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"92.112.127.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823761/; classtype:trojan-activity;sid:84686861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hidd3n-spark.barankad1sin.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823760/; classtype:trojan-activity;sid:84686860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.252.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823759/; classtype:trojan-activity;sid:84686859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"padaj0.barankad1sin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823758/; classtype:trojan-activity;sid:84686858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.35.78.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823757/; classtype:trojan-activity;sid:84686857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"assetinvoice.barankad1sin.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823756/; classtype:trojan-activity;sid:84686856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pwlmc.barankad1sin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823755/; classtype:trojan-activity;sid:84686855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.1.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823754/; classtype:trojan-activity;sid:84686854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sgwua7.barankad1sin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823753/; classtype:trojan-activity;sid:84686853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823752/; classtype:trojan-activity;sid:84686852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.55.198.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823750/; classtype:trojan-activity;sid:84686850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.252.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823751/; classtype:trojan-activity;sid:84686851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"s7sb939.barankad1sin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823749/; classtype:trojan-activity;sid:84686849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.165.236.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823748/; classtype:trojan-activity;sid:84686848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.145.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823747/; classtype:trojan-activity;sid:84686847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"go1d-leaf.inept-tail.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823746/; classtype:trojan-activity;sid:84686846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.46.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823744/; classtype:trojan-activity;sid:84686844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.183.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823745/; classtype:trojan-activity;sid:84686845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.13.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823743/; classtype:trojan-activity;sid:84686843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"form-plate.inept-tail.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823742/; classtype:trojan-activity;sid:84686842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.235.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823741/; classtype:trojan-activity;sid:84686841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ysrykt.inept-tail.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823740/; classtype:trojan-activity;sid:84686840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.36.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823739/; classtype:trojan-activity;sid:84686839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"handlerspool.inept-tail.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823738/; classtype:trojan-activity;sid:84686838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.165.236.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823737/; classtype:trojan-activity;sid:84686837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823735/; classtype:trojan-activity;sid:84686835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.235.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823736/; classtype:trojan-activity;sid:84686836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.145.175"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823734/; classtype:trojan-activity;sid:84686834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dcfn606z.inept-tail.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823733/; classtype:trojan-activity;sid:84686833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gran7-lab.inept-tail.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823732/; classtype:trojan-activity;sid:84686832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.13.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823731/; classtype:trojan-activity;sid:84686831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.219.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823730/; classtype:trojan-activity;sid:84686830; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oblg.dish2rhumane.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823729/; classtype:trojan-activity;sid:84686829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nszftsfl.dish2rhumane.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823728/; classtype:trojan-activity;sid:84686828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"r0uter-sheet.dish2rhumane.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823727/; classtype:trojan-activity;sid:84686827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyn-markix.dish2rhumane.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823726/; 
classtype:trojan-activity;sid:84686826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.219.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823725/; classtype:trojan-activity;sid:84686825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenforgeos2.dish2rhumane.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823724/; classtype:trojan-activity;sid:84686824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"147.45.209.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823723/; classtype:trojan-activity;sid:84686823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.37.139.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823722/; classtype:trojan-activity;sid:84686822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823721)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glyph-prai.dish2rhumane.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823721/; classtype:trojan-activity;sid:84686821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.46.74.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823720/; classtype:trojan-activity;sid:84686820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.83.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823719/; classtype:trojan-activity;sid:84686819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fjzpcljo.agrotekh-home.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823718/; classtype:trojan-activity;sid:84686818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.93.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823717/; classtype:trojan-activity;sid:84686817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oxrv.agrotekh-home.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823716/; classtype:trojan-activity;sid:84686816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkmesh0ar.agrotekh-home.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823715/; classtype:trojan-activity;sid:84686815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solvaleet3.agrotekh-home.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823714/; classtype:trojan-activity;sid:84686814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"147.45.209.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823713/; 
classtype:trojan-activity;sid:84686813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.46.74.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823712/; classtype:trojan-activity;sid:84686812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.83.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823711/; classtype:trojan-activity;sid:84686811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"samplehidden.agrotekh-home.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823710/; classtype:trojan-activity;sid:84686810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.157.253.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823709/; classtype:trojan-activity;sid:84686809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"221.15.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823708/; classtype:trojan-activity;sid:84686808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.212.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823707/; classtype:trojan-activity;sid:84686807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"skbeju.agrotekh-home.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823706/; classtype:trojan-activity;sid:84686806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"28lk.wei8htunconq.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823705/; classtype:trojan-activity;sid:84686805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/hid/img_205037.png"; depth:23; endswith; nocase; http.host; content:"192.3.122.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823704/; classtype:trojan-activity;sid:84686804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"st0r3-scope.wei8htunconq.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823703/; classtype:trojan-activity;sid:84686803; rev:1;)
# The next six rules (sids 84686797-84686802) all pin host 2.27.12.6 and differ only in the
# suffix of the requested file name: i586, sparc, x86, i686, sh4, mpsl.
# NOTE(review): one host serving a build per CPU architecture looks like a multi-architecture
# loader aimed at embedded/IoT devices. That is inferred from the file names only; confirm
# against the referenced URLhaus entries before labelling an incident.
# When triaging, group alerts from several of these sids for the same internal source address.
# Each rule matches the whole URI (depth equal to the content length, plus endswith), so only
# the listed file names are covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.i586"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823702/; classtype:trojan-activity;sid:84686802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.sparc"; depth:12; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823697/; classtype:trojan-activity;sid:84686797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.x86"; depth:10; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823698/; classtype:trojan-activity;sid:84686798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.i686"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823699/; classtype:trojan-activity;sid:84686799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.sh4"; depth:10; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823700/; classtype:trojan-activity;sid:84686800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.mpsl"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823701/; classtype:trojan-activity;sid:84686801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823696/; classtype:trojan-activity;sid:84686796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"l0qq.wei8htunconq.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823695/; 
classtype:trojan-activity;sid:84686795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.197.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823694/; classtype:trojan-activity;sid:84686794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.131.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823693/; classtype:trojan-activity;sid:84686793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ucelrko.wei8htunconq.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823692/; classtype:trojan-activity;sid:84686792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.148.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823691/; classtype:trojan-activity;sid:84686791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823690)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d4wn-hinge.wei8htunconq.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823690/; classtype:trojan-activity;sid:84686790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.156.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823689/; classtype:trojan-activity;sid:84686789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.47.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823688/; classtype:trojan-activity;sid:84686788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lettedust.wei8htunconq.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823687/; classtype:trojan-activity;sid:84686787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.148.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; 
reference:url, urlhaus.abuse.ch/url/3823686/; classtype:trojan-activity;sid:84686786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.58.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823685/; classtype:trojan-activity;sid:84686785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorvaleis.cloth-guipure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823684/; classtype:trojan-activity;sid:84686784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.49.26.178"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823683/; classtype:trojan-activity;sid:84686783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.50.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823682/; classtype:trojan-activity;sid:84686782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823681)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"y3acxztp.cloth-guipure.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823681/; classtype:trojan-activity;sid:84686781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.197.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823680/; classtype:trojan-activity;sid:84686780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"servaleon.cloth-guipure.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823679/; classtype:trojan-activity;sid:84686779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.58.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823678/; classtype:trojan-activity;sid:84686778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"tran5it-array.cloth-guipure.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823677/; classtype:trojan-activity;sid:84686777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823676/; classtype:trojan-activity;sid:84686776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"61rplpi.cloth-guipure.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823675/; classtype:trojan-activity;sid:84686775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.68.43.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823674/; classtype:trojan-activity;sid:84686774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ser-coreen.cloth-guipure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823673/; classtype:trojan-activity;sid:84686773; rev:1;)
# NOTE(review): the next rule and sid 84686770 below match the same 82-byte URI under two
# different *.lessonp7oceed.in.net hostnames. Each rule pins exactly one hostname
# (http.host content with depth equal to its length and isdataat:!1,relative), so a request
# for the same URI on a hostname that is not listed raises no alert. A locally maintained
# rule on the URI alone, numbered in your local sid range, would close that gap; it has to be
# reviewed and retired by hand because the feed will not update it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-r3por.lessonp7oceed.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823672/; classtype:trojan-activity;sid:84686772; rev:1;)
# NOTE(review): sid 84686771 is an `alert http` rule for a path on github.com. It is evaluated
# only where the sensor sees decoded HTTP: a cleartext request, or traffic decrypted upstream
# of the sensor. A download made entirely over TLS never populates http.uri / http.host, so
# this rule stays silent for it; cover this URL with proxy or endpoint telemetry as well.
# The match is the whole URI (depth:46 equals the content length, plus endswith), so the rule
# is scoped to this one file and does not alert on github.com traffic in general.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cblootah/test/raw/refs/heads/main/crypted.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823671/; classtype:trojan-activity;sid:84686771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tinloos.lessonp7oceed.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823670/; classtype:trojan-activity;sid:84686770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.162.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823669/; classtype:trojan-activity;sid:84686769; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ueuwt.lessonp7oceed.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823668/; classtype:trojan-activity;sid:84686768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.178.165.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823667/; classtype:trojan-activity;sid:84686767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823666/; classtype:trojan-activity;sid:84686766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.36.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823665/; classtype:trojan-activity;sid:84686765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"bytecolum.lessonp7oceed.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823664/; classtype:trojan-activity;sid:84686764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.91.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823663/; classtype:trojan-activity;sid:84686763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorven3um.lessonp7oceed.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823662/; classtype:trojan-activity;sid:84686762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.9.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823661/; classtype:trojan-activity;sid:84686761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wild-snaps.lessonp7oceed.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
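urlhaus.abuse.ch/url/3823660/; classtype:trojan-activity;sid:84686760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deploy2-vector.amygdala-fugue.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823659/; classtype:trojan-activity;sid:84686759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.118.240.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823658/; classtype:trojan-activity;sid:84686758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easgold.amygdala-fugue.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823657/; classtype:trojan-activity;sid:84686757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823656/; classtype:trojan-activity;sid:84686756; rev:1;)
# NOTE(review): |3f| encodes a single byte ('?'), so the http.uri pattern in
# the next rule is 24 bytes long. The feed's depth:27 counted the escape as
# four characters; combined with endswith that also accepted URIs carrying up
# to three extra leading bytes. depth:24 restores the exact-URI match that the
# neighbouring rules get from depth == pattern length.
# Local deviation from the upstream feed; re-check after the next feed update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=rdaeyppwbuysrywt"; depth:24; endswith; nocase; http.host; content:"tw1f5ruc.ebensen-timent.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823655/; classtype:trojan-activity;sid:84686755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.178.165.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823654/; classtype:trojan-activity;sid:84686754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.123.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823653/; classtype:trojan-activity;sid:84686753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"frkoakq.amygdala-fugue.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823652/; classtype:trojan-activity;sid:84686752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823651)"; flow:established,from_client; http.method; content:"GET"; http.uri; 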
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kern-zone.amygdala-fugue.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823651/; classtype:trojan-activity;sid:84686751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.9.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823650/; classtype:trojan-activity;sid:84686750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"workerwar.amygdala-fugue.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823649/; classtype:trojan-activity;sid:84686749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823648/; classtype:trojan-activity;sid:84686748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.218.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; 
reference:url, urlhaus.abuse.ch/url/3823647/; classtype:trojan-activity;sid:84686747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"89.189.181.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823646/; classtype:trojan-activity;sid:84686746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"18qr.amygdala-fugue.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823645/; classtype:trojan-activity;sid:84686745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snapshotcrawler.burrowkislyat.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823644/; classtype:trojan-activity;sid:84686744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.34.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823643/; classtype:trojan-activity;sid:84686743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3823642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"runvv4y4-reach.burrowkislyat.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823642/; classtype:trojan-activity;sid:84686742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.123.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823641/; classtype:trojan-activity;sid:84686741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823637/; classtype:trojan-activity;sid:84686737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823638/; classtype:trojan-activity;sid:84686738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; 
content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823639/; classtype:trojan-activity;sid:84686739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823640/; classtype:trojan-activity;sid:84686740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"83.142.209.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823636/; classtype:trojan-activity;sid:84686736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.162.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823635/; classtype:trojan-activity;sid:84686735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823634/; classtype:trojan-activity;sid:84686734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823631)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823631/; classtype:trojan-activity;sid:84686731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823632/; classtype:trojan-activity;sid:84686732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823633/; classtype:trojan-activity;sid:84686733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823630/; classtype:trojan-activity;sid:84686730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823628/; classtype:trojan-activity;sid:84686728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"friendlydomain.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823629/; classtype:trojan-activity;sid:84686729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/ps"; depth:7; endswith; nocase; http.host; content:"rapidinc.lol"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823627/; classtype:trojan-activity;sid:84686727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.sh"; depth:5; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823626/; classtype:trojan-activity;sid:84686726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"94.189.222.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823612/; classtype:trojan-activity;sid:84686712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823613/; classtype:trojan-activity;sid:84686713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823614/; classtype:trojan-activity;sid:84686714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823615/; classtype:trojan-activity;sid:84686715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823616/; classtype:trojan-activity;sid:84686716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823617/; classtype:trojan-activity;sid:84686717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823618)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823618/; classtype:trojan-activity;sid:84686718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823619/; classtype:trojan-activity;sid:84686719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823620/; classtype:trojan-activity;sid:84686720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823621/; classtype:trojan-activity;sid:84686721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823622/; 
classtype:trojan-activity;sid:84686722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823623/; classtype:trojan-activity;sid:84686723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823624/; classtype:trojan-activity;sid:84686724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823625/; classtype:trojan-activity;sid:84686725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.m68k"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823610/; classtype:trojan-activity;sid:84686710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"94.189.222.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823611/; classtype:trojan-activity;sid:84686711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.arm4"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823608/; classtype:trojan-activity;sid:84686708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823609/; classtype:trojan-activity;sid:84686709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.arm5"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823601/; classtype:trojan-activity;sid:84686701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.ppc"; depth:10; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823602/; classtype:trojan-activity;sid:84686702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823603)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823603/; classtype:trojan-activity;sid:84686703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot.x86_64"; depth:16; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823604/; classtype:trojan-activity;sid:84686704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.mips"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823605/; classtype:trojan-activity;sid:84686705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.arm6"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823606/; classtype:trojan-activity;sid:84686706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okami.arm7"; depth:11; endswith; nocase; http.host; content:"2.27.12.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823607/; classtype:trojan-activity;sid:84686707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3823600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"buffer4-port.burrowkislyat.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823600/; classtype:trojan-activity;sid:84686700; rev:1;)

# URLhaus download-URL signatures, one rule per URLhaus entry. The entry ID is
# the number in msg and in the reference URL; in these rules
# sid = entry ID + 80863100 (e.g. 3823599 -> 84686699).
#
# How each rule below matches:
#   - http.method must be GET.
#   - http.uri must be exactly the listed path: depth equals the path length
#     and endswith anchors the match to the end of the buffer, so a longer
#     path or an appended query string does not match. nocase makes the path
#     comparison case-insensitive.
#   - http.host must be exactly the listed address: depth equals its length
#     and isdataat:!1,relative requires that nothing follows it.
#
# Scope to keep in mind when reading alerts:
#   - Direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client,
#     so only requests leaving monitored hosts are matched.
#   - Only request buffers are inspected. An alert means the URL was requested,
#     not that a payload was delivered; confirm with the HTTP response.
#   - "alert http" applies to traffic parsed as HTTP; the same fetch inside TLS
#     is not covered by these rules.
#   - All complete rules in this group use an IP-literal host and carry
#     created_at 2026_04_16. NOTE(review): address-based indicators age
#     quickly; consider retiring rules by created_at - confirm the policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.218.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823599/; classtype:trojan-activity;sid:84686699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.124.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823598/; classtype:trojan-activity;sid:84686698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.240.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823597/; classtype:trojan-activity;sid:84686697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.7.234.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823596/; classtype:trojan-activity;sid:84686696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.89.157.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823593/; classtype:trojan-activity;sid:84686693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.102.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823594/; classtype:trojan-activity;sid:84686694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.155.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823595/; classtype:trojan-activity;sid:84686695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.50.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823592/; classtype:trojan-activity;sid:84686692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.47.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823590/; classtype:trojan-activity;sid:84686690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.182.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823591/; classtype:trojan-activity;sid:84686691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.58.110.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823589/; classtype:trojan-activity;sid:84686689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.123.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823588/; classtype:trojan-activity;sid:84686688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.192.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823587/; classtype:trojan-activity;sid:84686687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.229.20.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823585/; classtype:trojan-activity;sid:84686685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.177.138.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823586/; classtype:trojan-activity;sid:84686686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.104.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823574/; classtype:trojan-activity;sid:84686674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.223.252.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823575/; classtype:trojan-activity;sid:84686675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.237.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823576/; classtype:trojan-activity;sid:84686676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.45.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823577/; classtype:trojan-activity;sid:84686677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.248.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823578/; classtype:trojan-activity;sid:84686678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.82.182.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823579/; classtype:trojan-activity;sid:84686679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823580/; classtype:trojan-activity;sid:84686680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823581/; classtype:trojan-activity;sid:84686681; rev:1;)
# URLhaus-generated download-URL signatures, one rule per URLhaus entry (the
# number in msg and in the reference URL). In this group
# sid = URLhaus ID + 80863100 (e.g. 3823582 -> 84686682).
#
# Match logic, as written in each rule:
#   - http.method is GET; http.uri must equal the listed path exactly
#     (depth = path length, plus endswith), compared case-insensitively
#     because of nocase.
#   - http.host must equal the listed address exactly (depth = its length, and
#     isdataat:!1,relative allows nothing after it).
#
# Triage notes:
#   - The rules fire on the client request ($HOME_NET -> $EXTERNAL_NET,
#     flow:established,from_client). An alert shows that an internal host asked
#     for the URL; it does not show that a payload came back. Check the HTTP
#     response and the requesting host before escalating.
#   - "alert http" covers only traffic parsed as HTTP, so the same download
#     inside TLS is not seen by these rules.
#   - Every host in this group is an IP literal, every path is "/i" or
#     "/bin.sh", and every rule carries created_at 2026_04_16. Several
#     addresses appear twice, once per path. NOTE(review): address-based
#     indicators can go stale; consider an expiry keyed on created_at -
#     confirm against how the feed retires entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.78.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823582/; classtype:trojan-activity;sid:84686682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.5.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823583/; classtype:trojan-activity;sid:84686683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.140.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823584/; classtype:trojan-activity;sid:84686684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.21.70.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823573/; classtype:trojan-activity;sid:84686673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.45.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823572/; classtype:trojan-activity;sid:84686672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.126.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823570/; classtype:trojan-activity;sid:84686670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.46.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823571/; classtype:trojan-activity;sid:84686671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.37.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823555/; classtype:trojan-activity;sid:84686655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.47.179"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823556/; classtype:trojan-activity;sid:84686656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.239.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823557/; classtype:trojan-activity;sid:84686657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.6.91.43"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823558/; classtype:trojan-activity;sid:84686658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823559/; classtype:trojan-activity;sid:84686659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.1.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823560/; classtype:trojan-activity;sid:84686660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.212.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823561/; classtype:trojan-activity;sid:84686661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.83.13.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823562/; classtype:trojan-activity;sid:84686662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.200.237.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823563/; classtype:trojan-activity;sid:84686663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.137.155.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823564/; classtype:trojan-activity;sid:84686664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.90.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823565/; classtype:trojan-activity;sid:84686665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.84.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823566/; classtype:trojan-activity;sid:84686666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.174.171.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823567/; classtype:trojan-activity;sid:84686667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.248.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823568/; classtype:trojan-activity;sid:84686668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.14.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823569/; classtype:trojan-activity;sid:84686669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.37.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823552/; classtype:trojan-activity;sid:84686652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.234.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823553/; classtype:trojan-activity;sid:84686653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.92.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823554/; classtype:trojan-activity;sid:84686654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.214.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823541/; classtype:trojan-activity;sid:84686641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823542/; classtype:trojan-activity;sid:84686642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.69.92.51"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823543/; classtype:trojan-activity;sid:84686643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.245.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823544/; classtype:trojan-activity;sid:84686644; rev:1;)
# URLhaus download-URL signatures, one rule per URLhaus entry; the entry ID is
# the number in msg and in the reference URL, and sid = entry ID + 80863100
# (e.g. 3823545 -> 84686645).
#
# Each rule requires a GET whose http.uri is exactly the listed path
# (depth = path length with endswith; nocase makes it case-insensitive) and
# whose http.host is exactly the listed value (depth = its length with
# isdataat:!1,relative, so nothing may follow it).
#
# Reading alerts from this group:
#   - Only client requests from $HOME_NET to $EXTERNAL_NET are matched; a hit
#     records that the URL was requested, not that content was returned.
#   - "alert http" does not see the same request when it travels inside TLS.
#   - Most rules pin an IP-literal host with path "/i", "/.i" or "/bin.sh".
#     A few pin a hostname; those are marked below. All carry
#     created_at 2026_04_16. NOTE(review): decide how long address-based
#     entries stay enabled - confirm against the feed's retirement of entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.109.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823545/; classtype:trojan-activity;sid:84686645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.15.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823546/; classtype:trojan-activity;sid:84686646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.7.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823547/; classtype:trojan-activity;sid:84686647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823548/; classtype:trojan-activity;sid:84686648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.26.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823549/; classtype:trojan-activity;sid:84686649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.9.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823550/; classtype:trojan-activity;sid:84686650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.147.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823551/; classtype:trojan-activity;sid:84686651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.89.157.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823540/; classtype:trojan-activity;sid:84686640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.47.201.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823539/; classtype:trojan-activity;sid:84686639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.40.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823536/; classtype:trojan-activity;sid:84686636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.245.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823537/; classtype:trojan-activity;sid:84686637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.96.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823538/; classtype:trojan-activity;sid:84686638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.31.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823529/; classtype:trojan-activity;sid:84686629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823530/; classtype:trojan-activity;sid:84686630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823531/; classtype:trojan-activity;sid:84686631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.31.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823532/; classtype:trojan-activity;sid:84686632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.225.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823533/; classtype:trojan-activity;sid:84686634; rev:1;)
# Hostname rule: Host is compared as one exact string, so only this subdomain
# matches. The same 82-byte path recurs below under other hostnames
# (sid 84686606, 84686605, 84686602).
# NOTE(review): a path-only search of HTTP logs for this URI would show
# whether hosts the feed has not listed are also being requested - check the
# false-positive rate before alerting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"decoderill.burrowkislyat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823534/; classtype:trojan-activity;sid:84686634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.155.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823535/; classtype:trojan-activity;sid:84686635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.249.152.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823528/; classtype:trojan-activity;sid:84686628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.156.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823527/; classtype:trojan-activity;sid:84686627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.153.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823520/; classtype:trojan-activity;sid:84686620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.34.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823521/; classtype:trojan-activity;sid:84686621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.97.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823522/; classtype:trojan-activity;sid:84686622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.75.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823523/; classtype:trojan-activity;sid:84686623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.45.65"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823524/; classtype:trojan-activity;sid:84686624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.1.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823525/; classtype:trojan-activity;sid:84686625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.37.81.41"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823526/; classtype:trojan-activity;sid:84686626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.82.182.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823513/; classtype:trojan-activity;sid:84686613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.30.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823514/; classtype:trojan-activity;sid:84686614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.235.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823515/; classtype:trojan-activity;sid:84686615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.26.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823516/; classtype:trojan-activity;sid:84686616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.68.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823517/; classtype:trojan-activity;sid:84686617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.181.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823518/; classtype:trojan-activity;sid:84686618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.214.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823519/; classtype:trojan-activity;sid:84686619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.83.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823510/; classtype:trojan-activity;sid:84686610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.189.222.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823511/; classtype:trojan-activity;sid:84686611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823512/; classtype:trojan-activity;sid:84686612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.230.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823507/; classtype:trojan-activity;sid:84686607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.91.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823508/; classtype:trojan-activity;sid:84686608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.18.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823509/; classtype:trojan-activity;sid:84686609; rev:1;)
# Hostname rules: same path as sid 84686634, on two more subdomains of the
# same parent domain. Each rule covers only its own exact hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4cnluiv.burrowkislyat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823506/; classtype:trojan-activity;sid:84686606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkspireor.burrowkislyat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823505/; classtype:trojan-activity;sid:84686605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.103.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823504/; classtype:trojan-activity;sid:84686604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823503/; classtype:trojan-activity;sid:84686603; rev:1;)
# Hostname rule: same 82-byte path again, this time under a different parent
# domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-done6.crazy-talk.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823502/; classtype:trojan-activity;sid:84686602; rev:1;)
# Hostname rule with its own path ("/bins/parm5"); matched exactly like the
# others, so other files under /bins/ on this host are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823501/; classtype:trojan-activity;sid:84686601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823500)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.38.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823500/; classtype:trojan-activity;sid:84686600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.0.135"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823498/; classtype:trojan-activity;sid:84686598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.143.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823499/; classtype:trojan-activity;sid:84686599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"156.229.118.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823497/; classtype:trojan-activity;sid:84686597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"doome.crazy-talk.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823496/; 
classtype:trojan-activity;sid:84686596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.1.83"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823495/; classtype:trojan-activity;sid:84686595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823493/; classtype:trojan-activity;sid:84686593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823494/; classtype:trojan-activity;sid:84686594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.143.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823492/; classtype:trojan-activity;sid:84686592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823490/; classtype:trojan-activity;sid:84686590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823491/; classtype:trojan-activity;sid:84686591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.106.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823489/; classtype:trojan-activity;sid:84686589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823487/; classtype:trojan-activity;sid:84686587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86_64"; depth:13; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823488/; classtype:trojan-activity;sid:84686588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823486)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-pack5.crazy-talk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823486/; classtype:trojan-activity;sid:84686586; rev:1;)
# URLhaus download-URL rules, restored to one rule per line. Each rule alerts on an outbound HTTP GET
# whose URI buffer and host buffer both equal the listed strings (depth is the pattern length, and
# endswith / isdataat:!1,relative forbid trailing bytes), so a different path or host does not match.
# The rules around this point pin one 82-byte URI on several *.crazy-talk.in.net host names, one sid per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"short-word4.crazy-talk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823484/; classtype:trojan-activity;sid:84686584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sticky-note3.crazy-talk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823485/; classtype:trojan-activity;sid:84686585; rev:1;)
# Run of /bins/pSUFFIX paths on mail., autoconfig. and autodiscover.atlcpatax.com.
# The suffixes seen here (arm, arm5, arm6, arm7, mips, mpsl, sh4, ppc, m68k, x86, x86_64) read like
# CPU-architecture tags -- presumably one build per architecture; confirm on the referenced URLhaus entries.
# Every (host, path) pair has its own sid, so a single client that requests several of these paths
# raises several alerts; group by source address and host when triaging rather than counting sids.
# NOTE(review): all three host names share one parent domain; whether that domain is attacker-owned
# or a compromised third-party site cannot be told from the rules -- check before blocking the parent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823479/; classtype:trojan-activity;sid:84686579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823480/; classtype:trojan-activity;sid:84686580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823481/; classtype:trojan-activity;sid:84686581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823482/; classtype:trojan-activity;sid:84686582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823483/; classtype:trojan-activity;sid:84686583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823469/; classtype:trojan-activity;sid:84686569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823470/; classtype:trojan-activity;sid:84686570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823471/; classtype:trojan-activity;sid:84686571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823472/; classtype:trojan-activity;sid:84686572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823473/; classtype:trojan-activity;sid:84686573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823474/; classtype:trojan-activity;sid:84686574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823475/; classtype:trojan-activity;sid:84686575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823476/; classtype:trojan-activity;sid:84686576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823477/; classtype:trojan-activity;sid:84686577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823478/; classtype:trojan-activity;sid:84686578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823466/; classtype:trojan-activity;sid:84686566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823467/; classtype:trojan-activity;sid:84686567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86_64"; depth:13; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823468/; classtype:trojan-activity;sid:84686568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823457/; classtype:trojan-activity;sid:84686557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823458/; classtype:trojan-activity;sid:84686558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823459/; classtype:trojan-activity;sid:84686559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823460/; classtype:trojan-activity;sid:84686560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"mail.atlcpatax.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823461/; classtype:trojan-activity;sid:84686561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823462/; classtype:trojan-activity;sid:84686562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823463/; classtype:trojan-activity;sid:84686563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"autodiscover.atlcpatax.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823464/; classtype:trojan-activity;sid:84686564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86_64"; depth:13; endswith; nocase; http.host; content:"autoconfig.atlcpatax.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823465/; classtype:trojan-activity;sid:84686565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"direct-send2.crazy-talk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823456/; classtype:trojan-activity;sid:84686556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"express-mail1.crazy-talk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at
2026_04_16; reference:url, urlhaus.abuse.ch/url/3823455/; classtype:trojan-activity;sid:84686555; rev:1;)
# URLhaus download-URL rules, restored to one rule per line. Each rule alerts on an outbound HTTP GET
# whose URI buffer and host buffer both equal the listed strings; it says a client asked for the URL,
# not that the download completed, and it only sees HTTP that reaches the sensor unencrypted.
# Three patterns are interleaved in this run:
#   - bare IPv4 hosts with short paths (/i, /bin.sh, /bins/pppc, /bins/px86_64);
#   - one constant 82-byte URI repeated across numbered host labels under overgr0wnsaval.in.net and
#     aim-national.in.net. The path stays the same while the host label changes, so a search of
#     proxy or HTTP logs for that path alone can surface sibling hosts these exact-host rules miss;
#   - /files/... downloads from 248bestmoon.click (see the note before the first of them).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.120.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823454/; classtype:trojan-activity;sid:84686554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.106.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823453/; classtype:trojan-activity;sid:84686553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solid-base6.overgr0wnsaval.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823452/; classtype:trojan-activity;sid:84686552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823450/; classtype:trojan-activity;sid:84686550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86_64"; depth:13; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823451/; classtype:trojan-activity;sid:84686551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rain-drop5.overgr0wnsaval.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823449/; classtype:trojan-activity;sid:84686549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823448/; classtype:trojan-activity;sid:84686548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-well4.overgr0wnsaval.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823447/; classtype:trojan-activity;sid:84686547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"river-flow3.overgr0wnsaval.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823446/; classtype:trojan-activity;sid:84686546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823445/; classtype:trojan-activity;sid:84686545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ocean-blue2.overgr0wnsaval.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823444/; classtype:trojan-activity;sid:84686544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.189.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823443/; classtype:trojan-activity;sid:84686543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-water1.overgr0wnsaval.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823442/; classtype:trojan-activity;sid:84686542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.182.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823441/; classtype:trojan-activity;sid:84686541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"group-join6.aim-national.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823440/; classtype:trojan-activity;sid:84686540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.77.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823438/; classtype:trojan-activity;sid:84686538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brief-meet5.aim-national.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823439/; classtype:trojan-activity;sid:84686539; rev:1;)
# First of the /files/... rules for 248bestmoon.click in this run. The file names reuse names of
# well-known software and Windows components (ffmpeg, backgroundtaskhost.exe, netinfo.exe), so the
# file name alone is not a useful indicator; the detection value is in the exact host + path pair.
# The fm_YYYYMMDD_HHMMSS_ prefix looks like an upload timestamp -- presumably later uploads get new
# names that these exact-path rules will not match; confirm against the feed and consider
# host-level visibility (DNS / proxy logs) alongside these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_093212_ffmpeg-8.1-essentials_build.zip"; depth:57; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823437/; classtype:trojan-activity;sid:84686537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.216.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823436/; classtype:trojan-activity;sid:84686536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.138.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823434/; classtype:trojan-activity;sid:84686534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.189.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823435/; classtype:trojan-activity;sid:84686535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"phone-call3.aim-national.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823433/; classtype:trojan-activity;sid:84686533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074824_backgroundtaskhost.exe"; depth:48; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823431/; classtype:trojan-activity;sid:84686531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"simple-form4.aim-national.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823432/; classtype:trojan-activity;sid:84686532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_095904_ffmpeg.zip"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823430/; classtype:trojan-activity;sid:84686530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_094108_ffmpeg.zip"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823429/; classtype:trojan-activity;sid:84686529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074921_ckeyboardh.dll"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823428/; classtype:trojan-activity;sid:84686528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netinfo.exe"; depth:18; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823426/; classtype:trojan-activity;sid:84686526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_104113_ffmpeg.zip"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823427/; classtype:trojan-activity;sid:84686527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_062339_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823425/; classtype:trojan-activity;sid:84686525;
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_101715_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823421/; classtype:trojan-activity;sid:84686521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_061303_nview64.dll"; depth:37; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823422/; classtype:trojan-activity;sid:84686522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_061240_nview.exe"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823423/; classtype:trojan-activity;sid:84686523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/stil.bin"; depth:15; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823424/; classtype:trojan-activity;sid:84686524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823420)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/fm_20260411_134016_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823420/; classtype:trojan-activity;sid:84686520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_094958_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823416/; classtype:trojan-activity;sid:84686516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/vnc.bin"; depth:14; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823417/; classtype:trojan-activity;sid:84686517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_103614_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823418/; classtype:trojan-activity;sid:84686518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/havan.bin"; depth:16; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823419/; 
classtype:trojan-activity;sid:84686519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_121642_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823408/; classtype:trojan-activity;sid:84686508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_054745_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823409/; classtype:trojan-activity;sid:84686509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074901_backgroundtaskhost.exe"; depth:48; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823410/; classtype:trojan-activity;sid:84686510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_234412_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823411/; classtype:trojan-activity;sid:84686511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823412)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/files/runtime.bin"; depth:18; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823412/; classtype:trojan-activity;sid:84686512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_100744_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823413/; classtype:trojan-activity;sid:84686513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_112803_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823414/; classtype:trojan-activity;sid:84686514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074157_kwpsoffice.exe"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823415/; classtype:trojan-activity;sid:84686515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_065159_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 
2026_04_16; reference:url, urlhaus.abuse.ch/url/3823405/; classtype:trojan-activity;sid:84686505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_095404_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823406/; classtype:trojan-activity;sid:84686506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_080409_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823407/; classtype:trojan-activity;sid:84686507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_063425_fixenroll.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823402/; classtype:trojan-activity;sid:84686502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_055856_kwpsoffice.exe"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823403/; classtype:trojan-activity;sid:84686503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3823404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_113305_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823404/; classtype:trojan-activity;sid:84686504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260408_113354_log_11675_files.zip"; depth:45; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823394/; classtype:trojan-activity;sid:84686494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_072851_kwpsoffice.exe"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823395/; classtype:trojan-activity;sid:84686495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074604_kwpsoffice.exe"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823396/; classtype:trojan-activity;sid:84686496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_160048_enroll.ps1"; depth:36; endswith; nocase; http.host; 
content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823397/; classtype:trojan-activity;sid:84686497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_073119_kwpsoffice.exe"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823398/; classtype:trojan-activity;sid:84686498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_063919_fixenroll.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823399/; classtype:trojan-activity;sid:84686499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_114010_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823400/; classtype:trojan-activity;sid:84686500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_073100_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823401/; classtype:trojan-activity;sid:84686501; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/test_payload.exe"; depth:23; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823392/; classtype:trojan-activity;sid:84686492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_071319_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823393/; classtype:trojan-activity;sid:84686493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_071454_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823387/; classtype:trojan-activity;sid:84686487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_110618_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823388/; classtype:trojan-activity;sid:84686488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823389)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/fm_20260411_131142_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823389/; classtype:trojan-activity;sid:84686489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_054903_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823390/; classtype:trojan-activity;sid:84686490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_215520_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823391/; classtype:trojan-activity;sid:84686491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_235032_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823385/; classtype:trojan-activity;sid:84686485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_094023_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823386/; classtype:trojan-activity;sid:84686486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_000355_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823375/; classtype:trojan-activity;sid:84686475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_072738_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823376/; classtype:trojan-activity;sid:84686476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_004127_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823377/; classtype:trojan-activity;sid:84686477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_125003_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823378/; classtype:trojan-activity;sid:84686478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823379)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_105947_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823379/; classtype:trojan-activity;sid:84686479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_080215_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823380/; classtype:trojan-activity;sid:84686480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_060321_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823381/; classtype:trojan-activity;sid:84686481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_001230_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823382/; classtype:trojan-activity;sid:84686482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"senior-staff2.aim-national.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823383/; classtype:trojan-activity;sid:84686483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_102136_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823384/; classtype:trojan-activity;sid:84686484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_220111_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823371/; classtype:trojan-activity;sid:84686471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_104940_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823372/; classtype:trojan-activity;sid:84686472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_055201_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823373/; classtype:trojan-activity;sid:84686473; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_120148_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823374/; classtype:trojan-activity;sid:84686474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/chisel.bin"; depth:17; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823367/; classtype:trojan-activity;sid:84686467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_065342_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823368/; classtype:trojan-activity;sid:84686468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_062116_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823369/; classtype:trojan-activity;sid:84686469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823370)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/fm_20260412_061213_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823370/; classtype:trojan-activity;sid:84686470; rev:1;)
# (The line above is the tail of a rule whose `alert` header starts before this excerpt.)
#
# URLhaus URL-indicator rules, laid out one rule per line (Suricata reads one
# rule per line unless the line is continued with a backslash).
#
# Every rule below has the same shape and fires only when ALL of these hold on an
# established client->server flow from $HOME_NET to $EXTERNAL_NET:
#   - http.method contains "GET";
#   - http.uri equals the listed path: `depth` is set to the content length and
#     `endswith` pins the match to the end of the buffer, so the content has to
#     fill the whole buffer (compared case-insensitively because of `nocase`);
#   - http.host equals the listed host: `depth` again equals the content length
#     and `isdataat:!1,relative` requires that no byte follows the match.
#
# Coverage notes for whoever triages these alerts:
#   - The match is exact, so the same file requested with an added query string,
#     with another method, or under another path is not matched by these rules.
#   - `alert http` only inspects traffic that Suricata parses as HTTP; a fetch
#     over TLS is not seen unless it is decrypted upstream. Pairing the host
#     names with DNS / TLS-SNI detections closes part of that gap.
#   - These are point-in-time indicators (see metadata:created_at). Refresh them
#     from the feed instead of editing sid/rev locally, and use the reference:url
#     entry to look up context for a hit.
#
# All rules in this group use host 248bestmoon.click and a /files/ path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/output.exe"; depth:17; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823366/; classtype:trojan-activity;sid:84686466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_110300_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823356/; classtype:trojan-activity;sid:84686456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_233545_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823357/; classtype:trojan-activity;sid:84686457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/outputold.exe"; depth:20; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823358/; classtype:trojan-activity;sid:84686458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/test_update.exe"; depth:22; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823359/; classtype:trojan-activity;sid:84686459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_000429_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823360/; classtype:trojan-activity;sid:84686460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_052527_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823361/; classtype:trojan-activity;sid:84686461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260410_090604_start-socks5.vbs"; depth:42; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823362/; classtype:trojan-activity;sid:84686462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_072912_microsoft.windowsappruntime.bootstrap.dll"; depth:67; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823363/; classtype:trojan-activity;sid:84686463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_071702_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823364/; classtype:trojan-activity;sid:84686464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_101209_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823365/; classtype:trojan-activity;sid:84686465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_071549_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823343/; classtype:trojan-activity;sid:84686443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_235330_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823344/; classtype:trojan-activity;sid:84686444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_072542_ckeyboardh.dll"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823345/; classtype:trojan-activity;sid:84686445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_113856_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823346/; classtype:trojan-activity;sid:84686446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_232854_findadm.ps1"; depth:37; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823347/; classtype:trojan-activity;sid:84686447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/chelevat.bin"; depth:19; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823348/; classtype:trojan-activity;sid:84686448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_062231_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823349/; classtype:trojan-activity;sid:84686449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/rsocx.bin"; depth:16; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823350/; classtype:trojan-activity;sid:84686450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_120957_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823351/; classtype:trojan-activity;sid:84686451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_130244_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823352/; classtype:trojan-activity;sid:84686452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/webcam.bin"; depth:17; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823353/; classtype:trojan-activity;sid:84686453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_101517_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823354/; classtype:trojan-activity;sid:84686454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_074222_microsoft.windowsappruntime.bootstrap.dll"; depth:67; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823355/; classtype:trojan-activity;sid:84686455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_071232_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823339/; classtype:trojan-activity;sid:84686439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_123915_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823340/; classtype:trojan-activity;sid:84686440; rev:1;)
# URLhaus URL-indicator rules, laid out one rule per line (Suricata reads one
# rule per line unless the line is continued with a backslash).
#
# Reading a rule: the header limits it to HTTP from $HOME_NET to $EXTERNAL_NET,
# `flow:established,from_client` limits it to the request direction of an
# established flow, and three sticky buffers are then checked:
#   - http.method must contain "GET";
#   - http.uri must equal the listed path (`depth` = content length together
#     with `endswith` means the content fills the whole buffer; `nocase` makes
#     the comparison case-insensitive);
#   - http.host must equal the listed host (`depth` = content length together
#     with `isdataat:!1,relative`, i.e. nothing may follow the match).
#
# What that means for detection coverage:
#   - Only the exact URL is matched. A request for the same file with an added
#     query string, a different method or a different path does not alert.
#   - Only traffic Suricata parses as HTTP is inspected; downloads over TLS are
#     not covered unless decrypted upstream, so host-based DNS / TLS-SNI
#     detections are a useful complement.
#   - Indicators age: metadata:created_at records when the entry was issued.
#     Keep sid/rev as issued and refresh from the feed; reference:url points at
#     the URLhaus entry for each hit.
#
# Host 248bestmoon.click, /files/ paths:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_102219_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823341/; classtype:trojan-activity;sid:84686441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_135339_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823342/; classtype:trojan-activity;sid:84686442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/kluch.bin"; depth:16; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823334/; classtype:trojan-activity;sid:84686434; rev:1;)
# The next rule is for a different host, given as an IP literal:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/hg8wxrg.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823335/; classtype:trojan-activity;sid:84686435; rev:1;)
# Host 248bestmoon.click again, /files/ paths:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_130456_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823336/; classtype:trojan-activity;sid:84686436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_124307_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823337/; classtype:trojan-activity;sid:84686437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_105029_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823338/; classtype:trojan-activity;sid:84686438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_113541_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823331/; classtype:trojan-activity;sid:84686431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_094741_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823332/; classtype:trojan-activity;sid:84686432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_113750_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823333/; classtype:trojan-activity;sid:84686433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/malwar.exe"; depth:17; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823326/; classtype:trojan-activity;sid:84686426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_105133_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823327/; classtype:trojan-activity;sid:84686427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_101234_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823328/; classtype:trojan-activity;sid:84686428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_230643_output.exe"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823329/; classtype:trojan-activity;sid:84686429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_095241_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823330/; classtype:trojan-activity;sid:84686430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/ledger"; depth:13; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823325/; classtype:trojan-activity;sid:84686425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/favff4v3.exe"; depth:19; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823322/; classtype:trojan-activity;sid:84686422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_100633_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823323/; classtype:trojan-activity;sid:84686423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_010245_cbcheck.ps1"; depth:37; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823324/; classtype:trojan-activity;sid:84686424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_105658_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823319/; classtype:trojan-activity;sid:84686419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_103850_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823320/; classtype:trojan-activity;sid:84686420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_132157_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823321/; classtype:trojan-activity;sid:84686421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_120802_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823310/; classtype:trojan-activity;sid:84686410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_133701_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823311/; classtype:trojan-activity;sid:84686411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_102542_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823312/; classtype:trojan-activity;sid:84686412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/stealer.bin"; depth:18; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823313/; classtype:trojan-activity;sid:84686413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/version_proxy.dll"; depth:24; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823314/; classtype:trojan-activity;sid:84686414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260414_133641_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823315/; classtype:trojan-activity;sid:84686415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_055951_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823316/; classtype:trojan-activity;sid:84686416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_003937_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823317/; classtype:trojan-activity;sid:84686417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_100232_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823318/; classtype:trojan-activity;sid:84686418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_004008_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823303/; classtype:trojan-activity;sid:84686403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_105538_vns.vbs"; depth:33; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823304/; classtype:trojan-activity;sid:84686404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260410_090505_socks5.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823305/; classtype:trojan-activity;sid:84686405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_080249_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823306/; classtype:trojan-activity;sid:84686406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_094226_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823307/; classtype:trojan-activity;sid:84686407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_051105_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823308/; classtype:trojan-activity;sid:84686408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_124628_litewebcam.ps1"; depth:40; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823309/; classtype:trojan-activity;sid:84686409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_060421_microsoft.windowsappruntime.bootstrap.dll"; depth:67; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823300/; classtype:trojan-activity;sid:84686400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_072449_win32.vbs"; depth:35; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823301/; classtype:trojan-activity;sid:84686401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260415_080459_backgroundtaskhost.exe"; depth:48; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823302/; classtype:trojan-activity;sid:84686402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_223446_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823293/; classtype:trojan-activity;sid:84686393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_060657_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823294/; classtype:trojan-activity;sid:84686394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_104151_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823295/; classtype:trojan-activity;sid:84686395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_120214_clicknext.ps1"; depth:39; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823296/; classtype:trojan-activity;sid:84686396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_224710_scan.ps1"; depth:34; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823297/; classtype:trojan-activity;sid:84686397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_100811_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823298/; classtype:trojan-activity;sid:84686398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/debug.exe"; depth:16; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823299/; classtype:trojan-activity;sid:84686399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_220402_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823292/; classtype:trojan-activity;sid:84686392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_002801_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823285/; classtype:trojan-activity;sid:84686385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_121420_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823286/; classtype:trojan-activity;sid:84686386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260411_132508_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823287/; classtype:trojan-activity;sid:84686387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_053842_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823288/; classtype:trojan-activity;sid:84686388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_105235_webcam.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823289/; classtype:trojan-activity;sid:84686389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260413_125232_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823290/; classtype:trojan-activity;sid:84686390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fm_20260412_002019_enroll.ps1"; depth:36; endswith; nocase; http.host; content:"248bestmoon.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823291/; classtype:trojan-activity;sid:84686391; rev:1;)
# From here the hosts vary. Several rules use an IP literal as http.host with a
# very short URI ("/bin.sh", "/i"); because both buffers are matched exactly,
# such a rule is tied to that one address and stops matching once the address changes.
# The rules for the *.in.net names share one long URI and differ only in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.27.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823284/; classtype:trojan-activity;sid:84686384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.39.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823283/; classtype:trojan-activity;sid:84686383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-team1.aim-national.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823282/; classtype:trojan-activity;sid:84686382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.159.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823281/; classtype:trojan-activity;sid:84686381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brand-mark6.guy5mist.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823280/; classtype:trojan-activity;sid:84686380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.68.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823279/; classtype:trojan-activity;sid:84686379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quick-cash5.guy5mist.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823278/; classtype:trojan-activity;sid:84686378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.138.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823277/; classtype:trojan-activity;sid:84686377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.244.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823276/; classtype:trojan-activity;sid:84686376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.56.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823275/; classtype:trojan-activity;sid:84686375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"info-desk4.guy5mist.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823274/; classtype:trojan-activity;sid:84686374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-cart3.guy5mist.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823273/; classtype:trojan-activity;sid:84686373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"summer-sale2.guy5mist.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823272/; classtype:trojan-activity;sid:84686372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-food1.guy5mist.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823271/; classtype:trojan-activity;sid:84686371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.197.241.229"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823270/; classtype:trojan-activity;sid:84686370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.113.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823269/; classtype:trojan-activity;sid:84686369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"active-job6.empirical-tuna.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823268/; classtype:trojan-activity;sid:84686368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.244.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823267/; classtype:trojan-activity;sid:84686367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.1.83"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823266/; classtype:trojan-activity;sid:84686366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3823260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823260/; classtype:trojan-activity;sid:84686360; rev:1;)
# Triage note for the rules on this host ("whtempdomain.com"): every signature matches the
# client request only ($HOME_NET -> $EXTERNAL_NET, flow:established,from_client, method GET).
# An alert shows that an internal host asked for the listed URL; it does not show that the
# server answered or that a payload was written to disk. Confirm with the HTTP response
# record or file-extraction logs for the same flow before treating the source host as infected.
# Several paths below carry no file extension (/files/jar/security, /files/jar/elevator),
# so the exact URI match (depth + endswith) is the only thing identifying them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823261/; classtype:trojan-activity;sid:84686361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823262/; classtype:trojan-activity;sid:84686362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823263/; classtype:trojan-activity;sid:84686363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823264/; classtype:trojan-activity;sid:84686364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823265/; classtype:trojan-activity;sid:84686365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"whtempdomain.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823259/; classtype:trojan-activity;sid:84686359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.56.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823258/; classtype:trojan-activity;sid:84686358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.190.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823257/; classtype:trojan-activity;sid:84686357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823256)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"short-plan5.empirical-tuna.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823256/; classtype:trojan-activity;sid:84686356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823255/; classtype:trojan-activity;sid:84686355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"promo-card4.empirical-tuna.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823254/; classtype:trojan-activity;sid:84686354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.237.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823253/; classtype:trojan-activity;sid:84686353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"extra-coin3.empirical-tuna.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823252/; classtype:trojan-activity;sid:84686352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-bonus2.empirical-tuna.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823251/; classtype:trojan-activity;sid:84686351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.59.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823250/; classtype:trojan-activity;sid:84686350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.246.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823249/; classtype:trojan-activity;sid:84686349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lucky-gift1.empirical-tuna.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823248/; classtype:trojan-activity;sid:84686348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"front-gate6.benomkin5.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823247/; classtype:trojan-activity;sid:84686347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823246/; classtype:trojan-activity;sid:84686346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.113.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823245/; classtype:trojan-activity;sid:84686345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.91.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823244/; classtype:trojan-activity;sid:84686344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823243)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-profile5.benomkin5.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823243/; classtype:trojan-activity;sid:84686343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-table4.benomkin5.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823242/; classtype:trojan-activity;sid:84686342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"prime-list3.benomkin5.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823241/; classtype:trojan-activity;sid:84686341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.126.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823240/; classtype:trojan-activity;sid:84686340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823239)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-point2.benomkin5.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823239/; classtype:trojan-activity;sid:84686339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-choice1.benomkin5.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823237/; classtype:trojan-activity;sid:84686337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823238/; classtype:trojan-activity;sid:84686338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur2.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823232/; classtype:trojan-activity;sid:84686332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur2.duckdns.org"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823233/; classtype:trojan-activity;sid:84686333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"www.dllpluginmsbuild.duckdns.org"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823234/; classtype:trojan-activity;sid:84686334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur1.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823235/; classtype:trojan-activity;sid:84686335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"www.elpolacodelsur3.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823236/; classtype:trojan-activity;sid:84686336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur1.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823230/; classtype:trojan-activity;sid:84686330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3823231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"dllpluginmsbuild.duckdns.org"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823231/; classtype:trojan-activity;sid:84686331; rev:1;)
# The http.host match is exact (depth equals the name length, isdataat:!1,relative forbids
# trailing bytes), so the bare name and its "www." form are separate indicators and each
# gets its own rule; a host label not listed in the feed is not covered.
# The hosts in this group sit under duckdns.org, a dynamic-DNS zone, so the name-to-address
# mapping can change; metadata:created_at records when each entry was added, and stale
# entries are best handled by refreshing the feed rather than by editing rules here.
# NOTE(review): the same few .vbs file names recur across these hosts. A locally maintained
# rule keyed on the file name without the host pin would also catch unlisted hosts, at the
# cost of more false positives; it would need a SID outside this feed's range.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"www.dllpluginmsbuild.duckdns.org"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823220/; classtype:trojan-activity;sid:84686320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"www.dllpluginmsbuild.duckdns.org"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823221/; classtype:trojan-activity;sid:84686321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"www.elpolacodelsur3.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823222/; classtype:trojan-activity;sid:84686322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"dllpluginmsbuild.duckdns.org"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; 
reference:url, urlhaus.abuse.ch/url/3823223/; classtype:trojan-activity;sid:84686323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"www.elpolacodelsur3.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823224/; classtype:trojan-activity;sid:84686324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur1.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823225/; classtype:trojan-activity;sid:84686325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur3.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823226/; classtype:trojan-activity;sid:84686326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur3.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823227/; classtype:trojan-activity;sid:84686327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823228)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"www.dllpluginmsbuild.duckdns.org"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823228/; classtype:trojan-activity;sid:84686328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"www.elpolacodelsur3.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823229/; classtype:trojan-activity;sid:84686329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"dllpluginmsbuild.duckdns.org"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823215/; classtype:trojan-activity;sid:84686315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur1.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823216/; classtype:trojan-activity;sid:84686316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur2.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823217/; 
classtype:trojan-activity;sid:84686317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"elpolacodelsur3.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823218/; classtype:trojan-activity;sid:84686318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur3.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823219/; classtype:trojan-activity;sid:84686319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"sostexampp.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823212/; classtype:trojan-activity;sid:84686312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"elpolacodelsur2.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823213/; classtype:trojan-activity;sid:84686313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; 
endswith; nocase; http.host; content:"dllpluginmsbuild.duckdns.org"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823214/; classtype:trojan-activity;sid:84686314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-source6.acidity-inflame.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823211/; classtype:trojan-activity;sid:84686311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"www.elpolacodelsur2.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823210/; classtype:trojan-activity;sid:84686310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"www.elpolacodelsur2.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823209/; classtype:trojan-activity;sid:84686309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"www.elpolacodelsur2.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, 
urlhaus.abuse.ch/url/3823208/; classtype:trojan-activity;sid:84686308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"www.elpolacodelsur2.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823206/; classtype:trojan-activity;sid:84686306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-blog5.acidity-inflame.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823207/; classtype:trojan-activity;sid:84686307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.0.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823205/; classtype:trojan-activity;sid:84686305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.138.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823204/; classtype:trojan-activity;sid:84686304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823203)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-map4.acidity-inflame.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823203/; classtype:trojan-activity;sid:84686303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.192.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823202/; classtype:trojan-activity;sid:84686302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.255.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823201/; classtype:trojan-activity;sid:84686301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"latest-news3.acidity-inflame.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823200/; classtype:trojan-activity;sid:84686300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823199/; classtype:trojan-activity;sid:84686299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.192.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823198/; classtype:trojan-activity;sid:84686298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.97.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823197/; classtype:trojan-activity;sid:84686297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scenic-spot2.acidity-inflame.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823196/; classtype:trojan-activity;sid:84686296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.194.227.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823195/; classtype:trojan-activity;sid:84686295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823194)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.240.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823194/; classtype:trojan-activity;sid:84686294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"urban-vision1.acidity-inflame.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823193/; classtype:trojan-activity;sid:84686293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/m"; depth:14; endswith; nocase; http.host; content:"91.92.242.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823192/; classtype:trojan-activity;sid:84686292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.126.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823191/; classtype:trojan-activity;sid:84686291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/shjef2avfde.exe"; depth:28; endswith; nocase; http.host; content:"91.92.242.132"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_16; reference:url, urlhaus.abuse.ch/url/3823190/; classtype:trojan-activity;sid:84686290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.138.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823189/; classtype:trojan-activity;sid:84686289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-site6.rol1erspeeding.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823188/; classtype:trojan-activity;sid:84686288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-street5.rol1erspeeding.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823187/; classtype:trojan-activity;sid:84686287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823182/; classtype:trojan-activity;sid:84686282; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823183/; classtype:trojan-activity;sid:84686283; rev:1;)
# NOTE(review): the rules in this run share the host 77.221.153.207 and the
# /hiddenbin/ directory and differ only in the file-name suffix (arm7, x86,
# mips, mpsl, m68k). The suffixes look like CPU architecture names, presumably
# per-architecture builds of one payload; confirm against the URLhaus entries.
# For triage, treat an alert on any one of these sids as part of the same
# cluster and check the source host for the other requests.
# Each rule is an exact match: GET, http.uri equal to the listed path
# (content + depth + endswith, case-insensitive), and http.host equal to the
# listed address. Transfers over TLS are not inspected by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823184/; classtype:trojan-activity;sid:84686284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823185/; classtype:trojan-activity;sid:84686285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823186/; classtype:trojan-activity;sid:84686286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823179/; classtype:trojan-activity;sid:84686279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823180/; classtype:trojan-activity;sid:84686280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823181/; classtype:trojan-activity;sid:84686281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/ssad4edd!4d.exe"; depth:28; endswith; nocase; http.host; content:"ferwgf4er343.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823178/; classtype:trojan-activity;sid:84686278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/shjef2avfde.exe"; depth:28; endswith; nocase; http.host; content:"ferwgf4er343.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823177/; classtype:trojan-activity;sid:84686277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3823175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823175/; classtype:trojan-activity;sid:84686275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"77.221.153.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823176/; classtype:trojan-activity;sid:84686276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.97.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823174/; classtype:trojan-activity;sid:84686274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"total-summary4.rol1erspeeding.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823173/; classtype:trojan-activity;sid:84686273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"local-office3.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823172/; classtype:trojan-activity;sid:84686272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"large-parcel2.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823171/; classtype:trojan-activity;sid:84686271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.125.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823170/; classtype:trojan-activity;sid:84686270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.125.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823168/; classtype:trojan-activity;sid:84686268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-status1.rol1erspeeding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 
2026_04_16; reference:url, urlhaus.abuse.ch/url/3823169/; classtype:trojan-activity;sid:84686269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823166/; classtype:trojan-activity;sid:84686266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.191.16.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823167/; classtype:trojan-activity;sid:84686267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; endswith; nocase; http.host; content:"147.45.79.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823165/; classtype:trojan-activity;sid:84686265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-section6.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823164/; classtype:trojan-activity;sid:84686264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823163)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"public-help5.domna-replenish.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823163/; classtype:trojan-activity;sid:84686263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"item-details4.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823162/; classtype:trojan-activity;sid:84686262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823161/; classtype:trojan-activity;sid:84686261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.67.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823160/; classtype:trojan-activity;sid:84686260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823159)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-gallery3.domna-replenish.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823159/; classtype:trojan-activity;sid:84686259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.161.248.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823158/; classtype:trojan-activity;sid:84686258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest-portal2.domna-replenish.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823157/; classtype:trojan-activity;sid:84686257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823156/; classtype:trojan-activity;sid:84686256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"central-market1.domna-replenish.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823155/; classtype:trojan-activity;sid:84686255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"street-view6.kro2vilen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823154/; classtype:trojan-activity;sid:84686254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.227.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823153/; classtype:trojan-activity;sid:84686253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good-luck5.kro2vilen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823152/; classtype:trojan-activity;sid:84686252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.188.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823151/; 
classtype:trojan-activity;sid:84686251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sunny-day4.kro2vilen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823150/; classtype:trojan-activity;sid:84686250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.228.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823149/; classtype:trojan-activity;sid:84686249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bright-sun3.kro2vilen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823148/; classtype:trojan-activity;sid:84686248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/output.exe"; depth:17; endswith; nocase; http.host; content:"brukva.shop"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823147/; classtype:trojan-activity;sid:84686247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3823146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"health-care2.kro2vilen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823146/; classtype:trojan-activity;sid:84686246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.227.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823145/; classtype:trojan-activity;sid:84686245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sweet-home1.kro2vilen.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823144/; classtype:trojan-activity;sid:84686244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.3.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823143/; classtype:trojan-activity;sid:84686243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823142)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-done6.tix9larem.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823142/; classtype:trojan-activity;sid:84686242; rev:1;)
# --- URLhaus exact-URL download rules, entries created 2026_04_16 ---
# Layout: one rule per line, the form Suricata reads from a rules file. The fragment on the
# line above and the one on the last line of this span belong to rules that continue outside
# it; both are left as found.
# What every rule here matches: an established, client-to-server HTTP request from $HOME_NET
# to $EXTERNAL_NET with "GET" in http.method (unanchored content, so a substring match),
# http.uri equal to the listed path (depth = pattern length plus endswith; nocase) and
# http.host equal to the listed host (depth = pattern length plus isdataat:!1,relative).
# Coverage limits to keep in mind when triaging or tuning:
#   - only parsed HTTP is inspected; the same URL fetched over TLS is not seen without decryption;
#   - the URI must match in full, so these are exact-IoC hits, not family detections;
#   - direction is fixed by $HOME_NET/$EXTERNAL_NET, so those variables must reflect the site.
# sid = URLhaus entry id + 80863100 for every rule in this span; reference: carries the same id.
#
# Three .txt objects under /public_files/ on one bare-IP host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/49yyrdi.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823140/; classtype:trojan-activity;sid:84686240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/g65chbx.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823141/; classtype:trojan-activity;sid:84686241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/kgvn4oy.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823139/; classtype:trojan-activity;sid:84686239; rev:1;)
# One 82-byte path ending in ".google" recurs unchanged across numbered subdomains (suffix 1-6)
# of several *.in.net parents in this span (tix9larem, bex1lorim, dax6porel, pyn9sorel,
# wex4tiral, tix7marel, vyr3solen, lax8dorim); only http.host differs between those rules.
# NOTE(review): the shared path looks like the stable element of this cluster, so a proxy-log
# search on the path alone may surface sibling hosts not listed here - confirm against URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"heavy-pack5.tix9larem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823138/; classtype:trojan-activity;sid:84686238; rev:1;)
# Recurring pair in this span: "/i" and "/bin.sh" requested from bare IPv4 hosts; several
# addresses appear once with each path, under separate sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.230.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823136/; classtype:trojan-activity;sid:84686236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.228.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823137/; classtype:trojan-activity;sid:84686237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.230.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823135/; classtype:trojan-activity;sid:84686235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.188.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823134/; classtype:trojan-activity;sid:84686234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"short-word4.tix9larem.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823133/; classtype:trojan-activity;sid:84686233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sticky-note3.tix9larem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823132/; classtype:trojan-activity;sid:84686232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"direct-send2.tix9larem.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823131/; classtype:trojan-activity;sid:84686231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"express-mail1.tix9larem.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823130/; classtype:trojan-activity;sid:84686230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solid-base6.bex1lorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823129/; classtype:trojan-activity;sid:84686229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.177.220.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823128/; classtype:trojan-activity;sid:84686228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rain-drop5.bex1lorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823127/; classtype:trojan-activity;sid:84686227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.213.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823126/; classtype:trojan-activity;sid:84686226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.184.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823125/; classtype:trojan-activity;sid:84686225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.25.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823124/; classtype:trojan-activity;sid:84686224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deep-well4.bex1lorim.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823123/; classtype:trojan-activity;sid:84686223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"river-flow3.bex1lorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823122/; classtype:trojan-activity;sid:84686222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ocean-blue2.bex1lorim.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823121/; classtype:trojan-activity;sid:84686221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-water1.bex1lorim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823120/; classtype:trojan-activity;sid:84686220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.184.29.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823119/; classtype:trojan-activity;sid:84686219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.177.220.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823118/; classtype:trojan-activity;sid:84686218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"group-join6.dax6porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823117/; classtype:trojan-activity;sid:84686217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.213.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823116/; classtype:trojan-activity;sid:84686216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brief-meet5.dax6porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823115/; classtype:trojan-activity;sid:84686215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"simple-form4.dax6porel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823114/; classtype:trojan-activity;sid:84686214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"phone-call3.dax6porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823113/; classtype:trojan-activity;sid:84686213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"senior-staff2.dax6porel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823112/; classtype:trojan-activity;sid:84686212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.184.29.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823111/; classtype:trojan-activity;sid:84686211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-team1.dax6porel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823110/; classtype:trojan-activity;sid:84686210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.184.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823109/; classtype:trojan-activity;sid:84686209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brand-mark6.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823108/; classtype:trojan-activity;sid:84686208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quick-cash5.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823107/; classtype:trojan-activity;sid:84686207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.142.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823106/; classtype:trojan-activity;sid:84686206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.142.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823105/; classtype:trojan-activity;sid:84686205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"info-desk4.pyn9sorel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823104/; classtype:trojan-activity;sid:84686204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"empty-cart3.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823103/; classtype:trojan-activity;sid:84686203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.185.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823102/; classtype:trojan-activity;sid:84686202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"summer-sale2.pyn9sorel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823101/; classtype:trojan-activity;sid:84686201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-food1.pyn9sorel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823100/; classtype:trojan-activity;sid:84686200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.224.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823099/; classtype:trojan-activity;sid:84686199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823098/; classtype:trojan-activity;sid:84686198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"active-job6.wex4tiral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823097/; classtype:trojan-activity;sid:84686197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"short-plan5.wex4tiral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823096/; classtype:trojan-activity;sid:84686196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.27.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823095/; classtype:trojan-activity;sid:84686195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.105.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823094/; classtype:trojan-activity;sid:84686194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"promo-card4.wex4tiral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823093/; classtype:trojan-activity;sid:84686193; rev:1;)
# /bins/* on 85.208.9.62: nine objects in this span, interleaved with two unrelated entries.
# The name suffixes (arm, arm5, arm6, arm7, mips, mpsl, m68k, x86, sh4) read like
# CPU-architecture tags - inferred from the file names only, not from the samples.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823092/; classtype:trojan-activity;sid:84686192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823090/; classtype:trojan-activity;sid:84686190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823091/; classtype:trojan-activity;sid:84686191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823089/; classtype:trojan-activity;sid:84686189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.105.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823082/; classtype:trojan-activity;sid:84686182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"156.229.118.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823083/; classtype:trojan-activity;sid:84686183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823084/; classtype:trojan-activity;sid:84686184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823085/; classtype:trojan-activity;sid:84686185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823086/; classtype:trojan-activity;sid:84686186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823087/; classtype:trojan-activity;sid:84686187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"85.208.9.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823088/; classtype:trojan-activity;sid:84686188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"extra-coin3.wex4tiral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823081/; classtype:trojan-activity;sid:84686181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.250.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823080/; classtype:trojan-activity;sid:84686180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daily-bonus2.wex4tiral.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823079/; classtype:trojan-activity;sid:84686179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823078/; classtype:trojan-activity;sid:84686178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.7.168"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823076/; classtype:trojan-activity;sid:84686176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.0.135"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823077/; classtype:trojan-activity;sid:84686177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lucky-gift1.wex4tiral.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823075/; classtype:trojan-activity;sid:84686175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.149.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823074/; classtype:trojan-activity;sid:84686174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"front-gate6.tix7marel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823073/; classtype:trojan-activity;sid:84686173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-profile5.tix7marel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823072/; classtype:trojan-activity;sid:84686172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.35.50.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823071/; classtype:trojan-activity;sid:84686171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.250.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823070/; classtype:trojan-activity;sid:84686170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"full-table4.tix7marel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823069/; classtype:trojan-activity;sid:84686169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.70.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823068/; classtype:trojan-activity;sid:84686168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"prime-list3.tix7marel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823067/; classtype:trojan-activity;sid:84686167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-point2.tix7marel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823066/; classtype:trojan-activity;sid:84686166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.149.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823065/; classtype:trojan-activity;sid:84686165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.140.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823064/; classtype:trojan-activity;sid:84686164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-choice1.tix7marel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823063/; classtype:trojan-activity;sid:84686163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-source6.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823062/; classtype:trojan-activity;sid:84686162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travel-blog5.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823061/; classtype:trojan-activity;sid:84686161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.217.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823060/; classtype:trojan-activity;sid:84686160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-map4.vyr3solen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823059/; classtype:trojan-activity;sid:84686159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.140.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823058/; classtype:trojan-activity;sid:84686158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.46.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823057/; classtype:trojan-activity;sid:84686157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.124.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823056/; classtype:trojan-activity;sid:84686156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"latest-news3.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823055/; classtype:trojan-activity;sid:84686155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scenic-spot2.vyr3solen.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823054/; classtype:trojan-activity;sid:84686154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"urban-vision1.vyr3solen.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823053/; classtype:trojan-activity;sid:84686153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-site6.lax8dorim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823052/; classtype:trojan-activity;sid:84686152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3823051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-street5.lax8dorim.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823051/; classtype:trojan-activity;sid:84686151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"total-summary4.lax8dorim.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823050/; classtype:trojan-activity;sid:84686150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.48.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823049/; classtype:trojan-activity;sid:84686149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.38.134.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823048/; classtype:trojan-activity;sid:84686148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"124.235.249.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823047/; classtype:trojan-activity;sid:84686147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"local-office3.lax8dorim.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823046/; classtype:trojan-activity;sid:84686146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"large-parcel2.lax8dorim.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823045/; classtype:trojan-activity;sid:84686145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-status1.lax8dorim.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823044/; classtype:trojan-activity;sid:84686144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.217.59"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823043/; classtype:trojan-activity;sid:84686143; rev:1;)
# The line above is the tail of a rule that starts before this span.
#
# Every rule in this span has the same shape: an outbound HTTP GET from
# $HOME_NET whose http.uri and http.host each equal one listed value. The URI
# pattern is anchored by `depth` (set to the pattern length) together with
# `endswith`; the host pattern by `depth` together with `isdataat:!1,relative`.
# Because the match is exact on both buffers, a change of hostname or path on
# the serving side is not covered until the feed lists the new URL.
# Matching is on the client request only; it does not show whether the server
# answered with content.
#
# The in.net hostnames here (subdomains of zom5pirel, invert-manner and
# racersta7ving) all use one identical 82-byte URI path, while the IP-literal
# hosts use "/i" or "/bin.sh". 39.86.52.95 and 113.221.15.165 are listed with
# both short paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home-section6.zom5pirel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823042/; classtype:trojan-activity;sid:84686142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.238.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823041/; classtype:trojan-activity;sid:84686141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"public-help5.zom5pirel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823040/; classtype:trojan-activity;sid:84686140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.48.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823039/; classtype:trojan-activity;sid:84686139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.86.52.95"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823038/; classtype:trojan-activity;sid:84686138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.161.248.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823037/; classtype:trojan-activity;sid:84686137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"item-details4.zom5pirel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823036/; classtype:trojan-activity;sid:84686136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media-gallery3.zom5pirel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823035/; classtype:trojan-activity;sid:84686135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.122.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823034/; classtype:trojan-activity;sid:84686134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest-portal2.zom5pirel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823033/; classtype:trojan-activity;sid:84686133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.188.138.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823032/; classtype:trojan-activity;sid:84686132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"central-market1.zom5pirel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823031/; classtype:trojan-activity;sid:84686131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tri-fluxon.invert-manner.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823030/; classtype:trojan-activity;sid:84686130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.86.52.95"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823029/; classtype:trojan-activity;sid:84686129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"authsnapshot.invert-manner.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823028/; classtype:trojan-activity;sid:84686128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.15.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823027/; classtype:trojan-activity;sid:84686127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gutyx.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823026/; classtype:trojan-activity;sid:84686126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.254.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823025/; classtype:trojan-activity;sid:84686125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"87phs.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823024/; classtype:trojan-activity;sid:84686124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vscoj.invert-manner.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823023/; classtype:trojan-activity;sid:84686123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.102.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823022/; classtype:trojan-activity;sid:84686122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"11q31v.invert-manner.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823021/; classtype:trojan-activity;sid:84686121; rev:1;)
# From here on the rules carry metadata:created_at 2026_04_15.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p14sm-grid.racersta7ving.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823020/; classtype:trojan-activity;sid:84686120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.15.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823019/; classtype:trojan-activity;sid:84686119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9adl.racersta7ving.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823018/; classtype:trojan-activity;sid:84686118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"specapi.racersta7ving.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823017/; classtype:trojan-activity;sid:84686117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b1oo9-hold.racersta7ving.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823016/; classtype:trojan-activity;sid:84686116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ovumpg.racersta7ving.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823015/; classtype:trojan-activity;sid:84686115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iijbe.racersta7ving.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823014/; classtype:trojan-activity;sid:84686114; rev:1;)
# The rule below continues past the end of this span.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823013)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.188.138.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823013/; classtype:trojan-activity;sid:84686113; rev:1;)
# The line above is the tail of a rule that starts before this span.
#
# Each rule in this span alerts on an outbound HTTP GET from $HOME_NET to one
# exact URL: http.uri is matched with `depth` + `endswith` (and `nocase`),
# http.host with `depth` + `isdataat:!1,relative`, so the pattern has to fill
# the whole buffer. An alert therefore means a client requested a listed URL;
# whether anything was downloaded has to be established from the response or
# from the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"npmx.photot-sudok.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823012/; classtype:trojan-activity;sid:84686112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-tidea.photot-sudok.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823011/; classtype:trojan-activity;sid:84686111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fbhi02d.photot-sudok.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823010/; classtype:trojan-activity;sid:84686110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823009/; classtype:trojan-activity;sid:84686109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"queu-crest.photot-sudok.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823008/; classtype:trojan-activity;sid:84686108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.153.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823007/; classtype:trojan-activity;sid:84686107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4cti-pulse.photot-sudok.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823006/; classtype:trojan-activity;sid:84686106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.224.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823005/; classtype:trojan-activity;sid:84686105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.239.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823004/; classtype:trojan-activity;sid:84686104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"povv3r3-sheet.photot-sudok.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823003/; classtype:trojan-activity;sid:84686103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"74vjq.go0duntenable.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823002/; classtype:trojan-activity;sid:84686102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rqwhul1.go0duntenable.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823001/; classtype:trojan-activity;sid:84686101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/adohojx.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3823000/; classtype:trojan-activity;sid:84686100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822999/; classtype:trojan-activity;sid:84686099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ridgetempo.go0duntenable.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822998/; classtype:trojan-activity;sid:84686098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solcorea8.go0duntenable.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822997/; classtype:trojan-activity;sid:84686097; rev:1;)
# NOTE(review): in the next rule the URI pattern is 21 bytes once |3f| is
# decoded to "?", but depth is 24, which looks like the length of the escaped
# text. With `endswith` that leaves up to 3 bytes of slack in front of the
# pattern, so this rule is not a strict whole-URI match like its neighbours,
# whose depth equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|adguardpremiump6"; depth:24; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822986/; classtype:trojan-activity;sid:84686086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.244.8.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822985/; classtype:trojan-activity;sid:84686085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"op3n-cast.go0duntenable.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822984/; classtype:trojan-activity;sid:84686084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"187.45.95.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822983/; classtype:trojan-activity;sid:84686083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hfjivor0.go0duntenable.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822982/; classtype:trojan-activity;sid:84686082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.138.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822981/; classtype:trojan-activity;sid:84686081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ser-lineor.quant-splashes.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822980/; classtype:trojan-activity;sid:84686080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xuymf0.quant-splashes.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822979/; classtype:trojan-activity;sid:84686079; rev:1;)
# The eight rules that follow (3822970 and 3822972-3822978) name github.com or
# raw.githubusercontent.com as the host; each of the four archives is listed
# once per host form. These are shared hosting platforms, so the indicator is
# the exact repository path, not the host itself.
# NOTE(review): these are `alert http` rules and inspect HTTP that the sensor
# sees in clear text. Both hosts are normally fetched over HTTPS (confirm the
# scheme in the URLhaus entry); in that case the rules stay silent unless TLS
# is decrypted ahead of the sensor, and proxy or endpoint logs are where the
# same paths would have to be searched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jerson78/erduo-skills/refs/heads/main/.claude/skills-erduo-2.9.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822977/; classtype:trojan-activity;sid:84686077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jerson78/erduo-skills/raw/refs/heads/main/.claude/skills-erduo-2.9.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822978/; classtype:trojan-activity;sid:84686078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jerson78/jerson78.github.io/raw/refs/heads/main/discina/io-jerson-github-2.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822975/; classtype:trojan-activity;sid:84686075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jerson78/jerson78.github.io/refs/heads/main/discina/io-jerson-github-2.1.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822976/; classtype:trojan-activity;sid:84686076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v24azaher2/github-runners/raw/refs/heads/master/docker/runners-github-mammal.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822972/; classtype:trojan-activity;sid:84686072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v24azaher2/v24azaher2.github.io/raw/refs/heads/main/fenceress/github_io_azaher_v_v3.8.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822973/; classtype:trojan-activity;sid:84686073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v24azaher2/github-runners/refs/heads/master/docker/runners-github-mammal.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822974/; classtype:trojan-activity;sid:84686074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v24azaher2/v24azaher2.github.io/refs/heads/main/fenceress/github_io_azaher_v_v3.8.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822970/; classtype:trojan-activity;sid:84686070; rev:1;)
# The rule below continues past the end of this span.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tshev.quant-splashes.in.net"; depth:27; isdataat:!1,relative;
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822971/; classtype:trojan-activity;sid:84686071; rev:1;)
# The line above completes a rule that starts on the previous line of the file.
#
# URLhaus download-URL alerts: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI (depth = pattern length, endswith, nocase) and host (depth = pattern
# length, isdataat:!1,relative) both equal the listed values in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"312pl.quant-splashes.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822969/; classtype:trojan-activity;sid:84686069; rev:1;)
# Bare-IP rules (/i, /bin.sh): the IPv4 literal is matched in http.host, not as the destination
# address, so a request to the same server carrying a different Host value does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.146.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822968/; classtype:trojan-activity;sid:84686068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f1nal-wave.quant-splashes.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822967/; classtype:trojan-activity;sid:84686067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.240.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822966/; classtype:trojan-activity;sid:84686066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.128.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822965/; classtype:trojan-activity;sid:84686065; rev:1;)
# One shared URI path under several hostnames of quant-splashes.in.net and marinmort8ager.in.net.
# NOTE(review): each rule pins one hostname, so sibling hostnames not yet listed are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zzx2x3.quant-splashes.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822964/; classtype:trojan-activity;sid:84686064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"servenum7.marinmort8ager.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822963/; classtype:trojan-activity;sid:84686063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"notifycrystal.marinmort8ager.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822962/; classtype:trojan-activity;sid:84686062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenvale0um.marinmort8ager.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822961/; classtype:trojan-activity;sid:84686061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.73.94"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822960/; classtype:trojan-activity;sid:84686060; rev:1;)
# Run of rules for one host, 93.95.115.14. The /spl* suffixes (sh4, mips, ppc, x86, mpsl, arm6,
# spc) look like CPU-architecture names - presumably per-architecture builds of one payload; the
# feed itself does not say so.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splsh4"; depth:7; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822959/; classtype:trojan-activity;sid:84686059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmips"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822948/; classtype:trojan-activity;sid:84686048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splppc"; depth:7; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822949/; classtype:trojan-activity;sid:84686049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f"; depth:2; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822950/; classtype:trojan-activity;sid:84686050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splx86"; depth:7; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822951/; classtype:trojan-activity;sid:84686051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmpsl"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822952/; classtype:trojan-activity;sid:84686052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm6"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822953/; classtype:trojan-activity;sid:84686053; rev:1;)
# The rule started on the next line continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splspc"; depth:7; endswith; nocase; http.host;
content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822954/; classtype:trojan-activity;sid:84686054; rev:1;)
# The line above completes a rule that starts on the previous line of the file.
#
# URLhaus download-URL alerts: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI (depth = pattern length, endswith, nocase) and host (depth = pattern
# length, isdataat:!1,relative) both equal the listed values in full.
#
# More /spl* paths on 93.95.115.14; the suffixes (arm5, arm, arm7, m68k) look like
# CPU-architecture names - presumably per-architecture builds; not stated by the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm5"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822955/; classtype:trojan-activity;sid:84686055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm"; depth:7; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822956/; classtype:trojan-activity;sid:84686056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm7"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822957/; classtype:trojan-activity;sid:84686057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splm68k"; depth:8; endswith; nocase; http.host; content:"93.95.115.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822958/; classtype:trojan-activity;sid:84686058; rev:1;)
# Bare-IP rules (/i, /bin.sh): the IPv4 literal is matched in http.host, not as the destination
# address. Several IPs appear twice, once per path (for example 112.248.0.232 and 42.242.128.126).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.121.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822947/; classtype:trojan-activity;sid:84686047; rev:1;)
# One shared URI path under several hostnames of marinmort8ager.in.net and parchm-susyuka.in.net.
# NOTE(review): each rule pins one hostname, so sibling hostnames not yet listed are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5and-stack.marinmort8ager.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822946/; classtype:trojan-activity;sid:84686046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talcore4is.marinmort8ager.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822945/; classtype:trojan-activity;sid:84686045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.0.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822944/; classtype:trojan-activity;sid:84686044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.242.128.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822943/; classtype:trojan-activity;sid:84686043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ejwrfoig.marinmort8ager.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822942/; classtype:trojan-activity;sid:84686042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mpjim.parchm-susyuka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822941/; classtype:trojan-activity;sid:84686041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.73.94"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822940/; classtype:trojan-activity;sid:84686040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"driftvoic.parchm-susyuka.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822939/; classtype:trojan-activity;sid:84686039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"m0ti9-route.parchm-susyuka.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822938/; classtype:trojan-activity;sid:84686038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.0.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822937/; classtype:trojan-activity;sid:84686037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"187.45.95.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822936/; classtype:trojan-activity;sid:84686036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.128.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822935/; classtype:trojan-activity;sid:84686035; rev:1;)
# The rule started on the next line continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822934)"; flow:established,from_client; http.method;
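content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"civi1-flow.parchm-susyuka.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822934/; classtype:trojan-activity;sid:84686034; rev:1;)
# The line above completes a rule that starts on the previous line of the file.
#
# URLhaus download-URL alerts: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and host both equal the listed values in full:
#   http.uri  - depth equal to the decoded pattern length plus endswith (nocase)
#   http.host - depth equal to the pattern length plus isdataat:!1,relative
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"un1oad-sync.parchm-susyuka.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822933/; classtype:trojan-activity;sid:84686033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/ts95sik.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822932/; classtype:trojan-activity;sid:84686032; rev:1;)
# Corrected depth on the nine "/in/|3f|kiddionsmodmenuN" rules below. "|3f|" encodes the single
# byte "?", so the pattern is 21 bytes long. The feed carried depth:24, which is the length of the
# escaped rule text; combined with endswith that also accepted URIs with up to three extra
# leading bytes. depth:21 gives the same exact-URI match as the other rules.
# sid and rev are kept as published. NOTE(review): the feed is regenerated upstream, so this local
# correction will presumably be overwritten on the next update unless the generator is fixed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu4"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822931/; classtype:trojan-activity;sid:84686031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu3"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822929/; classtype:trojan-activity;sid:84686029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu7"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822930/; classtype:trojan-activity;sid:84686030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu6"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822928/; classtype:trojan-activity;sid:84686028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu9"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822927/; classtype:trojan-activity;sid:84686027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu8"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822926/; classtype:trojan-activity;sid:84686026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu5"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822925/; classtype:trojan-activity;sid:84686025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu2"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822923/; classtype:trojan-activity;sid:84686023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in/|3f|kiddionsmodmenu1"; depth:21; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822922/; classtype:trojan-activity;sid:84686022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eydfdx4.parchm-susyuka.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822921/; classtype:trojan-activity;sid:84686021; rev:1;)
# The rule started on the next line continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822920)"; flow:established,from_client; http.method; content:"GET"; http.uri;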
content:"/tmgytofficial/tmgytofficial.github.io/refs/heads/main/alop/github_io_tmgytofficial_1.3.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822920/; classtype:trojan-activity;sid:84686020; rev:1;)
# The line above completes a rule that starts on the previous line of the file.
#
# URLhaus download-URL alerts: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI (depth = pattern length, endswith, nocase) and host (depth = pattern
# length, isdataat:!1,relative) both equal the listed values in full.
#
# Most rules here target .zip archives on github.com / raw.githubusercontent.com; each archive is
# listed twice, once per host form (github.com/.../raw/refs/... and raw.githubusercontent.com/.../refs/...).
# NOTE(review): "alert http" only matches traffic the sensor can parse as HTTP. These hosts are
# normally reached over TLS, so the rules presumably need decrypted traffic to fire; confirm
# against sensor placement before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmgytofficial/aio-tvflix-builder/raw/refs/heads/main/metalline/aio_builder_tvflix_overwhisper.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822913/; classtype:trojan-activity;sid:84686013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lavadood6909/mql5-jetbrains/refs/heads/main/scutellae/jetbrains-mql-3.8-alpha.3.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822914/; classtype:trojan-activity;sid:84686014; rev:1;)
# Interleaved: one shared URI path under several hostnames of imperturbs1av.in.net.
# NOTE(review): each rule pins one hostname, so sibling hostnames not yet listed are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oassyn.imperturbs1av.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822915/; classtype:trojan-activity;sid:84686015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lavadood6909/lavadood6909.github.io/raw/refs/heads/main/unsuitably/lavadood_io_github_2.0.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822916/; classtype:trojan-activity;sid:84686016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brave-sens.imperturbs1av.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822917/; classtype:trojan-activity;sid:84686017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmgytofficial/tmgytofficial.github.io/raw/refs/heads/main/alop/github_io_tmgytofficial_1.3.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822918/; classtype:trojan-activity;sid:84686018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mer-crestal.imperturbs1av.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822919/; classtype:trojan-activity;sid:84686019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lavadood6909/lavadood6909.github.io/refs/heads/main/unsuitably/lavadood_io_github_2.0.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822909/; classtype:trojan-activity;sid:84686009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lavadood6909/mql5-jetbrains/raw/refs/heads/main/scutellae/jetbrains-mql-3.8-alpha.3.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822910/; classtype:trojan-activity;sid:84686010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"euwt.imperturbs1av.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822911/; classtype:trojan-activity;sid:84686011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmgytofficial/aio-tvflix-builder/refs/heads/main/metalline/aio_builder_tvflix_overwhisper.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822912/; classtype:trojan-activity;sid:84686012; rev:1;)
# The rule started on the next line continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware
download URL detected (3822908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kunalkalia2610/antigravity-proxy/refs/heads/master/unbehaving/antigravity-proxy-3.2.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822908/; classtype:trojan-activity;sid:84686008; rev:1;)
# The line above completes a rule that starts on the previous line of the file.
#
# URLhaus download-URL alerts: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI (depth = pattern length, endswith, nocase) and host (depth = pattern
# length, isdataat:!1,relative) both equal the listed values in full.
#
# Rules for .zip archives on github.com / raw.githubusercontent.com. The exact URI + host match
# keeps them from alerting on any other path on these shared hosts.
# NOTE(review): "alert http" only matches traffic the sensor can parse as HTTP. These hosts are
# normally reached over TLS, so the rules presumably need decrypted traffic to fire; confirm
# against sensor placement before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adidasyadebiras228/adidasyadebiras228.github.io/raw/refs/heads/main/gangsman/io-github-adidasyadebiras-v3.0.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822907/; classtype:trojan-activity;sid:84686007; rev:1;)
# Bare-IP rules (/i, /bin.sh): the IPv4 literal is matched in http.host, not as the destination
# address, so a request to the same server carrying a different Host value does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.129.145.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822905/; classtype:trojan-activity;sid:84686005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.138.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822906/; classtype:trojan-activity;sid:84686006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.168.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822904/; classtype:trojan-activity;sid:84686004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enescoban43/enescoban43.github.io/raw/refs/heads/main/unbastilled/io-github-enescoban-1.1.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822901/; classtype:trojan-activity;sid:84686001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enescoban43/enescoban43.github.io/refs/heads/main/unbastilled/io-github-enescoban-1.1.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822902/; classtype:trojan-activity;sid:84686002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xcmw.imperturbs1av.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822903/; classtype:trojan-activity;sid:84686003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adidasyadebiras228/docker-nvidia-gpu-ml/raw/refs/heads/master/docs/gpu_docker_ml_nvidia_v2.0.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822896/; classtype:trojan-activity;sid:84685996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/planning-system/refs/heads/main/dev/plans/plugin-conversion/planning_system_v2.0.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822897/; classtype:trojan-activity;sid:84685997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggplayerp/ggplayerp.github.io/refs/heads/main/strangury/github_ggplayerp_io_v2.9.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822898/; classtype:trojan-activity;sid:84685998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggplayerp/ggplayerp.github.io/raw/refs/heads/main/strangury/github_ggplayerp_io_v2.9.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822899/; classtype:trojan-activity;sid:84685999; rev:1;)
# The rule started on the next line continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822900)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/kunalkalia2610/antigravity-proxy/raw/refs/heads/master/unbehaving/antigravity-proxy-3.2.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822900/; classtype:trojan-activity;sid:84686000; rev:1;)
# Every rule in this run targets a GitHub-hosted .zip path. The github.com
# form carries /raw/ before refs/heads and the raw.githubusercontent.com form
# does not, which is why paired depth values differ by 4 (90 vs 86 for the
# bladerex24.github.io archive below). A hit on either form refers to the same
# file. The hostname is shared with legitimate content, so the URI path is
# the only indicator here.
#
# sid equals the URLhaus id plus 80863100 in each of these rules, and msg and
# reference repeat that id, so an alert maps directly to its URLhaus entry.
#
# The same few owner names recur across several repositories in this run;
# NOTE(review): an owner-level look at proxy logs may surface sibling files
# that are not listed, since each rule matches one exact path only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggplayerp/amp-contrib/raw/refs/heads/main/.agents/skills/tmux/contrib_amp_auscultoscope.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822884/; classtype:trojan-activity;sid:84685984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bladerex24/bladerex24.github.io/refs/heads/main/bondwoman/github-bladerex-io-v2.0.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822885/; classtype:trojan-activity;sid:84685985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/rootth/raw/refs/heads/master/geggery/root_th_3.0.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822886/; classtype:trojan-activity;sid:84685986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adidasyadebiras228/adidasyadebiras228.github.io/refs/heads/main/gangsman/io-github-adidasyadebiras-v3.0.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822887/; classtype:trojan-activity;sid:84685987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/xmrig/raw/refs/heads/master/src/backend/opencl/runners/software-2.8.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822888/; classtype:trojan-activity;sid:84685988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bladerex24/simple-llm/raw/refs/heads/master/model/simple_llm_v3.7.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822889/; classtype:trojan-activity;sid:84685989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kunalkalia2610/kunalkalia2610.github.io/refs/heads/main/peridineae/io_github_kunalkalia_idosaccharic.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822890/; classtype:trojan-activity;sid:84685990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kunalkalia2610/kunalkalia2610.github.io/raw/refs/heads/main/peridineae/io_github_kunalkalia_idosaccharic.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822891/; classtype:trojan-activity;sid:84685991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/planning-system/raw/refs/heads/main/dev/plans/plugin-conversion/planning_system_v2.0.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822892/; classtype:trojan-activity;sid:84685992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enescoban43/system-constitution/raw/refs/heads/main/schema/system_constitution_v2.5.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822893/; classtype:trojan-activity;sid:84685993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bladerex24/bladerex24.github.io/raw/refs/heads/main/bondwoman/github-bladerex-io-v2.0.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822894/; classtype:trojan-activity;sid:84685994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzgarothman/rzgarothman.github.io/raw/refs/heads/main/geological/io-github-rzgarothman-v2.2.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822895/; classtype:trojan-activity;sid:84685995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kunalkalia2610/pebblecreek-laravel/raw/refs/heads/master/bootstrap/pebblecreek_laravel_v2.3.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822874/; classtype:trojan-activity;sid:84685974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/rootth/refs/heads/master/geggery/root_th_3.0.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822875/; classtype:trojan-activity;sid:84685975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enescoban43/system-constitution/refs/heads/main/schema/system_constitution_v2.5.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822876/; classtype:trojan-activity;sid:84685976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3822877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adidasyadebiras228/docker-nvidia-gpu-ml/refs/heads/master/docs/gpu_docker_ml_nvidia_v2.0.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822877/; classtype:trojan-activity;sid:84685977; rev:1;)
# Exact-match download indicators: in each rule depth equals the content
# length and endswith / isdataat:!1,relative pin the end of the buffer, so
# http.uri and http.host must equal the listed strings (URI via nocase).
# These are outbound GET requests only (flow:established,from_client from
# $HOME_NET to $EXTERNAL_NET).
#
# Most entries here are on raw.githubusercontent.com or github.com. Those
# hosts are normally reached over HTTPS; NOTE(review): an "alert http" rule
# presumably fires only where the sensor sees decrypted or cleartext HTTP -
# confirm against your TLS-inspection coverage before relying on these.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kunalkalia2610/pebblecreek-laravel/refs/heads/master/bootstrap/pebblecreek_laravel_v2.3.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822878/; classtype:trojan-activity;sid:84685978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/knigthfrodo.github.io/raw/refs/heads/main/assigned/github_io_knigthfrodo_disprove.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822879/; classtype:trojan-activity;sid:84685979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/knigthfrodo.github.io/refs/heads/main/assigned/github_io_knigthfrodo_disprove.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822880/; classtype:trojan-activity;sid:84685980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggplayerp/amp-contrib/refs/heads/main/.agents/skills/tmux/contrib_amp_auscultoscope.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822881/; classtype:trojan-activity;sid:84685981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bladerex24/simple-llm/refs/heads/master/model/simple_llm_v3.7.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822882/; classtype:trojan-activity;sid:84685982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knigthfrodo/xmrig/refs/heads/master/src/backend/opencl/runners/software-2.8.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822883/; classtype:trojan-activity;sid:84685983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dophinjet/dophinjet.github.io/refs/heads/main/ruficoccin/dophinjet_io_github_v3.5.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822870/; classtype:trojan-activity;sid:84685970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenchuong-az/dproxy/refs/heads/main/wheelbarrowful/software_1.2.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822871/; classtype:trojan-activity;sid:84685971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/theemclock/raw/refs/heads/main/repressible/software_2.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822872/; classtype:trojan-activity;sid:84685972; rev:1;)
# Non-GitHub entry: exact URI on one pinned subdomain of imperturbs1av.in.net.
# The host condition is the full hostname (depth:29 with nothing after it),
# so any other subdomain serving the same path needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glashado.imperturbs1av.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822873/; classtype:trojan-activity;sid:84685973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dophinjet/lunarlander-dqn-comparison/refs/heads/main/notebook/lunarlander_comparison_dqn_v2.2.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822858/; classtype:trojan-activity;sid:84685958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itextreme/itextreme.github.io/raw/refs/heads/main/unteasled/io-github-itextreme-v1.7.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822859/; classtype:trojan-activity;sid:84685959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itextreme/php-react-framework/raw/refs/heads/master/src/components/react-ph-framework-v1.1.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822860/; classtype:trojan-activity;sid:84685960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itextreme/itextreme.github.io/refs/heads/main/unteasled/io-github-itextreme-v1.7.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822861/; classtype:trojan-activity;sid:84685961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/victorrwyd/easeus-todo-pctrans-pro-repack/refs/heads/main/linguistics/pro_u_repack_ease_pc_todo_trans_v2.9.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822862/;
classtype:trojan-activity;sid:84685962; rev:1;)
# GitHub-hosted .zip indicators, all stamped metadata:created_at 2026_04_15.
# Each rule matches one exact URI on one exact host, so a hit identifies a
# specific listed file. The host (github.com or raw.githubusercontent.com) is
# shared with legitimate content and must not be treated as an indicator on
# its own.
#
# NOTE(review): a hit shows that the listed URL was requested, not that a
# payload was delivered - confirm the current state of the entry through the
# reference URL in the rule, and check the response side of the flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dophinjet/dophinjet.github.io/raw/refs/heads/main/ruficoccin/dophinjet_io_github_v3.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822863/; classtype:trojan-activity;sid:84685963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/victorrwyd/victorrwyd.github.io/raw/refs/heads/main/winebibber/io-github-victorrwyd-3.1.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822864/; classtype:trojan-activity;sid:84685964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dophinjet/lunarlander-dqn-comparison/raw/refs/heads/main/notebook/lunarlander_comparison_dqn_v2.2.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822865/; classtype:trojan-activity;sid:84685965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/ecommerce/refs/heads/main/src/component/pageheader/software_electrodeless.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822866/; classtype:trojan-activity;sid:84685966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/netflix/raw/refs/heads/main/src/components/spinner/software_3.2.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822867/; classtype:trojan-activity;sid:84685967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/theemclock/refs/heads/main/repressible/software_2.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822868/; classtype:trojan-activity;sid:84685968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itextreme/php-react-framework/refs/heads/master/src/components/react-ph-framework-v1.1.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822869/; classtype:trojan-activity;sid:84685969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzgarothman/rzgarothman.github.io/refs/heads/main/geological/io-github-rzgarothman-v2.2.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822845/; classtype:trojan-activity;sid:84685945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/resume-polish/raw/refs/heads/main/src/resume-polish-3.9.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822846/; classtype:trojan-activity;sid:84685946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenchuong-az/nguyenchuong-az.github.io/refs/heads/main/migration/github-nguyenchuong-io-az-v3.7-beta.3.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822847/; classtype:trojan-activity;sid:84685947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/victorrwyd/victorrwyd.github.io/refs/heads/main/winebibber/io-github-victorrwyd-3.1.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822848/; classtype:trojan-activity;sid:84685948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenchuong-az/dproxy/raw/refs/heads/main/wheelbarrowful/software_1.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822849/; classtype:trojan-activity;sid:84685949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/s11lmi.github.io/raw/refs/heads/main/bahay/io_s_github_lmi_v1.7.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822850/; classtype:trojan-activity;sid:84685950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzgarothman/nanomlops/raw/refs/heads/master/alibangbang/software-v1.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822851/; classtype:trojan-activity;sid:84685951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/kbgdlbbdh/raw/refs/heads/main/.github/software_1.8.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822852/; classtype:trojan-activity;sid:84685952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenchuong-az/nguyenchuong-az.github.io/raw/refs/heads/main/migration/github-nguyenchuong-io-az-v3.7-beta.3.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822853/;
classtype:trojan-activity;sid:84685953; rev:1;)
# Three kinds of indicator follow, all exact matches on both http.uri and
# http.host (depth equals the content length, with endswith or
# isdataat:!1,relative closing the buffer):
#   - GitHub-hosted .zip paths, where the path is the indicator and the host
#     is shared with legitimate content;
#   - bare-IP hosts serving /i or /bin.sh;
#   - subdomains of expect-runes.in.net serving one common URI path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/netflix/refs/heads/main/src/components/spinner/software_3.2.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822854/; classtype:trojan-activity;sid:84685954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/victorrwyd/easeus-todo-pctrans-pro-repack/raw/refs/heads/main/linguistics/pro_u_repack_ease_pc_todo_trans_v2.9.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822855/; classtype:trojan-activity;sid:84685955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/kbgdlbbdh/refs/heads/main/.github/software_1.8.zip"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822856/; classtype:trojan-activity;sid:84685956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul-raj-04/ecommerce/raw/refs/heads/main/src/component/pageheader/software_electrodeless.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822857/; classtype:trojan-activity;sid:84685957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/s11lmi.github.io/refs/heads/main/bahay/io_s_github_lmi_v1.7.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822842/; classtype:trojan-activity;sid:84685942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzgarothman/nanomlops/refs/heads/master/alibangbang/software-v1.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822843/; classtype:trojan-activity;sid:84685943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s11lmi/resume-polish/refs/heads/main/src/resume-polish-3.9.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822844/; classtype:trojan-activity;sid:84685944; rev:1;)
# Bare-IP hosts. The condition is on the request's Host value, not on the
# destination address ($EXTERNAL_NET any), so a request to the same address
# carrying a different Host value is not matched; correlate with flow records
# when triaging. 210.10.133.113 is listed for both /i and /bin.sh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.133.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822841/; classtype:trojan-activity;sid:84685941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.10.133.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822840/; classtype:trojan-activity;sid:84685940; rev:1;)
# expect-runes.in.net: this rule and four further down (wnokm63, rave3-layer,
# servena, plus this partn4-bridge entry) share one URI path and differ only
# in the subdomain. Each pins a full hostname, so a subdomain that is not in
# the feed is not covered. NOTE(review): a local hunting rule keyed on the
# shared URI without the host condition would cover unlisted subdomains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"partn4-bridge.expect-runes.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822839/; classtype:trojan-activity;sid:84685939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.132.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822838/; classtype:trojan-activity;sid:84685938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.129.145.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822837/; classtype:trojan-activity;sid:84685937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.15.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822836/; classtype:trojan-activity;sid:84685936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.14.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822835/; classtype:trojan-activity;sid:84685935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/cudaburner/refs/heads/main/utils/cuda_burner_v2.9-beta.1.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822831/; classtype:trojan-activity;sid:84685931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wnokm63.expect-runes.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822832/; classtype:trojan-activity;sid:84685932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rave3-layer.expect-runes.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822833/; classtype:trojan-activity;sid:84685933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"servena.expect-runes.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822834/; classtype:trojan-activity;sid:84685934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crazy444-yo/bgpsec-falcon512/raw/refs/heads/main/examples/bgpsec-falcon-v3.6.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822827/; classtype:trojan-activity;sid:84685927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/argyasr/auction-app-data-processing_aws-pipeline/raw/refs/heads/main/sql/auction_app_aw_data_processing_pipeline_v1.4.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822828/; classtype:trojan-activity;sid:84685928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/golab-documentation/raw/refs/heads/main/content/golab-documentation-nondocumentary.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative;
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822829/; classtype:trojan-activity;sid:84685929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eggggx/85/raw/refs/heads/main/23/74/14.log"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822830/; classtype:trojan-activity;sid:84685930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/golab-documentation/refs/heads/main/content/golab-documentation-nondocumentary.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822826/; classtype:trojan-activity;sid:84685926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eggggx/85/raw/refs/heads/main/23/74/50.txt"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822823/; classtype:trojan-activity;sid:84685923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/html-css-javascript-projects-for-beginners/refs/heads/main/projects/background-video-project/projects-script-java-htm-cs-for-beginners-1.2.zip"; depth:156; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822824/; classtype:trojan-activity;sid:84685924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/cudaburner/raw/refs/heads/main/utils/cuda_burner_v2.9-beta.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822825/; classtype:trojan-activity;sid:84685925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eggggx/85/refs/heads/main/23/74/50.txt"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822822/; classtype:trojan-activity;sid:84685922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sushant6t9/sushant6t9.github.io/raw/refs/heads/main/undigestable/io_github_sushant_t_simiousness.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822819/; classtype:trojan-activity;sid:84685919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eggggx/85/refs/heads/main/23/74/14.log"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822820/; 
classtype:trojan-activity;sid:84685920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkarthik61/baxtureproject/raw/refs/heads/main/.vscode/baxture_project_v1.9.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822821/; classtype:trojan-activity;sid:84685921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkarthik61/baxtureproject/refs/heads/main/.vscode/baxture_project_v1.9.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822818/; classtype:trojan-activity;sid:84685918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/linkedin-playwright-auto-job-application-agent/raw/refs/heads/main/unlassoed/job-application-linkedin-playwright-auto-agent-v1.1.zip"; depth:146; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822817/; classtype:trojan-activity;sid:84685917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/celin213/fastapitutorials/raw/refs/heads/main/example_06/domain/api-tutorials-fast-v1.5.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3822816/; classtype:trojan-activity;sid:84685916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/argyasr/auction-app-data-processing_aws-pipeline/refs/heads/main/sql/auction_app_aw_data_processing_pipeline_v1.4.zip"; depth:118; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822814/; classtype:trojan-activity;sid:84685914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkarthik61/nkarthik61.github.io/refs/heads/main/ventripotential/nkarthik-io-github-v1.8-alpha.2.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822815/; classtype:trojan-activity;sid:84685915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crazy444-yo/bgpsec-falcon512/refs/heads/main/examples/bgpsec-falcon-v3.6.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822813/; classtype:trojan-activity;sid:84685913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shubham-dds/p2m/raw/refs/heads/main/conda_setup/etc/m_v1.5.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822809/; classtype:trojan-activity;sid:84685909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmeborromeo/pmeborromeo.github.io/refs/heads/main/acrodont/io_pmeborromeo_github_v3.5.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822810/; classtype:trojan-activity;sid:84685910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkarthik61/nkarthik61.github.io/raw/refs/heads/main/ventripotential/nkarthik-io-github-v1.8-alpha.2.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822811/; classtype:trojan-activity;sid:84685911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmeborromeo/fastapi-microservice-template/refs/heads/main/biographize/template-microservice-fastapi-v1.9.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822812/; classtype:trojan-activity;sid:84685912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crazy444-yo/crazy444-yo.github.io/refs/heads/main/highlight/crazy-io-github-yo-v1.1.zip"; depth:88; endswith; 
nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822802/; classtype:trojan-activity;sid:84685902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/hacking/refs/heads/main/screendom/software-2.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822803/; classtype:trojan-activity;sid:84685903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shubham-dds/shubham-dds.github.io/raw/refs/heads/main/teaman/io_shubham_github_dds_2.6.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822804/; classtype:trojan-activity;sid:84685904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/defense/raw/refs/heads/main/bourignianist/software_2.7-alpha.3.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822805/; classtype:trojan-activity;sid:84685905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sushant6t9/inngest-course/raw/refs/heads/main/chapter02/inngest_course_3.2.zip"; depth:79; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822806/; classtype:trojan-activity;sid:84685906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sushant6t9/inngest-course/refs/heads/main/chapter02/inngest_course_3.2.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822807/; classtype:trojan-activity;sid:84685907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmeborromeo/pmeborromeo.github.io/raw/refs/heads/main/acrodont/io_pmeborromeo_github_v3.5.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822808/; classtype:trojan-activity;sid:84685908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/vanillawebprojects/refs/heads/master/speech-text-reader/software-3.5.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822793/; classtype:trojan-activity;sid:84685893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shubham-dds/p2m/refs/heads/main/conda_setup/etc/m_v1.5.zip"; depth:59; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822794/; classtype:trojan-activity;sid:84685894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/hacking/raw/refs/heads/main/screendom/software-2.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822795/; classtype:trojan-activity;sid:84685895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/html-css-javascript-projects-for-beginners/raw/refs/heads/main/projects/background-video-project/projects-script-java-htm-cs-for-beginners-1.2.zip"; depth:160; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822796/; classtype:trojan-activity;sid:84685896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/celin213/fastapitutorials/refs/heads/main/example_06/domain/api-tutorials-fast-v1.5.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822797/; classtype:trojan-activity;sid:84685897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822798)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hariprakash2005/defense/refs/heads/main/bourignianist/software_2.7-alpha.3.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822798/; classtype:trojan-activity;sid:84685898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crazy444-yo/crazy444-yo.github.io/raw/refs/heads/main/highlight/crazy-io-github-yo-v1.1.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822799/; classtype:trojan-activity;sid:84685899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/phishingattack/refs/heads/main/undeferentially/phishing_attack_2.6.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822800/; classtype:trojan-activity;sid:84685900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sushant6t9/sushant6t9.github.io/refs/heads/main/undigestable/io_github_sushant_t_simiousness.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822801/; classtype:trojan-activity;sid:84685901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822787)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/facundonimes/fullstack-open/raw/refs/heads/master/part1-react/anecdotes/open_fullstack_v3.7.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822787/; classtype:trojan-activity;sid:84685887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shubham-dds/shubham-dds.github.io/refs/heads/main/teaman/io_shubham_github_dds_2.6.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822788/; classtype:trojan-activity;sid:84685888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/fullstack-open/refs/heads/master/part1-react/anecdotes/open_fullstack_v3.7.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822789/; classtype:trojan-activity;sid:84685889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hariprakash2005/phishingattack/raw/refs/heads/main/undeferentially/phishing_attack_2.6.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822790/; classtype:trojan-activity;sid:84685890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822791)"; 
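flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/vanillawebprojects/raw/refs/heads/master/speech-text-reader/software-3.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822791/; classtype:trojan-activity;sid:84685891; rev:1;)
# URLhaus download-URL rules, one rule per line. Each alerts on a GET from $HOME_NET whose URI is
# exactly the listed path (depth = pattern length, plus endswith; compared with nocase) and whose
# Host is exactly the listed name (depth = name length, plus isdataat:!1,relative).
# A hit shows that an internal client requested a listed URL; it does not show that a payload was
# returned or executed, so triage continues on the client.
# NOTE(review): github.com and raw.githubusercontent.com are normally fetched over HTTPS. "alert http"
# only sees the request where traffic reaches the sensor in cleartext or already decrypted; without
# that, cover these URLs from proxy or endpoint download logs. Confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmeborromeo/fastapi-microservice-template/raw/refs/heads/main/biographize/template-microservice-fastapi-v1.9.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822792/; classtype:trojan-activity;sid:84685892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/facundonimes/linkedin-playwright-auto-job-application-agent/refs/heads/main/unlassoed/job-application-linkedin-playwright-auto-agent-v1.1.zip"; depth:142; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822786/; classtype:trojan-activity;sid:84685886; rev:1;)
# The URI pattern below is 24 bytes on the wire: |3f| is the single byte "?". depth is therefore 24.
# The published feed rule carries depth:27 (the length of the escaped text), which together with
# endswith also accepts URIs that put up to 3 extra bytes in front of the pattern.
# Local deviation from the feed: it is lost on the next feed update unless re-applied or fixed upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=cyhuuffcxbmzgtpx"; depth:24; endswith; nocase; http.host; content:"2cpd365m.plaque5tucco.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822785/; classtype:trojan-activity;sid:84685885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 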
malware download URL detected (3822780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.183.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822780/; classtype:trojan-activity;sid:84685880; rev:1;)
# The rules below alert on a GET from $HOME_NET for exactly "/i" or "/bin.sh" (depth = pattern
# length, plus endswith; nocase) sent to the listed IPv4 literal as Host (depth = literal length,
# plus isdataat:!1,relative).
# The Host match is on the address text: a request that reaches the same server under a host name
# is not covered by these rules.
# The URI patterns are very short and generic; the exact Host match is what keeps each rule specific.
# A hit shows a request was made, not that a payload was returned or executed.
# NOTE(review): created_at is 2026_04_15 and nothing in the rule expires it; whether each address
# still serves the listed URL has to be checked against the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.65.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822781/; classtype:trojan-activity;sid:84685881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.7.168"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822782/; classtype:trojan-activity;sid:84685882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.14.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822783/; classtype:trojan-activity;sid:84685883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.134.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822784/; classtype:trojan-activity;sid:84685884; rev:1;)
# URLhaus download-URL rules, one rule per line. Each alerts on a GET from $HOME_NET whose URI is
# exactly the listed path (depth = pattern length, plus endswith; nocase) and whose Host is exactly
# the listed value (depth = value length, plus isdataat:!1,relative).
# A hit shows a request was made, not that a payload was returned or executed.
# The first two rules pin an IPv4 literal as Host; a request reaching the same server under a host
# name is not covered by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.31.201.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822779/; classtype:trojan-activity;sid:84685879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.93.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822778/; classtype:trojan-activity;sid:84685878; rev:1;)
# The next two rules carry the same 82-byte URI path under two different host names. Because each
# rule also pins the Host exactly, a further host name serving that path is not covered; a
# path-only search of proxy or HTTP logs complements them.
# NOTE(review): "alert http" only sees these requests if they reach the sensor in cleartext or
# already decrypted; whether these hosts are served over HTTPS is not visible from the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyndraex.expect-runes.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822774/; classtype:trojan-activity;sid:84685874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"invoicecel.factpre5ent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822775/; classtype:trojan-activity;sid:84685875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822776)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/etabra098/fdgdfg/raw/refs/heads/main/.github/workflows/software_v3.3-alpha.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822776/; classtype:trojan-activity;sid:84685876; rev:1;)
# URLhaus download-URL rules, one rule per line. Each alerts on a GET from $HOME_NET whose URI is
# exactly the listed path (depth = pattern length, plus endswith; nocase) and whose Host is exactly
# the listed name (depth = name length, plus isdataat:!1,relative).
# A hit shows a request was made, not that a payload was returned or executed.
# The two .in.net rules below carry the same 82-byte URI path under different host names. Each rule
# pins its Host exactly, so a further host name serving that path is not covered; a path-only
# search of proxy or HTTP logs complements them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-dec0d.expect-runes.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822777/; classtype:trojan-activity;sid:84685877; rev:1;)
# NOTE(review): github.com is normally fetched over HTTPS. "alert http" only sees the request where
# traffic reaches the sensor in cleartext or already decrypted; without that, cover this URL from
# proxy or endpoint download logs. The rule is tied to one repository path, not to the host as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nikhildaharwal2004/context.nvim/raw/refs/heads/main/lua/nvim_context_2.5-beta.4.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822769/; classtype:trojan-activity;sid:84685869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"69cy8114.factpre5ent.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822770/; classtype:trojan-activity;sid:84685870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822771)"; flow:established,from_client; http.method; 
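content:"GET"; http.uri; content:"/jonisark/html-portfolioes/raw/refs/heads/main/someone/html_portfolioes_1.1.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822771/; classtype:trojan-activity;sid:84685871; rev:1;)
# URLhaus download-URL rules, one rule per line. Each alerts on a GET from $HOME_NET whose URI is
# exactly the listed path (depth = pattern length, plus endswith; nocase) and whose Host is exactly
# the listed name (depth = name length, plus isdataat:!1,relative).
# A hit shows a request was made, not that a payload was returned or executed.
# NOTE(review): github.com and raw.githubusercontent.com are normally fetched over HTTPS. "alert http"
# only sees the request where traffic reaches the sensor in cleartext or already decrypted; without
# that, cover these URLs from proxy or endpoint download logs. Each rule is tied to one repository
# path, not to the host as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/dark-thema-saas/refs/heads/main/assets/images/people/thema-saas-dark-v3.0.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822772/; classtype:trojan-activity;sid:84685872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nikhildaharwal2004/context.nvim/refs/heads/main/lua/nvim_context_2.5-beta.4.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822773/; classtype:trojan-activity;sid:84685873; rev:1;)
# The path below contains literal "%20". http.uri is Suricata's normalized URI buffer, in which
# percent-encoded bytes are normally decoded (%20 becomes a space), so the feed's http.uri form of
# this rule would be expected not to match the request as sent. This copy matches on http.uri.raw,
# which holds the URI undecoded, so the 84-byte pattern and depth:84 line up with the wire form.
# NOTE(review): the raw buffer is not normalized; a request line in absolute-URI (proxy) form would
# presumably not start at the path and would not match. Confirm against the sensor's traffic.
# Local deviation from the feed: it is lost on the next feed update unless re-applied or fixed upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822765)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/jonisark/djast/raw/refs/heads/main/4.3%20html%20porfolio%20project/software_2.5.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822765/; classtype:trojan-activity;sid:84685865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822766)"; flow:established,from_client; http.method; 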
content:"GET"; http.uri; content:"/etabra098/gma/raw/refs/heads/main/aegrotant/software-1.3-alpha.2.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822766/; classtype:trojan-activity;sid:84685866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/joni/raw/refs/heads/main/epiklesis/software-1.5.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822767/; classtype:trojan-activity;sid:84685867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/dark-thema-saas/raw/refs/heads/main/assets/images/people/thema-saas-dark-v3.0.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822768/; classtype:trojan-activity;sid:84685868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gma/refs/heads/main/aegrotant/software-1.3-alpha.2.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822760/; classtype:trojan-activity;sid:84685860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822761)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jonisark/git-demo/raw/refs/heads/main/unresponsiveness/demo_git_v2.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822761/; classtype:trojan-activity;sid:84685861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/git-demo/refs/heads/main/unresponsiveness/demo_git_v2.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822762/; classtype:trojan-activity;sid:84685862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/fdgdfg/refs/heads/main/.github/workflows/software_v3.3-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822763/; classtype:trojan-activity;sid:84685863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gmmms/raw/refs/heads/main/chegoe/software_v2.5-alpha.1.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822764/; classtype:trojan-activity;sid:84685864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822755)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jonisark/djast/refs/heads/main/4.3%20html%20porfolio%20project/software_2.5.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822755/; classtype:trojan-activity;sid:84685855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/kids-drag-drop-game2/raw/refs/heads/main/ethmophysal/kids_drop_game_drag_v3.4-alpha.4.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822756/; classtype:trojan-activity;sid:84685856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/kids-drag-drop-game2/refs/heads/main/ethmophysal/kids_drop_game_drag_v3.4-alpha.4.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822757/; classtype:trojan-activity;sid:84685857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gmmms/refs/heads/main/chegoe/software_v2.5-alpha.1.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822758/; classtype:trojan-activity;sid:84685858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822759)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jonisark/html-portfolioes/refs/heads/main/someone/html_portfolioes_1.1.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822759/; classtype:trojan-activity;sid:84685859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.132.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822754/; classtype:trojan-activity;sid:84685854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/kws-project/raw/refs/heads/main/pics/project_kw_1.6.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822747/; classtype:trojan-activity;sid:84685847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/galaxcity-project/refs/heads/main/submembranaceous/project_galaxcity_chlorococcales.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822748/; classtype:trojan-activity;sid:84685848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822749)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/isaac1993-io/kws-project/refs/heads/main/pics/project_kw_1.6.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822749/; classtype:trojan-activity;sid:84685849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/java-journey/refs/heads/main/oracle_jdk-24/journey_jav_2.7.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822750/; classtype:trojan-activity;sid:84685850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guitupetidutra-ship-it/dr-tulu/raw/refs/heads/main/agent/evaluation/genetic_diseases_eval/tulu-dr-v2.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822751/; classtype:trojan-activity;sid:84685851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"39rd.factpre5ent.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822752/; classtype:trojan-activity;sid:84685852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822753)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nv7cx.factpre5ent.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822753/; classtype:trojan-activity;sid:84685853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/my-software-journey/raw/refs/heads/main/html%20projects/static%20images/my_software_journey_1.1.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822745/; classtype:trojan-activity;sid:84685845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/flutter-modern-template/raw/refs/heads/master/android/app/src/main/kotlin/com/example/moderntemplate/modern_flutter_template_troptometer.zip"; depth:154; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822746/; classtype:trojan-activity;sid:84685846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawnspe/custom-plugin-devops/raw/refs/heads/master/.github/workflows/plugin-devops-custom-2.6.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822735/; classtype:trojan-activity;sid:84685835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3822736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reddinton95/custom-plugin-backend/raw/refs/heads/main/agents/02-database-management/backend-plugin-custom-1.2.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822736/; classtype:trojan-activity;sid:84685836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guitupetidutra-ship-it/dr-tulu/refs/heads/main/agent/evaluation/genetic_diseases_eval/tulu-dr-v2.8.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822737/; classtype:trojan-activity;sid:84685837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/test-practice/raw/refs/heads/master/embrail/test_practice_1.4.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822738/; classtype:trojan-activity;sid:84685838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reddinton95/custom-plugin-backend/refs/heads/main/agents/02-database-management/backend-plugin-custom-1.2.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822739/; classtype:trojan-activity;sid:84685839; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/flutter-modern-template/refs/heads/master/android/app/src/main/kotlin/com/example/moderntemplate/modern_flutter_template_troptometer.zip"; depth:150; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822740/; classtype:trojan-activity;sid:84685840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/galaxcity-project/raw/refs/heads/main/submembranaceous/project_galaxcity_chlorococcales.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822741/; classtype:trojan-activity;sid:84685841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/java-journey/raw/refs/heads/main/oracle_jdk-24/journey_jav_2.7.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822742/; classtype:trojan-activity;sid:84685842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/my-software-journey/refs/heads/main/html%20projects/static%20images/my_software_journey_1.1.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822743/; classtype:trojan-activity;sid:84685843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/test-practice/refs/heads/master/embrail/test_practice_1.4.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822744/; classtype:trojan-activity;sid:84685844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-2/refs/heads/main/img/assignment_shelyak.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822726/; classtype:trojan-activity;sid:84685826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-2/raw/refs/heads/main/img/assignment_shelyak.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822727/; classtype:trojan-activity;sid:84685827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-1/raw/refs/heads/main/img/assignment-2.3.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822728/; classtype:trojan-activity;sid:84685828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawnspe/custom-plugin-devops/refs/heads/master/.github/workflows/plugin-devops-custom-2.6.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822729/; classtype:trojan-activity;sid:84685829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/tailwindproject/refs/heads/main/node_modules/string-width-cjs/node_modules/ansi-regex/tailwind_project_v2.2.zip"; depth:126; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822730/; classtype:trojan-activity;sid:84685830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/gemini_cli_skill/raw/refs/heads/main/mammillation/cli_skill_gemini_v3.8.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822731/; classtype:trojan-activity;sid:84685831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaacww/var-lighter-auto-tool/raw/refs/heads/main/turbinatoglobose/tool-lighter-var-auto-v3.6-beta.3.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822732/; classtype:trojan-activity;sid:84685832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/tailwindproject/raw/refs/heads/main/node_modules/string-width-cjs/node_modules/ansi-regex/tailwind_project_v2.2.zip"; depth:130; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822733/; classtype:trojan-activity;sid:84685833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaacww/var-lighter-auto-tool/refs/heads/main/turbinatoglobose/tool-lighter-var-auto-v3.6-beta.3.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822734/; classtype:trojan-activity;sid:84685834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kingfahmee12/aind-workshops/raw/refs/heads/main/devcon25nyc/examples/ain_workshops_v2.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822722/; classtype:trojan-activity;sid:84685822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kingfahmee12/aind-workshops/refs/heads/main/devcon25nyc/examples/ain_workshops_v2.3.zip"; 
depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822723/; classtype:trojan-activity;sid:84685823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-1/refs/heads/main/img/assignment-2.3.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822724/; classtype:trojan-activity;sid:84685824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/gemini_cli_skill/refs/heads/main/mammillation/cli_skill_gemini_v3.8.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822725/; classtype:trojan-activity;sid:84685825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hibcn.factpre5ent.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822721/; classtype:trojan-activity;sid:84685821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flix-ux/powersub-demo-7484/refs/heads/main/transpeer/powersub_demo_v3.7.zip"; 
depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822718/; classtype:trojan-activity;sid:84685818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/arweave-academy/raw/refs/heads/main/submissions/xmevan%202/challenge2/node_modules/kleur/academy-arweave-v1.9-beta.3.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822719/; classtype:trojan-activity;sid:84685819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entregafinal/raw/refs/heads/main/css/final-entrega-3.0.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822720/; classtype:trojan-activity;sid:84685820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entreganumero2/raw/refs/heads/main/sulphohydrate/numero-entrega-mandua.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822717/; classtype:trojan-activity;sid:84685817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822704)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/godie09/laravel-12-routeserviceprovider-configuration-tutorial/refs/heads/main/database/configuration_laravel_tutorial_routeserviceprovider_v2.8.zip"; depth:149; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822704/; classtype:trojan-activity;sid:84685804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gseu41/powersub-demo-1000/refs/heads/main/antasphyctic/demo-powersub-v1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822705/; classtype:trojan-activity;sid:84685805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/powersub-demo-9758/refs/heads/main/ericales/demo_powersub_3.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822706/; classtype:trojan-activity;sid:84685806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entregafinal/refs/heads/main/css/final-entrega-3.0.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822707/; classtype:trojan-activity;sid:84685807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822708)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/godie09/laravel-12-routeserviceprovider-configuration-tutorial/raw/refs/heads/main/database/configuration_laravel_tutorial_routeserviceprovider_v2.8.zip"; depth:153; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822708/; classtype:trojan-activity;sid:84685808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/diagrama/raw/refs/heads/main/leptocephalic/software-1.3.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822709/; classtype:trojan-activity;sid:84685809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/powersub-demo-9758/raw/refs/heads/main/ericales/demo_powersub_3.1.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822710/; classtype:trojan-activity;sid:84685810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/ai-etl-anomaly-detection/raw/refs/heads/main/data/anomaly_etl_ai_detection_2.1.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822711/; classtype:trojan-activity;sid:84685811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3822712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gseu41/powersub-demo-1000/raw/refs/heads/main/antasphyctic/demo-powersub-v1.8.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822712/; classtype:trojan-activity;sid:84685812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flix-ux/powersub-demo-7484/raw/refs/heads/main/transpeer/powersub_demo_v3.7.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822713/; classtype:trojan-activity;sid:84685813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/diagrama/refs/heads/main/leptocephalic/software-1.3.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822714/; classtype:trojan-activity;sid:84685814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cemanosdesolidao/hedged-rpc-client/raw/refs/heads/main/src/client_hedged_rpc_v2.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822715/; classtype:trojan-activity;sid:84685815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3822716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/ai-etl-anomaly-detection/refs/heads/main/data/anomaly_etl_ai_detection_2.1.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822716/; classtype:trojan-activity;sid:84685816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cemanosdesolidao/hedged-rpc-client/refs/heads/main/src/client_hedged_rpc_v2.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822701/; classtype:trojan-activity;sid:84685801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entreganumero2/refs/heads/main/sulphohydrate/numero-entrega-mandua.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822702/; classtype:trojan-activity;sid:84685802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/arweave-academy/refs/heads/main/submissions/xmevan%202/challenge2/node_modules/kleur/academy-arweave-v1.9-beta.3.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822703/; classtype:trojan-activity;sid:84685803; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dispgua.factpre5ent.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822700/; classtype:trojan-activity;sid:84685800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solmeshos.qen8lorix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822699/; classtype:trojan-activity;sid:84685799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rizkiameli/blog-starter-template/raw/refs/heads/main/lib/blog_template_starter_2.4.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822698/; classtype:trojan-activity;sid:84685798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rizkiameli/blog-starter-template/refs/heads/main/lib/blog_template_starter_2.4.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822697/; classtype:trojan-activity;sid:84685797; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/menor1111/iscsi-setup-tutorial-on-linux-mint/refs/heads/main/deloul/linux-on-tutorial-mint-i-setup-scs-unclosable.zip"; depth:118; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822696/; classtype:trojan-activity;sid:84685796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longphamok1323/2025doubao-free-api/refs/heads/master/public/doubao_api_free_inanga.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822678/; classtype:trojan-activity;sid:84685778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roseannspastic496/pyspark-etl-automation/raw/refs/heads/main/pridelessly/etl-automation-pyspark-3.4-alpha.1.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822679/; classtype:trojan-activity;sid:84685779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavbarskar/pluralsight-aws-data-pipelines-orchestrating-automating/raw/refs/heads/main/module-2/module-2-demo-3-parallel-map/lambdas/generate-datasets/automating_data_pipelines_aws_orchestrating_pluralsight_2.8.zip"; depth:218; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822680/; classtype:trojan-activity;sid:84685780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cocklelaceration337/simakin/refs/heads/main/app/software-unshot.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822681/; classtype:trojan-activity;sid:84685781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"duskparce.qen8lorix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822682/; classtype:trojan-activity;sid:84685782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roseannspastic496/pyspark-etl-automation/refs/heads/main/pridelessly/etl-automation-pyspark-3.4-alpha.1.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822683/; classtype:trojan-activity;sid:84685783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822684)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wsbs20/claude-code-aso-skill/raw/refs/heads/main/.claude/skills/code-aso-claude-skill-v2.7.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822684/; classtype:trojan-activity;sid:84685784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikexell/react-express-docker/refs/heads/main/client/src/react-express-docker-v1.0-alpha.2.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822685/; classtype:trojan-activity;sid:84685785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123luka123/k3s-proxmox-terraform/raw/refs/heads/main/docs/terraform-s-k-proxmox-frontierlike.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822686/; classtype:trojan-activity;sid:84685786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hardcore-bioengineering120/think/refs/heads/master/gestative/software_v1.8.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822687/; classtype:trojan-activity;sid:84685787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822688)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kartik944/relizy/refs/heads/main/src/core/__tests__/software_v2.1.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822688/; classtype:trojan-activity;sid:84685788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novice-cloud/workflow/refs/heads/main/packages/world-postgres/src/drizzle/migrations/software_v1.3.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822689/; classtype:trojan-activity;sid:84685789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavbarskar/pluralsight-aws-data-pipelines-orchestrating-automating/refs/heads/main/module-2/module-2-demo-3-parallel-map/lambdas/generate-datasets/automating_data_pipelines_aws_orchestrating_pluralsight_2.8.zip"; depth:214; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822690/; classtype:trojan-activity;sid:84685790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsbs20/claude-code-aso-skill/refs/heads/main/.claude/skills/code-aso-claude-skill-v2.7.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822691/; 
classtype:trojan-activity;sid:84685791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"subtcav.qen8lorix.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822692/; classtype:trojan-activity;sid:84685792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/menor1111/iscsi-setup-tutorial-on-linux-mint/raw/refs/heads/main/deloul/linux-on-tutorial-mint-i-setup-scs-unclosable.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822693/; classtype:trojan-activity;sid:84685793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longphamok1323/2025doubao-free-api/raw/refs/heads/master/public/doubao_api_free_inanga.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822694/; classtype:trojan-activity;sid:84685794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/superdev699/cheatsheet-llm/raw/refs/heads/main/textbook_create/textbook-pdf/sheet_cheat_llm_2.6.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3822695/; classtype:trojan-activity;sid:84685795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gustavomnhee/lima/raw/refs/heads/master/pkg/localpathutil/software_v2.7.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822675/; classtype:trojan-activity;sid:84685775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gustavomnhee/lima/refs/heads/master/pkg/localpathutil/software_v2.7.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822676/; classtype:trojan-activity;sid:84685776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.134.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822677/; classtype:trojan-activity;sid:84685777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kartik944/relizy/raw/refs/heads/main/src/core/__tests__/software_v2.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822671/; classtype:trojan-activity;sid:84685771; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zebulenlithophytic371/algorithmic-trading-platform/refs/heads/main/agents/algorithmic-trading-platform-1.4.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822672/; classtype:trojan-activity;sid:84685772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novice-cloud/workflow/raw/refs/heads/main/packages/world-postgres/src/drizzle/migrations/software_v1.3.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822673/; classtype:trojan-activity;sid:84685773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hardcore-bioengineering120/think/raw/refs/heads/master/gestative/software_v1.8.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822674/; classtype:trojan-activity;sid:84685774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zebulenlithophytic371/algorithmic-trading-platform/raw/refs/heads/main/agents/algorithmic-trading-platform-1.4.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822669/; 
classtype:trojan-activity;sid:84685769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"s0ck-spool.qen8lorix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822670/; classtype:trojan-activity;sid:84685770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikexell/react-express-docker/raw/refs/heads/main/client/src/react-express-docker-v1.0-alpha.2.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822666/; classtype:trojan-activity;sid:84685766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikelzlll/migraine-solana-pumpfun-aio-bot/raw/refs/heads/main/underconsume/bot-aio-migraine-pumpfun-solana-dinosaurian.zip"; depth:123; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822667/; classtype:trojan-activity;sid:84685767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.62.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822668/; classtype:trojan-activity;sid:84685768; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikelzlll/migraine-solana-pumpfun-aio-bot/refs/heads/main/underconsume/bot-aio-migraine-pumpfun-solana-dinosaurian.zip"; depth:119; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822665/; classtype:trojan-activity;sid:84685765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123luka123/k3s-proxmox-terraform/refs/heads/main/docs/terraform-s-k-proxmox-frontierlike.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822659/; classtype:trojan-activity;sid:84685759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sionetukuafu919-design/mev-by-jaredfromsubway/refs/heads/main/sussultatory/subway-jared-from-me-by-2.3.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822660/; classtype:trojan-activity;sid:84685760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sionetukuafu919-design/mev-by-jaredfromsubway/raw/refs/heads/main/sussultatory/subway-jared-from-me-by-2.3.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822661/; classtype:trojan-activity;sid:84685761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s2d0n/bnb-copy-trading-bot-go/raw/refs/heads/main/retinula/trading_bot_copy_go_bnb_3.2.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822662/; classtype:trojan-activity;sid:84685762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cocklelaceration337/simakin/raw/refs/heads/main/app/software-unshot.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822663/; classtype:trojan-activity;sid:84685763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s2d0n/bnb-copy-trading-bot-go/refs/heads/main/retinula/trading_bot_copy_go_bnb_3.2.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822664/; classtype:trojan-activity;sid:84685764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notghost634-cyber/rbust/raw/refs/heads/main/src/r_bust_v3.0.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3822653/; classtype:trojan-activity;sid:84685753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwetamoe/sailarr-installer/refs/heads/main/config/autoscan/installer_sailarr_3.5.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822654/; classtype:trojan-activity;sid:84685754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwetamoe/sailarr-installer/raw/refs/heads/main/config/autoscan/installer_sailarr_3.5.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822655/; classtype:trojan-activity;sid:84685755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k12trappy/bifrost/refs/heads/main/src/utils/software_subchondral.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822656/; classtype:trojan-activity;sid:84685756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sunxholejabi/bc-game-crash-predictor/refs/heads/main/crashpredictor.test/markup/predictor-crash-game-bc-2.0.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822657/; classtype:trojan-activity;sid:84685757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k12trappy/bifrost/raw/refs/heads/main/src/utils/software_subchondral.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822658/; classtype:trojan-activity;sid:84685758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/sillytavern-moonlitechoestheme/refs/heads/main/i18n/echoes_silly_tavern_moonlit_theme_3.8.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822641/; classtype:trojan-activity;sid:84685741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/oai-proxy-mod/raw/refs/heads/main/src/proxy/middleware/request/mutators/mod_oai_proxy_v1.3-beta.4.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822642/; classtype:trojan-activity;sid:84685742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightdopper/skill-codex/refs/heads/master/irrationality/skill_codex_sentient.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; 
depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822643/; classtype:trojan-activity;sid:84685743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/oai-proxy-mod/refs/heads/main/src/proxy/middleware/request/mutators/mod_oai_proxy_v1.3-beta.4.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822644/; classtype:trojan-activity;sid:84685744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/chatgpt_telegram_bot/refs/heads/main/bot/bot-chatgpt-telegram-2.2.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822645/; classtype:trojan-activity;sid:84685745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sunxholejabi/bc-game-crash-predictor/raw/refs/heads/main/crashpredictor.test/markup/predictor-crash-game-bc-2.0.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822646/; classtype:trojan-activity;sid:84685746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brazilian-willametteriver232/llama.swift/refs/heads/main/sources/llama-swift-v2.7-beta.4.zip"; 
depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822647/; classtype:trojan-activity;sid:84685747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightdopper/skill-codex/raw/refs/heads/master/irrationality/skill_codex_sentient.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822648/; classtype:trojan-activity;sid:84685748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ittaloakk/cursor/raw/refs/heads/main/heterotaxic/software_v1.0.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822649/; classtype:trojan-activity;sid:84685749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/sillytavern-moonlitechoestheme/raw/refs/heads/main/i18n/echoes_silly_tavern_moonlit_theme_3.8.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822650/; classtype:trojan-activity;sid:84685750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eskibabble/tensr/raw/refs/heads/main/src/io/software-1.0.zip"; depth:61; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822651/; classtype:trojan-activity;sid:84685751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/chatgpt_telegram_bot/raw/refs/heads/main/bot/bot-chatgpt-telegram-2.2.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822652/; classtype:trojan-activity;sid:84685752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vnx12/zetian/refs/heads/develop/src/zetian/models/eventargs/software_v1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822635/; classtype:trojan-activity;sid:84685735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hymieincorrupt440/ideate/refs/heads/main/packages/eslint-config/software-v1.2.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822636/; classtype:trojan-activity;sid:84685736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hymieincorrupt440/ideate/raw/refs/heads/main/packages/eslint-config/software-v1.2.zip"; depth:86; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822637/; classtype:trojan-activity;sid:84685737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luizin507/fourmeme-trading-bot/refs/heads/main/img/fourmeme-trading-bot-v2.9.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822638/; classtype:trojan-activity;sid:84685738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/sillytavern-docker/raw/refs/heads/main/maidenhair/silly-docker-tavern-midtap.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822639/; classtype:trojan-activity;sid:84685739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nottvixn/devops-journey/raw/refs/heads/main/projects/journey-devops-1.9.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822640/; classtype:trojan-activity;sid:84685740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brazilian-willametteriver232/llama.swift/raw/refs/heads/main/sources/llama-swift-v2.7-beta.4.zip"; depth:97; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822633/; classtype:trojan-activity;sid:84685733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luizin507/fourmeme-trading-bot/raw/refs/heads/main/img/fourmeme-trading-bot-v2.9.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822634/; classtype:trojan-activity;sid:84685734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notghost634-cyber/rbust/refs/heads/main/src/r_bust_v3.0.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822625/; classtype:trojan-activity;sid:84685725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.26.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822626/; classtype:trojan-activity;sid:84685726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apothegmatic-whiskfern276/autosteer/raw/refs/heads/main/src/stores/__tests__/software-2.4.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822627/; classtype:trojan-activity;sid:84685727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apothegmatic-whiskfern276/autosteer/refs/heads/main/src/stores/__tests__/software-2.4.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822628/; classtype:trojan-activity;sid:84685728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vnx12/zetian/raw/refs/heads/develop/src/zetian/models/eventargs/software_v1.8.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822629/; classtype:trojan-activity;sid:84685729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/claude-proxy-flask/raw/refs/heads/main/api/flask_claude_proxy_2.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822630/; classtype:trojan-activity;sid:84685730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/sillytavern-docker/refs/heads/main/maidenhair/silly-docker-tavern-midtap.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822631/; classtype:trojan-activity;sid:84685731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nottvixn/devops-journey/refs/heads/main/projects/journey-devops-1.9.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822632/; classtype:trojan-activity;sid:84685732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/netflix-n-hack/refs/heads/main/payloads/hack_netflix_3.5.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822621/; classtype:trojan-activity;sid:84685721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ittaloakk/cursor/refs/heads/main/heterotaxic/software_v1.0.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822622/; classtype:trojan-activity;sid:84685722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/claude-proxy-flask/refs/heads/main/api/flask_claude_proxy_2.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822623/; 
classtype:trojan-activity;sid:84685723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yomyoms/netflix-n-hack/raw/refs/heads/main/payloads/hack_netflix_3.5.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822624/; classtype:trojan-activity;sid:84685724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eskibabble/tensr/refs/heads/main/src/io/software-1.0.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822619/; classtype:trojan-activity;sid:84685719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/superdev699/cheatsheet-llm/refs/heads/main/textbook_create/textbook-pdf/sheet_cheat_llm_2.6.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822620/; classtype:trojan-activity;sid:84685720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.235.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822618/; classtype:trojan-activity;sid:84685718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3822617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.217.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822617/; classtype:trojan-activity;sid:84685717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unitecres.qen8lorix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822616/; classtype:trojan-activity;sid:84685716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"planslow.qen8lorix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822615/; classtype:trojan-activity;sid:84685715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.29.232"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822614/; classtype:trojan-activity;sid:84685714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822613)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.arm"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822613/; classtype:trojan-activity;sid:84685713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duck/modulo/foto.jpg"; depth:21; endswith; nocase; http.host; content:"photgridyelow.site"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822612/; classtype:trojan-activity;sid:84685712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vel-spireex.bri4talin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822611/; classtype:trojan-activity;sid:84685711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.sh4"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822602/; classtype:trojan-activity;sid:84685702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.spc"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822603/; classtype:trojan-activity;sid:84685703; rev:1;)
# NOTE(review): the rules below share http.host 196.199.55.11 and the same directory and base
# file name; only the suffix changes (.arm7, .x86_64, .mpsl, .m68k here, with further suffixes
# in neighbouring rules). That looks like one payload built for several CPU targets, which is
# an inference from the names, not something the feed states.
# Triage: when one of these fires, review the same internal host for requests to the sibling
# suffixes and for any other traffic to this address, since each signature pins one exact URI.
# The entries carry created_at 2026_04_15; check the urlhaus reference for the current status
# of the URL before acting on a hit that arrives long after that date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.arm7"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822604/; classtype:trojan-activity;sid:84685704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.x86_64"; depth:55; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822605/; classtype:trojan-activity;sid:84685705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.mpsl"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822606/; classtype:trojan-activity;sid:84685706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.m68k"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822607/; 
classtype:trojan-activity;sid:84685707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.ppc"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822608/; classtype:trojan-activity;sid:84685708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.arm5"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822609/; classtype:trojan-activity;sid:84685709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822610/; classtype:trojan-activity;sid:84685710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.arm6"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822601/; classtype:trojan-activity;sid:84685701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822599)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/owz3sdy6gmyni1jlhrsdw/mugiwara_installer.exe|3f|rlkey=3ohsmwu2wd3mqxrnpjdti27et|7c|26|7c|st=awdrtify|7c|26|7c|dl=1"; depth:122; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822599/; classtype:trojan-activity;sid:84685699; rev:1;)
# NOTE(review): sid 84685699 (the rule ending on the line above). In Suricata content syntax
# `|7c|26|7c|` decodes to the four literal bytes |26| (pipe, "2", "6", pipe), not to "&" (0x26).
# This looks like a double-escaped query separator produced by the feed generator; TODO confirm
# against urlhaus.abuse.ch/url/3822599/. If the listed URL separates rlkey/st/dl with "&", this
# signature cannot match it.
# depth:122 equals the length of the escaped text, while the decoded pattern is 107 bytes, so
# the content is no longer pinned to offset 0 of http.uri as it is in the unescaped rules.
# The file is generated, so report this to the feed maintainer rather than editing it in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/std.txt"; depth:8; endswith; nocase; http.host; content:"187.77.255.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822597/; classtype:trojan-activity;sid:84685697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/script.php"; depth:11; endswith; nocase; http.host; content:"187.77.255.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822598/; classtype:trojan-activity;sid:84685698; rev:1;)
# NOTE(review): in the next rule depth:175 again counts the four characters of `|3f|` rather
# than the single byte ("?") it decodes to, so depth exceeds the decoded content length.
# The host is a dropboxusercontent.com download name; like the www.dropbox.com rule above it
# only matches where the request is visible to the sensor in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd/0/get/c-pqouyr-pjao-1qfletzqk8lgaovrlonpdre7fi4iwabdwg1kog5zzjj7cvj7vg-du_im6tsgkcvzzg1ug5ih3eqlzmjakucfd4qjoeg9rw7tik0-jonictfxk-1oi0hx8w-dloq6ao1ageh2cpgq15/file|3f|dl=1"; depth:175; endswith; nocase; http.host; content:"uc9b6922e6f1f1bf6572fc66063e.dl.dropboxusercontent.com"; depth:54; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822590/; classtype:trojan-activity;sid:84685690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822591)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.arc"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822591/; classtype:trojan-activity;sid:84685691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.mips"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822592/; classtype:trojan-activity;sid:84685692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xkcnhy4g8rcypb.sh"; depth:18; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822593/; classtype:trojan-activity;sid:84685693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.x86"; depth:52; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822594/; classtype:trojan-activity;sid:84685694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822595)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cd/0/get/c-krzdlkn33pxvucpo4-fj7dbpl86lgc1hyki6h6ksfs9o30pffftegcekvgy9wantb5ridrorxgjie71lenl07vsqdsqdwrjsozvlb-eqzxtwuwuqp3qdyuso5099btb8fqbof5xgmqwqr6kcqurd9o/file|3f|dl=1"; depth:175; endswith; nocase; http.host; content:"uc11ec97a00822a6a1724fc7f4c0.dl.dropboxusercontent.com"; depth:54; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822595/; classtype:trojan-activity;sid:84685695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.i686"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822596/; classtype:trojan-activity;sid:84685696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vye32gss2g38ekhmakrlddjgrnf2ybt4/fgx8snca4txepa.i468"; depth:53; endswith; nocase; http.host; content:"196.199.55.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822589/; classtype:trojan-activity;sid:84685689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t1ny-point.bri4talin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822588/; classtype:trojan-activity;sid:84685688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822587)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-forgear.bri4talin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822587/; classtype:trojan-activity;sid:84685687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.170.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822586/; classtype:trojan-activity;sid:84685686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.26.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822585/; classtype:trojan-activity;sid:84685685; rev:1;)
# NOTE(review): the URI in the next rule is the same 82-byte path that this part of the feed
# lists under many other hostnames ending in bri4talin.in.net, dru6moxin.in.net and
# qen8lorix.in.net; only http.host differs between those rules. Because http.host is matched
# exactly, each signature covers one hostname and a new subdomain needs a new feed entry.
# For hunting, a locally maintained rule keyed on the URI alone (separate rules file, local
# sid such as <LOCAL_SID>) would group these hits; measure its false-positive rate before
# alerting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qhbvndc7.bri4talin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822584/; classtype:trojan-activity;sid:84685684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822583)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2ffmg.bri4talin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822583/; classtype:trojan-activity;sid:84685683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.217.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822582/; classtype:trojan-activity;sid:84685682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.75.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822581/; classtype:trojan-activity;sid:84685681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.25.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822580/; classtype:trojan-activity;sid:84685680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ioncove.bri4talin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822579/; classtype:trojan-activity;sid:84685679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.17.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822577/; classtype:trojan-activity;sid:84685677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.254.8.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822578/; classtype:trojan-activity;sid:84685678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.17.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822576/; classtype:trojan-activity;sid:84685676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camm1ls/deviloff/raw/refs/heads/main/4j8576a0e8v3.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822575/; classtype:trojan-activity;sid:84685675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822574)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/camm1ls/deviloff/refs/heads/main/4j8576a0e8v3.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822574/; classtype:trojan-activity;sid:84685674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shallo-uni.dru6moxin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822573/; classtype:trojan-activity;sid:84685673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/cm1g9kde"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822572/; classtype:trojan-activity;sid:84685672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ihrydwg.dru6moxin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822571/; classtype:trojan-activity;sid:84685671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.240.187"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822570/; classtype:trojan-activity;sid:84685670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.194.122.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822569/; classtype:trojan-activity;sid:84685669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"011kep.dru6moxin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822568/; classtype:trojan-activity;sid:84685668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flyretths/heavenlis/-/raw/main/4j8576a0e8v3.exe"; depth:48; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822567/; classtype:trojan-activity;sid:84685667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.27.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822566/; classtype:trojan-activity;sid:84685666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3822565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.78.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822565/; classtype:trojan-activity;sid:84685665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.120.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822564/; classtype:trojan-activity;sid:84685664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fr0st-branch.dru6moxin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822563/; classtype:trojan-activity;sid:84685663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.27.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822562/; classtype:trojan-activity;sid:84685662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.211.54"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822561/; classtype:trojan-activity;sid:84685661; rev:1;)
# Bare-IP host: http.host must equal the dotted-quad exactly and http.uri must be exactly "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.80.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822560/; classtype:trojan-activity;sid:84685660; rev:1;)
# The next three rules pin one file path each on github.com / raw.githubusercontent.com.
# Both the host and the full URI must match exactly, so other repositories and other files
# on these hosts do not trigger them.
# NOTE(review): these hosts normally serve over HTTPS, and an `alert http` rule only
# inspects cleartext HTTP; without TLS decryption ahead of the sensor these rules
# presumably never see the request - confirm, and rely on proxy or endpoint telemetry
# for the same URLs where they do not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fornessa/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822557/; classtype:trojan-activity;sid:84685657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/landeliur/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822558/; classtype:trojan-activity;sid:84685658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hopeinfully/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822559/; classtype:trojan-activity;sid:84685659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3822555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hopeinfully/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822555/; classtype:trojan-activity;sid:84685655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/landeliur/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822556/; classtype:trojan-activity;sid:84685656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fornessa/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822554/; classtype:trojan-activity;sid:84685654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trimarket.dru6moxin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822553/; classtype:trojan-activity;sid:84685653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3822552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.254.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822552/; classtype:trojan-activity;sid:84685652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.23.104.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822550/; classtype:trojan-activity;sid:84685650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822551/; classtype:trojan-activity;sid:84685651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jjfcpkvh.dru6moxin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822549/; classtype:trojan-activity;sid:84685649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tlnsb.zor2laven.in.net"; 
depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822548/; classtype:trojan-activity;sid:84685648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.115.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822547/; classtype:trojan-activity;sid:84685647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822546/; classtype:trojan-activity;sid:84685646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lps08.zor2laven.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822545/; classtype:trojan-activity;sid:84685645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proxyeas.zor2laven.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822544/; classtype:trojan-activity;sid:84685644; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822542/; classtype:trojan-activity;sid:84685642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.211.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822543/; classtype:trojan-activity;sid:84685643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.80.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822541/; classtype:trojan-activity;sid:84685641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"h4rve5-loop.zor2laven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822540/; classtype:trojan-activity;sid:84685640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.186"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822539/; classtype:trojan-activity;sid:84685639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.91.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822538/; classtype:trojan-activity;sid:84685638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.203.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822537/; classtype:trojan-activity;sid:84685637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bm1rtmr.zor2laven.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822536/; classtype:trojan-activity;sid:84685636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xxvxsk4x.zor2laven.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822535/; classtype:trojan-activity;sid:84685635; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.95.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822534/; classtype:trojan-activity;sid:84685634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822533/; classtype:trojan-activity;sid:84685633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mervaleon1.prax9vitor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822532/; classtype:trojan-activity;sid:84685632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vialstr.prax9vitor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822531/; classtype:trojan-activity;sid:84685631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822530)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822530/; classtype:trojan-activity;sid:84685630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.115.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822529/; classtype:trojan-activity;sid:84685629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lnrjp.prax9vitor.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822528/; classtype:trojan-activity;sid:84685628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"par5e-array.prax9vitor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822527/; classtype:trojan-activity;sid:84685627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"arrayshore.prax9vitor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822526/; classtype:trojan-activity;sid:84685626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nnid.prax9vitor.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822525/; classtype:trojan-activity;sid:84685625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshstorage.kry3qelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822524/; classtype:trojan-activity;sid:84685624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.29.232"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822523/; classtype:trojan-activity;sid:84685623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-tok3.kry3qelin.in.net"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822522/; classtype:trojan-activity;sid:84685622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-dynam1.kry3qelin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822521/; classtype:trojan-activity;sid:84685621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.193.144.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822520/; classtype:trojan-activity;sid:84685620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"massivespectra.kry3qelin.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822519/; classtype:trojan-activity;sid:84685619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solnex0ex.kry3qelin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3822518/; classtype:trojan-activity;sid:84685618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"registryfaithful.kry3qelin.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822517/; classtype:trojan-activity;sid:84685617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.202.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822516/; classtype:trojan-activity;sid:84685616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wilpol.tul7morax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822515/; classtype:trojan-activity;sid:84685615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.193.144.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822514/; classtype:trojan-activity;sid:84685614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3822513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"birdout.tul7morax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822513/; classtype:trojan-activity;sid:84685613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822512/; classtype:trojan-activity;sid:84685612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"queryguard.tul7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822511/; classtype:trojan-activity;sid:84685611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.15.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822510/; classtype:trojan-activity;sid:84685610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"119.187.202.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822509/; classtype:trojan-activity;sid:84685609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bay-banne.tul7morax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822508/; classtype:trojan-activity;sid:84685608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sercore2or.tul7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822507/; classtype:trojan-activity;sid:84685607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.249.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822506/; classtype:trojan-activity;sid:84685606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ync-lab.tul7morax.in.net"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822505/; classtype:trojan-activity;sid:84685605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"encodersensor.vex1laxon.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822504/; classtype:trojan-activity;sid:84685604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shiftcascade.vex1laxon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822503/; classtype:trojan-activity;sid:84685603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.158.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822502/; classtype:trojan-activity;sid:84685602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flovv-chain.vex1laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822501/; classtype:trojan-activity;sid:84685601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.249.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822500/; classtype:trojan-activity;sid:84685600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ychgg.vex1laxon.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822499/; classtype:trojan-activity;sid:84685599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1blfqyva/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822498/; classtype:trojan-activity;sid:84685598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"streambreeze.vex1laxon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822497/; classtype:trojan-activity;sid:84685597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3822496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.58.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822496/; classtype:trojan-activity;sid:84685596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822495/; classtype:trojan-activity;sid:84685595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.58.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822494/; classtype:trojan-activity;sid:84685594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velline0os.vex1laxon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822493/; classtype:trojan-activity;sid:84685593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"zdjine7o.nor8tavil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822492/; classtype:trojan-activity;sid:84685592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.158.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822491/; classtype:trojan-activity;sid:84685591; rev:1;)
# Same URI path under different subdomains of one parent domain; each rule pins a single
# exact host, so coverage is per listed subdomain only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"syxnh65t.nor8tavil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822490/; classtype:trojan-activity;sid:84685590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talfluxen3.nor8tavil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822489/; classtype:trojan-activity;sid:84685589; rev:1;)
# NOTE(review): the URI pattern below holds literal percent-encoded bytes (%e6%96%87...)
# and depth:71 counts them as written. http.uri is the normalized URI buffer; if the
# sensor decodes %xx sequences before matching, this literal may not be present in the
# buffer - verify against a test request, and compare with http.uri.raw.
# The host is github.com, so the cleartext-HTTP visibility limit of `alert http` applies
# here as well (TODO confirm TLS inspection coverage).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/%e6%96%87%e6%a1%a382524.exe"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822488/; classtype:trojan-activity;sid:84685588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822487/; classtype:trojan-activity;sid:84685587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sketchneuron.nor8tavil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822486/; classtype:trojan-activity;sid:84685586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fi3rce7-watch.nor8tavil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822485/; classtype:trojan-activity;sid:84685585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.57.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822484/; classtype:trojan-activity;sid:84685584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3822483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valleydispatcher.nor8tavil.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822483/; classtype:trojan-activity;sid:84685583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.3.70.107"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822482/; classtype:trojan-activity;sid:84685582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t0mbk.xel5navin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822481/; classtype:trojan-activity;sid:84685581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//wp-admin/maint/image.png"; depth:26; endswith; nocase; http.host; content:"gtps4change.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822480/; classtype:trojan-activity;sid:84685580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822479)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/deskes.png"; depth:11; endswith; nocase; http.host; content:"corwineagles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822479/; classtype:trojan-activity;sid:84685579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-coreum.xel5navin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822478/; classtype:trojan-activity;sid:84685578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822477/; classtype:trojan-activity;sid:84685577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sirdee.ps1"; depth:11; endswith; nocase; http.host; content:"stylegeneration.ma"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822476/; classtype:trojan-activity;sid:84685576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"motmolecu.xel5navin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822475/; classtype:trojan-activity;sid:84685575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822474/; classtype:trojan-activity;sid:84685574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.40.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822473/; classtype:trojan-activity;sid:84685573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fundoasis.xel5navin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822472/; classtype:trojan-activity;sid:84685572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.193.107.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822471/; classtype:trojan-activity;sid:84685571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822470)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/qrexf0.ps1"; depth:11; endswith; nocase; http.host; content:"files.catbox.moe"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822470/; classtype:trojan-activity;sid:84685570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agyayzkwcah149.bin"; depth:19; endswith; nocase; http.host; content:"172.245.95.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822468/; classtype:trojan-activity;sid:84685568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gonio.dwp"; depth:10; endswith; nocase; http.host; content:"172.245.95.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822469/; classtype:trojan-activity;sid:84685569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ice-mark.xel5navin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822467/; classtype:trojan-activity;sid:84685567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cqr69.png"; depth:10; endswith; nocase; http.host; content:"dump.win"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822466/; classtype:trojan-activity;sid:84685566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822465/; classtype:trojan-activity;sid:84685565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynflux6al.xel5navin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822464/; classtype:trojan-activity;sid:84685564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"next.qen7tavil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822463/; classtype:trojan-activity;sid:84685563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3r1v7cs1"; depth:9; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822462/; classtype:trojan-activity;sid:84685562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3822461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/img_015451.png"; depth:18; endswith; nocase; http.host; content:"172.245.95.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822461/; classtype:trojan-activity;sid:84685561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vera.qen7tavil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822460/; classtype:trojan-activity;sid:84685560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"saqo.qen7tavil.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822459/; classtype:trojan-activity;sid:84685559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822457/; classtype:trojan-activity;sid:84685557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822458)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cblootah/test/raw/refs/heads/main/payload.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822458/; classtype:trojan-activity;sid:84685558; rev:1;)
# URLhaus IoC rules, one per reported download URL. Each alerts on an outbound
# HTTP GET whose URI and Host both equal the reported values: `depth:N; endswith`
# with N equal to the pattern length pins the http.uri pattern to the whole
# buffer, and `depth:N; isdataat:!1,relative` does the same for http.host.
# These are exact-match indicators, so a changed path or an added query string
# on the same host raises no alert from these rules.
#
# NOTE(review): the rules in this run name github.com as the host. `alert http`
# inspects HTTP the sensor can parse, so a download made over HTTPS is visible
# only where TLS is decrypted ahead of the sensor. Elsewhere, proxy or endpoint
# logs searched for the reference URL are the practical coverage. Confirm per
# deployment.
#
# NOTE(review): the next rule matches a literal `%20` in http.uri (depth:74
# counts it as three bytes). http.uri is Suricata's normalized URI buffer; if
# percent-decoding applies on the sensor the request path holds a space and this
# pattern does not match. http.uri.raw is the un-normalized buffer. Verify
# against a test request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/test/raw/refs/heads/main/connectwisecontrol.clientsetup%20(6).msi"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822452/; classtype:trojan-activity;sid:84685552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/ragap.vbs"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822453/; classtype:trojan-activity;sid:84685553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/test/raw/refs/heads/main/clientsetup.msi"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822454/; classtype:trojan-activity;sid:84685554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/connectwisecontrol.clientsetup.msi"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10;
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822455/; classtype:trojan-activity;sid:84685555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/ragap.msi"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822456/; classtype:trojan-activity;sid:84685556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/setup.msi"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822451/; classtype:trojan-activity;sid:84685551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/panel82.vbs"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822450/; classtype:trojan-activity;sid:84685550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/screen/raw/refs/heads/main/rmm.vbs"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822449/; classtype:trojan-activity;sid:84685549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3822448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/test/raw/refs/heads/main/setup.msi"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822448/; classtype:trojan-activity;sid:84685548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/kr/raw/refs/heads/main/clientsetup.msi"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822447/; classtype:trojan-activity;sid:84685547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/test/raw/refs/heads/main/ssa.vbs"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822445/; classtype:trojan-activity;sid:84685545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemo828/test/raw/refs/heads/main/truckcontroller.clientsetup.msi"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822446/; classtype:trojan-activity;sid:84685546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"182.119.93.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822444/; classtype:trojan-activity;sid:84685544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.34.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822443/; classtype:trojan-activity;sid:84685543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.242.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822442/; classtype:trojan-activity;sid:84685542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.107.16.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822441/; classtype:trojan-activity;sid:84685541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.194.122.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822440/; classtype:trojan-activity;sid:84685540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822439)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.238.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822439/; classtype:trojan-activity;sid:84685539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.8.231"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822438/; classtype:trojan-activity;sid:84685538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zsj7xqo.qen7tavil.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822437/; classtype:trojan-activity;sid:84685537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.93.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822436/; classtype:trojan-activity;sid:84685536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sxbrp.bri1laxon.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822435/; classtype:trojan-activity;sid:84685535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822434/; classtype:trojan-activity;sid:84685534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822433/; classtype:trojan-activity;sid:84685533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822431/; classtype:trojan-activity;sid:84685531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822432/; classtype:trojan-activity;sid:84685532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822430)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822430/; classtype:trojan-activity;sid:84685530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"weedhack.xyz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822429/; classtype:trojan-activity;sid:84685529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"columnapi.dru9vexon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822428/; classtype:trojan-activity;sid:84685528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.242.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822427/; classtype:trojan-activity;sid:84685527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nimblehon.zor4melax.in.net"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822426/; classtype:trojan-activity;sid:84685526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.107.16.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822425/; classtype:trojan-activity;sid:84685525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gp0zfju.prax5litor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822424/; classtype:trojan-activity;sid:84685524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.9.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822423/; classtype:trojan-activity;sid:84685523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-f0rge.kry6navex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822422/; classtype:trojan-activity;sid:84685522; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.30.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822421/; classtype:trojan-activity;sid:84685521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"routerwago.tul2qorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822420/; classtype:trojan-activity;sid:84685520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/goodthingswithbestspeakforme.hta"; depth:36; endswith; nocase; http.host; content:"172.245.95.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822419/; classtype:trojan-activity;sid:84685519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"il2l4822.vex8talin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822418/; classtype:trojan-activity;sid:84685518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822417)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.200.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822417/; classtype:trojan-activity;sid:84685517; rev:1;)
# URLhaus IoC rules, one per reported download URL: each alerts on an outbound
# HTTP GET whose http.uri and http.host equal the reported values (pattern
# pinned to the whole buffer by `depth` plus `endswith` / `isdataat:!1,relative`).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svchost-update.exe"; depth:19; endswith; nocase; http.host; content:"138.124.61.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822416/; classtype:trojan-activity;sid:84685516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"m0ss5-watch.nor3liven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822415/; classtype:trojan-activity;sid:84685515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8717422379/phu1ykl.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822414/; classtype:trojan-activity;sid:84685514; rev:1;)
# NOTE(review): in the rule below `|3f|` is `?` and `|26|` is `&`, but each
# `|26|` sits between two `|7c|` (a literal pipe), so the pattern as written
# requires the three bytes `|&|` between query parameters. This looks like the
# `&` separators were hex-escaped and the pipe delimiters then escaped again;
# presumably a generator artifact. Compare with the URL on the referenced
# URLhaus entry. If the reported URL uses a plain `&`, this sid cannot match it.
# depth:124 is the length of the escaped pattern text; the decoded pattern is
# shorter (107 bytes by count), so depth does not pin the match to offset 0 here
# the way it does in the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meshagents|3f|id=3|7c|26|7c|meshid=g3qqmguuqeukcwatxqj2kfrnavgyuymibgilecxmmuisabwlmubigllxjaocx30b|7c|26|7c|installflags=3"; depth:124; endswith; nocase; http.host;
content:"dwkch.ru"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822413/; classtype:trojan-activity;sid:84685513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setup.ps1"; depth:10; endswith; nocase; http.host; content:"138.124.61.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822412/; classtype:trojan-activity;sid:84685512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.236.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822411/; classtype:trojan-activity;sid:84685511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ind3-spool.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822410/; classtype:trojan-activity;sid:84685510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.246.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822409/; classtype:trojan-activity;sid:84685509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3822408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.9.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822408/; classtype:trojan-activity;sid:84685508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dr1ve-trail.qen7tavil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822407/; classtype:trojan-activity;sid:84685507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822406/; classtype:trojan-activity;sid:84685506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.3.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822405/; classtype:trojan-activity;sid:84685505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"emuwa.qen7tavil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822404/; classtype:trojan-activity;sid:84685504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"normarkis2.qen7tavil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822403/; classtype:trojan-activity;sid:84685503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quordraa.qen7tavil.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822402/; classtype:trojan-activity;sid:84685502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.219.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822401/; classtype:trojan-activity;sid:84685501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cortex_setup.exe"; depth:17; endswith; nocase; http.host; content:"185.125.102.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822400/; 
classtype:trojan-activity;sid:84685500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cortex_demo_setup.exe"; depth:22; endswith; nocase; http.host; content:"185.125.102.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822399/; classtype:trojan-activity;sid:84685499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.232.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822398/; classtype:trojan-activity;sid:84685498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.232.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822397/; classtype:trojan-activity;sid:84685497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/tyx9odo.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822396/; classtype:trojan-activity;sid:84685496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.227.236.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822395/; classtype:trojan-activity;sid:84685495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clusterbright.qen7tavil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822394/; classtype:trojan-activity;sid:84685494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.245.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822393/; classtype:trojan-activity;sid:84685493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.246.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822392/; classtype:trojan-activity;sid:84685492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.140.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822391/; classtype:trojan-activity;sid:84685491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3822390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fibulae.afm"; depth:12; endswith; nocase; http.host; content:"172.245.95.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822390/; classtype:trojan-activity;sid:84685490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nrtjbsnchhkahi148.bin"; depth:22; endswith; nocase; http.host; content:"172.245.95.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822389/; classtype:trojan-activity;sid:84685489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.89.54.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822388/; classtype:trojan-activity;sid:84685488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"opt13-mesh.qen7tavil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822387/; classtype:trojan-activity;sid:84685487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.239.110"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822386/; classtype:trojan-activity;sid:84685486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenmark1a.bri1laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822385/; classtype:trojan-activity;sid:84685485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.20.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822384/; classtype:trojan-activity;sid:84685484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.150.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822383/; classtype:trojan-activity;sid:84685483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.234.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822382/; classtype:trojan-activity;sid:84685482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822381)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumnex7os.bri1laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822381/; classtype:trojan-activity;sid:84685481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.237.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822380/; classtype:trojan-activity;sid:84685480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.65.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822379/; classtype:trojan-activity;sid:84685479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.167.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822378/; classtype:trojan-activity;sid:84685478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.6.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822377/; classtype:trojan-activity;sid:84685477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zecyxfgt.bri1laxon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822376/; classtype:trojan-activity;sid:84685476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.245.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822375/; classtype:trojan-activity;sid:84685475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.140.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822374/; classtype:trojan-activity;sid:84685474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"k3rne-signal.bri1laxon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822373/; classtype:trojan-activity;sid:84685473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3822372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822372/; classtype:trojan-activity;sid:84685472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.89.54.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822371/; classtype:trojan-activity;sid:84685471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1ndex2-gate.bri1laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822370/; classtype:trojan-activity;sid:84685470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.126.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822369/; classtype:trojan-activity;sid:84685469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"ar2ymo.bri1laxon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822368/; classtype:trojan-activity;sid:84685468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.114.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822365/; classtype:trojan-activity;sid:84685465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.239.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822366/; classtype:trojan-activity;sid:84685466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.126.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822367/; classtype:trojan-activity;sid:84685467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tenquarr.dru9vexon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822364/; classtype:trojan-activity;sid:84685464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3822363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.150.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822363/; classtype:trojan-activity;sid:84685463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822362/; classtype:trojan-activity;sid:84685462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.219.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822361/; classtype:trojan-activity;sid:84685461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.167.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822360/; classtype:trojan-activity;sid:84685460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lively-obser.dru9vexon.in.net"; depth:29; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822359/; classtype:trojan-activity;sid:84685459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.140.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822358/; classtype:trojan-activity;sid:84685458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu4r9-scope.dru9vexon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822357/; classtype:trojan-activity;sid:84685457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"g4th2-mount.dru9vexon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822356/; classtype:trojan-activity;sid:84685456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8468794285/trcuarc.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822355/; 
classtype:trojan-activity;sid:84685455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.114.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822354/; classtype:trojan-activity;sid:84685454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.33.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822353/; classtype:trojan-activity;sid:84685453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hpryikjw.dru9vexon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822352/; classtype:trojan-activity;sid:84685452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hardscript.dru9vexon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822351/; classtype:trojan-activity;sid:84685451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822350)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.107.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822350/; classtype:trojan-activity;sid:84685450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xoqairj.zor4melax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822349/; classtype:trojan-activity;sid:84685449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.140.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822348/; classtype:trojan-activity;sid:84685448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pwmyu.zor4melax.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822347/; classtype:trojan-activity;sid:84685447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.196.20"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822346/; classtype:trojan-activity;sid:84685446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"compre-node.zor4melax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822345/; classtype:trojan-activity;sid:84685445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.145.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822344/; classtype:trojan-activity;sid:84685444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0rnpute-stream.zor4melax.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822343/; classtype:trojan-activity;sid:84685443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822341/; classtype:trojan-activity;sid:84685441; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.252.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822342/; classtype:trojan-activity;sid:84685442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wygb7.zor4melax.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822340/; classtype:trojan-activity;sid:84685440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.68.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822338/; classtype:trojan-activity;sid:84685438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5pro4-vector.zor4melax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822339/; classtype:trojan-activity;sid:84685439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822337)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tfovt.prax5litor.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822337/; classtype:trojan-activity;sid:84685437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.137.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822336/; classtype:trojan-activity;sid:84685436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.196.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822335/; classtype:trojan-activity;sid:84685435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sprbridg.prax5litor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822334/; classtype:trojan-activity;sid:84685434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"bridge0-crest.prax5litor.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822333/; classtype:trojan-activity;sid:84685433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.252.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822332/; classtype:trojan-activity;sid:84685432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trimark4or.prax5litor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822331/; classtype:trojan-activity;sid:84685431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"observ-phase.prax5litor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822330/; classtype:trojan-activity;sid:84685430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.137.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822329/; classtype:trojan-activity;sid:84685429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"server-vall.prax5litor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822328/; classtype:trojan-activity;sid:84685428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/direct/cad2b711-6299-4806-9b5a-c439bf6b2e5d/logmeinresolve_unattended.msi"; depth:83; endswith; nocase; http.host; content:"store9.gofile.io"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822327/; classtype:trojan-activity;sid:84685427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobeinstaller.msi"; depth:19; endswith; nocase; http.host; content:"pub-fc10525f25d247e4a38787b5b64673ec.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822326/; classtype:trojan-activity;sid:84685426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hdphyvg6/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822325/; classtype:trojan-activity;sid:84685425; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/crystal/image/image.png"; depth:43; endswith; nocase; http.host; content:"gtps4change.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822324/; classtype:trojan-activity;sid:84685424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.232.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822323/; classtype:trojan-activity;sid:84685423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto//01.txt"; depth:46; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822322/; classtype:trojan-activity;sid:84685422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto//03.txt"; depth:46; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822321/; classtype:trojan-activity;sid:84685421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822319)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/fvtwhwzaqj_06_04_meus_arquivosdetexto//02.txt"; depth:46; endswith; nocase; http.host; content:"andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br"; depth:65; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822319/; classtype:trojan-activity;sid:84685419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl.txt"; depth:7; endswith; nocase; http.host; content:"catalogo.castrouria.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822320/; classtype:trojan-activity;sid:84685420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mptprkvq/luisscore.png"; depth:23; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822318/; classtype:trojan-activity;sid:84685418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/putty2.txt"; depth:11; endswith; nocase; http.host; content:"frostcrypt.org"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822317/; classtype:trojan-activity;sid:84685417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vel-markon.kry6navex.in.net"; 
depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822316/; classtype:trojan-activity;sid:84685416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enter/image.png"; depth:16; endswith; nocase; http.host; content:"zorvex.life"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822315/; classtype:trojan-activity;sid:84685415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.79.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822314/; classtype:trojan-activity;sid:84685414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.121.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822313/; classtype:trojan-activity;sid:84685413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3yon6yq8yur914"; depth:16; endswith; nocase; http.host; content:"hasteb.in"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822312/; classtype:trojan-activity;sid:84685412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822311)"; flow:established,from_client; http.method; content:"GET"; 
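http.uri; content:"/deelct2f/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822311/; classtype:trojan-activity;sid:84685411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diiv4ccl/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822310/; classtype:trojan-activity;sid:84685410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"engine-switch.kry6navex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822309/; classtype:trojan-activity;sid:84685409; rev:1;)
# NOTE(review): sid 84685408 -- the query separator arrived double-escaped as
# |7c|26|7c|. Suricata decodes |7c| to a literal pipe, so the pattern contained
# the four bytes "|26|" instead of "&" (0x26) and could not match a request for
# ...?alt=media&token=... . Corrected to |26| below.
# depth was 116, the length of the escaped rule text; the decoded pattern is
# 104 bytes, and depth:104 with endswith pins the whole URI the way the sibling
# rules do (depth == pattern length).
# Presumably http.uri keeps "%2f" encoded under the sensor's libhtp settings;
# confirm against the deployed personality. The host is normally served over
# TLS, so this http rule fires only on cleartext or decrypted traffic.
# This is a local correction to a generated feed entry; sid and rev are left
# as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/rodriakd-8413d.appspot.com/o/dll%2fdllnew.txt|3f|alt=media|26|token=630e2807-b89c-4645-b3dc-dc407ccae141"; depth:104; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822308/; classtype:trojan-activity;sid:84685408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nsrc9g6c"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; 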
depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822307/; classtype:trojan-activity;sid:84685407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/y4vf6wvi"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822306/; classtype:trojan-activity;sid:84685406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27/greatattitudeforme.hta"; depth:26; endswith; nocase; http.host; content:"172.245.155.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822305/; classtype:trojan-activity;sid:84685405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.87.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822303/; classtype:trojan-activity;sid:84685403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/initkj"; depth:7; endswith; nocase; http.host; content:"pc24.app"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822304/; classtype:trojan-activity;sid:84685404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822302)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/prood/kolodial.dat"; depth:19; endswith; nocase; http.host; content:"dubaitechnicalservice.ae"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822302/; classtype:trojan-activity;sid:84685402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129/goodthingsforbetterforme.hta"; depth:33; endswith; nocase; http.host; content:"66.63.170.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822301/; classtype:trojan-activity;sid:84685401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t1de-vault.kry6navex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822300/; classtype:trojan-activity;sid:84685400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"list4.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822299/; classtype:trojan-activity;sid:84685399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822298)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sailbreeze.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822298/; classtype:trojan-activity;sid:84685398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"c87x.xel7morax.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822289/; classtype:trojan-activity;sid:84685389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"link1-wire.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822290/; classtype:trojan-activity;sid:84685390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zone3-view.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822291/; classtype:trojan-activity;sid:84685391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822292)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"gate6.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822292/; classtype:trojan-activity;sid:84685392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sort3-item.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822293/; classtype:trojan-activity;sid:84685393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"top3.smartchoice.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822294/; classtype:trojan-activity;sid:84685394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"best2.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822295/; classtype:trojan-activity;sid:84685395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822296)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"blog3.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822296/; classtype:trojan-activity;sid:84685396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"event2-log.daily-report-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822297/; classtype:trojan-activity;sid:84685397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"topic3-base.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822287/; classtype:trojan-activity;sid:84685387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"darkspark.zen4qorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822288/; classtype:trojan-activity;sid:84685388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3822284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"base6-door.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822284/; classtype:trojan-activity;sid:84685384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"news1-wire.daily-report-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822285/; classtype:trojan-activity;sid:84685385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"serlineos8.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822286/; classtype:trojan-activity;sid:84685386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"user5.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822283/; classtype:trojan-activity;sid:84685383; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"gift1.daily-bonus.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822282/; classtype:trojan-activity;sid:84685382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"front6-gate.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822280/; classtype:trojan-activity;sid:84685380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cover6-link.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822281/; classtype:trojan-activity;sid:84685381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"area2-find.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822279/; 
classtype:trojan-activity;sid:84685379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"upzr.zen4qorin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822277/; classtype:trojan-activity;sid:84685377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"order1-list.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822278/; classtype:trojan-activity;sid:84685378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"map4.urbanview.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822273/; classtype:trojan-activity;sid:84685373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"open6.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822274/; classtype:trojan-activity;sid:84685374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"news5.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822275/; classtype:trojan-activity;sid:84685375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sheet5-view.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822276/; classtype:trojan-activity;sid:84685376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.134.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822271/; classtype:trojan-activity;sid:84685371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"site4-info.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822272/; 
classtype:trojan-activity;sid:84685372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"time1-out.global-server-sync.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822269/; classtype:trojan-activity;sid:84685369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"itncq.xelvorimax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822270/; classtype:trojan-activity;sid:84685370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"client1-zone.smart-logic-trade.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822262/; classtype:trojan-activity;sid:84685362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"table4-data.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822263/; classtype:trojan-activity;sid:84685363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sandsto.pra5noxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822264/; classtype:trojan-activity;sid:84685364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"node2-ssh.remote-access-node.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822265/; classtype:trojan-activity;sid:84685365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"note3-base.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822266/; classtype:trojan-activity;sid:84685366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auth7-core.kry6navex.in.net"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822267/; classtype:trojan-activity;sid:84685367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"plan3-item.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822268/; classtype:trojan-activity;sid:84685368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"work6-host.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822261/; classtype:trojan-activity;sid:84685361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"task1-core.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822260/; classtype:trojan-activity;sid:84685360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"mark5-logo.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822259/; classtype:trojan-activity;sid:84685359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cinem-graph.xelvorimax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822257/; classtype:trojan-activity;sid:84685357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vor-nexal.drumirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822258/; classtype:trojan-activity;sid:84685358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"card2-fast.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822256/; classtype:trojan-activity;sid:84685356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822255)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"city1-spot.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822255/; classtype:trojan-activity;sid:84685355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"step2-flow.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822252/; classtype:trojan-activity;sid:84685352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"genome2-line.xelvorimax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822253/; classtype:trojan-activity;sid:84685353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tun1-pipe.secure-proxy-way.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822254/; classtype:trojan-activity;sid:84685354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822250)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"29mpmnz7.pra5noxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822250/; classtype:trojan-activity;sid:84685350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"view2-data.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822251/; classtype:trojan-activity;sid:84685351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"file1-raw.cloud-storage-unit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822249/; classtype:trojan-activity;sid:84685349; rev:1;)
# NOTE(review): in the rule below, `|7c|26|7c|` decodes to the four literal bytes "|26|", not to
# "&" (0x26). Presumably the reported URL has "&" between the two query parameters and the
# generator escaped it twice; as written the rule would then never match that request (a silent
# false negative). Confirm against the URLhaus entry; if so, the pattern should use `|26|` and a
# depth equal to the decoded length. depth:48 here is the length of the escaped text, while the
# decoded pattern is 39 bytes, so the start anchor is also looser than on the neighbouring rules.
# The same `|7c|26|7c|` sequence appears in sid:84685295 (firebasestorage.googleapis.com).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pc/bootservice.php|3f|tag=2136|7c|26|7c|query=1"; depth:48; endswith; nocase; http.host; content:"check.nid-log.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822248/; classtype:trojan-activity;sid:84685348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822247)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_053925.png"; depth:15; endswith; nocase; http.host; content:"aumri.ae"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822247/; classtype:trojan-activity;sid:84685347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vtdlwy.kry6navex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822246/; classtype:trojan-activity;sid:84685346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rump1_msi.png"; depth:14; endswith; nocase; http.host; content:"aumri.ae"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822245/; classtype:trojan-activity;sid:84685345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822244/; classtype:trojan-activity;sid:84685344; rev:1;)
# NOTE(review): the rules from here on with http.host "github.com" (and the later
# raw.githubusercontent.com, firebasestorage.googleapis.com and i.postimg.cc entries) name shared
# hosting services; only the http.uri path identifies the reported file, so the host by itself is
# not an indicator and should not be lifted into a host blocklist. `alert http` also needs the
# request in cleartext: these services are normally reached over HTTPS, so a passive sensor
# without TLS decryption will likely never see these URIs. Cover the same paths in proxy or
# endpoint logs rather than relying on these signatures alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/jt-0635.scr"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_04_15; reference:url, urlhaus.abuse.ch/url/3822243/; classtype:trojan-activity;sid:84685343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/fd-830-0054.pif"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822236/; classtype:trojan-activity;sid:84685336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/xe.js"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822237/; classtype:trojan-activity;sid:84685337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/xwormclient44.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822238/; classtype:trojan-activity;sid:84685338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/robin_harker@btconnect.com.rar"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822239/; classtype:trojan-activity;sid:84685339; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/au2025-0097.7z"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822240/; classtype:trojan-activity;sid:84685340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ft3763pdf.scr"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822241/; classtype:trojan-activity;sid:84685341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht-0037.scr"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822242/; classtype:trojan-activity;sid:84685342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ft-26436du(2).pif"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822234/; classtype:trojan-activity;sid:84685334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822235)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht02528_8w77.js"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822235/; classtype:trojan-activity;sid:84685335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/smtb-73443.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822224/; classtype:trojan-activity;sid:84685324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/update.ps1"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822225/; classtype:trojan-activity;sid:84685325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/robin_harker@btconnect.com.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822226/; classtype:trojan-activity;sid:84685326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/at-35560.exe"; depth:56; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822227/; classtype:trojan-activity;sid:84685327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bin.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822228/; classtype:trojan-activity;sid:84685328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/update1.ps1"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822229/; classtype:trojan-activity;sid:84685329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/client.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822230/; classtype:trojan-activity;sid:84685330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/a-2025-03545.7z"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822231/; 
classtype:trojan-activity;sid:84685331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/at5423.7z"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822232/; classtype:trojan-activity;sid:84685332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/st982.rar"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822233/; classtype:trojan-activity;sid:84685333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/cerealisordersv"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822218/; classtype:trojan-activity;sid:84685318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht-0035.scr"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822219/; classtype:trojan-activity;sid:84685319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3822220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bosshyperaw(1).zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822220/; classtype:trojan-activity;sid:84685320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bosshyperaw.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822221/; classtype:trojan-activity;sid:84685321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bosshyperaw.exe.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822222/; classtype:trojan-activity;sid:84685322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bolicfile.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822223/; classtype:trojan-activity;sid:84685323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822215)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hyperbolic531/makethen/raw/refs/heads/main/dxxqbzem.scr"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822215/; classtype:trojan-activity;sid:84685315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht-2725.rar"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822216/; classtype:trojan-activity;sid:84685316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/jt-0635.rar"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822217/; classtype:trojan-activity;sid:84685317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/a89667.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822213/; classtype:trojan-activity;sid:84685313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/bvx1tflm4cxqqx8.pif"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822214/; classtype:trojan-activity;sid:84685314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/a-739pcs.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822210/; classtype:trojan-activity;sid:84685310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/lanpb.scr"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822211/; classtype:trojan-activity;sid:84685311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht9262.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822212/; classtype:trojan-activity;sid:84685312; rev:1;)
# NOTE(review): sid:84685306 below and sid:84685304 later in this file carry identical match
# conditions (http.uri ".../refs/heads/main/sv" with depth:46, http.host "github.com"), so a single
# request raises two alerts that differ only in the URLhaus reference. Presumably the two URLhaus
# entries differ in something the rule does not encode (for example the scheme); confirm, and
# deduplicate or suppress one of them when tuning alert volume.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/sv"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822206/; classtype:trojan-activity;sid:84685306; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/po"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822207/; classtype:trojan-activity;sid:84685307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/doc"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822208/; classtype:trojan-activity;sid:84685308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/con"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822209/; classtype:trojan-activity;sid:84685309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/ht-8272.rar"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822205/; classtype:trojan-activity;sid:84685305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822202)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hyperbolic531/makethen/raw/refs/heads/main/a-835pcs.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822202/; classtype:trojan-activity;sid:84685302; rev:1;)
# Reading these entries: every rule alerts on a client-side GET in an established
# HTTP flow from $HOME_NET to $EXTERNAL_NET. The http.uri content is anchored with
# depth + endswith (case-insensitive via nocase) and the http.host content with
# depth + isdataat:!1,relative, so a rule is meant to fire only when both buffers
# equal the listed values, not when they merely contain them.
#
# NOTE(review): `alert http` only sees requests the sensor can parse as HTTP. The
# rules carry no scheme, so for hosts normally reached over TLS (github.com above
# and below, raw.githubusercontent.com, i.postimg.cc, firebasestorage.googleapis.com)
# confirm against the URLhaus entry whether the URL is https://. If it is, these
# rules stay silent unless the sensor inspects decrypted traffic. A host-only
# fallback (TLS SNI or DNS) is not a substitute on shared platforms like these,
# because the host alone does not identify the listed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/st"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822203/; classtype:trojan-activity;sid:84685303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/raw/refs/heads/main/sv"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822204/; classtype:trojan-activity;sid:84685304; rev:1;)
# The 82-byte URI in the next rule is reused verbatim by sid 84685297 below under a
# different *.in.net host; only the http.host value differs between the two.
# Per-host entries cover listed hosts only. If hosts not yet in the feed matter
# locally, keep a site-local rule keyed on the URI in a separate rules file rather
# than editing this generated one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-r0ut.kry6navex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822201/; classtype:trojan-activity;sid:84685301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.79.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822200/; classtype:trojan-activity;sid:84685300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hyperbolic531/makethen/refs/heads/main/miahdoo.txt"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822199/; classtype:trojan-activity;sid:84685299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r01gw6zd/snake.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822198/; classtype:trojan-activity;sid:84685298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"inn35-dock.tul2qorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822197/; classtype:trojan-activity;sid:84685297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/478469/update.ps1"; depth:18; endswith; nocase; http.host; content:"krikadoo.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822196/; classtype:trojan-activity;sid:84685296; rev:1;)
# NOTE(review), sid 84685295 -- three things to verify before relying on this entry:
#  1. Inside a content string |xx| is hex notation, so `|7c|26|7c|` decodes to the
#     four literal bytes `|26|`. If the listed URL joins its query parameters with
#     `&` (which is what `|26|` alone would encode), this pattern cannot match.
#     This looks like double escaping in the generator -- confirm against
#     urlhaus.abuse.ch/url/3822195/.
#  2. depth:112 is the length of the escaped text; the decoded pattern is 103 bytes.
#     With endswith the match is still pinned to the end of the URI, but it is no
#     longer pinned to offset 0 as it is in the entries without hex escapes.
#  3. http.uri is the normalized URI buffer. Check that the sensor's HTTP parser
#     settings leave `%2f` undecoded in the path, otherwise the literal `%2f` is
#     not present to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/rodriakd-8413d.appspot.com/o/dll%2fjs.txt|3f|alt=media|7c|26|7c|token=09ada575-efa9-4dc8-b331-404723b5997a"; depth:112; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822195/; classtype:trojan-activity;sid:84685295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwoxeq.vmp.msi"; depth:15; endswith; nocase; http.host; content:"bitcoins.homes"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822194/; classtype:trojan-activity;sid:84685294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kwdhur.vmp.msi"; depth:15; endswith; nocase; http.host; content:"sfunited.club"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822193/; classtype:trojan-activity;sid:84685293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/network/update.ps1"; depth:28; endswith; nocase; http.host; content:"krikadoo.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822192/; classtype:trojan-activity;sid:84685292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nesrmp.png"; 
depth:11; endswith; nocase; http.host; content:"107.173.143.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822191/; classtype:trojan-activity;sid:84685291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blrkm.png"; depth:10; endswith; nocase; http.host; content:"dump.win"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822190/; classtype:trojan-activity;sid:84685290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.230.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822189/; classtype:trojan-activity;sid:84685289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.47.121.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822188/; classtype:trojan-activity;sid:84685288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.84.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822187/; classtype:trojan-activity;sid:84685287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822186)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"reagent-publ.tul2qorin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822186/; classtype:trojan-activity;sid:84685286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822185/; classtype:trojan-activity;sid:84685285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yil5.tul2qorin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822184/; classtype:trojan-activity;sid:84685284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oboapril.png"; depth:13; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822183/; classtype:trojan-activity;sid:84685283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rumpdbkfire.png"; depth:16; endswith; nocase; http.host; 
content:"84.38.130.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822182/; classtype:trojan-activity;sid:84685282; rev:1;)
# Each entry alerts on an outbound GET whose http.uri (depth + endswith, nocase)
# and http.host (depth + isdataat:!1,relative) are anchored to the listed values.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"84.38.130.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822181/; classtype:trojan-activity;sid:84685281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"njt8hire.tul2qorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822180/; classtype:trojan-activity;sid:84685280; rev:1;)
# NOTE(review), sid 84685279: `|3f|` is hex notation for `?`, so the pattern covers
# the path plus the full query string, including the `tk=` value. A request for the
# same path with a different token does not match. depth:58 is the length of the
# escaped text, while the decoded pattern is 55 bytes. endswith still pins the match
# to the end of the URI, but the start is not pinned to offset 0 the way it is in
# the entries without hex escapes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/update.mso|3f|tk=862f0dc11e2f77a809083b3bc818b6a5"; depth:58; endswith; nocase; http.host; content:"thomphon.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822179/; classtype:trojan-activity;sid:84685279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.245.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822177/; classtype:trojan-activity;sid:84685277; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822178/; classtype:trojan-activity;sid:84685278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822175/; classtype:trojan-activity;sid:84685275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822176/; classtype:trojan-activity;sid:84685276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dokumen-perusahaan.exe"; depth:23; endswith; nocase; http.host; content:"ersesytuhbo.it.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822174/; classtype:trojan-activity;sid:84685274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvizhok.zip"; depth:12; endswith; nocase; http.host; content:"149.248.79.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3822173/; classtype:trojan-activity;sid:84685273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rump222.png"; depth:12; endswith; nocase; http.host; content:"172.245.95.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822172/; classtype:trojan-activity;sid:84685272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-x86_64"; depth:11; endswith; nocase; http.host; content:"5.182.87.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822171/; classtype:trojan-activity;sid:84685271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lbkonz.tul2qorin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822170/; classtype:trojan-activity;sid:84685270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"203.203.86.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822169/; classtype:trojan-activity;sid:84685269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822168)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zencresten5.tul2qorin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822168/; classtype:trojan-activity;sid:84685268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.223.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822167/; classtype:trojan-activity;sid:84685267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nky0.vex8talin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822166/; classtype:trojan-activity;sid:84685266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.134.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822165/; classtype:trojan-activity;sid:84685265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"mcfupmvl.vex8talin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822164/; classtype:trojan-activity;sid:84685264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xlknp.vex8talin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822163/; classtype:trojan-activity;sid:84685263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822161/; classtype:trojan-activity;sid:84685261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.46.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822162/; classtype:trojan-activity;sid:84685262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winreg.exe"; depth:11; endswith; nocase; http.host; content:"45.92.1.242"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822160/; classtype:trojan-activity;sid:84685260; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ofhbm4.vex8talin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822159/; classtype:trojan-activity;sid:84685259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.47.190.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822158/; classtype:trojan-activity;sid:84685258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kla.bin"; depth:8; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822157/; classtype:trojan-activity;sid:84685257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.27.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822156/; classtype:trojan-activity;sid:84685256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sorna.bin"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822149/; classtype:trojan-activity;sid:84685249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simpo.png"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822150/; classtype:trojan-activity;sid:84685250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javav.exe"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822151/; classtype:trojan-activity;sid:84685251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rena.bin"; depth:9; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822152/; classtype:trojan-activity;sid:84685252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/srapert.exe"; depth:12; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822153/; classtype:trojan-activity;sid:84685253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822154)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/abrams.exe"; depth:11; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822154/; classtype:trojan-activity;sid:84685254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cputr.exe"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822155/; classtype:trojan-activity;sid:84685255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samso.png"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822147/; classtype:trojan-activity;sid:84685247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open.exe"; depth:9; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822148/; classtype:trojan-activity;sid:84685248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leas.txt"; depth:9; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822145/; classtype:trojan-activity;sid:84685245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3822146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jasdo.txt"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822146/; classtype:trojan-activity;sid:84685246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savaw.txt"; depth:10; endswith; nocase; http.host; content:"84.21.189.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822144/; classtype:trojan-activity;sid:84685244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lcr1.vex8talin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822143/; classtype:trojan-activity;sid:84685243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.223.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822142/; classtype:trojan-activity;sid:84685242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"casualquant.vex8talin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822141/; classtype:trojan-activity;sid:84685241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.239.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822140/; classtype:trojan-activity;sid:84685240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-draet.nor3liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822139/; classtype:trojan-activity;sid:84685239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.89.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822138/; classtype:trojan-activity;sid:84685238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"globalotter.nor3liven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822137/; 
classtype:trojan-activity;sid:84685237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.168.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822136/; classtype:trojan-activity;sid:84685236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlinear.nor3liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822135/; classtype:trojan-activity;sid:84685235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.51.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822134/; classtype:trojan-activity;sid:84685234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b4rk-panel.nor3liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822133/; classtype:trojan-activity;sid:84685233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822132)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trailerbinary.nor3liven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822132/; classtype:trojan-activity;sid:84685232; rev:1;)
# Each entry alerts on an outbound GET whose http.uri (depth + endswith, nocase)
# and http.host (depth + isdataat:!1,relative) are anchored to the listed values.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.89.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822131/; classtype:trojan-activity;sid:84685231; rev:1;)
# NOTE(review), sid 84685230: this entry has the same URI and host as sid 84685260
# (URLhaus entry 3822160) elsewhere in this feed, so one matching request raises two
# alerts that differ only in sid and reference. Collapse them downstream (for
# example by keying on URI + host) rather than editing this generated file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winreg.exe"; depth:11; endswith; nocase; http.host; content:"45.92.1.242"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822130/; classtype:trojan-activity;sid:84685230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobe.js"; depth:9; endswith; nocase; http.host; content:"45.92.1.242"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822129/; classtype:trojan-activity;sid:84685229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pebcpxb.nor3liven.in.net"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822128/; classtype:trojan-activity;sid:84685228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.173.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822127/; classtype:trojan-activity;sid:84685227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sharpreel.xel7morax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822126/; classtype:trojan-activity;sid:84685226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.173.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822124/; classtype:trojan-activity;sid:84685224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"du5t3-forge.xel7morax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822125/; classtype:trojan-activity;sid:84685225; rev:1;) 
# --- Reviewer notes for the rules that follow (all created_at 2026_04_15) ---
# Shape: each rule alerts on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose request path AND Host value both equal
# one URLhaus entry.
#   http.uri : content + depth:<content length> + endswith -> whole-buffer
#              match; nocase makes the path comparison case-insensitive.
#   http.host: content + depth:<content length> + isdataat:!1,relative ->
#              nothing may follow the match, so again a whole-buffer match.
# Consequences for coverage and triage:
#   * Exact matching limits false positives even for short paths such as "/i",
#     but a request to the same host with any other path, or with extra bytes
#     in the URI buffer (e.g. an appended query string), does not alert.
#   * Only traffic that Suricata parses as HTTP is inspected; the same download
#     over TLS is not seen unless it is decrypted upstream of the sensor.
#   * NOTE(review): no port is constrained (destination port is "any") and the
#     host content carries none; confirm how the deployed Suricata version
#     fills http.host when the Host header includes an explicit ":port".
#   * Many hosts below are bare IP addresses, which may change hands; treat
#     hits on old entries as leads and confirm against the referenced URLhaus
#     entry before acting on them.
#   * The 82-byte path ending in ".google" repeats unchanged across many
#     *.in.net hostnames in this block, so a proxy or HTTP log search on that
#     path alone also surfaces sibling hostnames that are not listed here.
# Mapping: msg and reference carry the URLhaus id; in every rule shown here
# sid = URLhaus id + 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.51.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822123/; classtype:trojan-activity;sid:84685223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.180.38.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822122/; classtype:trojan-activity;sid:84685222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"icematrix.xel7morax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822121/; classtype:trojan-activity;sid:84685221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlineos8.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822120/; classtype:trojan-activity;sid:84685220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sailbreeze.xel7morax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822119/; classtype:trojan-activity;sid:84685219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c87x.xel7morax.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822118/; classtype:trojan-activity;sid:84685218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gift1.daily-bonus.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822117/; classtype:trojan-activity;sid:84685217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.131.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822116/; classtype:trojan-activity;sid:84685216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822115/; classtype:trojan-activity;sid:84685215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.33.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822114/; classtype:trojan-activity;sid:84685214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.180.38.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822113/; classtype:trojan-activity;sid:84685213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user5.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822112/; classtype:trojan-activity;sid:84685212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"list4.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822111/; classtype:trojan-activity;sid:84685211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top3.smartchoice.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822110/; classtype:trojan-activity;sid:84685210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.19.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822109/; classtype:trojan-activity;sid:84685209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.154.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822108/; classtype:trojan-activity;sid:84685208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best2.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822107/; classtype:trojan-activity;sid:84685207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822106/; classtype:trojan-activity;sid:84685206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"good1.smartchoice.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822105/; classtype:trojan-activity;sid:84685205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822104/; classtype:trojan-activity;sid:84685204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open6.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822103/; classtype:trojan-activity;sid:84685203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.69.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822102/; classtype:trojan-activity;sid:84685202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"news5.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822101/; classtype:trojan-activity;sid:84685201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"map4.urbanview.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822100/; classtype:trojan-activity;sid:84685200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.154.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822098/; classtype:trojan-activity;sid:84685198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.19.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822099/; classtype:trojan-activity;sid:84685199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blog3.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822097/; classtype:trojan-activity;sid:84685197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.36.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822096/; classtype:trojan-activity;sid:84685196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.23.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822095/; classtype:trojan-activity;sid:84685195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.90.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822094/; classtype:trojan-activity;sid:84685194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"spot2.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822093/; classtype:trojan-activity;sid:84685193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.254.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822092/; classtype:trojan-activity;sid:84685192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"area1.urbanview.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822091/; classtype:trojan-activity;sid:84685191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site6.fast-delivery.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822090/; classtype:trojan-activity;sid:84685190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.69.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822089/; classtype:trojan-activity;sid:84685189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city5.fast-delivery.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822088/; classtype:trojan-activity;sid:84685188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.185.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822087/; classtype:trojan-activity;sid:84685187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"total4.fast-delivery.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822086/; classtype:trojan-activity;sid:84685186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.135.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822085/; classtype:trojan-activity;sid:84685185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"post3.fast-delivery.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822084/; classtype:trojan-activity;sid:84685184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.250.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822083/; classtype:trojan-activity;sid:84685183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"box2.fast-delivery.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822082/; classtype:trojan-activity;sid:84685182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.248.33.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822081/; classtype:trojan-activity;sid:84685181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.9.150"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822080/; classtype:trojan-activity;sid:84685180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order1.fast-delivery.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822079/; classtype:trojan-activity;sid:84685179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.9.150"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822078/; classtype:trojan-activity;sid:84685178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822077/; classtype:trojan-activity;sid:84685177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822076/; classtype:trojan-activity;sid:84685176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main6.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822075/; classtype:trojan-activity;sid:84685175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.31.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822074/; classtype:trojan-activity;sid:84685174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.219.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822073/; classtype:trojan-activity;sid:84685173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.219.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822070/; classtype:trojan-activity;sid:84685170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.6.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822071/; classtype:trojan-activity;sid:84685171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.237.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822072/; classtype:trojan-activity;sid:84685172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.175.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822061/; classtype:trojan-activity;sid:84685161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.209.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822062/; classtype:trojan-activity;sid:84685162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.108.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822063/; classtype:trojan-activity;sid:84685163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.0.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822064/; classtype:trojan-activity;sid:84685164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.193.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822065/; classtype:trojan-activity;sid:84685165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.84.28.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822066/; classtype:trojan-activity;sid:84685166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.254.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822067/; classtype:trojan-activity;sid:84685167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.31.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822068/; classtype:trojan-activity;sid:84685168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.127.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822069/; classtype:trojan-activity;sid:84685169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.130.24.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822055/; classtype:trojan-activity;sid:84685155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822056/; classtype:trojan-activity;sid:84685156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.138.135.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822057/; classtype:trojan-activity;sid:84685157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.29.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822058/; classtype:trojan-activity;sid:84685158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.155.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822059/; classtype:trojan-activity;sid:84685159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.64.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822060/; classtype:trojan-activity;sid:84685160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.86.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822054/; classtype:trojan-activity;sid:84685154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822053/; classtype:trojan-activity;sid:84685153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.140.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822052/; classtype:trojan-activity;sid:84685152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"153.37.227.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822051/; classtype:trojan-activity;sid:84685151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.10.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822045/; classtype:trojan-activity;sid:84685145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.133.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822046/; classtype:trojan-activity;sid:84685146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.221.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822047/; classtype:trojan-activity;sid:84685147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.32.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822048/; classtype:trojan-activity;sid:84685148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.174.246.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822049/; classtype:trojan-activity;sid:84685149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"help5.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822050/; classtype:trojan-activity;sid:84685150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.41.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822033/; classtype:trojan-activity;sid:84685133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.204.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822034/; classtype:trojan-activity;sid:84685134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.32.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822035/; classtype:trojan-activity;sid:84685135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.95.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822036/; classtype:trojan-activity;sid:84685136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.130.121.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822037/; classtype:trojan-activity;sid:84685137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822038/; classtype:trojan-activity;sid:84685138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.243.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822039/; classtype:trojan-activity;sid:84685139; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.120.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822040/; classtype:trojan-activity;sid:84685140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.221.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822041/; classtype:trojan-activity;sid:84685141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.54.29.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822042/; classtype:trojan-activity;sid:84685142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.173.90.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822043/; classtype:trojan-activity;sid:84685143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.213.219.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3822044/; classtype:trojan-activity;sid:84685144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.61.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822032/; classtype:trojan-activity;sid:84685132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822031/; classtype:trojan-activity;sid:84685131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.254.8.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822030/; classtype:trojan-activity;sid:84685130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.135.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822029/; classtype:trojan-activity;sid:84685129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.250.75"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822028/; classtype:trojan-activity;sid:84685128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.175.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822021/; classtype:trojan-activity;sid:84685121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.128.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822022/; classtype:trojan-activity;sid:84685122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.57.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822023/; classtype:trojan-activity;sid:84685123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.184.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822024/; classtype:trojan-activity;sid:84685124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"221.15.184.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822025/; classtype:trojan-activity;sid:84685125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.151.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822026/; classtype:trojan-activity;sid:84685126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.189.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822027/; classtype:trojan-activity;sid:84685127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.120.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821999/; classtype:trojan-activity;sid:84685099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.65.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822000/; classtype:trojan-activity;sid:84685100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822001)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822001/; classtype:trojan-activity;sid:84685101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.249.194.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822002/; classtype:trojan-activity;sid:84685102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.26.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822003/; classtype:trojan-activity;sid:84685103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822004/; classtype:trojan-activity;sid:84685104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.255.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822005/; classtype:trojan-activity;sid:84685105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3822006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.121.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822006/; classtype:trojan-activity;sid:84685106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.177.33.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822007/; classtype:trojan-activity;sid:84685107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.240.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822008/; classtype:trojan-activity;sid:84685108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.134.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822009/; classtype:trojan-activity;sid:84685109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.209.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822010/; 
classtype:trojan-activity;sid:84685110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.41.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822011/; classtype:trojan-activity;sid:84685111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.48.166.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822012/; classtype:trojan-activity;sid:84685112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.138.135.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822013/; classtype:trojan-activity;sid:84685113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.232.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822014/; classtype:trojan-activity;sid:84685114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.241.79"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822015/; classtype:trojan-activity;sid:84685115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.128.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822016/; classtype:trojan-activity;sid:84685116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.69.92.51"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822017/; classtype:trojan-activity;sid:84685117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.11.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822018/; classtype:trojan-activity;sid:84685118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.151.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822019/; classtype:trojan-activity;sid:84685119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.127.86.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822020/; classtype:trojan-activity;sid:84685120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.163.134.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821996/; classtype:trojan-activity;sid:84685096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.10.44.142"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821997/; classtype:trojan-activity;sid:84685097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821998/; classtype:trojan-activity;sid:84685098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.139.35.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821995/; classtype:trojan-activity;sid:84685095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821994)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"item4.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821994/; classtype:trojan-activity;sid:84685094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.aarch64"; depth:22; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821993/; classtype:trojan-activity;sid:84685093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sassy-cats.sh"; depth:14; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821992/; classtype:trojan-activity;sid:84685092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.arc"; depth:17; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821989/; classtype:trojan-activity;sid:84685089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.sparc"; depth:19; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821990/; 
classtype:trojan-activity;sid:84685090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.armv6l"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821991/; classtype:trojan-activity;sid:84685091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.powerpc"; depth:22; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821988/; classtype:trojan-activity;sid:84685088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.sparc"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821987/; classtype:trojan-activity;sid:84685087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.mips"; depth:19; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821985/; classtype:trojan-activity;sid:84685085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.armv6l"; depth:20; endswith; 
nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821986/; classtype:trojan-activity;sid:84685086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.mipsel"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821982/; classtype:trojan-activity;sid:84685082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.x86_64"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821983/; classtype:trojan-activity;sid:84685083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.i486"; depth:19; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821984/; classtype:trojan-activity;sid:84685084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.aarch64"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821979/; classtype:trojan-activity;sid:84685079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.armv4l"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821980/; classtype:trojan-activity;sid:84685080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.mipsel"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821981/; classtype:trojan-activity;sid:84685081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.armv4l"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821969/; classtype:trojan-activity;sid:84685069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.armv5l"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821970/; classtype:trojan-activity;sid:84685070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.sh4"; depth:18; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, 
urlhaus.abuse.ch/url/3821971/; classtype:trojan-activity;sid:84685071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.armv7l"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821972/; classtype:trojan-activity;sid:84685072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy.aarch64"; depth:15; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821973/; classtype:trojan-activity;sid:84685073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.armv7l"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821974/; classtype:trojan-activity;sid:84685074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.armv5l"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821975/; classtype:trojan-activity;sid:84685075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.m68k"; 
depth:18; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821976/; classtype:trojan-activity;sid:84685076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.m68k"; depth:19; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821977/; classtype:trojan-activity;sid:84685077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/.sassy.arc"; depth:18; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821978/; classtype:trojan-activity;sid:84685078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.x86_64"; depth:20; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821964/; classtype:trojan-activity;sid:84685064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.i486"; depth:18; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821965/; classtype:trojan-activity;sid:84685065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3821966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.mips"; depth:18; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821966/; classtype:trojan-activity;sid:84685066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.sh4"; depth:17; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821967/; classtype:trojan-activity;sid:84685067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.sassy/sassy.powerpc"; depth:21; endswith; nocase; http.host; content:"46.101.46.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821968/; classtype:trojan-activity;sid:84685068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"media3.puremarket.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821963/; classtype:trojan-activity;sid:84685063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.248.33.200"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821962/; classtype:trojan-activity;sid:84685062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.250.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821961/; classtype:trojan-activity;sid:84685061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest2.puremarket.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821960/; classtype:trojan-activity;sid:84685060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shop1.puremarket.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821959/; classtype:trojan-activity;sid:84685059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.149.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821958/; classtype:trojan-activity;sid:84685058; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.54.95.49"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821957/; classtype:trojan-activity;sid:84685057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-link.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821956/; classtype:trojan-activity;sid:84685056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.236.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821955/; classtype:trojan-activity;sid:84685055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"push5-sync.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821954/; classtype:trojan-activity;sid:84685054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821953)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file4-path.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821953/; classtype:trojan-activity;sid:84685053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sort3-item.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821952/; classtype:trojan-activity;sid:84685052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.3.70.107"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821951/; classtype:trojan-activity;sid:84685051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.63.140.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821950/; classtype:trojan-activity;sid:84685050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.201.173"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821949/; classtype:trojan-activity;sid:84685049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.236.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821948/; classtype:trojan-activity;sid:84685048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view2-data.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821947/; classtype:trojan-activity;sid:84685047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x2gv5tlkca"; depth:11; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821946/; classtype:trojan-activity;sid:84685046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.149.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821945/; classtype:trojan-activity;sid:84685045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow1-open.clear-stream-web.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821944/; classtype:trojan-activity;sid:84685044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"drop6-main.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821943/; classtype:trojan-activity;sid:84685043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821942/; classtype:trojan-activity;sid:84685042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pack5-unit.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821941/; classtype:trojan-activity;sid:84685041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821940)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"load4-byte.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821940/; classtype:trojan-activity;sid:84685040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.63.140.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821939/; classtype:trojan-activity;sid:84685039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"park3-area.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821938/; classtype:trojan-activity;sid:84685038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.110.17.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821937/; classtype:trojan-activity;sid:84685037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"ship2-move.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821936/; classtype:trojan-activity;sid:84685036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trip1-road.speed-route-track.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821935/; classtype:trojan-activity;sid:84685035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"call6-root.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821934/; classtype:trojan-activity;sid:84685034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.232.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821933/; classtype:trojan-activity;sid:84685033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3821932/; classtype:trojan-activity;sid:84685032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.54.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821931/; classtype:trojan-activity;sid:84685031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mail5-send.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821930/; classtype:trojan-activity;sid:84685030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.232.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821929/; classtype:trojan-activity;sid:84685029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sign4-icon.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821928/; classtype:trojan-activity;sid:84685028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7556497175/qklijhu.bat"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821927/; classtype:trojan-activity;sid:84685027; rev:1;)
# The line above is the tail of a rule whose "alert http ..." header precedes this span;
# it pins a .bat path on 85.239.147.6.
#
# All rules below share one template: a GET request from $HOME_NET to $EXTERNAL_NET whose
# whole normalized URI equals the http.uri content (depth equal to the content length,
# plus endswith, nocase) and whose whole normalized host equals the http.host content
# (depth equal to its length, plus isdataat:!1,relative).
# Consequences for triage and coverage:
#   - The rule fires on the client request, so a hit means an internal host asked for the
#     URL; whether the payload was delivered has to be confirmed from the response or the
#     endpoint.
#   - A query string or any other change to the path, or a different host name, is enough
#     to miss.
#   - Only cleartext HTTP is inspected by "alert http" rules.
#
# Fixed 82-byte path with rotating host names under brief-point-sync.in.net. The path is
# identical across these rules and only the left-most host label changes, so host-pinned
# rules lag behind newly registered labels; a log search on the path alone gives wider
# coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"note3-base.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821926/; classtype:trojan-activity;sid:84685026; rev:1;)
# Two-byte URI "/i" on an IP-literal host: the URI by itself is generic, so the host match
# carries all of the specificity.
# NOTE(review): IP addresses can be reassigned; check the reference URL before treating an
# old entry as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821925/; classtype:trojan-activity;sid:84685025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"card2-fast.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821924/; classtype:trojan-activity;sid:84685024; rev:1;)
# "/mozi.a" on an IP-literal host.
# NOTE(review): the file name resembles the naming associated with the Mozi IoT botnet;
# confirm the family from the URLhaus reference, not from the name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"59.88.232.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821923/; classtype:trojan-activity;sid:84685023; rev:1;)
# "/bin.sh" on IP-literal hosts: as with "/i", the short URI is only meaningful together
# with the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.201.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821922/; classtype:trojan-activity;sid:84685022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.54.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821921/; classtype:trojan-activity;sid:84685021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link1-wire.brief-point-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821920/; classtype:trojan-activity;sid:84685020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base6-door.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821919/; classtype:trojan-activity;sid:84685019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark5-logo.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821918/; classtype:trojan-activity;sid:84685018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.175.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821917/; classtype:trojan-activity;sid:84685017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.141.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821916/; classtype:trojan-activity;sid:84685016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.200.218.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821915/; classtype:trojan-activity;sid:84685015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821914)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site4-info.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821914/; classtype:trojan-activity;sid:84685014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zone3-view.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821913/; classtype:trojan-activity;sid:84685013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"area2-find.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821912/; classtype:trojan-activity;sid:84685012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city1-spot.local-vision-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821911/; classtype:trojan-activity;sid:84685011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.84.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821910/; classtype:trojan-activity;sid:84685010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.30.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821909/; classtype:trojan-activity;sid:84685009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.243.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821908/; classtype:trojan-activity;sid:84685008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.200.218.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821907/; classtype:trojan-activity;sid:84685007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work6-host.active-phase-net.in.net"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821906/; classtype:trojan-activity;sid:84685006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.235.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821905/; classtype:trojan-activity;sid:84685005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.235.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821904/; classtype:trojan-activity;sid:84685004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goal5-list.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821903/; classtype:trojan-activity;sid:84685003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"term4-text.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821902/; classtype:trojan-activity;sid:84685002; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"plan3-item.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821901/; classtype:trojan-activity;sid:84685001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.118.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821900/; classtype:trojan-activity;sid:84685000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step2-flow.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821899/; classtype:trojan-activity;sid:84684999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"task1-core.active-phase-net.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821898/; classtype:trojan-activity;sid:84684998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3821897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cover6-link.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821897/; classtype:trojan-activity;sid:84684997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.203.169.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821896/; classtype:trojan-activity;sid:84684996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.86.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821895/; classtype:trojan-activity;sid:84684995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sheet5-view.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821894/; classtype:trojan-activity;sid:84684994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821893)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"table4-data.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821893/; classtype:trojan-activity;sid:84684993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.86.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821892/; classtype:trojan-activity;sid:84684992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.245.195.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821891/; classtype:trojan-activity;sid:84684991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"topic3-base.daily-report-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821890/; classtype:trojan-activity;sid:84684990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.168.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; 
reference:url, urlhaus.abuse.ch/url/3821889/; classtype:trojan-activity;sid:84684989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"event2-log.daily-report-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821888/; classtype:trojan-activity;sid:84684988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.118.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821887/; classtype:trojan-activity;sid:84684987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.203.169.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821886/; classtype:trojan-activity;sid:84684986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"news1-wire.daily-report-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821885/; classtype:trojan-activity;sid:84684985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3821884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"front6-gate.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821884/; classtype:trojan-activity;sid:84684984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"piece5-load.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821883/; classtype:trojan-activity;sid:84684983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"layer4-show.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821882/; classtype:trojan-activity;sid:84684982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.183.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821881/; classtype:trojan-activity;sid:84684981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"frame3-work.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3821880/; classtype:trojan-activity;sid:84684980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.102.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821879/; classtype:trojan-activity;sid:84684979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"211.158.212.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821878/; classtype:trojan-activity;sid:84684978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"block2-text.prime-sector-unit.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821877/; classtype:trojan-activity;sid:84684977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"42.53.245.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821876/; classtype:trojan-activity;sid:84684976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"place6-hub.urban-motion-app.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821875/; classtype:trojan-activity;sid:84684975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821874/; classtype:trojan-activity;sid:84684974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cycle5-time.urban-motion-app.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821873/; classtype:trojan-activity;sid:84684973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821872/; classtype:trojan-activity;sid:84684972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"store4-data.urban-motion-app.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821871/; classtype:trojan-activity;sid:84684971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8424601462/pu9pbui.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821870/; classtype:trojan-activity;sid:84684970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.246.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821869/; classtype:trojan-activity;sid:84684969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"track3-info.urban-motion-app.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821868/; classtype:trojan-activity;sid:84684968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3821867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"point2-map.urban-motion-app.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821867/; classtype:trojan-activity;sid:84684967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"route1-path.urban-motion-app.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821866/; classtype:trojan-activity;sid:84684966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.43.135.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821865/; classtype:trojan-activity;sid:84684965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stage6-main.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821864/; classtype:trojan-activity;sid:84684964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.215.246.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821863/; classtype:trojan-activity;sid:84684963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brand5-post.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821862/; classtype:trojan-activity;sid:84684962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"total4-view.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821861/; classtype:trojan-activity;sid:84684961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brief3-form.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821860/; classtype:trojan-activity;sid:84684960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821859)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stock2-item.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821859/; classtype:trojan-activity;sid:84684959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821858/; classtype:trojan-activity;sid:84684958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.202.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821857/; classtype:trojan-activity;sid:84684957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order1-list.global-export-base.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821856/; classtype:trojan-activity;sid:84684956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821855)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"entry6-site.smart-logic-trade.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821855/; classtype:trojan-activity;sid:84684955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.53.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821854/; classtype:trojan-activity;sid:84684954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"staff5-help.smart-logic-trade.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821853/; classtype:trojan-activity;sid:84684953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.114.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821852/; classtype:trojan-activity;sid:84684952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"media4-file.smart-logic-trade.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821851/; classtype:trojan-activity;sid:84684951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.53.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821850/; classtype:trojan-activity;sid:84684950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.166.39.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821849/; classtype:trojan-activity;sid:84684949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.146.185.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821848/; classtype:trojan-activity;sid:84684948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"index3-page.smart-logic-trade.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821847/; classtype:trojan-activity;sid:84684947; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest2-area.smart-logic-trade.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821846/; classtype:trojan-activity;sid:84684946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"client1-zone.smart-logic-trade.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821845/; classtype:trojan-activity;sid:84684945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.202.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821844/; classtype:trojan-activity;sid:84684944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.1.26.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821843/; classtype:trojan-activity;sid:84684943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821842)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.114.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821842/; classtype:trojan-activity;sid:84684942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.92.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821841/; classtype:trojan-activity;sid:84684941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"70.31.230.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821840/; classtype:trojan-activity;sid:84684940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.115.221.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821839/; classtype:trojan-activity;sid:84684939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.146.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821838/; classtype:trojan-activity;sid:84684938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.245.195.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821837/; classtype:trojan-activity;sid:84684937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6730435251/fyxpxpd.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821836/; classtype:trojan-activity;sid:84684936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.123.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821835/; classtype:trojan-activity;sid:84684935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.102.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821834/; classtype:trojan-activity;sid:84684934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.115.221.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821833/; classtype:trojan-activity;sid:84684933; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.127.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821832/; classtype:trojan-activity;sid:84684932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.102.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821831/; classtype:trojan-activity;sid:84684931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.122.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821830/; classtype:trojan-activity;sid:84684930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821829/; classtype:trojan-activity;sid:84684929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.169.115.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821828/; classtype:trojan-activity;sid:84684928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.122.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821827/; classtype:trojan-activity;sid:84684927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821826/; classtype:trojan-activity;sid:84684926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fscan"; depth:6; endswith; nocase; http.host; content:"101.43.204.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821825/; classtype:trojan-activity;sid:84684925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lucifer.elf"; depth:12; endswith; nocase; http.host; content:"101.43.204.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821821/; classtype:trojan-activity;sid:84684921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g64.exe"; depth:8; endswith; nocase; http.host; 
content:"101.43.204.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821822/; classtype:trojan-activity;sid:84684922; rev:1;)
# --- reviewer notes for the rules below (all created_at 2026_04_14) ---
# Every rule in this run has the same shape:
#   http.method  content:"GET"                       (method buffer contains GET)
#   http.uri     content:"<path>"; depth:<len>; endswith; nocase;
#   http.host    content:"<host>"; depth:<len>; isdataat:!1,relative;
# depth equals the pattern length, and endswith / isdataat:!1,relative forbid
# trailing bytes, so both buffers must equal the pattern exactly (the URI
# case-insensitively). A request for the same path with a query string or an
# extra path segment therefore does not match: these are exact-URL indicators,
# not malware-family signatures.
# Only cleartext HTTP from $HOME_NET to $EXTERNAL_NET is covered; the same URL
# fetched over TLS is not seen here unless traffic is decrypted upstream.
# sid = URLhaus id + 80863100 throughout, and reference:url names the URLhaus
# entry, so an alert can be traced back to the feed record during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.122.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821823/; classtype:trojan-activity;sid:84684923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.169.115.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821824/; classtype:trojan-activity;sid:84684924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.30.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821820/; classtype:trojan-activity;sid:84684920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7640890992/ku5ujka.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821819/; classtype:trojan-activity;sid:84684919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.24.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821818/; classtype:trojan-activity;sid:84684918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"72.255.32.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821816/; classtype:trojan-activity;sid:84684916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.mips"; depth:34; endswith; nocase; http.host; content:"srv1471368.hstgr.cloud"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821817/; classtype:trojan-activity;sid:84684917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"83.168.95.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821814/; classtype:trojan-activity;sid:84684914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.mips"; depth:34; endswith; nocase; http.host; content:"187.77.144.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821815/; classtype:trojan-activity;sid:84684915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.235.49.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821813/; classtype:trojan-activity;sid:84684913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oxpdxnaob113/assets/js/qauask2ad8"; depth:34; endswith; nocase; http.host; content:"46.151.182.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821812/; classtype:trojan-activity;sid:84684912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.160.197.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821811/; classtype:trojan-activity;sid:84684911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.221.175.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821809/; classtype:trojan-activity;sid:84684909; rev:1;)
# NOTE(review): the next host is a provider-style name that embeds the address
# matched by sid 84684911 above; presumably the same server reported under
# both its name and its IP. Similar address-embedding names appear further
# down (in-addr.arpa, dsl-dynamic, ptr.*). Names like these can be re-pointed
# or reassigned, so treat a hit as a lead to confirm, not as proof.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"static-103-160-197-181.unpl.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821810/; classtype:trojan-activity;sid:84684910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"103.213.112.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821808/; classtype:trojan-activity;sid:84684908; rev:1;)
# NOTE(review): "//arm5" here (sid 84684907), and "///arm5" (sid 84684888) and
# "//arm5" (sid 84684868) further down, keep the repeated slashes of the
# reported URL. http.uri is the normalised URI buffer; whether repeated
# slashes survive normalisation depends on the sensor's HTTP parser settings.
# Confirm against a test capture before relying on these three sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"85.11.167.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821807/; classtype:trojan-activity;sid:84684907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.229.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821806/; classtype:trojan-activity;sid:84684906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"171.25.158.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821804/; classtype:trojan-activity;sid:84684904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm64"; depth:11; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821805/; classtype:trojan-activity;sid:84684905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"46.107.230.43.in-addr.arpa"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821803/; classtype:trojan-activity;sid:84684903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"ip-2422.proline.net.ua"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821802/; classtype:trojan-activity;sid:84684902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"45.141.26.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821792/; classtype:trojan-activity;sid:84684892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"142.248.228.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821793/; classtype:trojan-activity;sid:84684893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.61.15.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821794/; classtype:trojan-activity;sid:84684894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"223.123.73.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821795/; classtype:trojan-activity;sid:84684895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"179.43.175.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821796/; classtype:trojan-activity;sid:84684896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"31.134.16.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821797/; classtype:trojan-activity;sid:84684897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"85.11.167.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821798/; classtype:trojan-activity;sid:84684898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"85.11.167.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821799/; classtype:trojan-activity;sid:84684899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"85.11.167.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821800/; classtype:trojan-activity;sid:84684900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"66.167.147.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821801/; classtype:trojan-activity;sid:84684901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"202.141.43.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821791/; classtype:trojan-activity;sid:84684891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"43.230.107.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821790/; classtype:trojan-activity;sid:84684890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821788/; classtype:trojan-activity;sid:84684888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821789/; classtype:trojan-activity;sid:84684889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"58.74.6.14"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821787/; classtype:trojan-activity;sid:84684887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.119.62.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821786/; classtype:trojan-activity;sid:84684886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nullpointer.mips"; depth:22; endswith; nocase; http.host; content:"91.218.66.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821783/; classtype:trojan-activity;sid:84684883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"157.245.158.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821784/; classtype:trojan-activity;sid:84684884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fit075kmyvo3/assets/js/3tipr96698"; depth:34; endswith; nocase; http.host; content:"130.12.180.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821785/; classtype:trojan-activity;sid:84684885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"103.186.147.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821779/; classtype:trojan-activity;sid:84684879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.123.43.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821780/; classtype:trojan-activity;sid:84684880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.123.43.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821781/; classtype:trojan-activity;sid:84684881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"223.123.43.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821782/; classtype:trojan-activity;sid:84684882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r.txt"; depth:6; endswith; nocase; http.host; content:"192so3245.vybrelease.cn.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821778/; classtype:trojan-activity;sid:84684878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nad.sh"; depth:7; endswith; nocase; http.host; content:"5.175.223.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821777/; classtype:trojan-activity;sid:84684877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"56.63.32.95.dsl-dynamic.vsi.ru"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821776/; classtype:trojan-activity;sid:84684876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/sora.mips64"; depth:24; endswith; nocase; http.host; content:"176.65.148.189.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821775/; classtype:trojan-activity;sid:84684875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/sora.arm7"; depth:22; endswith; nocase; http.host; content:"176.65.148.189.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821773/; classtype:trojan-activity;sid:84684873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.bri7tanon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821774/; classtype:trojan-activity;sid:84684874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/sora.sparc"; depth:23; endswith; nocase; http.host; content:"176.65.148.189.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821771/; classtype:trojan-activity;sid:84684871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/sora.arm5"; depth:22; endswith; nocase; http.host; content:"176.65.148.189.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821772/; classtype:trojan-activity;sid:84684872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/sora.arm6"; depth:22; endswith; nocase; http.host; content:"176.65.148.189.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821770/; classtype:trojan-activity;sid:84684870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"158.94.208.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821768/; classtype:trojan-activity;sid:84684868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"152.42.183.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821769/; classtype:trojan-activity;sid:84684869; rev:1;)
# From here on most rules cover one path family ("manji.<arch>", with and
# without a "/download/" prefix) on two hosts: maro033.identifypls.us.com and
# 188.214.30.136. Because matching is exact, every arch / prefix / host
# combination carries its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821765/; classtype:trojan-activity;sid:84684865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821766/; classtype:trojan-activity;sid:84684866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm7"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821767/; classtype:trojan-activity;sid:84684867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.armv6l"; depth:13; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821763/; classtype:trojan-activity;sid:84684863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.mpsl"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821764/; classtype:trojan-activity;sid:84684864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.armv4l"; depth:22; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821761/; classtype:trojan-activity;sid:84684861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sparc"; depth:12; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821762/; classtype:trojan-activity;sid:84684862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821760/; classtype:trojan-activity;sid:84684860; rev:1;)
# NOTE(review): several rules on 188.214.30.136 are identical apart from
# msg / reference / sid, so a single request raises two alerts:
#   /download/manji.arm7   sids 84684843 and 84684852
#   /download/manji.mpsl   sids 84684848 and 84684851
#   /download/manji.i486   sids 84684849 and 84684857
#   /download/manji.x86    sids 84684855 and 84684856
#   /download/manji.arc    sids 84684847 and 84684826
# Presumably the URLhaus entries differ in something the rule does not encode
# (scheme, port or letter case) - verify against the feed. De-duplicate on
# host + URI downstream rather than counting these as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.i686"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821742/; classtype:trojan-activity;sid:84684842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm7"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821743/; classtype:trojan-activity;sid:84684843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm5"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821744/; classtype:trojan-activity;sid:84684844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.amd64"; depth:21; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821745/; classtype:trojan-activity;sid:84684845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.sparc"; depth:21; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821746/; classtype:trojan-activity;sid:84684846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arc"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821747/; classtype:trojan-activity;sid:84684847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.mpsl"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821748/; classtype:trojan-activity;sid:84684848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.i486"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821749/; classtype:trojan-activity;sid:84684849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.armv4l"; depth:13; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821750/; classtype:trojan-activity;sid:84684850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.mpsl"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821751/; classtype:trojan-activity;sid:84684851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm7"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821752/; classtype:trojan-activity;sid:84684852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86_64"; depth:13; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821753/; classtype:trojan-activity;sid:84684853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821754/; classtype:trojan-activity;sid:84684854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.x86"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821755/; classtype:trojan-activity;sid:84684855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.x86"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821756/; classtype:trojan-activity;sid:84684856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.i486"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821757/; classtype:trojan-activity;sid:84684857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.x86_64"; depth:22; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821758/; classtype:trojan-activity;sid:84684858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.123.43.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821759/; classtype:trojan-activity;sid:84684859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xd.arm4"; depth:8; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821740/; classtype:trojan-activity;sid:84684840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.i486"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821739/; classtype:trojan-activity;sid:84684839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm5"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821737/; classtype:trojan-activity;sid:84684837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440fp"; depth:15; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821738/; classtype:trojan-activity;sid:84684838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.m68k"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821736/; classtype:trojan-activity;sid:84684836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.armv4l"; depth:13; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821733/; classtype:trojan-activity;sid:84684833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.armv6l"; depth:22; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821734/; classtype:trojan-activity;sid:84684834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.ppc"; depth:19; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821735/; classtype:trojan-activity;sid:84684835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.sh4"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821719/; classtype:trojan-activity;sid:84684819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821720/; classtype:trojan-activity;sid:84684820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.ppc"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821721/; classtype:trojan-activity;sid:84684821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821722/; classtype:trojan-activity;sid:84684822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821723/; classtype:trojan-activity;sid:84684823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.m68k"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821724/; classtype:trojan-activity;sid:84684824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.ppc440fp"; depth:24; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821725/; classtype:trojan-activity;sid:84684825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arc"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821726/; classtype:trojan-activity;sid:84684826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3821727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821727/; classtype:trojan-activity;sid:84684827; rev:1;)
# Duplicate coverage: the feed lists some URI/host pairs under more than one URLhaus id.
# 3821728 below has the same http.uri and http.host values as 3821725, and 3821729 the
# same as 3821704, so a single request raises one alert per sid. Group or threshold
# on host + URI when counting events rather than on sid.
# The manji.<arch> names appear both at / and under /download/ on 188.214.30.136 and
# on maro033.identifypls.us.com; each rule matches exactly one path on one host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.ppc440fp"; depth:24; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821728/; classtype:trojan-activity;sid:84684828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821729/; classtype:trojan-activity;sid:84684829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.armv4l"; depth:13; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821730/; classtype:trojan-activity;sid:84684830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.amd64"; depth:12; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821731/; classtype:trojan-activity;sid:84684831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.x86_64"; depth:22; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821732/; classtype:trojan-activity;sid:84684832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arc"; depth:19; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821718/; classtype:trojan-activity;sid:84684818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821717/; classtype:trojan-activity;sid:84684817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821716/; classtype:trojan-activity;sid:84684816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821715)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/download/manji.ppc440fp"; depth:24; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821715/; classtype:trojan-activity;sid:84684815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821713/; classtype:trojan-activity;sid:84684813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.sh4"; depth:19; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821714/; classtype:trojan-activity;sid:84684814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821711/; classtype:trojan-activity;sid:84684811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821712/; 
classtype:trojan-activity;sid:84684812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.amd64"; depth:12; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821703/; classtype:trojan-activity;sid:84684803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821704/; classtype:trojan-activity;sid:84684804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821705/; classtype:trojan-activity;sid:84684805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sparc"; depth:12; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821706/; classtype:trojan-activity;sid:84684806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.mips"; depth:20; endswith; nocase; http.host; 
content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821707/; classtype:trojan-activity;sid:84684807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821708/; classtype:trojan-activity;sid:84684808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821709/; classtype:trojan-activity;sid:84684809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.armv4l"; depth:22; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821710/; classtype:trojan-activity;sid:84684810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821690/; classtype:trojan-activity;sid:84684790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821691)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sparc"; depth:12; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821691/; classtype:trojan-activity;sid:84684791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86_64"; depth:13; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821692/; classtype:trojan-activity;sid:84684792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.x86_64"; depth:22; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821693/; classtype:trojan-activity;sid:84684793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.arm5"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821694/; classtype:trojan-activity;sid:84684794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.armv6l"; depth:22; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821695/; 
classtype:trojan-activity;sid:84684795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.ppc"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821696/; classtype:trojan-activity;sid:84684796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821697/; classtype:trojan-activity;sid:84684797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821698/; classtype:trojan-activity;sid:84684798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440fp"; depth:15; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821699/; classtype:trojan-activity;sid:84684799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kwari.mips64"; depth:18; endswith; nocase; http.host; 
content:"45.83.207.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821700/; classtype:trojan-activity;sid:84684800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821701/; classtype:trojan-activity;sid:84684801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.m68k"; depth:20; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821702/; classtype:trojan-activity;sid:84684802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.amd64"; depth:21; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821689/; classtype:trojan-activity;sid:84684789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.mips"; depth:20; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821688/; classtype:trojan-activity;sid:84684788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821685/; classtype:trojan-activity;sid:84684785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"maro033.identifypls.us.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821686/; classtype:trojan-activity;sid:84684786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821681/; classtype:trojan-activity;sid:84684781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kwari.i686"; depth:16; endswith; nocase; http.host; content:"45.83.207.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821682/; classtype:trojan-activity;sid:84684782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821683/; classtype:trojan-activity;sid:84684783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kwari.sparc"; depth:17; endswith; nocase; http.host; content:"45.83.207.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821684/; classtype:trojan-activity;sid:84684784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kwari.x86_64"; depth:18; endswith; nocase; http.host; content:"45.83.207.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821675/; classtype:trojan-activity;sid:84684775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kwari.arc"; depth:15; endswith; nocase; http.host; content:"45.83.207.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821676/; classtype:trojan-activity;sid:84684776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.armv6l"; depth:22; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821677/; classtype:trojan-activity;sid:84684777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821678)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/download/manji.sparc"; depth:21; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821678/; classtype:trojan-activity;sid:84684778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/manji.sh4"; depth:19; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821679/; classtype:trojan-activity;sid:84684779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.armv6l"; depth:13; endswith; nocase; http.host; content:"188.214.30.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821680/; classtype:trojan-activity;sid:84684780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.54.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821674/; classtype:trojan-activity;sid:84684774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-task.bri7tanon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821673/; 
classtype:trojan-activity;sid:84684773; rev:1;)
# Hostname-based entries: unlike the IP-literal rules, 3821672 and 3821671 match on a
# DNS name in http.host. The long URI in 3821671 is also listed for
# svc5-task.bri7tanon.in.net (3821673), i.e. one path under two subdomains of the same
# parent; a rule matches only the exact subdomain given, so other subdomains of that
# parent are not covered here.
# 3821672 matches the bare path "/download" in full, nothing shorter or longer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"nenkines-attachments.top"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821672/; classtype:trojan-activity;sid:84684772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"box4-file.bri7tanon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821671/; classtype:trojan-activity;sid:84684771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"103.26.86.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821670/; classtype:trojan-activity;sid:84684770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"175.107.233.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821669/; classtype:trojan-activity;sid:84684769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821667)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.196.163.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821667/; classtype:trojan-activity;sid:84684767; rev:1;)
# 3821666 and 3821660 expect a URI that starts with two slashes ("//arm5", depth:6).
# NOTE(review): http.uri is the normalized URI buffer; whether repeated slashes survive
# normalization depends on the sensor's HTTP parser settings - confirm with a test
# pcap that these sids fire, and check whether a request for "/arm5" with a single
# slash needs separate coverage.
# Short generic paths such as "/arm7" are only meaningful together with the http.host
# match that follows them in the same rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.13.138.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821668/; classtype:trojan-activity;sid:84684768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"31.57.201.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821666/; classtype:trojan-activity;sid:84684766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"91.92.241.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821660/; classtype:trojan-activity;sid:84684760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"104.248.151.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821661/; classtype:trojan-activity;sid:84684761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"104.248.151.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821662/; classtype:trojan-activity;sid:84684762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"104.248.151.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821663/; classtype:trojan-activity;sid:84684763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"104.248.151.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821664/; classtype:trojan-activity;sid:84684764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"104.248.151.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821665/; classtype:trojan-activity;sid:84684765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.122.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821659/; classtype:trojan-activity;sid:84684759; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.30.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821658/; classtype:trojan-activity;sid:84684758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"206.168.201.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821657/; classtype:trojan-activity;sid:84684757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orevmx.sh"; depth:10; endswith; nocase; http.host; content:"178.16.54.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821652/; classtype:trojan-activity;sid:84684752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"139.135.41.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821653/; classtype:trojan-activity;sid:84684753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"102.53.48.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821654/; classtype:trojan-activity;sid:84684754; rev:1;)
# URLhaus download-URL rules, one rule per line.
# Each rule alerts on an established client-to-server HTTP flow from $HOME_NET
# to $EXTERNAL_NET when all of the following hold:
#   - http.method contains "GET"
#   - http.uri matches the listed path case-insensitively (nocase); depth plus
#     endswith pin the pattern to the start and the end of the buffer
#   - http.host equals the listed host: depth is the host length and
#     isdataat:!1,relative requires that no byte follows the match
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"196.188.57.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821655/; classtype:trojan-activity;sid:84684755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmaarriioisectanee.arm"; depth:23; endswith; nocase; http.host; content:"103.253.21.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821656/; classtype:trojan-activity;sid:84684756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giga.sh"; depth:8; endswith; nocase; http.host; content:"87.120.191.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821650/; classtype:trojan-activity;sid:84684750; rev:1;)
# NOTE(review): the pattern below starts with three consecutive slashes.
# http.uri is a normalized buffer, so whether repeated separators reach the
# matcher unchanged depends on the sensor's HTTP path-normalization settings.
# Confirm against the local configuration; if separators are compressed there,
# this rule cannot match the request it was generated from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"87.120.191.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821651/; classtype:trojan-activity;sid:84684751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"45.230.66.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821649/; classtype:trojan-activity;sid:84684749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.157.20.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821648/; classtype:trojan-activity;sid:84684748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"167.71.7.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821645/; classtype:trojan-activity;sid:84684745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fish.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821646/; classtype:trojan-activity;sid:84684746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.190.248.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821647/; classtype:trojan-activity;sid:84684747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821644)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"66.167.169.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821644/; classtype:trojan-activity;sid:84684744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821643/; classtype:trojan-activity;sid:84684743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-list.bri7tanon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821642/; classtype:trojan-activity;sid:84684742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x86"; depth:9; endswith; nocase; http.host; content:"m29058.contaboserver.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821641/; classtype:trojan-activity;sid:84684741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb2.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821640/; 
classtype:trojan-activity;sid:84684740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm4"; depth:12; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821639/; classtype:trojan-activity;sid:84684739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"static-119-15-248-43.dnt.net.pk"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821638/; classtype:trojan-activity;sid:84684738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.24.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821637/; classtype:trojan-activity;sid:84684737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.229.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821636/; classtype:trojan-activity;sid:84684736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; 
content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821632/; classtype:trojan-activity;sid:84684732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x64"; depth:8; endswith; nocase; http.host; content:"103.177.110.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821634/; classtype:trojan-activity;sid:84684734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821635/; classtype:trojan-activity;sid:84684735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.255.33.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821630/; classtype:trojan-activity;sid:84684730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"72.255.19.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821628/; classtype:trojan-activity;sid:84684728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821629)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"72.255.32.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821629/; classtype:trojan-activity;sid:84684729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"193.32.162.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821625/; classtype:trojan-activity;sid:84684725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.26.82.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821626/; classtype:trojan-activity;sid:84684726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm"; depth:15; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821627/; classtype:trojan-activity;sid:84684727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pvd9lva3vy"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821623/; classtype:trojan-activity;sid:84684723; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.x86"; depth:15; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821624/; classtype:trojan-activity;sid:84684724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/k17nel4yr5"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821622/; classtype:trojan-activity;sid:84684722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821619/; classtype:trojan-activity;sid:84684719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"139.135.40.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821620/; classtype:trojan-activity;sid:84684720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"64.118.132.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821621/; classtype:trojan-activity;sid:84684721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_32"; depth:7; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821616/; classtype:trojan-activity;sid:84684716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821617/; classtype:trojan-activity;sid:84684717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821618/; classtype:trojan-activity;sid:84684718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821614/; classtype:trojan-activity;sid:84684714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k17nel4yr5"; depth:11; endswith; nocase; http.host; 
content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821615/; classtype:trojan-activity;sid:84684715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-cert.bri7tanon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821613/; classtype:trojan-activity;sid:84684713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedriveserver.zip"; depth:19; endswith; nocase; http.host; content:"legitserver.theworkpc.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821612/; classtype:trojan-activity;sid:84684712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821611/; classtype:trojan-activity;sid:84684711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web1-host.bri7tanon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821610/; classtype:trojan-activity;sid:84684710; rev:1;)
# URLhaus download-URL rules, one rule per line. Each rule requires an
# established client-to-server HTTP flow, method GET, a case-insensitive
# http.uri match pinned by depth and endswith, and an http.host match that
# isdataat:!1,relative closes off at the end of the buffer.
#
# NOTE(review): in the next rule the sequence |7c|26|7c| decodes to the four
# literal bytes "|26|" (0x7c, '2', '6', 0x7c), not to a single 0x26 ('&').
# This looks like an already hex-escaped ampersand that was escaped a second
# time by the generator. If the reported URL separates its query parameters
# with '&', the rule as written cannot match it. Verify against the URLhaus
# entry before relying on this sid.
# depth:162 is the character count of the pattern as written; the decoded
# pattern is 105 bytes, so depth is looser here than in the rules where it
# equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=bat|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:162; endswith; nocase; http.host; content:"184.174.20.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821609/; classtype:trojan-activity;sid:84684709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.txt"; depth:6; endswith; nocase; http.host; content:"yy.kak.is"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821608/; classtype:trojan-activity;sid:84684708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.txt"; depth:6; endswith; nocase; http.host; content:"yy.kak.is"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821607/; classtype:trojan-activity;sid:84684707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jj.js"; depth:6; endswith; nocase; http.host; content:"xx.kak.is"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821605/; classtype:trojan-activity;sid:84684705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking.com_files/r8qxlm4wn7pvs2.html"; depth:38; endswith; nocase; http.host; content:"bkngextranetreservcontrolpanel.com"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821606/; classtype:trojan-activity;sid:84684706; rev:1;)
# NOTE(review): depth:46 below counts |3f| as four characters; the decoded
# pattern is 43 bytes ('?' is one byte). depth applies to buffer bytes, so
# with endswith this rule tolerates up to three bytes in front of the pattern,
# unlike the rule after it, where depth:34 equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access"; depth:46; endswith; nocase; http.host; content:"willbeanfeddeals.shop"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821602/; classtype:trojan-activity;sid:84684702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi"; depth:34; endswith; nocase; http.host; content:"willbeanfeddeals.shop"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821603/; classtype:trojan-activity;sid:84684703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.txt"; depth:6; endswith; nocase; http.host; content:"195.177.94.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821604/; classtype:trojan-activity;sid:84684704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"gate6-area.nor4vexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821601/; classtype:trojan-activity;sid:84684701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3qtlj.png"; depth:10; endswith; nocase; http.host; content:"dump.win"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821600/; classtype:trojan-activity;sid:84684700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/81ip.exe"; depth:9; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821594/; classtype:trojan-activity;sid:84684694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/workin.exe"; depth:11; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821595/; classtype:trojan-activity;sid:84684695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swchost.exe"; depth:12; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821596/; classtype:trojan-activity;sid:84684696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821597)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eww.exe"; depth:8; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821597/; classtype:trojan-activity;sid:84684697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install3.exe"; depth:13; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821598/; classtype:trojan-activity;sid:84684698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swchost2.exe"; depth:13; endswith; nocase; http.host; content:"81.163.111.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821599/; classtype:trojan-activity;sid:84684699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-edge.nor4vexil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821593/; classtype:trojan-activity;sid:84684693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.249.89.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821592/; classtype:trojan-activity;sid:84684692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.155.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821591/; classtype:trojan-activity;sid:84684691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/femboy.sh"; depth:20; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821582/; classtype:trojan-activity;sid:84684682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.i586"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821583/; classtype:trojan-activity;sid:84684683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.sh4"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821584/; classtype:trojan-activity;sid:84684684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.sparc"; depth:20; 
endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821585/; classtype:trojan-activity;sid:84684685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv4l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821586/; classtype:trojan-activity;sid:84684686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.m68k"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821587/; classtype:trojan-activity;sid:84684687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.mipsel"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821588/; classtype:trojan-activity;sid:84684688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv6l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821589/; classtype:trojan-activity;sid:84684689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.powerpc"; depth:22; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821590/; classtype:trojan-activity;sid:84684690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.mips"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821578/; classtype:trojan-activity;sid:84684678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv5l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821579/; classtype:trojan-activity;sid:84684679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv7l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821580/; classtype:trojan-activity;sid:84684680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.arc"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821581/; classtype:trojan-activity;sid:84684681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.140.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821577/; classtype:trojan-activity;sid:84684677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"salt4-byte.nor4vexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821576/; classtype:trojan-activity;sid:84684676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"46.227.184.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821574/; classtype:trojan-activity;sid:84684674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"43.248.15.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821575/; classtype:trojan-activity;sid:84684675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821573)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.160.135.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821573/; classtype:trojan-activity;sid:84684673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.220.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821572/; classtype:trojan-activity;sid:84684672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-view.nor4vexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821571/; classtype:trojan-activity;sid:84684671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.138.131.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821570/; classtype:trojan-activity;sid:84684670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-test.nor4vexil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 
2026_04_14; reference:url, urlhaus.abuse.ch/url/3821569/; classtype:trojan-activity;sid:84684669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.40.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821568/; classtype:trojan-activity;sid:84684668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/hold.txt"; depth:41; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821566/; classtype:trojan-activity;sid:84684666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/sostener25.txt"; depth:47; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821567/; classtype:trojan-activity;sid:84684667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/sostener2502"; depth:45; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821562/; classtype:trojan-activity;sid:84684662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821563)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/enviar.txt"; depth:43; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821563/; classtype:trojan-activity;sid:84684663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/sostener14.txt"; depth:47; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821564/; classtype:trojan-activity;sid:84684664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudo_mom/sostsenrer2/-/raw/main/sostener17.txt"; depth:47; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821565/; classtype:trojan-activity;sid:84684665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.168.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821561/; classtype:trojan-activity;sid:84684661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"auth1-user.nor4vexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821560/; classtype:trojan-activity;sid:84684660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/our-team/image.png"; depth:19; endswith; nocase; http.host; content:"gtps4change.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821559/; classtype:trojan-activity;sid:84684659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o9qrt3i7dq2l7pa"; depth:16; endswith; nocase; http.host; content:"hasteb.in"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821558/; classtype:trojan-activity;sid:84684658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.249.89.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821557/; classtype:trojan-activity;sid:84684657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-zone.dru9laxen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821556/; classtype:trojan-activity;sid:84684656; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-info.dru9laxen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821555/; classtype:trojan-activity;sid:84684655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.188.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821554/; classtype:trojan-activity;sid:84684654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tmp4-root.dru9laxen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821553/; classtype:trojan-activity;sid:84684653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-pack.dru9laxen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821552/; classtype:trojan-activity;sid:84684652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-stat.dru9laxen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821551/; classtype:trojan-activity;sid:84684651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tcp1-join.dru9laxen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821550/; classtype:trojan-activity;sid:84684650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.63.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821549/; classtype:trojan-activity;sid:84684649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.206.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821548/; classtype:trojan-activity;sid:84684648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"222.138.206.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821547/; classtype:trojan-activity;sid:84684647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-link.xel2mavor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821546/; classtype:trojan-activity;sid:84684646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-base.xel2mavor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821545/; classtype:trojan-activity;sid:84684645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.166.201.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821544/; classtype:trojan-activity;sid:84684644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"git4-repo.xel2mavor.in.net"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821543/; classtype:trojan-activity;sid:84684643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-flag.xel2mavor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821542/; classtype:trojan-activity;sid:84684642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.250.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821541/; classtype:trojan-activity;sid:84684641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.239.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821540/; classtype:trojan-activity;sid:84684640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-path.xel2mavor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821539/; classtype:trojan-activity;sid:84684639; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.250.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821538/; classtype:trojan-activity;sid:84684638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.28.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821537/; classtype:trojan-activity;sid:84684637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ops1-view.xel2mavor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821536/; classtype:trojan-activity;sid:84684636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.239.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821535/; classtype:trojan-activity;sid:84684635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.112.254"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821534/; classtype:trojan-activity;sid:84684634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.166.201.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821533/; classtype:trojan-activity;sid:84684633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-hub.prax6tolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821532/; classtype:trojan-activity;sid:84684632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-mesh.prax6tolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821531/; classtype:trojan-activity;sid:84684631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.213.235.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821530/; classtype:trojan-activity;sid:84684630; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes for the generated URLhaus rules that follow.
#
# Each rule alerts on a client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose request URI and Host value both equal one URLhaus-listed
# download URL (the URLhaus entry id appears in msg and in the reference URL).
#   http.uri  : "depth:<len>; endswith;" anchors the content to both the start
#               and the end of the buffer, so the whole URI must equal the
#               string; "nocase" makes that comparison case-insensitive.
#   http.host : "depth:<len>; isdataat:!1,relative;" requires the content at
#               the start of the buffer with no byte after it, i.e. the whole
#               host value.
#
# NOTE(review): the URI match is exact, so the same path requested with a query
# string appended would presumably not hit these signatures; treat them as
# point indicators and correlate with host/IP-level telemetry (DNS, flow logs).
# NOTE(review): "alert http" only applies to traffic Suricata parses as HTTP;
# the same URL fetched over TLS is presumably not covered unless traffic is
# decrypted upstream of the sensor -- confirm for your deployment.
# NOTE(review): these entries carry metadata created_at 2026_04_14; refresh the
# ruleset from the feed rather than pinning this snapshot.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"db4-cache.prax6tolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821529/; classtype:trojan-activity;sid:84684629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.250.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821528/; classtype:trojan-activity;sid:84684628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-fast.prax6tolin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821527/; classtype:trojan-activity;sid:84684627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.131.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821526/; classtype:trojan-activity;sid:84684626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821525)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.28.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821525/; classtype:trojan-activity;sid:84684625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.112.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821524/; classtype:trojan-activity;sid:84684624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-meta.prax6tolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821523/; classtype:trojan-activity;sid:84684623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"run1-task.prax6tolin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821522/; classtype:trojan-activity;sid:84684622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.23.149"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821521/; classtype:trojan-activity;sid:84684621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-site.kry8navel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821520/; classtype:trojan-activity;sid:84684620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.kry8navel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821519/; classtype:trojan-activity;sid:84684619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.23.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821517/; classtype:trojan-activity;sid:84684617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.114.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821518/; classtype:trojan-activity;sid:84684618; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.184.241.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821516/; classtype:trojan-activity;sid:84684616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bin4-swap.kry8navel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821515/; classtype:trojan-activity;sid:84684615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.147.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821514/; classtype:trojan-activity;sid:84684614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-read.kry8navel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821513/; classtype:trojan-activity;sid:84684613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821512)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.114.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821512/; classtype:trojan-activity;sid:84684612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-port.kry8navel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821511/; classtype:trojan-activity;sid:84684611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mon1-audit.kry8navel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821510/; classtype:trojan-activity;sid:84684610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.23.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821509/; classtype:trojan-activity;sid:84684609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"gate6-pipe.vex3litor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821508/; classtype:trojan-activity;sid:84684608; rev:1;)
# --- URLhaus entries created 2026_04_14, laid out one rule per line (the usual layout of a Suricata rule file) ---
# Shape shared by every rule below: $HOME_NET -> $EXTERNAL_NET, established flow, client side, HTTP method GET.
#   http.uri : content + depth:<content length> + endswith -> the whole URI buffer must equal the path (nocase).
#   http.host: content + depth:<content length> + isdataat:!1,relative -> no bytes may precede or follow the host value.
# NOTE(review): "alert http" only covers requests Suricata parses as HTTP; the same URL fetched over TLS
# would presumably not match without decryption - confirm against sensor placement.
# NOTE(review): these are exact-match IOCs; a changed path (presumably including an appended query string)
# or a changed host is a miss, so treat the feed as one layer next to behavioural detections.
# NOTE(review): many entries below share one long URI path and differ only in http.host (subdomains of several
# *.in.net names); because the host is pinned, a hostname not yet listed by the feed is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-send.vex3litor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821507/; classtype:trojan-activity;sid:84684607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821506/; classtype:trojan-activity;sid:84684606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.220.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821505/; classtype:trojan-activity;sid:84684605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.67.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821504/; classtype:trojan-activity;sid:84684604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file4-path.vex3litor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821503/; classtype:trojan-activity;sid:84684603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-unit.vex3litor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821502/; classtype:trojan-activity;sid:84684602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-info.vex3litor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821501/; classtype:trojan-activity;sid:84684601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821500/; classtype:trojan-activity;sid:84684600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"net1-flow.vex3litor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821499/; classtype:trojan-activity;sid:84684599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-root.tul7moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821498/; classtype:trojan-activity;sid:84684598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"92.38.51.65"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821497/; classtype:trojan-activity;sid:84684597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.67.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821496/; classtype:trojan-activity;sid:84684596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.26.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821495/; classtype:trojan-activity;sid:84684595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-site.tul7moran.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821494/; classtype:trojan-activity;sid:84684594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821493/; classtype:trojan-activity;sid:84684593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.147.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821492/; classtype:trojan-activity;sid:84684592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blob4-host.tul7moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821491/; classtype:trojan-activity;sid:84684591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.80.141"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821490/; classtype:trojan-activity;sid:84684590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821489/; classtype:trojan-activity;sid:84684589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-core.tul7moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821488/; classtype:trojan-activity;sid:84684588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821487/; classtype:trojan-activity;sid:84684587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-call.tul7moran.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821486/; classtype:trojan-activity;sid:84684586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.12.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821485/; classtype:trojan-activity;sid:84684585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lb1-state.tul7moran.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821484/; classtype:trojan-activity;sid:84684584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.qen4varix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821483/; classtype:trojan-activity;sid:84684583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-step.qen4varix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821482/; classtype:trojan-activity;sid:84684582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821481/; classtype:trojan-activity;sid:84684581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.80.141"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821480/; classtype:trojan-activity;sid:84684580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"disk4-data.qen4varix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821479/; classtype:trojan-activity;sid:84684579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-peer.qen4varix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821478/; classtype:trojan-activity;sid:84684578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.34.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821477/; classtype:trojan-activity;sid:84684577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-dns.qen4varix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821476/; classtype:trojan-activity;sid:84684576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.130.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821475/; classtype:trojan-activity;sid:84684575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cdn1-fast.qen4varix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821474/; classtype:trojan-activity;sid:84684574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.145.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821473/; classtype:trojan-activity;sid:84684573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-post.zor5liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821472/; classtype:trojan-activity;sid:84684572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-rule.zor5liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821471/; classtype:trojan-activity;sid:84684571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.174.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821470/; classtype:trojan-activity;sid:84684570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.2.185.116"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821469/; classtype:trojan-activity;sid:84684569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-key.zor5liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821468/; classtype:trojan-activity;sid:84684568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.130.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821467/; classtype:trojan-activity;sid:84684567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"host3-link.zor5liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821466/; classtype:trojan-activity;sid:84684566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.97.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821465/; classtype:trojan-activity;sid:84684565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.168.10.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821464/; classtype:trojan-activity;sid:84684564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-node.zor5liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821463/; classtype:trojan-activity;sid:84684563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.163.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821462/; classtype:trojan-activity;sid:84684562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pop1-edge.zor5liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821461/; classtype:trojan-activity;sid:84684561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.92.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821460/; classtype:trojan-activity;sid:84684560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.138.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821459/; classtype:trojan-activity;sid:84684559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.174.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821458/; classtype:trojan-activity;sid:84684558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.153.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821457/; classtype:trojan-activity;sid:84684557; rev:1;)
# The next five entries (sids 84684552-84684556, listed out of numeric order) all pin the same host and
# differ only in the requested file: .exe, .zip and .ps1 paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aig.exe.88"; depth:11; endswith; nocase; http.host; content:"132.243.173.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821454/; classtype:trojan-activity;sid:84684554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aig_173_55.zip"; depth:15; endswith; nocase; http.host; content:"132.243.173.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821455/; classtype:trojan-activity;sid:84684555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aig.exe"; depth:8; endswith; nocase; http.host; content:"132.243.173.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821456/; classtype:trojan-activity;sid:84684556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aig_173_55_2.zip"; depth:17; endswith; nocase; http.host; content:"132.243.173.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821452/; classtype:trojan-activity;sid:84684552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start_qsr.ps1"; depth:14; endswith; nocase; http.host; content:"132.243.173.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821453/; classtype:trojan-activity;sid:84684553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.168.10.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821450/; classtype:trojan-activity;sid:84684550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-a5h.zen4qorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821451/; classtype:trojan-activity;sid:84684551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.248.80.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821449/; classtype:trojan-activity;sid:84684549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynmarka2.zen4qorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821448/; classtype:trojan-activity;sid:84684548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft3-ring.zen4qorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821447/; classtype:trojan-activity;sid:84684547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.204.154.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821445/; classtype:trojan-activity;sid:84684545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"23.92.130.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821446/; classtype:trojan-activity;sid:84684546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"darkspark.zen4qorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821443/; classtype:trojan-activity;sid:84684543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.227.225.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821444/; classtype:trojan-activity;sid:84684544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.92.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821442/; classtype:trojan-activity;sid:84684542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rai16-track.zen4qorin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821441/; classtype:trojan-activity;sid:84684541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.149.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821440/; classtype:trojan-activity;sid:84684540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.204.154.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821439/; classtype:trojan-activity;sid:84684539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"upzr.zen4qorin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821438/; classtype:trojan-activity;sid:84684538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cipherengin.mor5laxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821437/; classtype:trojan-activity;sid:84684537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.31.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821436/; classtype:trojan-activity;sid:84684536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vialinn.mor5laxis.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821435/; classtype:trojan-activity;sid:84684535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.92.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821432/; classtype:trojan-activity;sid:84684532; rev:1;)
# URLhaus download-URL signatures (created 2026_04_14), laid out one rule per line.
# Each rule fires on an outbound ($HOME_NET -> $EXTERNAL_NET), established, client-side HTTP GET and pins two buffers:
#   http.uri : content + depth:<content length> + endswith -> the whole URI buffer must equal the path (nocase).
#   http.host: content + depth:<content length> + isdataat:!1,relative -> no bytes may precede or follow the host value.
# NOTE(review): "alert http" only covers requests Suricata parses as HTTP; the same URL fetched over TLS
# would presumably not match without decryption - confirm against sensor placement.
# NOTE(review): exact-match IOCs; a changed path or host is a miss, so use the feed alongside behavioural detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.29.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821433/; classtype:trojan-activity;sid:84684533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.248.80.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821434/; classtype:trojan-activity;sid:84684534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.149.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821431/; classtype:trojan-activity;sid:84684531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred.dll"; depth:26; endswith; nocase; http.host; content:"176.65.144.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821430/; classtype:trojan-activity;sid:84684530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hz7cbx.mor5laxis.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821429/; classtype:trojan-activity;sid:84684529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.34.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821428/; classtype:trojan-activity;sid:84684528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rlovrqd.mor5laxis.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821427/; classtype:trojan-activity;sid:84684527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.99.108"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821426/; classtype:trojan-activity;sid:84684526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkflux7is.mor5laxis.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821425/; classtype:trojan-activity;sid:84684525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"64.53.93.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821424/; classtype:trojan-activity;sid:84684524; rev:1;)
# "/i486" is its own entry: the "/i" rules require the URI buffer to end right after "/i", so they do not cover it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821423/; classtype:trojan-activity;sid:84684523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.107.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821422/; classtype:trojan-activity;sid:84684522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"road5-field.mor5laxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821421/; classtype:trojan-activity;sid:84684521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quormeshar.qul4xorin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821420/; classtype:trojan-activity;sid:84684520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29/img_172631.png"; depth:18; endswith; nocase; http.host; content:"198.12.83.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821419/; classtype:trojan-activity;sid:84684519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.145.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821418/; classtype:trojan-activity;sid:84684518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"64.53.93.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821416/; classtype:trojan-activity;sid:84684516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.200.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821417/; classtype:trojan-activity;sid:84684517; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quor-tidear.qul4xorin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821415/; classtype:trojan-activity;sid:84684515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.205.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821414/; classtype:trojan-activity;sid:84684514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.131.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821413/; classtype:trojan-activity;sid:84684513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.99.108"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821412/; classtype:trojan-activity;sid:84684512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821411)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"q1tnk.qul4xorin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821411/; classtype:trojan-activity;sid:84684511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"triforgea.qul4xorin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821410/; classtype:trojan-activity;sid:84684510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.173.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821408/; classtype:trojan-activity;sid:84684508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821409/; classtype:trojan-activity;sid:84684509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rc3ba.qul4xorin.in.net"; 
depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821407/; classtype:trojan-activity;sid:84684507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cmvpokng.qul4xorin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821406/; classtype:trojan-activity;sid:84684506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freigoak.norxelav.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821405/; classtype:trojan-activity;sid:84684505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.165.125.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821404/; classtype:trojan-activity;sid:84684504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.131.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821403/; classtype:trojan-activity;sid:84684503; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.33.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821402/; classtype:trojan-activity;sid:84684502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.17.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821401/; classtype:trojan-activity;sid:84684501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wx3wxihq.norxelav.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821400/; classtype:trojan-activity;sid:84684500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.24.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821399/; classtype:trojan-activity;sid:84684499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821398)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sile-reel.norxelav.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821398/; classtype:trojan-activity;sid:84684498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.112.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821397/; classtype:trojan-activity;sid:84684497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"otpj4gh.norxelav.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821396/; classtype:trojan-activity;sid:84684496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zbianule.norxelav.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821395/; classtype:trojan-activity;sid:84684495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.png"; depth:11; endswith; nocase; http.host; 
content:"homecaremovers.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821394/; classtype:trojan-activity;sid:84684494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"corwineagles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821393/; classtype:trojan-activity;sid:84684493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"65.99.181.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821392/; classtype:trojan-activity;sid:84684492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepixxx011.png"; depth:18; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821391/; classtype:trojan-activity;sid:84684491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/about-texture1.png"; depth:35; endswith; nocase; http.host; content:"allsydevs.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821390/; classtype:trojan-activity;sid:84684490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm4"; depth:12; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821389/; classtype:trojan-activity;sid:84684489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sp4rr-switch.norxelav.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821388/; classtype:trojan-activity;sid:84684488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"recavaran.com.tr"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821387/; classtype:trojan-activity;sid:84684487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woow.dat"; depth:9; endswith; nocase; http.host; content:"domister.online"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821386/; classtype:trojan-activity;sid:84684486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.17.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821385/; classtype:trojan-activity;sid:84684485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.24.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821384/; classtype:trojan-activity;sid:84684484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.250.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821383/; classtype:trojan-activity;sid:84684483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sermeshos5.bry6moxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821381/; classtype:trojan-activity;sid:84684481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lilu.png"; depth:9; endswith; nocase; http.host; content:"homecaremovers.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821382/; classtype:trojan-activity;sid:84684482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821380)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/imagevolume09875987654.png"; depth:27; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821380/; classtype:trojan-activity;sid:84684480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"goplanet.digital"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821379/; classtype:trojan-activity;sid:84684479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_064042.png"; depth:15; endswith; nocase; http.host; content:"goplanet.digital"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821377/; classtype:trojan-activity;sid:84684477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/domens.hta"; depth:11; endswith; nocase; http.host; content:"goplanet.digital"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821378/; classtype:trojan-activity;sid:84684478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kg9c.bry6moxel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821376/; classtype:trojan-activity;sid:84684476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/0d1c792fa_zyroaim-apex.exe"; depth:102; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821375/; classtype:trojan-activity;sid:84684475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/e27407567_zyroaim-roblox.exe"; depth:104; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821372/; classtype:trojan-activity;sid:84684472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/b693dcbe9_zyroaim-r6.exe"; depth:100; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821373/; classtype:trojan-activity;sid:84684473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/zyroaim-valorant.exe"; depth:31; endswith; nocase; http.host; content:"zyroaim.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821374/; classtype:trojan-activity;sid:84684474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/zyroaim-fortnite.exe"; depth:31; endswith; nocase; http.host; content:"zyroaim.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821371/; classtype:trojan-activity;sid:84684471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/edefcd47d_zyroaim-fivem.exe"; depth:103; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821364/; classtype:trojan-activity;sid:84684464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/88fcb7edf_zyroaim-rust.exe"; depth:102; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821365/; classtype:trojan-activity;sid:84684465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/3edf558c7_zyroaim-fortnite.exe"; depth:106; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821366/; classtype:trojan-activity;sid:84684466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/zyroaim-cs2.exe"; depth:26; endswith; nocase; http.host; content:"zyroaim.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821367/; classtype:trojan-activity;sid:84684467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/1a5772b4f_zyroaim-spoofer.exe"; depth:105; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821368/; classtype:trojan-activity;sid:84684468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/e8d7890c9_zyroaim-cod.exe"; depth:101; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821369/; classtype:trojan-activity;sid:84684469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/apps/69cb3bb3ac2ef17c570d5fa7/files/mp/public/69cb3bb3ac2ef17c570d5fa7/b20834650_zyroaim-valorant.exe"; depth:106; endswith; nocase; http.host; content:"base44.app"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821370/; classtype:trojan-activity;sid:84684470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"privat7-wave.bry6moxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821363/; classtype:trojan-activity;sid:84684463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dev6-sync.bry6moxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821362/; classtype:trojan-activity;sid:84684462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"birchalp.bry6moxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821361/; classtype:trojan-activity;sid:84684461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.33.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821360/; 
classtype:trojan-activity;sid:84684460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cravv-bridge.bry6moxel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821359/; classtype:trojan-activity;sid:84684459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.76.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821358/; classtype:trojan-activity;sid:84684458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zoloedu3.zeq3varin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821357/; classtype:trojan-activity;sid:84684457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagehd09.png"; depth:14; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821356/; classtype:trojan-activity;sid:84684456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3821355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"specimenapi.zeq3varin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821355/; classtype:trojan-activity;sid:84684455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fr31g2-stream.zeq3varin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821354/; classtype:trojan-activity;sid:84684454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ivlpumqbyhzyxvngnuuqlf131.bin"; depth:30; endswith; nocase; http.host; content:"192.227.128.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821353/; classtype:trojan-activity;sid:84684453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.184.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821352/; classtype:trojan-activity;sid:84684452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821351)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"prij.zeq3varin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821351/; classtype:trojan-activity;sid:84684451; rev:1;)
# Rule shape used throughout this feed: one rule per URLhaus entry, outbound GET only.
# http.uri is pinned with depth:<pattern length> + endswith (whole-buffer match, case-insensitive via nocase);
# http.host is pinned with depth:<pattern length> + isdataat:!1,relative (nothing may follow the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.160.135.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821350/; classtype:trojan-activity;sid:84684450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.88.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821349/; classtype:trojan-activity;sid:84684449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.76.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821348/; classtype:trojan-activity;sid:84684448; rev:1;)
# NOTE(review): in the next rule "|7c|26|7c|" decodes to the four literal bytes "|26|" (0x7c is "|"), not to "&" (0x26).
# The listed URL presumably separated its query parameters with "&", in which case this pattern does not match it;
# the separator looks double-escaped by the feed generator and would normally be written "|26|".
# depth:164 is the length of the escaped text, not of the decoded bytes, so depth + endswith no longer pins the
# whole URI exactly. Confirm against the URLhaus entry and report upstream; local edits are lost on the next pull.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=4-4-2026|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=new|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:164; endswith; nocase; http.host; content:"doc.e-statements.app"; depth:20; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821345/; classtype:trojan-activity;sid:84684445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ledgermacr.vo8xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821346/; classtype:trojan-activity;sid:84684446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dispgol.zeq3varin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821347/; classtype:trojan-activity;sid:84684447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.81.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821342/; classtype:trojan-activity;sid:84684442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.187.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821343/; classtype:trojan-activity;sid:84684443; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.187.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821344/; classtype:trojan-activity;sid:84684444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.81.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821341/; classtype:trojan-activity;sid:84684441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"185.224.215.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821340/; classtype:trojan-activity;sid:84684440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wafcif0g.zeq3varin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821339/; classtype:trojan-activity;sid:84684439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; 
content:"rbcroyalbank-homesd.info"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821338/; classtype:trojan-activity;sid:84684438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"suncorp-homesa.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821329/; classtype:trojan-activity;sid:84684429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"anzrewardse-homes.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821330/; classtype:trojan-activity;sid:84684430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"rbcroyalbank-homesa.cc"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821331/; classtype:trojan-activity;sid:84684431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"bendigo-homesa.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821332/; classtype:trojan-activity;sid:84684432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"lloydsbank-homesa.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821333/; classtype:trojan-activity;sid:84684433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"hsbcrewards-homesa.info"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821334/; classtype:trojan-activity;sid:84684434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"rbcroyalbank-homesc.info"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821335/; classtype:trojan-activity;sid:84684435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"qantasrewardsa-homes.info"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821336/; classtype:trojan-activity;sid:84684436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; 
content:"qantasrewardsb-homes.info"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821337/; classtype:trojan-activity;sid:84684437; rev:1;)
# NOTE(review): in the next two rules "|7c|26|7c|" decodes to the literal bytes "|26|" (0x7c is "|"), not to "&" (0x26).
# The listed URLs presumably read "...&export=download", in which case these patterns do not match them; the
# separator looks double-escaped by the feed generator and would normally be written "|26|".
# depth:68 is the length of the escaped text (the decoded pattern is shorter), so depth + endswith is not an exact pin.
# Also: "alert http" only inspects traffic Suricata parses as HTTP. drive.google.com is normally reached over TLS,
# so these rules presumably need decrypted traffic to fire at all - confirm sensor visibility before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|id=1dougv4cj0cxr6ir9jjgxxonvklhfdt0c|7c|26|7c|export=download"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821328/; classtype:trojan-activity;sid:84684428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|id=18vrgogx1gd9mwmvrmprl_lnjguja6r8h|7c|26|7c|export=download"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821327/; classtype:trojan-activity;sid:84684427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"natwest-homesa.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821321/; classtype:trojan-activity;sid:84684421; rev:1;)
# NOTE(review): raw.githubusercontent.com is a shared hosting platform that is normally reached over TLS; as an
# "alert http" rule this presumably only fires on decrypted or cleartext traffic - confirm sensor visibility.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meteorrejects/meteorrejects.github.io/refs/heads/main/meteor-rejects-addon-1.21.11.jar"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_04_14; reference:url, urlhaus.abuse.ch/url/3821322/; classtype:trojan-activity;sid:84684422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"suncorp-homesb.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821323/; classtype:trojan-activity;sid:84684423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"hsbcrewards-homesb.info"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821324/; classtype:trojan-activity;sid:84684424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meteorrejects/meteorrejects.github.io/refs/heads/main/meteor-rejects-addon-1.21.0.jar"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821325/; classtype:trojan-activity;sid:84684425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meteorrejects/meteorrejects.github.io/refs/heads/main/meteor-rejects-addon-1.21.4.jar"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821326/; classtype:trojan-activity;sid:84684426; 
rev:1;)
# NOTE(review): several rules below carry "|7c|26|7c|" in the http.uri pattern (sids 84684418, 84684414, 84684415,
# 84684416). That sequence decodes to the literal bytes "|26|" (0x7c is "|"), not to "&" (0x26). The listed URLs
# presumably used "&" between query parameters, in which case these patterns do not match them; the separator
# looks double-escaped by the feed generator and would normally be written "|26|".
# In the same rules depth is the length of the escaped text, not of the decoded bytes, so depth + endswith does not
# pin the whole URI exactly. Confirm against the URLhaus entries and report upstream rather than patching locally.
# drive.usercontent.google.com is normally reached over TLS, so as "alert http" rules those two presumably need
# decrypted traffic to fire - confirm sensor visibility.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|id=18vrgogx1gd9mwmvrmprl_lnjguja6r8h|7c|26|7c|export=download"; depth:74; endswith; nocase; http.host; content:"drive.usercontent.google.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821318/; classtype:trojan-activity;sid:84684418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"rbcroyalbank-homese.info"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821319/; classtype:trojan-activity;sid:84684419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"commbank-homesa.info"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821320/; classtype:trojan-activity;sid:84684420; rev:1;)
# Double-escaped separator at the end of the URI pattern; depth:26 counts the escaped text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nenkin.msi|3f|r|7c|26|7c|"; depth:26; endswith; nocase; http.host; content:"pub-0a6599d7d6394e379b6da3d6bfb5354a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821314/; classtype:trojan-activity;sid:84684414; rev:1;)
# Double-escaped separator between "e=access" and "y=guest"; depth:63 counts the escaped text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"23.94.232.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821315/; classtype:trojan-activity;sid:84684415; rev:1;)
# Double-escaped separator before "export=download"; depth:74 counts the escaped text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|id=1dougv4cj0cxr6ir9jjgxxonvklhfdt0c|7c|26|7c|export=download"; depth:74; endswith; nocase; http.host; content:"drive.usercontent.google.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821316/; classtype:trojan-activity;sid:84684416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/eventvpcardsc_pu1kqzvw_installer.msi"; depth:43; endswith; nocase; http.host; content:"sesdigitalsolutions.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821317/; classtype:trojan-activity;sid:84684417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpac-homesa.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821308/; classtype:trojan-activity;sid:84684408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; 
content:"commbanka-homes.info"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821309/; classtype:trojan-activity;sid:84684409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"hsbcrewardsa-homes.info"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821310/; classtype:trojan-activity;sid:84684410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"suncorprewardsn-homes.info"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821311/; classtype:trojan-activity;sid:84684411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zenecactfuayzq206.bin"; depth:22; endswith; nocase; http.host; content:"46.183.222.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821312/; classtype:trojan-activity;sid:84684412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"raiffeisenbbonusprogramma.info"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821313/; classtype:trojan-activity;sid:84684413; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacnzb-home.info"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821299/; classtype:trojan-activity;sid:84684399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"macquarierewardsa-home.info"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821300/; classtype:trojan-activity;sid:84684400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpac-homesd.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821301/; classtype:trojan-activity;sid:84684401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"suncorprewardsq-home.info"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821302/; classtype:trojan-activity;sid:84684402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; 
content:"lloydsbank-homesb.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821303/; classtype:trojan-activity;sid:84684403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"hsbcrewardsc-homes.info"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821304/; classtype:trojan-activity;sid:84684404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"stgeorge-homesd.info"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821305/; classtype:trojan-activity;sid:84684405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacnza-home.info"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821306/; classtype:trojan-activity;sid:84684406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpac-homesb.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821307/; classtype:trojan-activity;sid:84684407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpac-homesc.info"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821298/; classtype:trojan-activity;sid:84684398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesc.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821297/; classtype:trojan-activity;sid:84684397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesg.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821296/; classtype:trojan-activity;sid:84684396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesb.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821295/; classtype:trojan-activity;sid:84684395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesz.info"; 
depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821294/; classtype:trojan-activity;sid:84684394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homese.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821289/; classtype:trojan-activity;sid:84684389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesf.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821290/; classtype:trojan-activity;sid:84684390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacone-homesa.info"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821291/; classtype:trojan-activity;sid:84684391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"westpacrewardshop2025c.click"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821292/; classtype:trojan-activity;sid:84684392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3821293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com/static/js/main.js"; depth:22; endswith; nocase; http.host; content:"wpac-homesa.info"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821293/; classtype:trojan-activity;sid:84684393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"96af.vo8xalon.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821288/; classtype:trojan-activity;sid:84684388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"canyonsecu.vo8xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821287/; classtype:trojan-activity;sid:84684387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"portal-dev.vo8xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821286/; classtype:trojan-activity;sid:84684386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821285)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.208.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821285/; classtype:trojan-activity;sid:84684385; rev:1;)
# ---------------------------------------------------------------------------
# Reading the entries below (URLhaus malware-download URL signatures).
# The line above is the tail of a rule that begins earlier in the file, and the
# last line of this section is the head of a rule that continues after it; both
# are left exactly as found. Every other rule is restored to one rule per line.
#
# Each rule alerts on a cleartext HTTP GET, client-to-server on an established
# flow, from $HOME_NET to $EXTERNAL_NET, whose URI and Host both equal one
# listed URLhaus entry:
#   http.uri  + content + depth:<len> + endswith + nocase
#       -> the whole URI buffer must equal the string, case-insensitively
#   http.host + content + depth:<len> + isdataat:!1,relative
#       -> the whole Host buffer must equal the string (nothing may follow it)
#
# Consequences for coverage and triage:
#   * Exact-URI matching means a request that adds a query string or differs
#     in its trailing slash is not matched; the feed lists the ".google" and
#     ".google/" forms of the same path as separate entries (depth:82 / 83).
#   * Only traffic parsed as HTTP is inspected. The same URL fetched over TLS
#     is not seen by these rules unless the traffic is decrypted upstream.
#   * Direction depends on $HOME_NET / $EXTERNAL_NET being set correctly for
#     the sensor.
#   * The number in msg and in reference:url is the URLhaus entry id; use it to
#     look up the entry when triaging an alert.
#   * All entries here carry created_at 2026_04_14. NOTE(review): whether a
#     listed host is still serving the payload is not stated by the rule;
#     check the referenced entry before acting on an alert.
# ---------------------------------------------------------------------------
# The same URI recurs across many *.in.net hostnames in this part of the feed;
# only the Host string (and its depth) differs between those rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mosrende.vo8xalon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821284/; classtype:trojan-activity;sid:84684384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"autum-path.vo8xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821283/; classtype:trojan-activity;sid:84684383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-nexal.drumirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821282/; classtype:trojan-activity;sid:84684382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.77.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821281/; classtype:trojan-activity;sid:84684381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.59.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821279/; classtype:trojan-activity;sid:84684379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.184.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821280/; classtype:trojan-activity;sid:84684380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loyalshoal.drumirex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821278/; classtype:trojan-activity;sid:84684378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.23.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821277/; classtype:trojan-activity;sid:84684377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.130.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821276/; classtype:trojan-activity;sid:84684376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zen-fluxa.drumirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821275/; classtype:trojan-activity;sid:84684375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bjemnap.drumirex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821274/; classtype:trojan-activity;sid:84684374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"repsort.drumirex.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821273/; classtype:trojan-activity;sid:84684373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.130.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821271/; classtype:trojan-activity;sid:84684371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.123.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821272/; classtype:trojan-activity;sid:84684372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821270/; classtype:trojan-activity;sid:84684370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"keldra6ar.drumirex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821269/; classtype:trojan-activity;sid:84684369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.59.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821268/; classtype:trojan-activity;sid:84684368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21.exe"; depth:7; endswith; nocase; http.host; content:"130.12.180.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821267/; classtype:trojan-activity;sid:84684367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stone-flow.pra5noxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821266/; classtype:trojan-activity;sid:84684366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sandsto.pra5noxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821265/; classtype:trojan-activity;sid:84684365; rev:1;)
# The next four entries share one host, 91.92.243.242, and differ only in the
# requested path (/h, /m, /l and an .exe name).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h"; depth:2; endswith; nocase; http.host; content:"91.92.243.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821264/; classtype:trojan-activity;sid:84684364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m"; depth:2; endswith; nocase; http.host; content:"91.92.243.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821261/; classtype:trojan-activity;sid:84684361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"91.92.243.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821262/; classtype:trojan-activity;sid:84684362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwfdwefd231d.exe"; depth:17; endswith; nocase; http.host; content:"91.92.243.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821263/; classtype:trojan-activity;sid:84684363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.45.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821260/; classtype:trojan-activity;sid:84684360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wraw.pra5noxel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821259/; classtype:trojan-activity;sid:84684359; rev:1;)
# The Host in the next rule is a shared file-hosting domain. The rule is scoped
# to one exact path, so an alert refers to that single file, not to the domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file_premium/w9myf6zlc5ny230/1f86ed90-6b0e-41e4-b4b8-dee23cfba442/file"; depth:71; endswith; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821258/; classtype:trojan-activity;sid:84684358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.34.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821257/; classtype:trojan-activity;sid:84684357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"29mpmnz7.pra5noxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821256/; classtype:trojan-activity;sid:84684356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821255/; classtype:trojan-activity;sid:84684355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.106.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821254/; classtype:trojan-activity;sid:84684354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ggzne8.pra5noxel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821253/; classtype:trojan-activity;sid:84684353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soltideex2.pra5noxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821252/; classtype:trojan-activity;sid:84684352; rev:1;)
# The next five entries share one host, 176.65.139.42, with paths /mipsle,
# /mips, /x86, /bot.exe and /bot_x86.exe.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821249/; classtype:trojan-activity;sid:84684349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821250/; classtype:trojan-activity;sid:84684350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821251/; classtype:trojan-activity;sid:84684351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821247/; classtype:trojan-activity;sid:84684347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86.exe"; depth:12; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821248/; classtype:trojan-activity;sid:84684348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.153.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821246/; classtype:trojan-activity;sid:84684346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"inv0i-array.xelvorimax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821245/; classtype:trojan-activity;sid:84684345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.106.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821244/; classtype:trojan-activity;sid:84684344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"paletteloos.xelvorimax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821243/; classtype:trojan-activity;sid:84684343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.72.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821242/; classtype:trojan-activity;sid:84684342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.165.92.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821241/; classtype:trojan-activity;sid:84684341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genome2-line.xelvorimax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821240/; classtype:trojan-activity;sid:84684340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.47.190.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821239/; classtype:trojan-activity;sid:84684339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.153.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821238/; classtype:trojan-activity;sid:84684338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821237/; classtype:trojan-activity;sid:84684337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"harvestchanne.xelvorimax.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821236/; classtype:trojan-activity;sid:84684336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.153.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821235/; classtype:trojan-activity;sid:84684335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cinem-graph.xelvorimax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821234/; classtype:trojan-activity;sid:84684334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.182.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821233/; classtype:trojan-activity;sid:84684333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"itncq.xelvorimax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821232/; classtype:trojan-activity;sid:84684332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.198.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821231/; classtype:trojan-activity;sid:84684331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.72.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821230/; classtype:trojan-activity;sid:84684330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.252.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821228/; classtype:trojan-activity;sid:84684328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.153.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821229/; classtype:trojan-activity;sid:84684329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.active-service-hub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821227/; classtype:trojan-activity;sid:84684327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.234.154.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821226/; classtype:trojan-activity;sid:84684326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-net.active-service-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821225/; classtype:trojan-activity;sid:84684325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-doc.active-service-hub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821224/; classtype:trojan-activity;sid:84684324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821223/; classtype:trojan-activity;sid:84684323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-ready.active-service-hub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821222/; classtype:trojan-activity;sid:84684322; rev:1;)
# From here the feed also carries the trailing-slash form of the recurring URI
# (".google/" with depth:83). Because the URI match is exact, the two forms
# need separate rules; neither covers the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"jzdq.ditch-obscene.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821221/; classtype:trojan-activity;sid:84684321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"dirmod.inform2tunleaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821217/; classtype:trojan-activity;sid:84684317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"iwiax.personal-danger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821218/; classtype:trojan-activity;sid:84684318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"smar-disc.oguzok7ye.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821219/; classtype:trojan-activity;sid:84684319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mer-draex.personal-danger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821220/; classtype:trojan-activity;sid:84684320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"caveazure.multip-lway.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821213/; classtype:trojan-activity;sid:84684313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"5urv-pulse.multip-lway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821214/; classtype:trojan-activity;sid:84684314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"host1-base.active-service-hub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821215/; classtype:trojan-activity;sid:84684315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"meta-trust3d.cry7adiophone.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821216/; classtype:trojan-activity;sid:84684316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"107.175.88.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821210/; classtype:trojan-activity;sid:84684310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-core.active-service-hub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821211/; classtype:trojan-activity;sid:84684311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.198.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821212/; classtype:trojan-activity;sid:84684312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"nordraex4.onepal-liat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821209/; classtype:trojan-activity;sid:84684309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"neo-c0upon.kazan-saddle.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821208/; classtype:trojan-activity;sid:84684308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"garde-rave.multip-lway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821207/; classtype:trojan-activity;sid:84684307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"3zpnkdk.ditch-obscene.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821206/; classtype:trojan-activity;sid:84684306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29/goodgirlformygirltobe.hta"; depth:29; endswith; nocase; http.host; content:"198.12.83.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821203/; classtype:trojan-activity;sid:84684303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zenforgeix.babrevea1ing.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821204/; classtype:trojan-activity;sid:84684304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"94auswsb.piculi5tep.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821205/; classtype:trojan-activity;sid:84684305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sercrestar.chuv2shfile.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821201/; classtype:trojan-activity;sid:84684301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.222.182.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821202/; classtype:trojan-activity;sid:84684302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"crimso1-vector.intersp5uspect.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821194/; classtype:trojan-activity;sid:84684294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ibpo.intersp5uspect.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821195/; classtype:trojan-activity;sid:84684295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"w0rk3-wave.habe7dpermanent.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821196/; classtype:trojan-activity;sid:84684296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"scanmodel.onepal-liat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821197/; classtype:trojan-activity;sid:84684297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"solspireum.insti1partition.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821198/; classtype:trojan-activity;sid:84684298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821199)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"kawjhm.chuv2shfile.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821199/; classtype:trojan-activity;sid:84684299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"deliver4-mesh.zeq8morin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821200/; classtype:trojan-activity;sid:84684300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"aliglagoo.babrevea1ing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821192/; classtype:trojan-activity;sid:84684292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"bandwi-span.conferen-cesman.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821193/; classtype:trojan-activity;sid:84684293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3821189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.170.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821189/; classtype:trojan-activity;sid:84684289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"valeoptic.cry7adiophone.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821190/; classtype:trojan-activity;sid:84684290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lumnexa.klinavor.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821191/; classtype:trojan-activity;sid:84684291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"nimbl-sheet.cry7adiophone.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821188/; classtype:trojan-activity;sid:84684288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821186)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"71wxz.vo3xiran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821186/; classtype:trojan-activity;sid:84684286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vivi3-watch.mucus-rafter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821187/; classtype:trojan-activity;sid:84684287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"rende7-beam.sanctua-ryunt.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821185/; classtype:trojan-activity;sid:84684285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"neo-r0ck.danger-style.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821184/; classtype:trojan-activity;sid:84684284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"tp3gkrx.cry7adiophone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821182/; classtype:trojan-activity;sid:84684282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"freightdat.cry7adiophone.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821183/; classtype:trojan-activity;sid:84684283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sfayxss.cry7adiophone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821181/; classtype:trojan-activity;sid:84684281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mn4wr.desola-tidle.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821180/; classtype:trojan-activity;sid:84684280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3821179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"quormeshos3.babrevea1ing.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821179/; classtype:trojan-activity;sid:84684279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cg892665.babrevea1ing.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821178/; classtype:trojan-activity;sid:84684278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"patterndelivery.babrevea1ing.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821176/; classtype:trojan-activity;sid:84684276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cleansensor.intersp5uspect.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821177/; classtype:trojan-activity;sid:84684277; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"me6z.desola-tidle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821174/; classtype:trojan-activity;sid:84684274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"flamemanifest.chandelh2lifa.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821175/; classtype:trojan-activity;sid:84684275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pars-packe.personal-danger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821173/; classtype:trojan-activity;sid:84684273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-hub.secure-proxy-way.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, 
urlhaus.abuse.ch/url/3821168/; classtype:trojan-activity;sid:84684268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ygxq.klinavor.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821169/; classtype:trojan-activity;sid:84684269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"runwspoo.travixon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821170/; classtype:trojan-activity;sid:84684270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"ptwc.desola-tidle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821171/; classtype:trojan-activity;sid:84684271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pxedkzjn.zeq8morin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821172/; classtype:trojan-activity;sid:84684272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"3zowl.insti1partition.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821167/; classtype:trojan-activity;sid:84684267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vmkzuhhq.travixon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821165/; classtype:trojan-activity;sid:84684265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"15cqw.sanctua-ryunt.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821166/; classtype:trojan-activity;sid:84684266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lywetogx.qul2marox.in.net"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821163/; classtype:trojan-activity;sid:84684263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"buffmargi.norxevin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821164/; classtype:trojan-activity;sid:84684264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"did8.qul2marox.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821161/; classtype:trojan-activity;sid:84684261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"zennexis.norxevin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821162/; classtype:trojan-activity;sid:84684262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.42.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821160/; 
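classtype:trojan-activity;sid:84684260; rev:1;)
# Layout note: the rules below are restored to one rule per line. The fragment above closes
# the rule that starts on the previous line, and the last line of this group continues on
# the next line.
#
# Shared shape of every rule here: client-to-server GET on an established flow, with the
# normalized URI and the Host value both pinned to an exact string. For the URI, depth
# equals the pattern length and endswith anchors the end of the buffer. For the host,
# depth equals the pattern length and isdataat:!1,relative requires that nothing follows.
#
# URLhaus 3821159: URI is exactly "/i" on host 105.186.213.212.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.213.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821159/; classtype:trojan-activity;sid:84684259; rev:1;)
# URLhaus 3821158: fixed 82-byte path ending in ".google" on svc5-link.secure-proxy-way.in.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"www.placeholder.invalid"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821158/; classtype:trojan-activity;sid:84684258; rev:1;)
# URLhaus 3821157: MSI download from a www.dropbox.com share link.
# Fix: the published pattern separated the query parameters with |7c|26|7c|. Hex 7c is the
# pipe character, so that sequence decodes to the four literal bytes "|26|" and cannot match
# a query string whose separator is "&" (hex 26). The separators are written as |26| here,
# and depth is recomputed from the decoded pattern length (108 bytes; the published 129 was
# the length of the escaped text). This assumes the listed URL uses ordinary "&" separators,
# as the escaped "26" suggests; confirm against the URLhaus entry.
# NOTE(review): sid and rev are kept as published, so the next feed refresh will overwrite
# this local correction unless it is also reported upstream or carried as a local rule.
# NOTE(review): this host is normally reached over HTTPS, so an "alert http" rule only sees
# the request where TLS is decrypted ahead of the sensor; pair it with DNS/TLS-SNI or proxy
# log matching if that is not the case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/tpxodftkoenzy8fxnn08z/screenconnect.clientsetup.msi|3f|rlkey=7mkilx20xtmuqv8ts14qkh921|26|st=wvhdtsir|26|dl=1"; depth:108; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821157/; classtype:trojan-activity;sid:84684257; rev:1;)
# URLhaus 3821156: same ".google" path on vault4-on.secure-proxy-way.in.net (rule continues on the next line).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-on.secure-proxy-way.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821156/; 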
classtype:trojan-activity;sid:84684256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821155/; classtype:trojan-activity;sid:84684255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-site.secure-proxy-way.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821154/; classtype:trojan-activity;sid:84684254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-port.secure-proxy-way.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821153/; classtype:trojan-activity;sid:84684253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tun1-pipe.secure-proxy-way.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821152/; classtype:trojan-activity;sid:84684252; rev:1;) 
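# Layout note: the rules below are restored to one rule per line. The final "alert" token
# belongs to the rule that continues on the next line.
#
# Shared shape of every rule here: client-to-server GET on an established flow, with the
# normalized URI and the Host value both pinned to an exact string. For the URI, depth
# equals the pattern length and endswith anchors the end of the buffer. For the host,
# depth equals the pattern length and isdataat:!1,relative requires that nothing follows.
#
# URLhaus 3821151: URI is exactly "/bin.sh" on host 182.117.41.179.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.41.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821151/; classtype:trojan-activity;sid:84684251; rev:1;)
# URLhaus 3821150: fixed 82-byte path ending in ".google" on gate6-main.global-server-sync.in.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.global-server-sync.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821150/; classtype:trojan-activity;sid:84684250; rev:1;)
# URLhaus 3821149: object download from firebasestorage.googleapis.com.
# Fix: the published pattern separated the query parameters with |7c|26|7c|. Hex 7c is the
# pipe character, so that sequence decodes to the four literal bytes "|26|" and cannot match
# a query string whose separator is "&" (hex 26). The separator is written as |26| here,
# and depth is recomputed from the decoded pattern length (106 bytes; the published 118 was
# the length of the escaped text). This assumes the listed URL uses an ordinary "&"
# separator, as the escaped "26" suggests; confirm against the URLhaus entry.
# NOTE(review): sid and rev are kept as published, so the next feed refresh will overwrite
# this local correction unless it is also reported upstream or carried as a local rule.
# NOTE(review): this host is normally reached over HTTPS, so an "alert http" rule only sees
# the request where TLS is decrypted ahead of the sensor; pair it with DNS/TLS-SNI or proxy
# log matching if that is not the case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/jsee-71d18.firebasestorage.app/o/img_170600.png|3f|alt=media|26|token=0dc575d2-44f3-40b2-ba8e-b397383f766d"; depth:106; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821149/; classtype:trojan-activity;sid:84684249; rev:1;)
# URLhaus 3821145: same ".google" path on svc5-git.global-server-sync.in.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-git.global-server-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821145/; classtype:trojan-activity;sid:84684245; rev:1;)
alert 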
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_102232.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821146/; classtype:trojan-activity;sid:84684246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_115403.png"; depth:15; endswith; nocase; http.host; content:"governofederal.io"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821147/; classtype:trojan-activity;sid:84684247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_145858.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821148/; classtype:trojan-activity;sid:84684248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xg06xob9/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821144/; classtype:trojan-activity;sid:84684244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.64.12"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821142/; classtype:trojan-activity;sid:84684242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.69.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821143/; classtype:trojan-activity;sid:84684243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-id.global-server-sync.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821141/; classtype:trojan-activity;sid:84684241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/9a14584c1f9442f7.jpg"; depth:28; endswith; nocase; http.host; content:"85.137.165.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821140/; classtype:trojan-activity;sid:84684240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_160611.png"; depth:15; endswith; nocase; http.host; content:"innovativesr.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821139/; classtype:trojan-activity;sid:84684239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_160622.png"; depth:15; endswith; nocase; http.host; content:"innovativesr.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821138/; classtype:trojan-activity;sid:84684238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-job.global-server-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821137/; classtype:trojan-activity;sid:84684237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.110.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821136/; classtype:trojan-activity;sid:84684236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.64.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821135/; classtype:trojan-activity;sid:84684235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.252.9"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821134/; classtype:trojan-activity;sid:84684234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-up.global-server-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821133/; classtype:trojan-activity;sid:84684233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rump101.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821132/; classtype:trojan-activity;sid:84684232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yuphantom.png"; depth:14; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821131/; classtype:trojan-activity;sid:84684231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/101shit.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821130/; classtype:trojan-activity;sid:84684230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.108.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821129/; classtype:trojan-activity;sid:84684229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"time1-out.global-server-sync.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821128/; classtype:trojan-activity;sid:84684228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-api.digital-verify-pro.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821127/; classtype:trojan-activity;sid:84684227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.243.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821126/; classtype:trojan-activity;sid:84684226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"182.113.195.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821125/; classtype:trojan-activity;sid:84684225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-ssl.digital-verify-pro.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821124/; classtype:trojan-activity;sid:84684224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-db.digital-verify-pro.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821123/; classtype:trojan-activity;sid:84684223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-hash.digital-verify-pro.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821122/; classtype:trojan-activity;sid:84684222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821121)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-key.digital-verify-pro.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821121/; classtype:trojan-activity;sid:84684221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2mq7rtnc.cl5"; depth:13; endswith; nocase; http.host; content:"arpausa.com.ec"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821120/; classtype:trojan-activity;sid:84684220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe1-id.digital-verify-pro.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821119/; classtype:trojan-activity;sid:84684219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.137.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821117/; classtype:trojan-activity;sid:84684217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.240.255"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_14; reference:url, urlhaus.abuse.ch/url/3821118/; classtype:trojan-activity;sid:84684218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_wildcard_.lavnixo.cfd/social-security-estatementviewer.msi"; depth:60; endswith; nocase; http.host; content:"lavnixo.cfd"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821116/; classtype:trojan-activity;sid:84684216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.240.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821115/; classtype:trojan-activity;sid:84684215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.195.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821114/; classtype:trojan-activity;sid:84684214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-io.web-traffic-trace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821113/; classtype:trojan-activity;sid:84684213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3821112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chxrgp.vmp.msi"; depth:15; endswith; nocase; http.host; content:"sfunited.club"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821112/; classtype:trojan-activity;sid:84684212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-pin.web-traffic-trace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821111/; classtype:trojan-activity;sid:84684211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyelsl7di8fgr-j6bkej7w313j_849ezhllihbeewram85k9cjcq8anssdexuhepcbfo0q0akbf57hpcbes4m4s_ygw0wttxwhxtpi61hvnhe2wtfqkvbx8gv2ghyggwwvmv8nkif2ypjd6pxjhkhpiui7cm69bllwibz2asd5e2/35szk915pzn779n/archive.rar"; depth:201; endswith; nocase; http.host; content:"download1979.mediafire.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821110/; classtype:trojan-activity;sid:84684210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-tx.web-traffic-trace.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821109/; classtype:trojan-activity;sid:84684209; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-hop.web-traffic-trace.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821108/; classtype:trojan-activity;sid:84684208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821107/; classtype:trojan-activity;sid:84684207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821101/; classtype:trojan-activity;sid:84684201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821102/; classtype:trojan-activity;sid:84684202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; 
content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821103/; classtype:trojan-activity;sid:84684203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821104/; classtype:trojan-activity;sid:84684204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821105/; classtype:trojan-activity;sid:84684205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"147.45.42.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821106/; classtype:trojan-activity;sid:84684206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.137.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821100/; classtype:trojan-activity;sid:84684200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821099)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-map.web-traffic-trace.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821099/; classtype:trojan-activity;sid:84684199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.30.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821098/; classtype:trojan-activity;sid:84684198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uvgkyzkng167.bin"; depth:17; endswith; nocase; http.host; content:"192.210.229.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821096/; classtype:trojan-activity;sid:84684196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afbrndings.msi"; depth:15; endswith; nocase; http.host; content:"192.210.229.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821097/; classtype:trojan-activity;sid:84684197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scan1-url.web-traffic-trace.in.net"; depth:34; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821095/; classtype:trojan-activity;sid:84684195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.209.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821093/; classtype:trojan-activity;sid:84684193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.35.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821094/; classtype:trojan-activity;sid:84684194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.27.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821092/; classtype:trojan-activity;sid:84684192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-cmd.smart-system-check.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821091/; classtype:trojan-activity;sid:84684191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3821090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.119.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821090/; classtype:trojan-activity;sid:84684190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isex86"; depth:7; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821084/; classtype:trojan-activity;sid:84684184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkk.arm5k"; depth:10; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821085/; classtype:trojan-activity;sid:84684185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkk.arm4k"; depth:10; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821086/; classtype:trojan-activity;sid:84684186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkk.arm6k"; depth:10; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821087/; classtype:trojan-activity;sid:84684187; rev:1;) 
# How to read the rules that follow (they share one template):
#   - flow:established,from_client with $HOME_NET -> $EXTERNAL_NET: the alert is
#     raised on an outbound client request, so it shows that an internal host
#     asked for the URL, not that a payload was delivered or executed. Confirm
#     with the HTTP response and endpoint telemetry during triage.
#   - http.method; content:"GET" is an unanchored match on the method buffer.
#   - http.uri: depth equals the length of the listed path and endswith anchors
#     the end, so the path must match the whole buffer (nocase applies to this
#     content). A request for the same path with a query string or an extra
#     segment would not match -- NOTE(review): confirm against the sensor's
#     http.uri normalization.
#   - http.host: depth plus isdataat:!1,relative pins the Host value to exactly
#     the listed name or address.
#   - The rules are "alert http", so they only see traffic the sensor parses as
#     cleartext HTTP. For hosts that are normally reached over HTTPS (for
#     example raw.githubusercontent.com below) expect no alert unless the
#     sensor is fed decrypted traffic; cover those URLs with proxy or TLS/DNS
#     logging as well.
#   - Where the host is a shared hosting service, the indicator is the full
#     host + path pair. Scope blocking and hunting to that URL rather than to
#     the whole service.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkk.arm7k"; depth:10; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821088/; classtype:trojan-activity;sid:84684188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josho.ppck"; depth:11; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821089/; classtype:trojan-activity;sid:84684189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chronmwin.zip"; depth:14; endswith; nocase; http.host; content:"dindong.tos-cn-hongkong.volces.com"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821083/; classtype:trojan-activity;sid:84684183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digital2026001/securssa001/refs/heads/main/docs_social_securityadmin.vbs"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821082/; classtype:trojan-activity;sid:84684182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2281/runn.exe"; depth:14; 
endswith; nocase; http.host; content:"2.27.28.167"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821081/; classtype:trojan-activity;sid:84684181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josho.sh4k"; depth:11; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821079/; classtype:trojan-activity;sid:84684179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dipsk"; depth:6; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821080/; classtype:trojan-activity;sid:84684180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn2ip9fu/bikzwtho.msi"; depth:22; endswith; nocase; http.host; content:"93.152.224.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821077/; classtype:trojan-activity;sid:84684177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn2ip9fu/ksqxkmgh.msi"; depth:22; endswith; nocase; http.host; content:"93.152.224.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821078/; classtype:trojan-activity;sid:84684178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3821075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.37.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821075/; classtype:trojan-activity;sid:84684175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.21.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821076/; classtype:trojan-activity;sid:84684176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr13image.png"; depth:15; endswith; nocase; http.host; content:"aumri.ae"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821074/; classtype:trojan-activity;sid:84684174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-pid.smart-system-check.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821073/; classtype:trojan-activity;sid:84684173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basecd81/"; depth:10; endswith; nocase; http.host; content:"pdfplugout.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821071/; classtype:trojan-activity;sid:84684171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basecd81/luxp.doc"; depth:18; endswith; nocase; http.host; content:"pdfplugout.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821072/; classtype:trojan-activity;sid:84684172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.119.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821070/; classtype:trojan-activity;sid:84684170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-ex.smart-system-check.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821069/; classtype:trojan-activity;sid:84684169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.30.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821068/; classtype:trojan-activity;sid:84684168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821067)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-log.smart-system-check.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821067/; classtype:trojan-activity;sid:84684167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.37.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821066/; classtype:trojan-activity;sid:84684166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.94.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821065/; classtype:trojan-activity;sid:84684165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-top.smart-system-check.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821064/; classtype:trojan-activity;sid:84684164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821063)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test1-run.smart-system-check.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821063/; classtype:trojan-activity;sid:84684163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-ip.remote-access-node.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821062/; classtype:trojan-activity;sid:84684162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.247.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821061/; classtype:trojan-activity;sid:84684161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821060/; classtype:trojan-activity;sid:84684160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"svc5-dns.remote-access-node.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821059/; classtype:trojan-activity;sid:84684159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.229.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821057/; classtype:trojan-activity;sid:84684157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.138.131.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821058/; classtype:trojan-activity;sid:84684158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-sh.remote-access-node.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821056/; classtype:trojan-activity;sid:84684156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.94.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821054/; classtype:trojan-activity;sid:84684154; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.141.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821055/; classtype:trojan-activity;sid:84684155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.65.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821053/; classtype:trojan-activity;sid:84684153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-tls.remote-access-node.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821052/; classtype:trojan-activity;sid:84684152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.118.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821051/; classtype:trojan-activity;sid:84684151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.172.186.154"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821050/; classtype:trojan-activity;sid:84684150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.185.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821049/; classtype:trojan-activity;sid:84684149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821048/; classtype:trojan-activity;sid:84684148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-ssh.remote-access-node.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821047/; classtype:trojan-activity;sid:84684147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work1-vpn.remote-access-node.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821045/; classtype:trojan-activity;sid:84684145; rev:1;) 
# Reviewer notes on the rule template used in this part of the feed.
#
# Each signature matches one exact URLhaus-listed URL:
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     "flow:established,from_client" inspects outbound client requests that
#     Suricata has parsed as HTTP. Downloads over TLS are not seen by these
#     rules unless traffic is decrypted upstream of the sensor.
#   - http.uri: "depth" equals the length of the content string and is
#     combined with "endswith", so the whole URI buffer must equal the string
#     ("nocase" makes that comparison case-insensitive). A request for the
#     same host with any other path does not match.
#   - http.host: "depth" equals the length of the content string and
#     "isdataat:!1,relative" requires that nothing follows the match, so the
#     host buffer must equal the listed IP address or hostname exactly.
#   - The number in "msg" and the "reference" URL carry the URLhaus entry id;
#     use the reference to look up context for an alert.
#
# Triage notes:
#   - The match is on request buffers only, so an alert shows that an internal
#     host asked for the URL, not that a payload was returned. Confirm with
#     HTTP response or file-transaction logs.
#   - The same 82-byte URI recurs under many different *.in.net hostnames in
#     this section. Because every rule also pins http.host, a hostname that is
#     not yet listed is not covered by these signatures.
#     NOTE(review): a local rule keyed on that URI alone may be worth
#     evaluating - confirm the false-positive rate before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.116.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821046/; classtype:trojan-activity;sid:84684146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.247.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821044/; classtype:trojan-activity;sid:84684144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-box.cloud-storage-unit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821043/; classtype:trojan-activity;sid:84684143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.1.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821042/; classtype:trojan-activity;sid:84684142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821041)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-cdn.cloud-storage-unit.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821041/; classtype:trojan-activity;sid:84684141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.145.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821040/; classtype:trojan-activity;sid:84684140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.110.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821039/; classtype:trojan-activity;sid:84684139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-io.cloud-storage-unit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821038/; classtype:trojan-activity;sid:84684138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.130.121.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821037/; classtype:trojan-activity;sid:84684137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.237.109.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821036/; classtype:trojan-activity;sid:84684136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-dir.cloud-storage-unit.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821035/; classtype:trojan-activity;sid:84684135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.172.186.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821034/; classtype:trojan-activity;sid:84684134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.179.229.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821033/; classtype:trojan-activity;sid:84684133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821032)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821032/; classtype:trojan-activity;sid:84684132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-obj.cloud-storage-unit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821031/; classtype:trojan-activity;sid:84684131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file1-raw.cloud-storage-unit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821030/; classtype:trojan-activity;sid:84684130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-app.data-metric-flow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821029/; classtype:trojan-activity;sid:84684129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821028)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.229.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821028/; classtype:trojan-activity;sid:84684128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.179.229.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821027/; classtype:trojan-activity;sid:84684127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-row.data-metric-flow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821026/; classtype:trojan-activity;sid:84684126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-db.data-metric-flow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821025/; classtype:trojan-activity;sid:84684125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.110.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; 
reference:url, urlhaus.abuse.ch/url/3821024/; classtype:trojan-activity;sid:84684124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-bit.data-metric-flow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821023/; classtype:trojan-activity;sid:84684123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.125.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821022/; classtype:trojan-activity;sid:84684122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-tab.data-metric-flow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821021/; classtype:trojan-activity;sid:84684121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.172.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821020/; classtype:trojan-activity;sid:84684120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3821019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stat1-set.data-metric-flow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821019/; classtype:trojan-activity;sid:84684119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.86.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821018/; classtype:trojan-activity;sid:84684118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.125.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821017/; classtype:trojan-activity;sid:84684117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-web.tech-support-desk.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821016/; classtype:trojan-activity;sid:84684116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821015)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.125.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821015/; classtype:trojan-activity;sid:84684115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.229.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821014/; classtype:trojan-activity;sid:84684114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-auth.tech-support-desk.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821013/; classtype:trojan-activity;sid:84684113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.229.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821012/; classtype:trojan-activity;sid:84684112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-id.tech-support-desk.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 
2026_04_14; reference:url, urlhaus.abuse.ch/url/3821011/; classtype:trojan-activity;sid:84684111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.52.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821010/; classtype:trojan-activity;sid:84684110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.251.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821009/; classtype:trojan-activity;sid:84684109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.78.98.60"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821008/; classtype:trojan-activity;sid:84684108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-call.tech-support-desk.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821007/; classtype:trojan-activity;sid:84684107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821006)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-info.tech-support-desk.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821006/; classtype:trojan-activity;sid:84684106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.109.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821004/; classtype:trojan-activity;sid:84684104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.146.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821005/; classtype:trojan-activity;sid:84684105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.86.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821003/; classtype:trojan-activity;sid:84684103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"help1-desk.tech-support-desk.in.net"; depth:35; 
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821002/; classtype:trojan-activity;sid:84684102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.38.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821001/; classtype:trojan-activity;sid:84684101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.213.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821000/; classtype:trojan-activity;sid:84684100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-site.qul9merox.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820999/; classtype:trojan-activity;sid:84684099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-step.qul9merox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820998/; classtype:trojan-activity;sid:84684098; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.229.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820997/; classtype:trojan-activity;sid:84684097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bin4-data.qul9merox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820996/; classtype:trojan-activity;sid:84684096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820995/; classtype:trojan-activity;sid:84684095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.78.98.60"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820994/; classtype:trojan-activity;sid:84684094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.251.23"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820993/; classtype:trojan-activity;sid:84684093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820991/; classtype:trojan-activity;sid:84684091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820992/; classtype:trojan-activity;sid:84684092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.109.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820990/; classtype:trojan-activity;sid:84684090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.121.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820989/; classtype:trojan-activity;sid:84684089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820988)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.121.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820988/; classtype:trojan-activity;sid:84684088; rev:1;)
# Layout: the rules in this section are written one per line. The fragment on the line above
# and the fragment on the last line of this section belong to rules that continue outside
# the section and are left exactly as found.
#
# How to read these entries (every rule in this section uses the same template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client and
#     http.method "GET": a client GET leaving the monitored network that Suricata has parsed
#     as HTTP. A request carried inside TLS is not matched unless it is decrypted before it
#     reaches the sensor.
#   - http.uri: the content string with depth equal to its own length plus endswith pins both
#     ends, so the URI buffer must equal the listed string (nocase makes that comparison
#     case-insensitive). The same path with a query string appended, or any other path on
#     the same host, does not match.
#   - http.host: the content string with depth equal to its own length plus
#     isdataat:!1,relative (no byte may follow the match) requires the host buffer to equal
#     the listed name or IP literal.
#   - reference points to the URLhaus entry to consult during triage; metadata:created_at is
#     the date recorded for the rule. Every sid visible here equals the URLhaus id in the
#     msg plus 80863100.
# NOTE(review): most hosts below are bare IPv4 literals, and several appear twice, once with
# "/i" and once with "/bin.sh" (for example 182.121.83.21 and 42.235.99.98). Treat a hit as
# a point-in-time indicator and confirm the entry's current status at the reference URL.
#
# NOTE(review): one 82-byte URI (the "/05fe317c-..." path ending in ".google") recurs
# unchanged in this section under many subdomains of qul9merox.in.net, norxavin.in.net,
# bry3loxan.in.net, travexin.in.net and zeq7moral.in.net. Each rule pins a single host, so a
# subdomain that is not listed is not covered; when triaging a hit, also search HTTP/proxy
# logs for that URI regardless of host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-read.qul9merox.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820987/; classtype:trojan-activity;sid:84684087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.127.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820986/; classtype:trojan-activity;sid:84684086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-stat.qul9merox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820985/; classtype:trojan-activity;sid:84684085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.52.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820984/; classtype:trojan-activity;sid:84684084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cmd1-task.qul9merox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820983/; classtype:trojan-activity;sid:84684083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-area.norxavin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820982/; classtype:trojan-activity;sid:84684082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.83.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820981/; classtype:trojan-activity;sid:84684081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820980/; classtype:trojan-activity;sid:84684080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.65.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820979/; classtype:trojan-activity;sid:84684079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-edge.norxavin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820978/; classtype:trojan-activity;sid:84684078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820977/; classtype:trojan-activity;sid:84684077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tmp4-root.norxavin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820976/; classtype:trojan-activity;sid:84684076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.83.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820975/; classtype:trojan-activity;sid:84684075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-link.norxavin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820974/; classtype:trojan-activity;sid:84684074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-info.norxavin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820973/; classtype:trojan-activity;sid:84684073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.132.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820972/; classtype:trojan-activity;sid:84684072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web1-host.norxavin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820971/; classtype:trojan-activity;sid:84684071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.99.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820970/; classtype:trojan-activity;sid:84684070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-post.bry3loxan.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820969/; classtype:trojan-activity;sid:84684069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820968/; classtype:trojan-activity;sid:84684068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.99.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820967/; classtype:trojan-activity;sid:84684067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-auth.bry3loxan.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820966/; classtype:trojan-activity;sid:84684066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"salt4-byte.bry3loxan.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820965/; classtype:trojan-activity;sid:84684065; rev:1;)
# Host 176.65.134.19: the entries for this host (the "/o" rule earlier in this section and
# the "/0up..." and "/move" rules that follow) mostly use file names ending in what look like
# CPU-architecture tags (arm, arm5, arm6, arm7, m68k, mips, mpsl, ppc, sh4, spc, x64, x86).
# NOTE(review): that reading comes from the names alone; alerts for this host are best
# triaged together as one cluster rather than as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0uparm6"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820964/; classtype:trojan-activity;sid:84684064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upm68k"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820961/; classtype:trojan-activity;sid:84684061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upmpsl"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820962/; classtype:trojan-activity;sid:84684062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.191.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820963/; classtype:trojan-activity;sid:84684063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upx64"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820956/; classtype:trojan-activity;sid:84684056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upx86"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820957/; classtype:trojan-activity;sid:84684057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upmips"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820958/; classtype:trojan-activity;sid:84684058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upppc"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820959/; classtype:trojan-activity;sid:84684059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/move"; depth:5; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820960/; classtype:trojan-activity;sid:84684060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0uparm"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820955/; classtype:trojan-activity;sid:84684055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upspc"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820951/; classtype:trojan-activity;sid:84684051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0upsh4"; depth:7; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820952/; classtype:trojan-activity;sid:84684052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0uparm7"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820953/; classtype:trojan-activity;sid:84684053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0uparm5"; depth:8; endswith; nocase; http.host; content:"176.65.134.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820954/; classtype:trojan-activity;sid:84684054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.9.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820950/; classtype:trojan-activity;sid:84684050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-peer.bry3loxan.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820949/; classtype:trojan-activity;sid:84684049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.132.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820948/; classtype:trojan-activity;sid:84684048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.219.202.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820947/; classtype:trojan-activity;sid:84684047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-dns.bry3loxan.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820946/; classtype:trojan-activity;sid:84684046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.165.101.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820945/; classtype:trojan-activity;sid:84684045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.21.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820944/; classtype:trojan-activity;sid:84684044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.165.101.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820943/; classtype:trojan-activity;sid:84684043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tcp1-send.bry3loxan.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820942/; classtype:trojan-activity;sid:84684042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.219.74.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820941/; classtype:trojan-activity;sid:84684041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-port.travexin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820940/; classtype:trojan-activity;sid:84684040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.travexin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820939/; classtype:trojan-activity;sid:84684039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.9.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820938/; classtype:trojan-activity;sid:84684038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ops4-base.travexin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820937/; classtype:trojan-activity;sid:84684037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.42.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820936/; classtype:trojan-activity;sid:84684036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-view.travexin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820935/; classtype:trojan-activity;sid:84684035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.187.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820934/; classtype:trojan-activity;sid:84684034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-load.travexin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820933/; classtype:trojan-activity;sid:84684033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.191.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820932/; classtype:trojan-activity;sid:84684032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.74.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820931/; classtype:trojan-activity;sid:84684031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tun1-pipe.travexin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820930/; classtype:trojan-activity;sid:84684030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820929/; classtype:trojan-activity;sid:84684029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.227.247.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820928/; classtype:trojan-activity;sid:84684028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-link.zeq7moral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820927/; classtype:trojan-activity;sid:84684027; rev:1;)
# Host 194.163.140.58: the "/zyre.<suffix>" entries that follow use suffixes that mostly look
# like CPU-architecture tags (arm4-arm7, i486, i686, m68k, mips, mpsl, ppc, ppc440, sh4, spc,
# x64, x86), alongside ".dbg", ".apk" and "/cat.sh". NOTE(review): inferred from the names
# only. Because each rule pins one exact path, a file on this host under a name that is not
# listed raises no alert; review all traffic to the host when any one of these rules fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm6"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820912/; classtype:trojan-activity;sid:84684012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm4"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820913/; classtype:trojan-activity;sid:84684013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x64"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820914/; classtype:trojan-activity;sid:84684014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mips"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820915/; classtype:trojan-activity;sid:84684015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.sh4"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820916/; classtype:trojan-activity;sid:84684016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mpsl"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820917/; classtype:trojan-activity;sid:84684017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.dbg"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820918/; classtype:trojan-activity;sid:84684018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i486"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820919/; classtype:trojan-activity;sid:84684019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm5"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820920/; classtype:trojan-activity;sid:84684020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820921/; classtype:trojan-activity;sid:84684021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i686"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820922/; classtype:trojan-activity;sid:84684022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm7"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820923/; classtype:trojan-activity;sid:84684023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.m68k"; depth:10; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820924/; classtype:trojan-activity;sid:84684024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.spc"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820925/; classtype:trojan-activity;sid:84684025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.apk"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820926/; classtype:trojan-activity;sid:84684026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc440"; depth:12; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820911/; classtype:trojan-activity;sid:84684011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820910/; classtype:trojan-activity;sid:84684010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-unit.zeq7moral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820909/; classtype:trojan-activity;sid:84684009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.187.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820908/; classtype:trojan-activity;sid:84684008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"disk4-path.zeq7moral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820907/; classtype:trojan-activity;sid:84684007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.214.246.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820906/; classtype:trojan-activity;sid:84684006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.85.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820905/; classtype:trojan-activity;sid:84684005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-list.zeq7moral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820903/; classtype:trojan-activity;sid:84684003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x86"; depth:9; endswith; nocase; http.host; content:"194.163.140.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820904/; classtype:trojan-activity;sid:84684004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-patch.zeq7moral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820902/; classtype:trojan-activity;sid:84684002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"186.227.247.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820901/; classtype:trojan-activity;sid:84684001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"run1-exec.zeq7moral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820900/; classtype:trojan-activity;sid:84684000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.214.246.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3820899/; classtype:trojan-activity;sid:84683999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3820898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.76.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820898/; classtype:trojan-activity;sid:84683998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-root.krinaxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820897/; classtype:trojan-activity;sid:84683997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-site.krinaxon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820896/; classtype:trojan-activity;sid:84683996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.188.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820895/; classtype:trojan-activity;sid:84683995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.10.25.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820894/; classtype:trojan-activity;sid:84683994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auth4-key.krinaxon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820893/; classtype:trojan-activity;sid:84683993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.215.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820892/; classtype:trojan-activity;sid:84683992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-join.krinaxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820891/; classtype:trojan-activity;sid:84683991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.232.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820890/; 
classtype:trojan-activity;sid:84683990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820889/; classtype:trojan-activity;sid:84683989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.76.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820888/; classtype:trojan-activity;sid:84683988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-test.krinaxon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820887/; classtype:trojan-activity;sid:84683987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.70.207"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820886/; classtype:trojan-activity;sid:84683986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820885)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"log1-audit.krinaxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820885/; classtype:trojan-activity;sid:84683985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.vo2xeral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820884/; classtype:trojan-activity;sid:84683984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.202.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820883/; classtype:trojan-activity;sid:84683983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-info.vo2xeral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820882/; classtype:trojan-activity;sid:84683982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.49.224.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820881/; classtype:trojan-activity;sid:84683981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.232.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820880/; classtype:trojan-activity;sid:84683980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820879/; classtype:trojan-activity;sid:84683979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.105.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820878/; classtype:trojan-activity;sid:84683978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"git4-repo.vo2xeral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820877/; classtype:trojan-activity;sid:84683977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3820876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.85.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820876/; classtype:trojan-activity;sid:84683976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.23.105.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820875/; classtype:trojan-activity;sid:84683975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-blob.vo2xeral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820874/; classtype:trojan-activity;sid:84683974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-meta.vo2xeral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820873/; classtype:trojan-activity;sid:84683973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"39.87.202.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820872/; classtype:trojan-activity;sid:84683972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"set1-init.vo2xeral.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820871/; classtype:trojan-activity;sid:84683971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-zone.drumavex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820870/; classtype:trojan-activity;sid:84683970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.75.79.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820869/; classtype:trojan-activity;sid:84683969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.99.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820868/; 
classtype:trojan-activity;sid:84683968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-ready.drumavex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820867/; classtype:trojan-activity;sid:84683967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.112.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820866/; classtype:trojan-activity;sid:84683966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.127.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820865/; classtype:trojan-activity;sid:84683965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"db4-store.drumavex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820864/; classtype:trojan-activity;sid:84683964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820863)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.20.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820863/; classtype:trojan-activity;sid:84683963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.23.105.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820862/; classtype:trojan-activity;sid:84683962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/znk.exe"; depth:8; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820861/; classtype:trojan-activity;sid:84683961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-fast.drumavex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820860/; classtype:trojan-activity;sid:84683960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.70.207"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820859/; classtype:trojan-activity;sid:84683959; rev:1;)
# Rule shape used throughout this feed: an outbound GET from $HOME_NET whose
# normalized URI equals the listed path (depth equals the pattern length and
# endswith anchors the end; nocase makes the path case-insensitive) and whose
# Host value equals the listed host (depth plus isdataat:!1,relative leaves no
# room for extra bytes). These are exact-match indicators, so any change in
# path or host on the serving side needs a new rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.179.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820858/; classtype:trojan-activity;sid:84683958; rev:1;)
# The same 82-byte path is used by other rules in this feed under different
# *.in.net hostnames; each hostname carries its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-call.drumavex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820857/; classtype:trojan-activity;sid:84683957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.114.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820856/; classtype:trojan-activity;sid:84683956; rev:1;)
# NOTE(review): this signature inspects cleartext HTTP only (alert http with
# http.uri / http.host). raw.githubusercontent.com is a shared hosting domain,
# so the Host value by itself is not an indicator; the detection rests on the
# exact repository path. If the file is fetched over HTTPS the request is not
# visible to this rule unless TLS is decrypted ahead of the sensor. Confirm
# the scheme on the referenced URLhaus entry before relying on this sid for
# coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/professor9-sys/oldlauncher928/refs/heads/main/woofer.rar"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820855/; classtype:trojan-activity;sid:84683955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820854)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.75.79.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820854/; classtype:trojan-activity;sid:84683954; rev:1;)
# Each rule here alerts on an outbound GET from $HOME_NET whose normalized URI
# equals the listed path (depth equals the pattern length, endswith anchors the
# end, nocase ignores case) and whose Host value equals the listed host (depth
# plus isdataat:!1,relative). Matching is exact on both buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"box1-state.drumavex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820853/; classtype:trojan-activity;sid:84683953; rev:1;)
# NOTE(review): cleartext-HTTP signature against a shared hosting domain. The
# Host value raw.githubusercontent.com is not an indicator on its own; only
# the exact repository path makes this specific. A fetch over HTTPS is not
# visible to this rule unless TLS is decrypted ahead of the sensor. Confirm
# the scheme on the referenced URLhaus entry before counting this sid as
# coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/professor9-sys/oldlauncher928/refs/heads/main/cmd.bat"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820852/; classtype:trojan-activity;sid:84683952; rev:1;)
# This rule and the one that follows it share the host cloudstorage-hub.com
# and differ only in the URI path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get-launcher.php"; depth:17; endswith; nocase; http.host; content:"cloudstorage-hub.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820850/; classtype:trojan-activity;sid:84683950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/launches/8dacc96a6f17691cdbd7f9eacf910b0137af51f0.exe"; depth:54; endswith; nocase; 
http.host; content:"cloudstorage-hub.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820849/; classtype:trojan-activity;sid:84683949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.pra6lixon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820848/; classtype:trojan-activity;sid:84683948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.114.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820847/; classtype:trojan-activity;sid:84683947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.200.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820846/; classtype:trojan-activity;sid:84683946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.112.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820845/; classtype:trojan-activity;sid:84683945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3820844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-flow.pra6lixon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820844/; classtype:trojan-activity;sid:84683944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.35.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820843/; classtype:trojan-activity;sid:84683943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.112.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820842/; classtype:trojan-activity;sid:84683942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"job4-task.pra6lixon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820841/; classtype:trojan-activity;sid:84683941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820840)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-soft.pra6lixon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820840/; classtype:trojan-activity;sid:84683940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-push.pra6lixon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820839/; classtype:trojan-activity;sid:84683939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.72.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820838/; classtype:trojan-activity;sid:84683938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.72.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820837/; classtype:trojan-activity;sid:84683937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"eth1-link.pra6lixon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820836/; classtype:trojan-activity;sid:84683936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.200.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820835/; classtype:trojan-activity;sid:84683935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-hub.xelvarinox.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820834/; classtype:trojan-activity;sid:84683934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-mesh.xelvarinox.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820833/; classtype:trojan-activity;sid:84683933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.38.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820832/; 
classtype:trojan-activity;sid:84683932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.31.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820831/; classtype:trojan-activity;sid:84683931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pod4-sync.xelvarinox.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820830/; classtype:trojan-activity;sid:84683930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.92.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820829/; classtype:trojan-activity;sid:84683929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-core.xelvarinox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820828/; classtype:trojan-activity;sid:84683928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820827)"; 
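flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.227.116.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820827/; classtype:trojan-activity;sid:84683927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-route.xelvarinox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820826/; classtype:trojan-activity;sid:84683926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mon1-check.xelvarinox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820825/; classtype:trojan-activity;sid:84683925; rev:1;)
# sid 84683924: the http.uri pattern below is 24 bytes once decoded, because |3f|
# is the hex escape for the single byte "?". The feed shipped depth:27, which looks
# like the escape was counted as four characters. Together with endswith, depth:27
# also accepts a URI with up to three extra leading bytes, so the rule was not the
# exact-URI match that the neighbouring rules get from depth == pattern length.
# depth is set to 24 here; the http.host depth:27 is correct (27-byte host name).
# This is a local correction to a generated feed: the next URLhaus update will
# overwrite it unless the generator is fixed upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=pxjltvwqzvthsbvh"; depth:24; endswith; nocase; http.host; content:"ef8qorio.latat-long.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820824/; classtype:trojan-activity;sid:84683924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 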
content:"219.155.63.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820823/; classtype:trojan-activity;sid:84683923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.213.235.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820822/; classtype:trojan-activity;sid:84683922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pay"; depth:9; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820821/; classtype:trojan-activity;sid:84683921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.38.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820820/; classtype:trojan-activity;sid:84683920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.254.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820819/; classtype:trojan-activity;sid:84683919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820816)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/w2.sh"; depth:6; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820816/; classtype:trojan-activity;sid:84683916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/telnet.sh"; depth:10; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820817/; classtype:trojan-activity;sid:84683917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jg.sh"; depth:6; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820818/; classtype:trojan-activity;sid:84683918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-c0upon.kazan-saddle.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820815/; classtype:trojan-activity;sid:84683915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.227.116.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820814/; 
classtype:trojan-activity;sid:84683914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zmxa.kazan-saddle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820813/; classtype:trojan-activity;sid:84683913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nvgsw.kazan-saddle.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820812/; classtype:trojan-activity;sid:84683912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stitch-spool.kazan-saddle.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820811/; classtype:trojan-activity;sid:84683911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.254.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820810/; classtype:trojan-activity;sid:84683910; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tyvp2rya.kazan-saddle.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820809/; classtype:trojan-activity;sid:84683909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.109.212.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820808/; classtype:trojan-activity;sid:84683908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"couponfir.kazan-saddle.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820807/; classtype:trojan-activity;sid:84683907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.254.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820806/; classtype:trojan-activity;sid:84683906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820805)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fernoak.inform2tunleaven.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820805/; classtype:trojan-activity;sid:84683905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scre-dust.inform2tunleaven.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820804/; classtype:trojan-activity;sid:84683904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kel-fluxis.inform2tunleaven.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820803/; classtype:trojan-activity;sid:84683903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.209.242.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820802/; classtype:trojan-activity;sid:84683902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820801)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bhbl.inform2tunleaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820801/; classtype:trojan-activity;sid:84683901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.109.212.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820800/; classtype:trojan-activity;sid:84683900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.226.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820799/; classtype:trojan-activity;sid:84683899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dirmod.inform2tunleaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820798/; classtype:trojan-activity;sid:84683898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.231.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; 
reference:url, urlhaus.abuse.ch/url/3820797/; classtype:trojan-activity;sid:84683897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"equitysail.inform2tunleaven.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820796/; classtype:trojan-activity;sid:84683896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jzdq.ditch-obscene.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820795/; classtype:trojan-activity;sid:84683895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shif-well.ditch-obscene.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820794/; classtype:trojan-activity;sid:84683894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.185.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820793/; 
classtype:trojan-activity;sid:84683893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.135.42.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820792/; classtype:trojan-activity;sid:84683892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3zpnkdk.ditch-obscene.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820791/; classtype:trojan-activity;sid:84683891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-5ynta.ditch-obscene.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820790/; classtype:trojan-activity;sid:84683890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guafux.ditch-obscene.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820789/; classtype:trojan-activity;sid:84683889; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.183.184.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820788/; classtype:trojan-activity;sid:84683888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.231.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820787/; classtype:trojan-activity;sid:84683887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.183.184.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820786/; classtype:trojan-activity;sid:84683886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"psnwbo.ditch-obscene.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820785/; classtype:trojan-activity;sid:84683885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.239.136"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820784/; classtype:trojan-activity;sid:84683884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bv9fw.chuv2shfile.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820783/; classtype:trojan-activity;sid:84683883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fafitgz.chuv2shfile.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820782/; classtype:trojan-activity;sid:84683882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.94.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820781/; classtype:trojan-activity;sid:84683881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.94.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820780/; classtype:trojan-activity;sid:84683880; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vendorwhole.chuv2shfile.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820779/; classtype:trojan-activity;sid:84683879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.157.23.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820778/; classtype:trojan-activity;sid:84683878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p3ak-path.chuv2shfile.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820777/; classtype:trojan-activity;sid:84683877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820776/; classtype:trojan-activity;sid:84683876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820775)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kawjhm.chuv2shfile.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820775/; classtype:trojan-activity;sid:84683875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.239.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820774/; classtype:trojan-activity;sid:84683874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sercrestar.chuv2shfile.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820773/; classtype:trojan-activity;sid:84683873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"softcamp.multip-lway.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820772/; classtype:trojan-activity;sid:84683872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820771)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"caveazure.multip-lway.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820771/; classtype:trojan-activity;sid:84683871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.239.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820770/; classtype:trojan-activity;sid:84683870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-pr1v.multip-lway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820769/; classtype:trojan-activity;sid:84683869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"garde-rave.multip-lway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820768/; classtype:trojan-activity;sid:84683868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"175.43.135.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820767/; classtype:trojan-activity;sid:84683867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"g0lden4-mark.multip-lway.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820766/; classtype:trojan-activity;sid:84683866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.67.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820765/; classtype:trojan-activity;sid:84683865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5urv-pulse.multip-lway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820764/; classtype:trojan-activity;sid:84683864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.116.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820763/; 
classtype:trojan-activity;sid:84683863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.239.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820762/; classtype:trojan-activity;sid:84683862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"easturban.oguzok7ye.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820761/; classtype:trojan-activity;sid:84683861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3ndp1-reach.oguzok7ye.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820760/; classtype:trojan-activity;sid:84683860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.190.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820759/; classtype:trojan-activity;sid:84683859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820758)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"704swp.oguzok7ye.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820758/; classtype:trojan-activity;sid:84683858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smar-disc.oguzok7ye.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820757/; classtype:trojan-activity;sid:84683857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.67.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820756/; classtype:trojan-activity;sid:84683856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talspireis4.oguzok7ye.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820755/; classtype:trojan-activity;sid:84683855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820754)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.165.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820754/; classtype:trojan-activity;sid:84683854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.137.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820753/; classtype:trojan-activity;sid:84683853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.190.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820752/; classtype:trojan-activity;sid:84683852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.234.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820750/; classtype:trojan-activity;sid:84683850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wceemv.oguzok7ye.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820751/; classtype:trojan-activity;sid:84683851; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"basicmas.onepal-liat.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820749/; classtype:trojan-activity;sid:84683849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nordraex4.onepal-liat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820748/; classtype:trojan-activity;sid:84683848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scanmodel.onepal-liat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820747/; classtype:trojan-activity;sid:84683847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shal6-stream.onepal-liat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820746/; 
classtype:trojan-activity;sid:84683846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.235.109.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820745/; classtype:trojan-activity;sid:84683845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820744/; classtype:trojan-activity;sid:84683844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.137.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820743/; classtype:trojan-activity;sid:84683843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.152.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820742/; classtype:trojan-activity;sid:84683842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"arkmesh2ex.onepal-liat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820741/; classtype:trojan-activity;sid:84683841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mh4j.onepal-liat.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820740/; classtype:trojan-activity;sid:84683840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.72.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820739/; classtype:trojan-activity;sid:84683839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.72.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820738/; classtype:trojan-activity;sid:84683838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shell.aspx.jpg"; depth:15; endswith; nocase; http.host; content:"185.139.215.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820735/; classtype:trojan-activity;sid:84683835; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shell.jpg"; depth:10; endswith; nocase; http.host; content:"185.139.215.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820736/; classtype:trojan-activity;sid:84683836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shell.asp.jpg"; depth:14; endswith; nocase; http.host; content:"185.139.215.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820737/; classtype:trojan-activity;sid:84683837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gmzhuq.phoniche1lo.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820734/; classtype:trojan-activity;sid:84683834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.166.188.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820733/; classtype:trojan-activity;sid:84683833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.114.93"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820732/; classtype:trojan-activity;sid:84683832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4kreqbfj.phoniche1lo.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820731/; classtype:trojan-activity;sid:84683831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.mipsel"; depth:13; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820727/; classtype:trojan-activity;sid:84683827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.mips"; depth:11; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820728/; classtype:trojan-activity;sid:84683828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.aarch64"; depth:14; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820729/; classtype:trojan-activity;sid:84683829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.armv7l"; depth:13; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820730/; classtype:trojan-activity;sid:84683830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820726/; classtype:trojan-activity;sid:84683826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud.x86_64"; depth:13; endswith; nocase; http.host; content:"176.125.242.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820725/; classtype:trojan-activity;sid:84683825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d1malk.phoniche1lo.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820724/; classtype:trojan-activity;sid:84683824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.252.54"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820723/; classtype:trojan-activity;sid:84683823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820722/; classtype:trojan-activity;sid:84683822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid6-layer.phoniche1lo.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820721/; classtype:trojan-activity;sid:84683821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.227.35.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820720/; classtype:trojan-activity;sid:84683820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"threadtrusted.phoniche1lo.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820719/; classtype:trojan-activity;sid:84683819; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.176.197.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820718/; classtype:trojan-activity;sid:84683818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-rnerge.phoniche1lo.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820717/; classtype:trojan-activity;sid:84683817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release0304.apk"; depth:16; endswith; nocase; http.host; content:"81.177.213.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820716/; classtype:trojan-activity;sid:84683816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.227.35.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820715/; classtype:trojan-activity;sid:84683815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820714)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-fact0r.baptis-midwife.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820714/; classtype:trojan-activity;sid:84683814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.193.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820713/; classtype:trojan-activity;sid:84683813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.0.102"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820712/; classtype:trojan-activity;sid:84683812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"29223qf.baptis-midwife.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820711/; classtype:trojan-activity;sid:84683811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"03dg.baptis-midwife.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820710/; classtype:trojan-activity;sid:84683810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-reta1n.baptis-midwife.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820709/; classtype:trojan-activity;sid:84683809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zentide2en.baptis-midwife.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820708/; classtype:trojan-activity;sid:84683808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.176.197.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820707/; classtype:trojan-activity;sid:84683807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"75gy.baptis-midwife.in.net"; depth:26; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820706/; classtype:trojan-activity;sid:84683806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loacascad.morphinve8et.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820705/; classtype:trojan-activity;sid:84683805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.193.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820704/; classtype:trojan-activity;sid:84683804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.113.206.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820703/; classtype:trojan-activity;sid:84683803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"triflux3ar.morphinve8et.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820702/; classtype:trojan-activity;sid:84683802; rev:1;) 
# Shared template for the rules below: an established client-side GET from $HOME_NET to $EXTERNAL_NET.
# http.uri is anchored with depth + endswith (nocase), and http.host with depth + isdataat:!1,relative.
# Where depth equals the pattern length, this is an exact match on one URI at one host.
# The msg and reference fields carry the URLhaus entry id for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.55.14.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820701/; classtype:trojan-activity;sid:84683801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.154.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820700/; classtype:trojan-activity;sid:84683800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"form4l-flow.morphinve8et.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820699/; classtype:trojan-activity;sid:84683799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"observe-mesh.morphinve8et.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820698/; classtype:trojan-activity;sid:84683798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.47.179"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820697/; classtype:trojan-activity;sid:84683797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vellineen7.morphinve8et.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820696/; classtype:trojan-activity;sid:84683796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.229.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820695/; classtype:trojan-activity;sid:84683795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3xte-array.morphinve8et.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820694/; classtype:trojan-activity;sid:84683794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9duu.over-tatake.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820693/; classtype:trojan-activity;sid:84683793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelmark6a.over-tatake.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820692/; classtype:trojan-activity;sid:84683792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8265490257/eucpk5x.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820691/; classtype:trojan-activity;sid:84683791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/structure_14.3495_install.exe"; depth:30; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820690/; classtype:trojan-activity;sid:84683790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/responsive_25.2509.7987_install.exe"; depth:36; endswith; nocase; http.host; content:"196.251.107.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820689/; classtype:trojan-activity;sid:84683789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"autumnlayer.over-tatake.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820688/; classtype:trojan-activity;sid:84683788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"frost-sync.over-tatake.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820687/; classtype:trojan-activity;sid:84683787; rev:1;)
# NOTE(review): the next two rules (sid 84683786, 84683785) likely never fire on the URL they were built from.
# Each |7c| is an escaped pipe, so the pattern decodes to the literal text "/?=check|26||26|actmn=...".
# The "|26|" there is matched as four characters, not as the hex escape for "&".
# This looks like a double-escaped "&&" from rule generation. If the reported URL contained "&&",
# these rules do not match it. Confirm against the URLhaus entries in the reference fields.
# depth:53 is the length of the escaped string, but the decoded pattern is 38 bytes.
# So depth + endswith does not pin these to an exact URI: up to 15 leading bytes are tolerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=yaonhfdfbsxvcoeo"; depth:53; endswith; nocase; http.host; content:"2zjyp0pj.borschokf2dd.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820686/; classtype:trojan-activity;sid:84683786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=ooqncbszoqwuzrow"; depth:53; endswith; nocase; http.host; content:"9o394zg7.paragonbloomera.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820685/; classtype:trojan-activity;sid:84683785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t35t-cast.over-tatake.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820684/; classtype:trojan-activity;sid:84683784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pipeli-line.over-tatake.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820683/; classtype:trojan-activity;sid:84683783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.55.14.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820682/; classtype:trojan-activity;sid:84683782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nkkexjp.intersp5uspect.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820681/; classtype:trojan-activity;sid:84683781; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.95.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820680/; classtype:trojan-activity;sid:84683780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yjsmlbn.intersp5uspect.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820679/; classtype:trojan-activity;sid:84683779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serdrais8.intersp5uspect.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820678/; classtype:trojan-activity;sid:84683778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.141.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820677/; classtype:trojan-activity;sid:84683777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820676)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cleansensor.intersp5uspect.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820676/; classtype:trojan-activity;sid:84683776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.249.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820675/; classtype:trojan-activity;sid:84683775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ibpo.intersp5uspect.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820674/; classtype:trojan-activity;sid:84683774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crimso1-vector.intersp5uspect.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820673/; classtype:trojan-activity;sid:84683773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.227.158.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820672/; classtype:trojan-activity;sid:84683772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.59.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820671/; classtype:trojan-activity;sid:84683771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mn4wr.desola-tidle.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820670/; classtype:trojan-activity;sid:84683770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.158.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820669/; classtype:trojan-activity;sid:84683769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"checkmis.desola-tidle.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820668/; 
classtype:trojan-activity;sid:84683768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.120.0.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820667/; classtype:trojan-activity;sid:84683767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.249.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820666/; classtype:trojan-activity;sid:84683766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.159.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820665/; classtype:trojan-activity;sid:84683765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ptwc.desola-tidle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820664/; classtype:trojan-activity;sid:84683764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"115.52.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820663/; classtype:trojan-activity;sid:84683763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"me6z.desola-tidle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820662/; classtype:trojan-activity;sid:84683762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.154.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820661/; classtype:trojan-activity;sid:84683761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"03i6.desola-tidle.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820660/; classtype:trojan-activity;sid:84683760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.120.0.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820659/; classtype:trojan-activity;sid:84683759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59903.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820658/; classtype:trojan-activity;sid:84683758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.130.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820656/; classtype:trojan-activity;sid:84683756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820657/; classtype:trojan-activity;sid:84683757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62931.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820654/; classtype:trojan-activity;sid:84683754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820655)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"huvki.echi6under.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820655/; classtype:trojan-activity;sid:84683755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"safedocs-hub.info"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820652/; classtype:trojan-activity;sid:84683752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"photodocvault.info"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820653/; classtype:trojan-activity;sid:84683753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3nx4gks.desola-tidle.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820651/; classtype:trojan-activity;sid:84683751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"visapics.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820650/; classtype:trojan-activity;sid:84683750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"jdskl139sla.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820649/; classtype:trojan-activity;sid:84683749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekc0304/longboatchronometer.hta"; depth:33; endswith; nocase; http.host; content:"169.40.135.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820648/; classtype:trojan-activity;sid:84683748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekc0304/crablearned.hta"; depth:25; endswith; nocase; http.host; content:"169.40.135.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820647/; classtype:trojan-activity;sid:84683747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_145331.png"; depth:15; endswith; nocase; http.host; content:"grandvegasbet.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820646/; classtype:trojan-activity;sid:84683746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820645)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_62775.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820645/; classtype:trojan-activity;sid:84683745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96490.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820643/; classtype:trojan-activity;sid:84683743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54535.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820644/; classtype:trojan-activity;sid:84683744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08901.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820633/; classtype:trojan-activity;sid:84683733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07853.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820634/; classtype:trojan-activity;sid:84683734; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87118.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820635/; classtype:trojan-activity;sid:84683735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03497.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820636/; classtype:trojan-activity;sid:84683736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84846.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820637/; classtype:trojan-activity;sid:84683737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07367.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820638/; classtype:trojan-activity;sid:84683738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00279.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820639/; classtype:trojan-activity;sid:84683739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09934.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820640/; classtype:trojan-activity;sid:84683740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08811.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820641/; classtype:trojan-activity;sid:84683741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99389.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820642/; classtype:trojan-activity;sid:84683742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96565.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820624/; classtype:trojan-activity;sid:84683724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95394.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820625/; classtype:trojan-activity;sid:84683725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80947.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820626/; classtype:trojan-activity;sid:84683726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80947.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820627/; classtype:trojan-activity;sid:84683727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64432.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820628/; classtype:trojan-activity;sid:84683728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10936.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820629/; classtype:trojan-activity;sid:84683729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36347.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820630/; classtype:trojan-activity;sid:84683730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26708.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820631/; classtype:trojan-activity;sid:84683731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58173.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820632/; classtype:trojan-activity;sid:84683732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01899.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820620/; classtype:trojan-activity;sid:84683720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820621)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90077.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820621/; classtype:trojan-activity;sid:84683721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06020.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820622/; classtype:trojan-activity;sid:84683722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77949.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820623/; classtype:trojan-activity;sid:84683723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03331.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820619/; classtype:trojan-activity;sid:84683719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73024.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820613/; classtype:trojan-activity;sid:84683713; rev:1;)
#
# refundonex.com /cloud/form_NNNNN.pdf.{lnk,vbs,ps1} entries (created_at 2026_04_13)
#
# Each rule in this run corresponds to one URLhaus entry and fires on an
# outbound ($HOME_NET -> $EXTERNAL_NET, from_client) HTTP GET where:
#   - http.uri is exactly the listed 25-byte path: content + depth:25 pins the
#     start, endswith pins the end, nocase makes the comparison case-insensitive;
#   - http.host is exactly "refundonex.com": content + depth:14 pins the start,
#     isdataat:!1,relative requires that nothing follows the match.
#
# Coverage notes for analysts:
#   - "alert http" only matches traffic the engine parses as HTTP; a fetch of
#     the same host over TLS is not covered by these rules, so pair them with
#     DNS / TLS SNI detection for the host where that matters.
#   - Because of endswith, a request for the same path with a query string or
#     any other suffix does not match; these are exact-URL indicators, not
#     patterns for the whole /cloud/ path.
#   - Every path ends in .pdf.lnk, .pdf.vbs or .pdf.ps1, i.e. a document-looking
#     name carrying a shortcut or script extension. On a hit, check the client
#     for execution of the fetched file rather than treating the alert as a
#     blocked download.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27442.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820614/; classtype:trojan-activity;sid:84683714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95823.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820615/; classtype:trojan-activity;sid:84683715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07212.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820616/; classtype:trojan-activity;sid:84683716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15837.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820617/; classtype:trojan-activity;sid:84683717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71207.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820618/; classtype:trojan-activity;sid:84683718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71088.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820608/; classtype:trojan-activity;sid:84683708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07853.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820609/; classtype:trojan-activity;sid:84683709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99091.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820610/; classtype:trojan-activity;sid:84683710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36331.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820611/; classtype:trojan-activity;sid:84683711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85697.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820612/; classtype:trojan-activity;sid:84683712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96539.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820607/; classtype:trojan-activity;sid:84683707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06087.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820603/; classtype:trojan-activity;sid:84683703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13186.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820604/; classtype:trojan-activity;sid:84683704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37248.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820605/; classtype:trojan-activity;sid:84683705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96939.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820606/; classtype:trojan-activity;sid:84683706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98423.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820596/; classtype:trojan-activity;sid:84683696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72800.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820597/; classtype:trojan-activity;sid:84683697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22807.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820598/; classtype:trojan-activity;sid:84683698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00757.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820599/; classtype:trojan-activity;sid:84683699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35795.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820600/; classtype:trojan-activity;sid:84683700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79597.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820601/; classtype:trojan-activity;sid:84683701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27140.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820602/; classtype:trojan-activity;sid:84683702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03894.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820595/; classtype:trojan-activity;sid:84683695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03767.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820589/; classtype:trojan-activity;sid:84683689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99164.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820590/; classtype:trojan-activity;sid:84683690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19556.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820591/; classtype:trojan-activity;sid:84683691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41126.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820592/; classtype:trojan-activity;sid:84683692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17562.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820593/; classtype:trojan-activity;sid:84683693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38954.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820594/; classtype:trojan-activity;sid:84683694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79681.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820586/; classtype:trojan-activity;sid:84683686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49515.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820587/; classtype:trojan-activity;sid:84683687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31048.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820588/; classtype:trojan-activity;sid:84683688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94399.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820583/; classtype:trojan-activity;sid:84683683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24901.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820584/; classtype:trojan-activity;sid:84683684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85892.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820585/; classtype:trojan-activity;sid:84683685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46475.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820581/; classtype:trojan-activity;sid:84683681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57557.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820582/; classtype:trojan-activity;sid:84683682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49515.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820579/; classtype:trojan-activity;sid:84683679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68656.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820580/; classtype:trojan-activity;sid:84683680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15388.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820577/; classtype:trojan-activity;sid:84683677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80308.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820578/; classtype:trojan-activity;sid:84683678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17822.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820576/; classtype:trojan-activity;sid:84683676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23744.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820573/; classtype:trojan-activity;sid:84683673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94580.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820574/; classtype:trojan-activity;sid:84683674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39818.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820575/; classtype:trojan-activity;sid:84683675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72333.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820569/; classtype:trojan-activity;sid:84683669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28608.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820570/; classtype:trojan-activity;sid:84683670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21490.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820571/; classtype:trojan-activity;sid:84683671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84705.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820572/; classtype:trojan-activity;sid:84683672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57352.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820566/; classtype:trojan-activity;sid:84683666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46084.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820567/; classtype:trojan-activity;sid:84683667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04878.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820568/; classtype:trojan-activity;sid:84683668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88598.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820564/; classtype:trojan-activity;sid:84683664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98234.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820565/; classtype:trojan-activity;sid:84683665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54126.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820561/; classtype:trojan-activity;sid:84683661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53196.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820562/; classtype:trojan-activity;sid:84683662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61762.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820563/; classtype:trojan-activity;sid:84683663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37816.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820558/; classtype:trojan-activity;sid:84683658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28332.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820559/; classtype:trojan-activity;sid:84683659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20237.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820560/; classtype:trojan-activity;sid:84683660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78550.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820553/; classtype:trojan-activity;sid:84683653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94580.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820554/; classtype:trojan-activity;sid:84683654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51171.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820555/; classtype:trojan-activity;sid:84683655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47630.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820556/; classtype:trojan-activity;sid:84683656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81909.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820557/; classtype:trojan-activity;sid:84683657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45793.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820552/; classtype:trojan-activity;sid:84683652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74028.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820550/; classtype:trojan-activity;sid:84683650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50628.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820551/; classtype:trojan-activity;sid:84683651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50149.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820548/; classtype:trojan-activity;sid:84683648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72520.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820549/; classtype:trojan-activity;sid:84683649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22600.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820545/; classtype:trojan-activity;sid:84683645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85013.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820546/; classtype:trojan-activity;sid:84683646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21415.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820547/; classtype:trojan-activity;sid:84683647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86145.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820542/; classtype:trojan-activity;sid:84683642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77914.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820543/; classtype:trojan-activity;sid:84683643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04811.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820544/; classtype:trojan-activity;sid:84683644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94601.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820534/; classtype:trojan-activity;sid:84683634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97413.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820535/; classtype:trojan-activity;sid:84683635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86906.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820536/; classtype:trojan-activity;sid:84683636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01899.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820537/; classtype:trojan-activity;sid:84683637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99091.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820538/; classtype:trojan-activity;sid:84683638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61449.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820539/; classtype:trojan-activity;sid:84683639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49326.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820540/; classtype:trojan-activity;sid:84683640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67655.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820541/; classtype:trojan-activity;sid:84683641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25525.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820531/; classtype:trojan-activity;sid:84683631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49780.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820532/; classtype:trojan-activity;sid:84683632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01211.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820533/; classtype:trojan-activity;sid:84683633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17665.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820522/; classtype:trojan-activity;sid:84683622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62565.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820523/; classtype:trojan-activity;sid:84683623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06585.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820524/; classtype:trojan-activity;sid:84683624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93549.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820525/; classtype:trojan-activity;sid:84683625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91985.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820526/; classtype:trojan-activity;sid:84683626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78515.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820527/; classtype:trojan-activity;sid:84683627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60081.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820528/; classtype:trojan-activity;sid:84683628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18088.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820529/; classtype:trojan-activity;sid:84683629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96939.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820530/; classtype:trojan-activity;sid:84683630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85369.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820519/; classtype:trojan-activity;sid:84683619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83645.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820520/; classtype:trojan-activity;sid:84683620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52809.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820521/; classtype:trojan-activity;sid:84683621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18892.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820515/; classtype:trojan-activity;sid:84683615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820516)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_90767.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820516/; classtype:trojan-activity;sid:84683616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21927.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820517/; classtype:trojan-activity;sid:84683617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45698.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820518/; classtype:trojan-activity;sid:84683618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38427.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820514/; classtype:trojan-activity;sid:84683614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17822.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820512/; classtype:trojan-activity;sid:84683612; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22739.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820513/; classtype:trojan-activity;sid:84683613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74798.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820508/; classtype:trojan-activity;sid:84683608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06239.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820509/; classtype:trojan-activity;sid:84683609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12487.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820510/; classtype:trojan-activity;sid:84683610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46899.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820511/; classtype:trojan-activity;sid:84683611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63667.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820505/; classtype:trojan-activity;sid:84683605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85262.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820506/; classtype:trojan-activity;sid:84683606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19180.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820507/; classtype:trojan-activity;sid:84683607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95365.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820503/; classtype:trojan-activity;sid:84683603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18869.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820504/; classtype:trojan-activity;sid:84683604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43627.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820496/; classtype:trojan-activity;sid:84683596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96986.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820497/; classtype:trojan-activity;sid:84683597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81592.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820498/; classtype:trojan-activity;sid:84683598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41312.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820499/; classtype:trojan-activity;sid:84683599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21012.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820500/; classtype:trojan-activity;sid:84683600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21336.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820501/; classtype:trojan-activity;sid:84683601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31218.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820502/; classtype:trojan-activity;sid:84683602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96608.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820492/; classtype:trojan-activity;sid:84683592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820493)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87057.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820493/; classtype:trojan-activity;sid:84683593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74209.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820494/; classtype:trojan-activity;sid:84683594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23911.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820495/; classtype:trojan-activity;sid:84683595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61212.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820485/; classtype:trojan-activity;sid:84683585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99237.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820486/; classtype:trojan-activity;sid:84683586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24655.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820487/; classtype:trojan-activity;sid:84683587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14079.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820488/; classtype:trojan-activity;sid:84683588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65652.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820489/; classtype:trojan-activity;sid:84683589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72999.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820490/; classtype:trojan-activity;sid:84683590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820491)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_05816.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820491/; classtype:trojan-activity;sid:84683591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23564.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820483/; classtype:trojan-activity;sid:84683583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89789.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820484/; classtype:trojan-activity;sid:84683584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68148.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820478/; classtype:trojan-activity;sid:84683578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54354.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820479/; classtype:trojan-activity;sid:84683579; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24993.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820480/; classtype:trojan-activity;sid:84683580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31160.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820481/; classtype:trojan-activity;sid:84683581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21152.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820482/; classtype:trojan-activity;sid:84683582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20799.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820473/; classtype:trojan-activity;sid:84683573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75813.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820474/; classtype:trojan-activity;sid:84683574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69212.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820475/; classtype:trojan-activity;sid:84683575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26022.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820476/; classtype:trojan-activity;sid:84683576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00088.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820477/; classtype:trojan-activity;sid:84683577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38954.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820470/; classtype:trojan-activity;sid:84683570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49196.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820471/; classtype:trojan-activity;sid:84683571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39469.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820472/; classtype:trojan-activity;sid:84683572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83418.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820465/; classtype:trojan-activity;sid:84683565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17665.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820466/; classtype:trojan-activity;sid:84683566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94326.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820467/; classtype:trojan-activity;sid:84683567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60056.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820468/; classtype:trojan-activity;sid:84683568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39670.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820469/; classtype:trojan-activity;sid:84683569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73549.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820462/; classtype:trojan-activity;sid:84683562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24655.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820463/; classtype:trojan-activity;sid:84683563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820464)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73779.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820464/; classtype:trojan-activity;sid:84683564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96783.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820460/; classtype:trojan-activity;sid:84683560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84071.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820461/; classtype:trojan-activity;sid:84683561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41093.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820457/; classtype:trojan-activity;sid:84683557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64307.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820458/; classtype:trojan-activity;sid:84683558; rev:1;)
# Reading these rules: every signature in this run has the same shape and
# differs only in the URLhaus id, the URI, the host and the sid.
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with
#     `flow:established,from_client` and http.method "GET": alerts on an
#     outbound GET request on an established flow.
#   - http.uri content with `depth` equal to the string length plus `endswith`:
#     the normalized URI has to equal the listed path (case-insensitive because
#     of `nocase`). The same file requested with a query string appended, or
#     under another path, does not match.
#   - http.host content with `depth` equal to the string length plus
#     `isdataat:!1,relative`: the host buffer has to equal the listed name,
#     with nothing after it.
# Coverage notes for deployment: these are per-URL indicators on cleartext
# HTTP; the same URL fetched over TLS is not visible to an `http` rule unless
# the sensor sees decrypted traffic. An alert shows that a client requested
# the URL, not that the download completed or was executed, so confirm with
# the response and endpoint telemetry. The `reference` option names the
# URLhaus entry to use for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37394.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820459/; classtype:trojan-activity;sid:84683559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11740.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820453/; classtype:trojan-activity;sid:84683553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30425.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820454/; classtype:trojan-activity;sid:84683554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96673.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820455/; classtype:trojan-activity;sid:84683555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09934.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820456/; classtype:trojan-activity;sid:84683556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71207.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820446/; classtype:trojan-activity;sid:84683546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10931.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820447/; classtype:trojan-activity;sid:84683547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81664.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820448/; classtype:trojan-activity;sid:84683548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81664.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820449/; classtype:trojan-activity;sid:84683549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36677.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820450/; classtype:trojan-activity;sid:84683550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17113.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820451/; classtype:trojan-activity;sid:84683551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87951.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820452/; classtype:trojan-activity;sid:84683552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80321.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820442/; classtype:trojan-activity;sid:84683542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69452.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820443/; classtype:trojan-activity;sid:84683543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85753.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820444/; classtype:trojan-activity;sid:84683544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06716.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820445/; classtype:trojan-activity;sid:84683545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69975.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820438/; classtype:trojan-activity;sid:84683538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30425.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820439/; classtype:trojan-activity;sid:84683539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65803.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820440/; classtype:trojan-activity;sid:84683540; rev:1;)
# Pattern note: the rules in this part of the file all name the host
# "refundonex.com" and URIs of the form /cloud/form_<5 digits>.pdf.<ext>, with
# <ext> one of vbs, lnk or ps1 -- a script or shortcut file whose name carries
# a ".pdf" double extension. Some form numbers recur with a different
# extension elsewhere in this run (form_17113 below as .vbs, earlier as .lnk).
# Each rule pins one exact URI, so a file name the feed has not listed is not
# covered by these signatures; reviewing proxy and DNS logs for the host
# itself, and a generic detection for ".pdf.<script extension>" downloads,
# complement them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95823.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820441/; classtype:trojan-activity;sid:84683541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95559.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820434/; classtype:trojan-activity;sid:84683534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84276.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820435/; classtype:trojan-activity;sid:84683535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22301.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820436/; classtype:trojan-activity;sid:84683536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71145.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820437/; classtype:trojan-activity;sid:84683537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31160.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820430/; classtype:trojan-activity;sid:84683530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06835.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820431/; classtype:trojan-activity;sid:84683531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91790.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820432/; classtype:trojan-activity;sid:84683532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24070.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820433/; classtype:trojan-activity;sid:84683533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95015.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820422/; classtype:trojan-activity;sid:84683522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53313.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820423/; classtype:trojan-activity;sid:84683523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57557.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820424/; classtype:trojan-activity;sid:84683524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79849.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820425/; classtype:trojan-activity;sid:84683525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34096.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820426/; classtype:trojan-activity;sid:84683526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45753.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820427/; classtype:trojan-activity;sid:84683527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50616.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820428/; classtype:trojan-activity;sid:84683528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87491.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820429/; classtype:trojan-activity;sid:84683529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70351.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820416/; classtype:trojan-activity;sid:84683516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33122.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820417/; classtype:trojan-activity;sid:84683517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83777.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820418/; classtype:trojan-activity;sid:84683518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58832.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820419/; classtype:trojan-activity;sid:84683519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05816.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820420/; classtype:trojan-activity;sid:84683520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38901.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820421/; classtype:trojan-activity;sid:84683521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71512.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820414/; classtype:trojan-activity;sid:84683514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02148.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820415/; classtype:trojan-activity;sid:84683515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17113.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820410/; classtype:trojan-activity;sid:84683510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87057.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820411/; classtype:trojan-activity;sid:84683511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50999.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820412/; classtype:trojan-activity;sid:84683512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27177.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820413/; classtype:trojan-activity;sid:84683513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50298.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820407/; classtype:trojan-activity;sid:84683507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51173.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820408/; classtype:trojan-activity;sid:84683508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85498.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820409/; classtype:trojan-activity;sid:84683509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91107.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820401/; classtype:trojan-activity;sid:84683501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55259.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820402/; classtype:trojan-activity;sid:84683502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33967.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820403/; classtype:trojan-activity;sid:84683503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15791.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820404/; classtype:trojan-activity;sid:84683504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22174.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820405/; classtype:trojan-activity;sid:84683505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91478.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820406/; classtype:trojan-activity;sid:84683506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98790.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820400/; classtype:trojan-activity;sid:84683500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76404.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820394/; classtype:trojan-activity;sid:84683494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75982.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820395/; classtype:trojan-activity;sid:84683495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27442.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820396/; classtype:trojan-activity;sid:84683496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42486.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820397/; classtype:trojan-activity;sid:84683497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83940.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820398/; classtype:trojan-activity;sid:84683498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64266.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820399/; classtype:trojan-activity;sid:84683499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86869.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820390/; classtype:trojan-activity;sid:84683490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29513.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820391/; classtype:trojan-activity;sid:84683491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92463.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820392/; classtype:trojan-activity;sid:84683492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97420.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820393/; classtype:trojan-activity;sid:84683493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95692.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820383/; classtype:trojan-activity;sid:84683483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25906.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820384/; classtype:trojan-activity;sid:84683484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26253.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820385/; classtype:trojan-activity;sid:84683485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03894.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820386/; classtype:trojan-activity;sid:84683486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54805.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820387/; classtype:trojan-activity;sid:84683487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97413.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820388/; classtype:trojan-activity;sid:84683488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91513.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820389/; classtype:trojan-activity;sid:84683489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36782.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820376/; classtype:trojan-activity;sid:84683476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67925.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820377/; classtype:trojan-activity;sid:84683477; rev:1;)
# The next rule is the one entry in this run for a different host and a
# different kind of name: a ".png" URI on "bgurbey.great-site.net". The feed
# lists it as a malware download URL like the others, so the extension should
# not be read as the content type; triage on the response body and file hash
# rather than on the file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_051935.png"; depth:15; endswith; nocase; http.host; content:"bgurbey.great-site.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820378/; classtype:trojan-activity;sid:84683478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39804.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820379/; classtype:trojan-activity;sid:84683479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26917.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820380/; classtype:trojan-activity;sid:84683480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15861.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820381/; classtype:trojan-activity;sid:84683481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36223.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820382/; classtype:trojan-activity;sid:84683482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66017.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820374/; classtype:trojan-activity;sid:84683474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83497.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820375/; classtype:trojan-activity;sid:84683475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85095.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820372/; classtype:trojan-activity;sid:84683472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45753.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820373/; classtype:trojan-activity;sid:84683473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34235.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820369/; classtype:trojan-activity;sid:84683469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84107.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820370/; classtype:trojan-activity;sid:84683470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07400.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820371/; classtype:trojan-activity;sid:84683471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06072.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820368/; classtype:trojan-activity;sid:84683468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16922.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820366/; classtype:trojan-activity;sid:84683466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820367)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25723.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820367/; classtype:trojan-activity;sid:84683467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86171.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820363/; classtype:trojan-activity;sid:84683463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49317.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820364/; classtype:trojan-activity;sid:84683464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89593.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820365/; classtype:trojan-activity;sid:84683465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45429.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820358/; classtype:trojan-activity;sid:84683458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91985.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820359/; classtype:trojan-activity;sid:84683459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77434.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820360/; classtype:trojan-activity;sid:84683460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23255.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820361/; classtype:trojan-activity;sid:84683461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61120.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820362/; classtype:trojan-activity;sid:84683462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820354)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_35478.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820354/; classtype:trojan-activity;sid:84683454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16459.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820355/; classtype:trojan-activity;sid:84683455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34561.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820356/; classtype:trojan-activity;sid:84683456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25188.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820357/; classtype:trojan-activity;sid:84683457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94040.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820349/; classtype:trojan-activity;sid:84683449; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_897893.pdf.ps1"; depth:26; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820350/; classtype:trojan-activity;sid:84683450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96565.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820351/; classtype:trojan-activity;sid:84683451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59572.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820352/; classtype:trojan-activity;sid:84683452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97426.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820353/; classtype:trojan-activity;sid:84683453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22739.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820346/; classtype:trojan-activity;sid:84683446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87554.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820347/; classtype:trojan-activity;sid:84683447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11594.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820348/; classtype:trojan-activity;sid:84683448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43024.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820344/; classtype:trojan-activity;sid:84683444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21473.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820345/; classtype:trojan-activity;sid:84683445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24663.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820341/; classtype:trojan-activity;sid:84683441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66268.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820342/; classtype:trojan-activity;sid:84683442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52860.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820343/; classtype:trojan-activity;sid:84683443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28403.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820324/; classtype:trojan-activity;sid:84683424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60502.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820325/; classtype:trojan-activity;sid:84683425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60727.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820326/; classtype:trojan-activity;sid:84683426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77494.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820327/; classtype:trojan-activity;sid:84683427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83777.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820328/; classtype:trojan-activity;sid:84683428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96498.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820329/; classtype:trojan-activity;sid:84683429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820330)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96986.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820330/; classtype:trojan-activity;sid:84683430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18869.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820331/; classtype:trojan-activity;sid:84683431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10789.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820332/; classtype:trojan-activity;sid:84683432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04811.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820333/; classtype:trojan-activity;sid:84683433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91513.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820334/; classtype:trojan-activity;sid:84683434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07352.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820335/; classtype:trojan-activity;sid:84683435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46190.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820336/; classtype:trojan-activity;sid:84683436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91747.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820337/; classtype:trojan-activity;sid:84683437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20299.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820338/; classtype:trojan-activity;sid:84683438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820339)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_33769.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820339/; classtype:trojan-activity;sid:84683439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12487.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820340/; classtype:trojan-activity;sid:84683440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65349.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820320/; classtype:trojan-activity;sid:84683420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81612.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820321/; classtype:trojan-activity;sid:84683421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25736.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820322/; classtype:trojan-activity;sid:84683422; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64830.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820323/; classtype:trojan-activity;sid:84683423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55337.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820319/; classtype:trojan-activity;sid:84683419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39368.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820314/; classtype:trojan-activity;sid:84683414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22704.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820315/; classtype:trojan-activity;sid:84683415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02192.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820316/; classtype:trojan-activity;sid:84683416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91513.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820317/; classtype:trojan-activity;sid:84683417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10789.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820318/; classtype:trojan-activity;sid:84683418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97776.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820310/; classtype:trojan-activity;sid:84683410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26730.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820311/; classtype:trojan-activity;sid:84683411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00535.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820312/; classtype:trojan-activity;sid:84683412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46359.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820313/; classtype:trojan-activity;sid:84683413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54935.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820307/; classtype:trojan-activity;sid:84683407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42022.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820308/; classtype:trojan-activity;sid:84683408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67100.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820309/; classtype:trojan-activity;sid:84683409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06585.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820304/; classtype:trojan-activity;sid:84683404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96580.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820305/; classtype:trojan-activity;sid:84683405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84792.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820306/; classtype:trojan-activity;sid:84683406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64220.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820301/; classtype:trojan-activity;sid:84683401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820302)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69721.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820302/; classtype:trojan-activity;sid:84683402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85706.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820303/; classtype:trojan-activity;sid:84683403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48040.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820300/; classtype:trojan-activity;sid:84683400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89541.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820297/; classtype:trojan-activity;sid:84683397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00492.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820298/; classtype:trojan-activity;sid:84683398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58832.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820299/; classtype:trojan-activity;sid:84683399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14388.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820293/; classtype:trojan-activity;sid:84683393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84705.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820294/; classtype:trojan-activity;sid:84683394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60726.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820295/; classtype:trojan-activity;sid:84683395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820296)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_26730.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820296/; classtype:trojan-activity;sid:84683396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73129.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820290/; classtype:trojan-activity;sid:84683390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13881.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820291/; classtype:trojan-activity;sid:84683391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72346.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820292/; classtype:trojan-activity;sid:84683392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bmiskak.txt"; depth:12; endswith; nocase; http.host; content:"water.s3.cubbit.eu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820285/; classtype:trojan-activity;sid:84683385; rev:1;) 
# Review notes for the URLhaus per-URL rules that follow (host "refundonex.com",
# paths of the form /cloud/form_NNNNN.pdf.lnk, .pdf.vbs and .pdf.ps1):
# - Every option inspects the client request only (flow:established,from_client;
#   http.method "GET"; http.uri; http.host). An alert shows that the URL was
#   requested, not that a payload came back; check the HTTP response and file
#   logs for the flow before treating the client as compromised.
# - URI and Host are matched as whole-buffer values: depth equals the content
#   length, and endswith / isdataat:!1,relative reject any trailing bytes. The
#   same path with a query string appended, or a different host name serving
#   the same path, does not match.
# - "alert http" only covers traffic that Suricata parses as HTTP; a fetch of
#   the same URL over TLS is not covered by these rules unless it is decrypted
#   upstream of the sensor.
# - These are dated indicators (metadata:created_at 2026_04_13).
#   NOTE(review): the many one-path rules for this host suggest a host-level
#   DNS or TLS SNI detection would be a useful complement; confirm against
#   local policy and the feed's terms of use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13663.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820286/; classtype:trojan-activity;sid:84683386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54606.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820287/; classtype:trojan-activity;sid:84683387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68476.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820288/; classtype:trojan-activity;sid:84683388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02839.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820289/; classtype:trojan-activity;sid:84683389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83467.pdf.lnk"; depth:25; endswith; nocase; http.host; 
content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820278/; classtype:trojan-activity;sid:84683378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50289.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820279/; classtype:trojan-activity;sid:84683379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86171.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820280/; classtype:trojan-activity;sid:84683380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93351.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820281/; classtype:trojan-activity;sid:84683381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99237.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820282/; classtype:trojan-activity;sid:84683382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3820283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07712.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820283/; classtype:trojan-activity;sid:84683383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27177.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820284/; classtype:trojan-activity;sid:84683384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60161.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820269/; classtype:trojan-activity;sid:84683369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00007.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820270/; classtype:trojan-activity;sid:84683370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77802.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820271/; classtype:trojan-activity;sid:84683371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37394.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820272/; classtype:trojan-activity;sid:84683372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86145.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820273/; classtype:trojan-activity;sid:84683373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18258.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820274/; classtype:trojan-activity;sid:84683374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92910.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820275/; classtype:trojan-activity;sid:84683375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820276)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83497.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820276/; classtype:trojan-activity;sid:84683376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28685.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820277/; classtype:trojan-activity;sid:84683377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72346.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820266/; classtype:trojan-activity;sid:84683366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24901.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820267/; classtype:trojan-activity;sid:84683367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03497.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820268/; classtype:trojan-activity;sid:84683368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98916.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820265/; classtype:trojan-activity;sid:84683365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44238.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820264/; classtype:trojan-activity;sid:84683364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78394.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820262/; classtype:trojan-activity;sid:84683362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21024.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820263/; classtype:trojan-activity;sid:84683363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820255)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_97017.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820255/; classtype:trojan-activity;sid:84683355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15098.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820256/; classtype:trojan-activity;sid:84683356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88693.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820257/; classtype:trojan-activity;sid:84683357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91997.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820258/; classtype:trojan-activity;sid:84683358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69254.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820259/; classtype:trojan-activity;sid:84683359; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19556.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820260/; classtype:trojan-activity;sid:84683360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29996.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820261/; classtype:trojan-activity;sid:84683361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08373.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820251/; classtype:trojan-activity;sid:84683351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54776.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820252/; classtype:trojan-activity;sid:84683352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73549.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820253/; classtype:trojan-activity;sid:84683353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99893.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820254/; classtype:trojan-activity;sid:84683354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56403.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820250/; classtype:trojan-activity;sid:84683350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccaohef.txt"; depth:12; endswith; nocase; http.host; content:"water.s3.cubbit.eu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820249/; classtype:trojan-activity;sid:84683349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18701.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820246/; classtype:trojan-activity;sid:84683346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3820247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54606.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820247/; classtype:trojan-activity;sid:84683347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43756.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820248/; classtype:trojan-activity;sid:84683348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43666.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820239/; classtype:trojan-activity;sid:84683339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65872.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820240/; classtype:trojan-activity;sid:84683340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19463.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820241/; classtype:trojan-activity;sid:84683341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85706.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820242/; classtype:trojan-activity;sid:84683342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35769.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820243/; classtype:trojan-activity;sid:84683343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97143.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820244/; classtype:trojan-activity;sid:84683344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06705.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820245/; classtype:trojan-activity;sid:84683345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820233)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72800.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820233/; classtype:trojan-activity;sid:84683333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81050.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820234/; classtype:trojan-activity;sid:84683334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54154.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820235/; classtype:trojan-activity;sid:84683335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52315.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820236/; classtype:trojan-activity;sid:84683336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56208.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820237/; classtype:trojan-activity;sid:84683337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27247.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820238/; classtype:trojan-activity;sid:84683338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74348.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820228/; classtype:trojan-activity;sid:84683328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68793.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820229/; classtype:trojan-activity;sid:84683329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23840.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820230/; classtype:trojan-activity;sid:84683330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820231)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_63265.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820231/; classtype:trojan-activity;sid:84683331; rev:1;)
# The line above is the tail of a rule whose header precedes this part of the file.
#
# Every rule below has the same shape: an HTTP GET sent from $HOME_NET to
# $EXTERNAL_NET on an established flow (client side), where
#   - http.uri equals the listed path: depth equals the content length and
#     endswith anchors the end, so the whole buffer must match (nocase on the path);
#   - http.host equals the listed host: depth equals the content length and
#     isdataat:!1,relative requires that nothing follows it.
# NOTE(review): matching is exact, so the same path requested with a query string,
# or the same host reached over TLS, does not fire; hosts taken from these rules
# are worth checking in DNS and TLS SNI telemetry as well.
# NOTE(review): only the request is inspected. An alert shows that a client asked
# for the URL, not that the payload was delivered or run; confirm from the HTTP
# response, file extraction or endpoint logs.
# Apart from sid 84683260 (mypanel.vip), the rules here cover refundonex.com paths
# of the form /cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>; the ".pdf" before a
# shortcut/script extension looks like a document lure (inferred from the names only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33853.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820232/; classtype:trojan-activity;sid:84683332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95015.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820225/; classtype:trojan-activity;sid:84683325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15837.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820226/; classtype:trojan-activity;sid:84683326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25110.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820227/; classtype:trojan-activity;sid:84683327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69962.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820218/; classtype:trojan-activity;sid:84683318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46586.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820219/; classtype:trojan-activity;sid:84683319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44587.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820220/; classtype:trojan-activity;sid:84683320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26022.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820221/; classtype:trojan-activity;sid:84683321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55337.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820222/; classtype:trojan-activity;sid:84683322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28820.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820223/; classtype:trojan-activity;sid:84683323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87927.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820224/; classtype:trojan-activity;sid:84683324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91997.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820213/; classtype:trojan-activity;sid:84683313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93958.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820214/; classtype:trojan-activity;sid:84683314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76760.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820215/; classtype:trojan-activity;sid:84683315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17823.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820216/; classtype:trojan-activity;sid:84683316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42426.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820217/; classtype:trojan-activity;sid:84683317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17005.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820209/; classtype:trojan-activity;sid:84683309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41620.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820210/; classtype:trojan-activity;sid:84683310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61627.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820211/; classtype:trojan-activity;sid:84683311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47537.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820212/; classtype:trojan-activity;sid:84683312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25736.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820202/; classtype:trojan-activity;sid:84683302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19796.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820203/; classtype:trojan-activity;sid:84683303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11055.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820204/; classtype:trojan-activity;sid:84683304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24086.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820205/; classtype:trojan-activity;sid:84683305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75034.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820206/; classtype:trojan-activity;sid:84683306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80122.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820207/; classtype:trojan-activity;sid:84683307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74570.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820208/; classtype:trojan-activity;sid:84683308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98234.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820201/; classtype:trojan-activity;sid:84683301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85753.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820198/; classtype:trojan-activity;sid:84683298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84792.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820199/; classtype:trojan-activity;sid:84683299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68221.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820200/; classtype:trojan-activity;sid:84683300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11286.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820189/; classtype:trojan-activity;sid:84683289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26253.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820190/; classtype:trojan-activity;sid:84683290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96490.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820191/; classtype:trojan-activity;sid:84683291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20859.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820192/; classtype:trojan-activity;sid:84683292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66758.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820193/; classtype:trojan-activity;sid:84683293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54542.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820194/; classtype:trojan-activity;sid:84683294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87927.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820195/; classtype:trojan-activity;sid:84683295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08859.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820196/; classtype:trojan-activity;sid:84683296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23430.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820197/; classtype:trojan-activity;sid:84683297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15608.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820184/; classtype:trojan-activity;sid:84683284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67465.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820185/; classtype:trojan-activity;sid:84683285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60401.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820186/; classtype:trojan-activity;sid:84683286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99433.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820187/; classtype:trojan-activity;sid:84683287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83467.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820188/; classtype:trojan-activity;sid:84683288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08380.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820182/; classtype:trojan-activity;sid:84683282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96061.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820183/; classtype:trojan-activity;sid:84683283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08335.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820176/; classtype:trojan-activity;sid:84683276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73011.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820177/; classtype:trojan-activity;sid:84683277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95559.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820178/; classtype:trojan-activity;sid:84683278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63667.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820179/; classtype:trojan-activity;sid:84683279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15833.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820180/; classtype:trojan-activity;sid:84683280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29854.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820181/; classtype:trojan-activity;sid:84683281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26463.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820170/; classtype:trojan-activity;sid:84683270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59180.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820171/; classtype:trojan-activity;sid:84683271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59474.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820172/; classtype:trojan-activity;sid:84683272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96783.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820173/; classtype:trojan-activity;sid:84683273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15314.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820174/; classtype:trojan-activity;sid:84683274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93224.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820175/; classtype:trojan-activity;sid:84683275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70818.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820168/; classtype:trojan-activity;sid:84683268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86145.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820169/; classtype:trojan-activity;sid:84683269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24978.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820158/; classtype:trojan-activity;sid:84683258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06835.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820159/; classtype:trojan-activity;sid:84683259; rev:1;)
# Different host and path from the surrounding rules: mypanel.vip, 19-byte URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a9a4wp/hbgfred.txt"; depth:19; endswith; nocase; http.host; content:"mypanel.vip"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820160/; classtype:trojan-activity;sid:84683260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07367.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820161/; classtype:trojan-activity;sid:84683261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13579.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820162/; classtype:trojan-activity;sid:84683262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63265.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820163/; classtype:trojan-activity;sid:84683263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77773.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820164/; classtype:trojan-activity;sid:84683264; rev:1;)
# Each rule below alerts on an HTTP GET sent from $HOME_NET to $EXTERNAL_NET on an
# established flow (client side) when both buffers match in full:
#   - http.uri: depth equals the content length and endswith anchors the end (nocase);
#   - http.host: depth equals the content length and isdataat:!1,relative requires
#     that nothing follows the match.
# NOTE(review): matching is exact, so the same path requested with a query string,
# or the same host reached over TLS, does not fire; hosts taken from these rules
# are worth checking in DNS and TLS SNI telemetry as well.
# NOTE(review): only the request is inspected. An alert shows that a client asked
# for the URL, not that the payload was delivered or run; confirm from the HTTP
# response, file extraction or endpoint logs.
# Apart from sid 84683242 (182.113.25.88, /bin.sh), the rules here cover
# refundonex.com paths of the form /cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>.
# The last line of this group is the head of a rule that continues on the next
# line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93813.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820165/; classtype:trojan-activity;sid:84683265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16480.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820166/; classtype:trojan-activity;sid:84683266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83432.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820167/; classtype:trojan-activity;sid:84683267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79811.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820153/; classtype:trojan-activity;sid:84683253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96490.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820154/; classtype:trojan-activity;sid:84683254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99268.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820155/; classtype:trojan-activity;sid:84683255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50144.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820156/; classtype:trojan-activity;sid:84683256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71339.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820157/; classtype:trojan-activity;sid:84683257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67328.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820151/; classtype:trojan-activity;sid:84683251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18487.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820152/; classtype:trojan-activity;sid:84683252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47014.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820150/; classtype:trojan-activity;sid:84683250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16922.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820149/; classtype:trojan-activity;sid:84683249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99893.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820146/; classtype:trojan-activity;sid:84683246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86869.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820147/; classtype:trojan-activity;sid:84683247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38670.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820148/; classtype:trojan-activity;sid:84683248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31475.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820143/; classtype:trojan-activity;sid:84683243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86529.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820144/; classtype:trojan-activity;sid:84683244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88598.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820145/; classtype:trojan-activity;sid:84683245; rev:1;)
# Different host and path from the surrounding rules: a bare IPv4 Host value, 7-byte URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.25.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820142/; classtype:trojan-activity;sid:84683242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39773.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820128/; classtype:trojan-activity;sid:84683228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60666.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820129/; classtype:trojan-activity;sid:84683229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81148.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820130/; classtype:trojan-activity;sid:84683230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96728.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820131/; classtype:trojan-activity;sid:84683231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45349.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820132/; classtype:trojan-activity;sid:84683232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97420.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820133/; classtype:trojan-activity;sid:84683233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02259.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820134/; classtype:trojan-activity;sid:84683234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32763.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820135/; classtype:trojan-activity;sid:84683235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820136)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_80122.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820136/; classtype:trojan-activity;sid:84683236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99389.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820137/; classtype:trojan-activity;sid:84683237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33197.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820138/; classtype:trojan-activity;sid:84683238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64509.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820139/; classtype:trojan-activity;sid:84683239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69626.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820140/; classtype:trojan-activity;sid:84683240; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08074.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820141/; classtype:trojan-activity;sid:84683241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83645.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820126/; classtype:trojan-activity;sid:84683226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94399.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820127/; classtype:trojan-activity;sid:84683227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85275.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820123/; classtype:trojan-activity;sid:84683223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01355.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820124/; classtype:trojan-activity;sid:84683224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89789.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820125/; classtype:trojan-activity;sid:84683225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07384.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820118/; classtype:trojan-activity;sid:84683218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92463.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820119/; classtype:trojan-activity;sid:84683219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60163.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820120/; classtype:trojan-activity;sid:84683220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15217.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820121/; classtype:trojan-activity;sid:84683221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56966.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820122/; classtype:trojan-activity;sid:84683222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54122.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820108/; classtype:trojan-activity;sid:84683208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68476.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820109/; classtype:trojan-activity;sid:84683209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99389.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820110/; classtype:trojan-activity;sid:84683210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89271.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820111/; classtype:trojan-activity;sid:84683211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87454.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820112/; classtype:trojan-activity;sid:84683212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84276.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820113/; classtype:trojan-activity;sid:84683213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73308.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820114/; classtype:trojan-activity;sid:84683214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820115)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15283.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820115/; classtype:trojan-activity;sid:84683215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75025.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820116/; classtype:trojan-activity;sid:84683216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53501.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820117/; classtype:trojan-activity;sid:84683217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.25.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820102/; classtype:trojan-activity;sid:84683202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84839.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820103/; 
classtype:trojan-activity;sid:84683203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08074.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820104/; classtype:trojan-activity;sid:84683204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20126.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820105/; classtype:trojan-activity;sid:84683205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37131.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820106/; classtype:trojan-activity;sid:84683206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50289.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820107/; classtype:trojan-activity;sid:84683207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820096)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_81245.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820096/; classtype:trojan-activity;sid:84683196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64040.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820097/; classtype:trojan-activity;sid:84683197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87927.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820098/; classtype:trojan-activity;sid:84683198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69212.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820099/; classtype:trojan-activity;sid:84683199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49178.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820100/; classtype:trojan-activity;sid:84683200; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69626.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820101/; classtype:trojan-activity;sid:84683201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19977.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820095/; classtype:trojan-activity;sid:84683195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03569.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820094/; classtype:trojan-activity;sid:84683194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69740.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820093/; classtype:trojan-activity;sid:84683193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52326.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820092/; classtype:trojan-activity;sid:84683192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01535.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820085/; classtype:trojan-activity;sid:84683185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18344.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820086/; classtype:trojan-activity;sid:84683186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15283.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820087/; classtype:trojan-activity;sid:84683187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99029.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820088/; classtype:trojan-activity;sid:84683188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3820089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88693.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820089/; classtype:trojan-activity;sid:84683189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72606.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820090/; classtype:trojan-activity;sid:84683190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_897893.pdf.lnk"; depth:26; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820091/; classtype:trojan-activity;sid:84683191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89541.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820082/; classtype:trojan-activity;sid:84683182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84426.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820083/; classtype:trojan-activity;sid:84683183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08429.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820084/; classtype:trojan-activity;sid:84683184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68362.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820078/; classtype:trojan-activity;sid:84683178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52221.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820079/; classtype:trojan-activity;sid:84683179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63278.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820080/; classtype:trojan-activity;sid:84683180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820081)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87533.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820081/; classtype:trojan-activity;sid:84683181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41495.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820072/; classtype:trojan-activity;sid:84683172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79078.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820073/; classtype:trojan-activity;sid:84683173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85772.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820074/; classtype:trojan-activity;sid:84683174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60401.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3820075/; classtype:trojan-activity;sid:84683175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50818.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820076/; classtype:trojan-activity;sid:84683176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90644.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820077/; classtype:trojan-activity;sid:84683177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77303.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820069/; classtype:trojan-activity;sid:84683169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57990.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820070/; classtype:trojan-activity;sid:84683170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820071)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_90347.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820071/; classtype:trojan-activity;sid:84683171; rev:1;)
# ---------------------------------------------------------------------------
# Reading these signatures (applies to each entry below):
#  * "alert http" + flow:established,from_client + http.method "GET": fires on
#    a cleartext HTTP GET sent from $HOME_NET to $EXTERNAL_NET. It shows that a
#    host requested the URL, not that a payload was delivered or executed;
#    check the HTTP response and endpoint telemetry when triaging.
#  * http.uri content with depth equal to the string length, endswith and
#    nocase: the normalized request URI must equal the listed path exactly,
#    ignoring case. The same file requested with a query string or under
#    another path does not match.
#  * http.host content with depth equal to the string length and
#    isdataat:!1,relative: the host must equal the listed value exactly, so
#    sub-domains and other hosts serving the same file are not covered.
#  * Being HTTP signatures, they do not fire on the same URL fetched over TLS
#    unless the sensor sees decrypted traffic.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client-built.exe"; depth:17; endswith; nocase; http.host; content:"92.249.61.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820067/; classtype:trojan-activity;sid:84683167; rev:1;)
# refundonex.com entries: each pins one path of the form
# /cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>, i.e. a shortcut or script file
# carrying a decoy ".pdf" in its name. Coverage is per listed URL: a form
# number that is not listed raises no alert here. Sites wanting broader
# coverage can add a local host-level control (DNS/proxy block, or a local
# signature on the host alone) after confirming the domain's status via the
# referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41200.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820068/; classtype:trojan-activity;sid:84683168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22996.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820061/; classtype:trojan-activity;sid:84683161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70256.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820062/; classtype:trojan-activity;sid:84683162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47978.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820063/; classtype:trojan-activity;sid:84683163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53604.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820064/; classtype:trojan-activity;sid:84683164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07793.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820065/; classtype:trojan-activity;sid:84683165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83497.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820066/; classtype:trojan-activity;sid:84683166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39773.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820060/; classtype:trojan-activity;sid:84683160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84839.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820056/; classtype:trojan-activity;sid:84683156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95509.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820057/; classtype:trojan-activity;sid:84683157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87951.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820058/; classtype:trojan-activity;sid:84683158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50931.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820059/; classtype:trojan-activity;sid:84683159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88599.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820055/; classtype:trojan-activity;sid:84683155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79849.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820049/; classtype:trojan-activity;sid:84683149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18487.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820050/; classtype:trojan-activity;sid:84683150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66147.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820051/; classtype:trojan-activity;sid:84683151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43152.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820052/; classtype:trojan-activity;sid:84683152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31475.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820053/; classtype:trojan-activity;sid:84683153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31677.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820054/; classtype:trojan-activity;sid:84683154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14079.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820046/; classtype:trojan-activity;sid:84683146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67130.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820047/; classtype:trojan-activity;sid:84683147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09953.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820048/; classtype:trojan-activity;sid:84683148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52758.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820044/; classtype:trojan-activity;sid:84683144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50934.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820045/; classtype:trojan-activity;sid:84683145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13843.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820042/; classtype:trojan-activity;sid:84683142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93259.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820043/; classtype:trojan-activity;sid:84683143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81867.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820040/; classtype:trojan-activity;sid:84683140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69149.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820041/; classtype:trojan-activity;sid:84683141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40134.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820035/; classtype:trojan-activity;sid:84683135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29496.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820036/; classtype:trojan-activity;sid:84683136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24993.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820037/; classtype:trojan-activity;sid:84683137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71405.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820038/; classtype:trojan-activity;sid:84683138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27995.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820039/; classtype:trojan-activity;sid:84683139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11286.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820031/; classtype:trojan-activity;sid:84683131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57064.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820032/; classtype:trojan-activity;sid:84683132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73989.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820033/; classtype:trojan-activity;sid:84683133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71339.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820034/; classtype:trojan-activity;sid:84683134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72883.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820026/; classtype:trojan-activity;sid:84683126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62809.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820027/; classtype:trojan-activity;sid:84683127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91107.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820028/; classtype:trojan-activity;sid:84683128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25276.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820029/; classtype:trojan-activity;sid:84683129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91478.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820030/; classtype:trojan-activity;sid:84683130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16764.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820025/; classtype:trojan-activity;sid:84683125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29943.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820024/; classtype:trojan-activity;sid:84683124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98722.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820023/; classtype:trojan-activity;sid:84683123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03767.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820019/; classtype:trojan-activity;sid:84683119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84705.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820020/; classtype:trojan-activity;sid:84683120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35369.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820021/; classtype:trojan-activity;sid:84683121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81592.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820022/; classtype:trojan-activity;sid:84683122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07352.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820007/; classtype:trojan-activity;sid:84683107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65740.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820008/; classtype:trojan-activity;sid:84683108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79681.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820009/; classtype:trojan-activity;sid:84683109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43634.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820010/; classtype:trojan-activity;sid:84683110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95015.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820011/; classtype:trojan-activity;sid:84683111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90644.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820012/; classtype:trojan-activity;sid:84683112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46031.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820013/; classtype:trojan-activity;sid:84683113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89789.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820014/; classtype:trojan-activity;sid:84683114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99268.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820015/; classtype:trojan-activity;sid:84683115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87519.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820016/; classtype:trojan-activity;sid:84683116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64509.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820017/; classtype:trojan-activity;sid:84683117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25490.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820018/; classtype:trojan-activity;sid:84683118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13802.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820004/; classtype:trojan-activity;sid:84683104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06087.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820005/; classtype:trojan-activity;sid:84683105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82893.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820006/; classtype:trojan-activity;sid:84683106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91790.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820003/; classtype:trojan-activity;sid:84683103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20137.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820002/; classtype:trojan-activity;sid:84683102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11594.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820000/; classtype:trojan-activity;sid:84683100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36834.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820001/; classtype:trojan-activity;sid:84683101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15848.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819998/; classtype:trojan-activity;sid:84683098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45405.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819999/; classtype:trojan-activity;sid:84683099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28210.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819992/; classtype:trojan-activity;sid:84683092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68221.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819993/; classtype:trojan-activity;sid:84683093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34163.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819994/; classtype:trojan-activity;sid:84683094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80321.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819995/; classtype:trojan-activity;sid:84683095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96498.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819996/; classtype:trojan-activity;sid:84683096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08859.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819997/; classtype:trojan-activity;sid:84683097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84107.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819988/; classtype:trojan-activity;sid:84683088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63451.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819989/; classtype:trojan-activity;sid:84683089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83473.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819990/; classtype:trojan-activity;sid:84683090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77949.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819991/; classtype:trojan-activity;sid:84683091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65803.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819987/; classtype:trojan-activity;sid:84683087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00279.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819984/; classtype:trojan-activity;sid:84683084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32532.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819985/; classtype:trojan-activity;sid:84683085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00826.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819986/; classtype:trojan-activity;sid:84683086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81383.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819983/; classtype:trojan-activity;sid:84683083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66234.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819976/; classtype:trojan-activity;sid:84683076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26097.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819977/; classtype:trojan-activity;sid:84683077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26463.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819978/; classtype:trojan-activity;sid:84683078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35478.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819979/; classtype:trojan-activity;sid:84683079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72520.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819980/; classtype:trojan-activity;sid:84683080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87626.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819981/; classtype:trojan-activity;sid:84683081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91747.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819982/; classtype:trojan-activity;sid:84683082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01211.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819972/; classtype:trojan-activity;sid:84683072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95509.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819973/; classtype:trojan-activity;sid:84683073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819974)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_02643.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819974/; classtype:trojan-activity;sid:84683074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76012.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819975/; classtype:trojan-activity;sid:84683075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92157.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819969/; classtype:trojan-activity;sid:84683069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93549.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819970/; classtype:trojan-activity;sid:84683070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98882.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819971/; classtype:trojan-activity;sid:84683071; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55920.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819956/; classtype:trojan-activity;sid:84683056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56406.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819957/; classtype:trojan-activity;sid:84683057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13236.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819958/; classtype:trojan-activity;sid:84683058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63640.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819959/; classtype:trojan-activity;sid:84683059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98423.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819960/; classtype:trojan-activity;sid:84683060; rev:1;)
# Coverage notes for the rules that follow (one rule per line, options
# unchanged; every rule here names the host refundonex.com):
#   - The protocol is "http", so only traffic the sensor parses as HTTP is
#     inspected. A fetch of the same URL over TLS is not covered by these
#     rules unless the sensor sees decrypted traffic.
#   - depth:25 together with endswith pins the URI buffer to one exact
#     25-byte path, so each rule covers a single URLhaus entry. The listed
#     paths all have the shape /cloud/form_<5 digits>.pdf.<vbs|lnk|ps1>; a
#     path of that shape which is not listed raises no alert, so it is worth
#     searching proxy and DNS logs for the host itself as well.
#   - The direction is $HOME_NET -> $EXTERNAL_NET; the rules depend on both
#     variables being defined to match the monitored network.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53631.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819961/; classtype:trojan-activity;sid:84683061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83865.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819962/; classtype:trojan-activity;sid:84683062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66977.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819963/; classtype:trojan-activity;sid:84683063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84450.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819964/; classtype:trojan-activity;sid:84683064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83940.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819965/; classtype:trojan-activity;sid:84683065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98234.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819966/; classtype:trojan-activity;sid:84683066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77324.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819967/; classtype:trojan-activity;sid:84683067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94833.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819968/; classtype:trojan-activity;sid:84683068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45276.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819952/; classtype:trojan-activity;sid:84683052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55920.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819953/; classtype:trojan-activity;sid:84683053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05941.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819954/; classtype:trojan-activity;sid:84683054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27140.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819955/; classtype:trojan-activity;sid:84683055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79294.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819948/; classtype:trojan-activity;sid:84683048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38670.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819949/; classtype:trojan-activity;sid:84683049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47014.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819950/; classtype:trojan-activity;sid:84683050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83640.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819951/; classtype:trojan-activity;sid:84683051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61938.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819941/; classtype:trojan-activity;sid:84683041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10931.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819942/; classtype:trojan-activity;sid:84683042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36175.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819943/; classtype:trojan-activity;sid:84683043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41312.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819944/; classtype:trojan-activity;sid:84683044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85697.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819945/; classtype:trojan-activity;sid:84683045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66425.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819946/; classtype:trojan-activity;sid:84683046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24820.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819947/; classtype:trojan-activity;sid:84683047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79078.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819939/; classtype:trojan-activity;sid:84683039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85013.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819940/; classtype:trojan-activity;sid:84683040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46586.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819932/; classtype:trojan-activity;sid:84683032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36406.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819933/; classtype:trojan-activity;sid:84683033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13309.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819934/; classtype:trojan-activity;sid:84683034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95509.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819935/; classtype:trojan-activity;sid:84683035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72788.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819936/; classtype:trojan-activity;sid:84683036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89593.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819937/; classtype:trojan-activity;sid:84683037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63640.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819938/; classtype:trojan-activity;sid:84683038; rev:1;)
# Triage notes for alerts raised by the rules that follow (one rule per
# line, options unchanged):
#   - Every listed file name ends in .pdf.vbs, .pdf.lnk or .pdf.ps1: a
#     document-looking name whose final extension is a script or shortcut
#     type. The same name pattern is a useful search term in proxy, mail
#     gateway and endpoint logs.
#   - The match is on the request only (flow:established,from_client plus
#     request buffers), so an alert shows that a $HOME_NET client asked for
#     the file, not that it was delivered or run. Confirm the response
#     status and size in flow or proxy records, then check the endpoint.
#   - The number in msg and in reference is the URLhaus entry id for that
#     URL; metadata:created_at is 2026_04_13 on every rule here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67328.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819920/; classtype:trojan-activity;sid:84683020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48796.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819921/; classtype:trojan-activity;sid:84683021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65225.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819922/; classtype:trojan-activity;sid:84683022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60056.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819923/; classtype:trojan-activity;sid:84683023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61762.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819924/; classtype:trojan-activity;sid:84683024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71405.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819925/; classtype:trojan-activity;sid:84683025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88815.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819926/; classtype:trojan-activity;sid:84683026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11651.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819927/; classtype:trojan-activity;sid:84683027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99806.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819928/; classtype:trojan-activity;sid:84683028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75025.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819929/; classtype:trojan-activity;sid:84683029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84426.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819930/; classtype:trojan-activity;sid:84683030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16430.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819931/; classtype:trojan-activity;sid:84683031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74209.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819918/; classtype:trojan-activity;sid:84683018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43919.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819919/; classtype:trojan-activity;sid:84683019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41093.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819917/; classtype:trojan-activity;sid:84683017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97017.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819916/; classtype:trojan-activity;sid:84683016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29996.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819910/; classtype:trojan-activity;sid:84683010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61896.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819911/; classtype:trojan-activity;sid:84683011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13316.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819912/; classtype:trojan-activity;sid:84683012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88088.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819913/; classtype:trojan-activity;sid:84683013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79483.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819914/; classtype:trojan-activity;sid:84683014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94834.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819915/; classtype:trojan-activity;sid:84683015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39368.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819909/; classtype:trojan-activity;sid:84683009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99043.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819904/; classtype:trojan-activity;sid:84683004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91997.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819905/; classtype:trojan-activity;sid:84683005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64040.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819906/; classtype:trojan-activity;sid:84683006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88746.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819907/; classtype:trojan-activity;sid:84683007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07301.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819908/; classtype:trojan-activity;sid:84683008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65651.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819902/; classtype:trojan-activity;sid:84683002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64538.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819903/; classtype:trojan-activity;sid:84683003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85772.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819898/; classtype:trojan-activity;sid:84682998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90767.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819899/; classtype:trojan-activity;sid:84682999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39203.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819900/; classtype:trojan-activity;sid:84683000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78515.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819901/; classtype:trojan-activity;sid:84683001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83777.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819894/; classtype:trojan-activity;sid:84682994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13097.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819895/; classtype:trojan-activity;sid:84682995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60502.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819896/; classtype:trojan-activity;sid:84682996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33197.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819897/; classtype:trojan-activity;sid:84682997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01535.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819885/; classtype:trojan-activity;sid:84682985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85892.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819886/; classtype:trojan-activity;sid:84682986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15181.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819887/; classtype:trojan-activity;sid:84682987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81271.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819888/; classtype:trojan-activity;sid:84682988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90583.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819889/; classtype:trojan-activity;sid:84682989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64509.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819890/; classtype:trojan-activity;sid:84682990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50999.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819891/; classtype:trojan-activity;sid:84682991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819892)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74028.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819892/; classtype:trojan-activity;sid:84682992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25110.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819893/; classtype:trojan-activity;sid:84682993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89593.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819880/; classtype:trojan-activity;sid:84682980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97426.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819881/; classtype:trojan-activity;sid:84682981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69035.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819882/; classtype:trojan-activity;sid:84682982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42426.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819883/; classtype:trojan-activity;sid:84682983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03796.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819884/; classtype:trojan-activity;sid:84682984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85262.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819878/; classtype:trojan-activity;sid:84682978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78812.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819879/; classtype:trojan-activity;sid:84682979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819875)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_11549.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819875/; classtype:trojan-activity;sid:84682975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30329.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819876/; classtype:trojan-activity;sid:84682976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37707.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819877/; classtype:trojan-activity;sid:84682977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84839.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819867/; classtype:trojan-activity;sid:84682967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53430.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819868/; classtype:trojan-activity;sid:84682968; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67655.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819869/; classtype:trojan-activity;sid:84682969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20882.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819870/; classtype:trojan-activity;sid:84682970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49151.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819871/; classtype:trojan-activity;sid:84682971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27329.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819872/; classtype:trojan-activity;sid:84682972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34916.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819873/; classtype:trojan-activity;sid:84682973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62911.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819874/; classtype:trojan-activity;sid:84682974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87253.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819861/; classtype:trojan-activity;sid:84682961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68362.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819862/; classtype:trojan-activity;sid:84682962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93995.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819863/; classtype:trojan-activity;sid:84682963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18811.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819864/; classtype:trojan-activity;sid:84682964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56161.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819865/; classtype:trojan-activity;sid:84682965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34496.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819866/; classtype:trojan-activity;sid:84682966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55953.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819859/; classtype:trojan-activity;sid:84682959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12110.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819860/; classtype:trojan-activity;sid:84682960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21336.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819850/; classtype:trojan-activity;sid:84682950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98790.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819851/; classtype:trojan-activity;sid:84682951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22996.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819852/; classtype:trojan-activity;sid:84682952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05194.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819853/; classtype:trojan-activity;sid:84682953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819854)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03478.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819854/; classtype:trojan-activity;sid:84682954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07828.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819855/; classtype:trojan-activity;sid:84682955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69035.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819856/; classtype:trojan-activity;sid:84682956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24978.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819857/; classtype:trojan-activity;sid:84682957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23430.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819858/; classtype:trojan-activity;sid:84682958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75982.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819845/; classtype:trojan-activity;sid:84682945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68622.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819846/; classtype:trojan-activity;sid:84682946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18664.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819847/; classtype:trojan-activity;sid:84682947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13881.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819848/; classtype:trojan-activity;sid:84682948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819849)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_35403.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819849/; classtype:trojan-activity;sid:84682949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72201.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819842/; classtype:trojan-activity;sid:84682942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59474.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819843/; classtype:trojan-activity;sid:84682943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68148.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819844/; classtype:trojan-activity;sid:84682944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05801.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819840/; classtype:trojan-activity;sid:84682940; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17312.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819841/; classtype:trojan-activity;sid:84682941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96728.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819834/; classtype:trojan-activity;sid:84682934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84426.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819835/; classtype:trojan-activity;sid:84682935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68501.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819836/; classtype:trojan-activity;sid:84682936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34496.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819837/; classtype:trojan-activity;sid:84682937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17005.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819838/; classtype:trojan-activity;sid:84682938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86869.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819839/; classtype:trojan-activity;sid:84682939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58115.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819831/; classtype:trojan-activity;sid:84682931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85262.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819832/; classtype:trojan-activity;sid:84682932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25906.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819833/; classtype:trojan-activity;sid:84682933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87491.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819829/; classtype:trojan-activity;sid:84682929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97508.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819830/; classtype:trojan-activity;sid:84682930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62609.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819823/; classtype:trojan-activity;sid:84682923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61896.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819824/; classtype:trojan-activity;sid:84682924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02024.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819825/; classtype:trojan-activity;sid:84682925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21473.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819826/; classtype:trojan-activity;sid:84682926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12397.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819827/; classtype:trojan-activity;sid:84682927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10624.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819828/; classtype:trojan-activity;sid:84682928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819820)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16010.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819820/; classtype:trojan-activity;sid:84682920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18664.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819821/; classtype:trojan-activity;sid:84682921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55292.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819822/; classtype:trojan-activity;sid:84682922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79483.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819815/; classtype:trojan-activity;sid:84682915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08667.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819816/; classtype:trojan-activity;sid:84682916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97508.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819817/; classtype:trojan-activity;sid:84682917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83473.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819818/; classtype:trojan-activity;sid:84682918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17312.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819819/; classtype:trojan-activity;sid:84682919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54354.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819807/; classtype:trojan-activity;sid:84682907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819808)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_82276.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819808/; classtype:trojan-activity;sid:84682908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33845.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819809/; classtype:trojan-activity;sid:84682909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40358.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819810/; classtype:trojan-activity;sid:84682910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53196.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819811/; classtype:trojan-activity;sid:84682911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79342.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819812/; classtype:trojan-activity;sid:84682912; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46084.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819813/; classtype:trojan-activity;sid:84682913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05194.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819814/; classtype:trojan-activity;sid:84682914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12525.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819805/; classtype:trojan-activity;sid:84682905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98937.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819806/; classtype:trojan-activity;sid:84682906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10718.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819803/; classtype:trojan-activity;sid:84682903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37616.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819804/; classtype:trojan-activity;sid:84682904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38374.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819801/; classtype:trojan-activity;sid:84682901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66758.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819802/; classtype:trojan-activity;sid:84682902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02324.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819798/; classtype:trojan-activity;sid:84682898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20396.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819799/; classtype:trojan-activity;sid:84682899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79342.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819800/; classtype:trojan-activity;sid:84682900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83473.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819795/; classtype:trojan-activity;sid:84682895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60666.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819796/; classtype:trojan-activity;sid:84682896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59665.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819797/; classtype:trojan-activity;sid:84682897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11549.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819790/; classtype:trojan-activity;sid:84682890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27245.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819791/; classtype:trojan-activity;sid:84682891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22845.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819792/; classtype:trojan-activity;sid:84682892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90950.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819793/; classtype:trojan-activity;sid:84682893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819794)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87533.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819794/; classtype:trojan-activity;sid:84682894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33337.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819789/; classtype:trojan-activity;sid:84682889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09625.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819783/; classtype:trojan-activity;sid:84682883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69962.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819784/; classtype:trojan-activity;sid:84682884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86842.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819785/; classtype:trojan-activity;sid:84682885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09625.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819786/; classtype:trojan-activity;sid:84682886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29513.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819787/; classtype:trojan-activity;sid:84682887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26708.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819788/; classtype:trojan-activity;sid:84682888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75496.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819779/; classtype:trojan-activity;sid:84682879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819780)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_56400.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819780/; classtype:trojan-activity;sid:84682880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20882.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819781/; classtype:trojan-activity;sid:84682881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48547.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819782/; classtype:trojan-activity;sid:84682882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69394.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819775/; classtype:trojan-activity;sid:84682875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91865.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819776/; classtype:trojan-activity;sid:84682876; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80321.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819777/; classtype:trojan-activity;sid:84682877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21603.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819778/; classtype:trojan-activity;sid:84682878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06290.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819771/; classtype:trojan-activity;sid:84682871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57655.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819772/; classtype:trojan-activity;sid:84682872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04630.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819773/; classtype:trojan-activity;sid:84682873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72333.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819774/; classtype:trojan-activity;sid:84682874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52435.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819767/; classtype:trojan-activity;sid:84682867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90767.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819768/; classtype:trojan-activity;sid:84682868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68583.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819769/; classtype:trojan-activity;sid:84682869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81148.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819770/; classtype:trojan-activity;sid:84682870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44883.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819764/; classtype:trojan-activity;sid:84682864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28685.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819765/; classtype:trojan-activity;sid:84682865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11651.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819766/; classtype:trojan-activity;sid:84682866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56298.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819761/; classtype:trojan-activity;sid:84682861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20786.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819762/; classtype:trojan-activity;sid:84682862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23908.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819763/; classtype:trojan-activity;sid:84682863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90347.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819757/; classtype:trojan-activity;sid:84682857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22533.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819758/; classtype:trojan-activity;sid:84682858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819759)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99084.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819759/; classtype:trojan-activity;sid:84682859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99043.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819760/; classtype:trojan-activity;sid:84682860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31677.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819756/; classtype:trojan-activity;sid:84682856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88693.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819751/; classtype:trojan-activity;sid:84682851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08380.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819752/; classtype:trojan-activity;sid:84682852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37131.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819753/; classtype:trojan-activity;sid:84682853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81040.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819754/; classtype:trojan-activity;sid:84682854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64898.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819755/; classtype:trojan-activity;sid:84682855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20126.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819749/; classtype:trojan-activity;sid:84682849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819750)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_76995.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819750/; classtype:trojan-activity;sid:84682850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23564.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819741/; classtype:trojan-activity;sid:84682841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53313.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819742/; classtype:trojan-activity;sid:84682842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81383.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819743/; classtype:trojan-activity;sid:84682843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37816.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819744/; classtype:trojan-activity;sid:84682844; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94040.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819745/; classtype:trojan-activity;sid:84682845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76148.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819746/; classtype:trojan-activity;sid:84682846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46475.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819747/; classtype:trojan-activity;sid:84682847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07950.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819748/; classtype:trojan-activity;sid:84682848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47796.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819734/; classtype:trojan-activity;sid:84682834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02024.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819735/; classtype:trojan-activity;sid:84682835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13720.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819736/; classtype:trojan-activity;sid:84682836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12660.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819737/; classtype:trojan-activity;sid:84682837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60763.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819738/; classtype:trojan-activity;sid:84682838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92910.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819739/; classtype:trojan-activity;sid:84682839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33018.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819740/; classtype:trojan-activity;sid:84682840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66977.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819732/; classtype:trojan-activity;sid:84682832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28358.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819733/; classtype:trojan-activity;sid:84682833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03674.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819731/; classtype:trojan-activity;sid:84682831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92625.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819726/; classtype:trojan-activity;sid:84682826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36677.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819727/; classtype:trojan-activity;sid:84682827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43756.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819728/; classtype:trojan-activity;sid:84682828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16459.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819729/; classtype:trojan-activity;sid:84682829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819730)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93813.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819730/; classtype:trojan-activity;sid:84682830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42322.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819725/; classtype:trojan-activity;sid:84682825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00492.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819724/; classtype:trojan-activity;sid:84682824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23536.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819720/; classtype:trojan-activity;sid:84682820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88088.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819721/; classtype:trojan-activity;sid:84682821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81650.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819722/; classtype:trojan-activity;sid:84682822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99162.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819723/; classtype:trojan-activity;sid:84682823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18811.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819713/; classtype:trojan-activity;sid:84682813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02881.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819714/; classtype:trojan-activity;sid:84682814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819715)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_55259.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819715/; classtype:trojan-activity;sid:84682815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96565.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819716/; classtype:trojan-activity;sid:84682816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47630.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819717/; classtype:trojan-activity;sid:84682817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63809.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819718/; classtype:trojan-activity;sid:84682818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41668.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819719/; classtype:trojan-activity;sid:84682819; 
rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62931.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819710/; classtype:trojan-activity;sid:84682810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05941.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819711/; classtype:trojan-activity;sid:84682811; rev:1;)
# NOTE(review): in a content string |7c| is a hex-escaped "|", so "|7c|26|7c|" decodes to the four
# literal characters "|26|", not to "&" (0x26). It looks as though "&" was hex-escaped and the pipes
# were then escaped a second time; if the reported URL has "&" at that position, this rule cannot
# match it -- confirm against the URLhaus entry in the rule's reference. depth:48 is the length of
# the escaped text, while the decoded pattern is 39 bytes, so unlike the neighbouring rules
# (depth equal to the pattern length) the match is not pinned to the start of http.uri.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down.php|3f|i=qqrxaww3tr|7c|26|7c|n=rifbbkp.txt"; depth:48; endswith; nocase; http.host; content:"fv5-5.files.fm"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819712/; classtype:trojan-activity;sid:84682812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66742.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819705/; classtype:trojan-activity;sid:84682805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25599.pdf.vbs"; depth:25; 
endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819706/; classtype:trojan-activity;sid:84682806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77272.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819707/; classtype:trojan-activity;sid:84682807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94326.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819708/; classtype:trojan-activity;sid:84682808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73959.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819709/; classtype:trojan-activity;sid:84682809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93351.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819700/; classtype:trojan-activity;sid:84682800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3819701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44883.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819701/; classtype:trojan-activity;sid:84682801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84106.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819702/; classtype:trojan-activity;sid:84682802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93995.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819703/; classtype:trojan-activity;sid:84682803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97333.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819704/; classtype:trojan-activity;sid:84682804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39804.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819698/; classtype:trojan-activity;sid:84682798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73989.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819699/; classtype:trojan-activity;sid:84682799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95289.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819694/; classtype:trojan-activity;sid:84682794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21463.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819695/; classtype:trojan-activity;sid:84682795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13186.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819696/; classtype:trojan-activity;sid:84682796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819697)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16464.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819697/; classtype:trojan-activity;sid:84682797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22872.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819692/; classtype:trojan-activity;sid:84682792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23356.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819693/; classtype:trojan-activity;sid:84682793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83432.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819690/; classtype:trojan-activity;sid:84682790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21415.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819691/; classtype:trojan-activity;sid:84682791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37826.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819686/; classtype:trojan-activity;sid:84682786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71512.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819687/; classtype:trojan-activity;sid:84682787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85772.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819688/; classtype:trojan-activity;sid:84682788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00620.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819689/; classtype:trojan-activity;sid:84682789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819678)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_65652.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819678/; classtype:trojan-activity;sid:84682778; rev:1;)
#
# Review notes for the "refundonex.com" entries (metadata:created_at 2026_04_13).
#
# The refundonex.com rules around this note share one shape and differ only in
# the URLhaus id (in msg and reference), the sid and the file name:
#   * Action is alert (not drop) on HTTP from $HOME_NET to $EXTERNAL_NET, on the
#     client side of an established flow, with request method GET.
#   * http.uri must equal "/cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>": the 25-byte
#     content with depth:25 pins the start and endswith pins the end, so the
#     whole buffer is compared; nocase makes that comparison case-insensitive.
#   * http.host must equal "refundonex.com": depth:14 pins the start and
#     isdataat:!1,relative requires that no byte follows the match. The pattern
#     is lowercase because Suricata normalises the http.host buffer to lowercase.
#
# Coverage notes for whoever deploys or triages these:
#   * These are exact-URL indicators: only the listed file names alert, other
#     paths on the same host do not. If the host as a whole is to be treated as
#     hostile, complement these rules with a host-level control (DNS or proxy
#     block list, or one host-only signature) instead of relying on per-file
#     entries alone.
#   * "alert http" depends on parsed cleartext HTTP. The same download over TLS
#     is not visible to these rules unless traffic is decrypted before the sensor.
#   * The names are double-extension lures (".pdf.lnk", ".pdf.vbs", ".pdf.ps1"):
#     what is fetched is a shortcut or a script, not a PDF. On a hit, check the
#     client for execution of the downloaded file, not only for the download.
#   * Each msg carries the URLhaus id; it maps 1:1 to the reference URL, which is
#     the place to confirm the current status of the entry.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71885.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819679/; classtype:trojan-activity;sid:84682779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66250.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819680/; classtype:trojan-activity;sid:84682780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81383.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819681/; classtype:trojan-activity;sid:84682781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52843.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819682/; classtype:trojan-activity;sid:84682782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43388.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819683/; classtype:trojan-activity;sid:84682783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12317.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819684/; classtype:trojan-activity;sid:84682784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39203.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819685/; classtype:trojan-activity;sid:84682785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95394.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819677/; classtype:trojan-activity;sid:84682777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75496.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819669/; classtype:trojan-activity;sid:84682769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60967.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819670/; classtype:trojan-activity;sid:84682770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47488.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819671/; classtype:trojan-activity;sid:84682771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51171.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819672/; classtype:trojan-activity;sid:84682772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59685.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819673/; classtype:trojan-activity;sid:84682773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96182.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819674/; classtype:trojan-activity;sid:84682774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99164.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819675/; classtype:trojan-activity;sid:84682775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21763.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819676/; classtype:trojan-activity;sid:84682776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35807.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819668/; classtype:trojan-activity;sid:84682768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43024.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819664/; classtype:trojan-activity;sid:84682764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87626.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819665/; classtype:trojan-activity;sid:84682765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17662.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819666/; classtype:trojan-activity;sid:84682766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10888.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819667/; classtype:trojan-activity;sid:84682767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73976.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819661/; classtype:trojan-activity;sid:84682761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33845.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819662/; classtype:trojan-activity;sid:84682762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12971.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819663/; classtype:trojan-activity;sid:84682763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16220.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819657/; classtype:trojan-activity;sid:84682757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38899.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819658/; classtype:trojan-activity;sid:84682758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27129.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819659/; classtype:trojan-activity;sid:84682759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11369.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819660/; classtype:trojan-activity;sid:84682760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70273.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819656/; classtype:trojan-activity;sid:84682756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84106.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819653/; classtype:trojan-activity;sid:84682753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59685.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819654/; classtype:trojan-activity;sid:84682754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47537.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819655/; classtype:trojan-activity;sid:84682755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86428.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819646/; classtype:trojan-activity;sid:84682746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97776.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819647/; classtype:trojan-activity;sid:84682747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48879.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819648/; classtype:trojan-activity;sid:84682748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77462.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819649/; classtype:trojan-activity;sid:84682749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99091.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819650/; classtype:trojan-activity;sid:84682750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83888.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819651/; classtype:trojan-activity;sid:84682751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54535.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819652/; classtype:trojan-activity;sid:84682752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65225.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819645/; classtype:trojan-activity;sid:84682745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88815.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819641/; classtype:trojan-activity;sid:84682741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08820.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819642/; classtype:trojan-activity;sid:84682742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28076.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819643/; classtype:trojan-activity;sid:84682743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48499.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819644/; classtype:trojan-activity;sid:84682744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16464.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819636/; classtype:trojan-activity;sid:84682736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99029.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819637/; classtype:trojan-activity;sid:84682737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84071.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819638/; classtype:trojan-activity;sid:84682738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94559.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819639/; classtype:trojan-activity;sid:84682739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80995.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819640/; classtype:trojan-activity;sid:84682740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22166.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819634/; classtype:trojan-activity;sid:84682734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77324.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819635/; classtype:trojan-activity;sid:84682735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13097.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819629/; classtype:trojan-activity;sid:84682729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25276.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819630/; classtype:trojan-activity;sid:84682730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64055.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819631/; classtype:trojan-activity;sid:84682731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20713.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819632/; classtype:trojan-activity;sid:84682732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77813.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819633/; classtype:trojan-activity;sid:84682733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45694.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819625/; classtype:trojan-activity;sid:84682725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46415.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819626/; classtype:trojan-activity;sid:84682726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70376.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819627/; classtype:trojan-activity;sid:84682727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19796.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819628/; classtype:trojan-activity;sid:84682728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46190.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819619/; classtype:trojan-activity;sid:84682719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08622.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819620/; classtype:trojan-activity;sid:84682720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33091.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819621/; classtype:trojan-activity;sid:84682721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45694.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819622/; classtype:trojan-activity;sid:84682722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82208.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819623/; classtype:trojan-activity;sid:84682723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01355.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819624/; classtype:trojan-activity;sid:84682724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59903.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819614/; classtype:trojan-activity;sid:84682714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08622.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819615/; classtype:trojan-activity;sid:84682715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53592.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819616/; classtype:trojan-activity;sid:84682716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83865.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819617/; classtype:trojan-activity;sid:84682717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17662.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819618/; classtype:trojan-activity;sid:84682718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83897.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819612/; classtype:trojan-activity;sid:84682712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26726.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819613/; classtype:trojan-activity;sid:84682713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61111.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819610/; classtype:trojan-activity;sid:84682710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08999.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819611/; classtype:trojan-activity;sid:84682711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81664.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819608/; classtype:trojan-activity;sid:84682708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50934.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819609/; classtype:trojan-activity;sid:84682709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94834.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819605/; classtype:trojan-activity;sid:84682705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45349.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819606/; classtype:trojan-activity;sid:84682706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87454.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819607/; classtype:trojan-activity;sid:84682707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09506.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819604/; classtype:trojan-activity;sid:84682704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81547.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819601/; classtype:trojan-activity;sid:84682701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88599.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819602/; classtype:trojan-activity;sid:84682702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27669.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819603/; classtype:trojan-activity;sid:84682703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23744.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819599/; classtype:trojan-activity;sid:84682699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81050.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819600/; classtype:trojan-activity;sid:84682700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03331.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819594/; classtype:trojan-activity;sid:84682694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32763.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819595/; classtype:trojan-activity;sid:84682695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33337.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819596/; classtype:trojan-activity;sid:84682696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99029.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819597/; classtype:trojan-activity;sid:84682697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58844.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819598/; classtype:trojan-activity;sid:84682698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99162.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819592/; classtype:trojan-activity;sid:84682692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49151.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819593/; classtype:trojan-activity;sid:84682693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08901.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819589/; classtype:trojan-activity;sid:84682689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41200.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819590/; classtype:trojan-activity;sid:84682690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819591)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_21152.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819591/; classtype:trojan-activity;sid:84682691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60163.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819586/; classtype:trojan-activity;sid:84682686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38966.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819587/; classtype:trojan-activity;sid:84682687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15608.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819588/; classtype:trojan-activity;sid:84682688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70706.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819578/; classtype:trojan-activity;sid:84682678; 
rev:1;)
# Reviewer note on the entries that follow. Each one is an exact-match
# indicator for a single URLhaus URL:
#   - http.uri: the content length equals its depth and is paired with
#     endswith, so the whole normalized URI must equal the listed string
#     (case-insensitively, via nocase).
#   - http.host: the content length equals its depth and is paired with
#     isdataat:!1,relative, so the whole host value must equal the listed name.
# Coverage caveats for deployment:
#   - "alert http" only fires on HTTP the sensor can parse in the clear; the
#     same URL fetched over TLS is not seen unless traffic is decrypted upstream.
#   - The refundonex.com paths below share the shape
#     /cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>, a document-looking name that
#     ends in a shortcut or script extension. Only the enumerated URLs alert,
#     so treat these rules as high-confidence but narrow and, when triaging a
#     hit, also search proxy and DNS logs for the host itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62963.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819579/; classtype:trojan-activity;sid:84682679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15965.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819580/; classtype:trojan-activity;sid:84682680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93958.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819581/; classtype:trojan-activity;sid:84682681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36722.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819582/; classtype:trojan-activity;sid:84682682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96986.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819583/; classtype:trojan-activity;sid:84682683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62911.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819584/; classtype:trojan-activity;sid:84682684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16010.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819585/; classtype:trojan-activity;sid:84682685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52073.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819575/; classtype:trojan-activity;sid:84682675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60726.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819576/; classtype:trojan-activity;sid:84682676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20396.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819577/; classtype:trojan-activity;sid:84682677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00231.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819572/; classtype:trojan-activity;sid:84682672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36769.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819573/; classtype:trojan-activity;sid:84682673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74743.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819574/; classtype:trojan-activity;sid:84682674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82276.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819569/; classtype:trojan-activity;sid:84682669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80840.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819570/; classtype:trojan-activity;sid:84682670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88222.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819571/; classtype:trojan-activity;sid:84682671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13720.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819568/; classtype:trojan-activity;sid:84682668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50818.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819560/; classtype:trojan-activity;sid:84682660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819561)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51894.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819561/; classtype:trojan-activity;sid:84682661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81650.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819562/; classtype:trojan-activity;sid:84682662; rev:1;)
# Reviewer note: the next entry names a different host from its neighbours.
# depth:82 and depth:28 equal the lengths of the URI and host strings, so both
# buffers must match in full. The URI is a long, token-like path; such paths
# are often short-lived (not verifiable from this file), so for retrospective
# log searches the http.host value is probably the more durable indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"r1v3-route.echi6under.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819563/; classtype:trojan-activity;sid:84682663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72068.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819564/; classtype:trojan-activity;sid:84682664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64307.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819565/; classtype:trojan-activity;sid:84682665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34055.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819566/; classtype:trojan-activity;sid:84682666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62563.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819567/; classtype:trojan-activity;sid:84682667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37826.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819554/; classtype:trojan-activity;sid:84682654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84428.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819555/; classtype:trojan-activity;sid:84682655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819556)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88278.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819556/; classtype:trojan-activity;sid:84682656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81245.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819557/; classtype:trojan-activity;sid:84682657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92625.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819558/; classtype:trojan-activity;sid:84682658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22174.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819559/; classtype:trojan-activity;sid:84682659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42552.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819548/; classtype:trojan-activity;sid:84682648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24086.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819549/; classtype:trojan-activity;sid:84682649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13302.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819550/; classtype:trojan-activity;sid:84682650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67033.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819551/; classtype:trojan-activity;sid:84682651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99043.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819552/; classtype:trojan-activity;sid:84682652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819553)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_27669.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819553/; classtype:trojan-activity;sid:84682653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00757.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819545/; classtype:trojan-activity;sid:84682645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08683.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819546/; classtype:trojan-activity;sid:84682646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30450.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819547/; classtype:trojan-activity;sid:84682647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00142.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819540/; classtype:trojan-activity;sid:84682640; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87414.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819541/; classtype:trojan-activity;sid:84682641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41604.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819542/; classtype:trojan-activity;sid:84682642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99806.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819543/; classtype:trojan-activity;sid:84682643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56208.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819544/; classtype:trojan-activity;sid:84682644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69452.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819536/; classtype:trojan-activity;sid:84682636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54776.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819537/; classtype:trojan-activity;sid:84682637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26097.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819538/; classtype:trojan-activity;sid:84682638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08939.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819539/; classtype:trojan-activity;sid:84682639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22872.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819535/; classtype:trojan-activity;sid:84682635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29854.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819532/; classtype:trojan-activity;sid:84682632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64432.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819533/; classtype:trojan-activity;sid:84682633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58173.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819534/; classtype:trojan-activity;sid:84682634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72679.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819524/; classtype:trojan-activity;sid:84682624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18892.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819525/; classtype:trojan-activity;sid:84682625; rev:1;)
# NOTE(review): every complete rule in this stretch carries created_at 2026_04_13 and targets
# one host, refundonex.com, with one path shape: /cloud/form_<5 digits>.pdf.<vbs|lnk|ps1>,
# i.e. a script or shortcut file with a decoy ".pdf" inside its name. Some form_ numbers
# appear under more than one extension (for example form_40919 as .vbs and .lnk).
#
# How each rule matches:
#   - http.method must contain "GET";
#   - http.uri must equal the listed path: depth:25 is the content length and endswith pins
#     the end of the buffer; nocase makes the comparison case-insensitive;
#   - http.host must equal the domain: depth:14 is the content length and
#     isdataat:!1,relative requires that nothing follows the match.
#
# Coverage limits to keep in mind when relying on these signatures:
#   - "alert http" inspects parsed HTTP only, so the same download over TLS is not seen by
#     these rules unless the traffic is decrypted before the sensor;
#   - because the URI match is exact, a request for one of these paths with a query string
#     appended, or for a form_ number not yet listed by URLhaus, matches none of them;
#   - traffic to this host seen in DNS or proxy logs with a path outside the listed set is
#     worth triage against the URLhaus reference pages rather than being read as clean.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36175.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819526/; classtype:trojan-activity;sid:84682626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12510.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819527/; classtype:trojan-activity;sid:84682627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77813.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819528/; classtype:trojan-activity;sid:84682628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07828.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819529/; classtype:trojan-activity;sid:84682629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96474.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819530/; classtype:trojan-activity;sid:84682630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71145.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819531/; classtype:trojan-activity;sid:84682631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24820.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819521/; classtype:trojan-activity;sid:84682621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30908.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819522/; classtype:trojan-activity;sid:84682622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13663.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819523/; classtype:trojan-activity;sid:84682623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40919.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819514/; classtype:trojan-activity;sid:84682614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70618.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819515/; classtype:trojan-activity;sid:84682615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90583.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819516/; classtype:trojan-activity;sid:84682616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64948.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819517/; classtype:trojan-activity;sid:84682617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85275.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819518/; classtype:trojan-activity;sid:84682618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84846.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819519/; classtype:trojan-activity;sid:84682619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16764.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819520/; classtype:trojan-activity;sid:84682620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81612.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819505/; classtype:trojan-activity;sid:84682605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87118.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819506/; classtype:trojan-activity;sid:84682606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40919.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819507/; classtype:trojan-activity;sid:84682607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46899.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819508/; classtype:trojan-activity;sid:84682608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37616.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819509/; classtype:trojan-activity;sid:84682609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56161.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819510/; classtype:trojan-activity;sid:84682610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43188.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819511/; classtype:trojan-activity;sid:84682611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68283.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819512/; classtype:trojan-activity;sid:84682612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52758.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819513/; classtype:trojan-activity;sid:84682613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66262.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819496/; classtype:trojan-activity;sid:84682596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98775.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819497/; classtype:trojan-activity;sid:84682597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88067.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819498/; classtype:trojan-activity;sid:84682598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48040.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819499/; classtype:trojan-activity;sid:84682599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16272.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819500/; classtype:trojan-activity;sid:84682600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54154.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819501/; classtype:trojan-activity;sid:84682601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87626.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819502/; classtype:trojan-activity;sid:84682602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47488.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819503/; classtype:trojan-activity;sid:84682603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25188.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819504/; classtype:trojan-activity;sid:84682604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73129.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819491/; classtype:trojan-activity;sid:84682591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19977.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819492/; classtype:trojan-activity;sid:84682592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73678.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819493/; classtype:trojan-activity;sid:84682593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95692.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819494/; classtype:trojan-activity;sid:84682594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93259.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819495/; classtype:trojan-activity;sid:84682595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52073.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819490/; classtype:trojan-activity;sid:84682590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68583.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819488/; classtype:trojan-activity;sid:84682588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72999.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819489/; classtype:trojan-activity;sid:84682589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72068.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819485/; classtype:trojan-activity;sid:84682585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71885.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819486/; classtype:trojan-activity;sid:84682586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88691.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819487/; classtype:trojan-activity;sid:84682587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20314.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819473/; classtype:trojan-activity;sid:84682573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21603.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819474/; classtype:trojan-activity;sid:84682574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93995.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819475/; classtype:trojan-activity;sid:84682575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96182.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819476/; classtype:trojan-activity;sid:84682576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06716.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819477/; classtype:trojan-activity;sid:84682577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97333.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819478/; classtype:trojan-activity;sid:84682578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13235.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819479/; classtype:trojan-activity;sid:84682579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69981.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819480/; classtype:trojan-activity;sid:84682580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15217.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819481/; classtype:trojan-activity;sid:84682581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91484.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819482/; classtype:trojan-activity;sid:84682582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28820.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819483/; classtype:trojan-activity;sid:84682583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97017.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819484/; classtype:trojan-activity;sid:84682584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83888.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819469/; classtype:trojan-activity;sid:84682569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65651.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819470/; classtype:trojan-activity;sid:84682570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57896.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819471/; classtype:trojan-activity;sid:84682571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60161.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819472/; classtype:trojan-activity;sid:84682572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66017.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819465/; classtype:trojan-activity;sid:84682565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94833.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819466/; classtype:trojan-activity;sid:84682566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72679.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819467/; classtype:trojan-activity;sid:84682567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67130.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819468/; classtype:trojan-activity;sid:84682568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81547.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819463/; classtype:trojan-activity;sid:84682563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54969.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819464/; classtype:trojan-activity;sid:84682564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41495.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819461/; classtype:trojan-activity;sid:84682561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43724.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819462/; classtype:trojan-activity;sid:84682562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99433.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819455/; classtype:trojan-activity;sid:84682555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87414.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819456/; classtype:trojan-activity;sid:84682556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08373.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819457/; classtype:trojan-activity;sid:84682557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30450.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819458/; classtype:trojan-activity;sid:84682558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80830.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819459/; classtype:trojan-activity;sid:84682559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45405.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819460/; classtype:trojan-activity;sid:84682560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85095.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819451/; classtype:trojan-activity;sid:84682551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68947.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819452/; classtype:trojan-activity;sid:84682552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65012.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819453/; classtype:trojan-activity;sid:84682553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69981.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819454/; classtype:trojan-activity;sid:84682554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23580.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819448/; classtype:trojan-activity;sid:84682548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98775.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819449/; classtype:trojan-activity;sid:84682549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66234.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819450/; classtype:trojan-activity;sid:84682550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42486.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819445/; classtype:trojan-activity;sid:84682545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06113.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819446/; classtype:trojan-activity;sid:84682546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91385.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819447/; classtype:trojan-activity;sid:84682547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68667.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819440/; classtype:trojan-activity;sid:84682540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72892.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819441/; classtype:trojan-activity;sid:84682541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87547.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819442/; classtype:trojan-activity;sid:84682542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40212.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819443/; classtype:trojan-activity;sid:84682543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12660.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819444/; classtype:trojan-activity;sid:84682544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48547.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819435/; classtype:trojan-activity;sid:84682535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86171.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819436/; classtype:trojan-activity;sid:84682536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68793.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819437/; classtype:trojan-activity;sid:84682537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96182.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819438/; classtype:trojan-activity;sid:84682538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52326.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819439/; classtype:trojan-activity;sid:84682539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68809.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819427/; classtype:trojan-activity;sid:84682527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52221.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819428/; classtype:trojan-activity;sid:84682528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07384.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819429/; classtype:trojan-activity;sid:84682529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05947.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819430/; classtype:trojan-activity;sid:84682530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49317.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819431/; classtype:trojan-activity;sid:84682531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819432)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24938.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819432/; classtype:trojan-activity;sid:84682532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96851.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819433/; classtype:trojan-activity;sid:84682533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96856.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819434/; classtype:trojan-activity;sid:84682534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34096.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819421/; classtype:trojan-activity;sid:84682521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02324.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819422/; classtype:trojan-activity;sid:84682522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43188.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819423/; classtype:trojan-activity;sid:84682523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47111.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819424/; classtype:trojan-activity;sid:84682524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53098.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819425/; classtype:trojan-activity;sid:84682525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91762.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819426/; classtype:trojan-activity;sid:84682526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819415)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_20295.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819415/; classtype:trojan-activity;sid:84682515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93523.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819416/; classtype:trojan-activity;sid:84682516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02839.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819417/; classtype:trojan-activity;sid:84682517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82893.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819418/; classtype:trojan-activity;sid:84682518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80995.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819419/; classtype:trojan-activity;sid:84682519; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37964.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819420/; classtype:trojan-activity;sid:84682520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84276.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819411/; classtype:trojan-activity;sid:84682511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86529.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819412/; classtype:trojan-activity;sid:84682512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41604.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819413/; classtype:trojan-activity;sid:84682513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05801.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819414/; classtype:trojan-activity;sid:84682514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62511.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819410/; classtype:trojan-activity;sid:84682510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22301.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819408/; classtype:trojan-activity;sid:84682508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15833.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819409/; classtype:trojan-activity;sid:84682509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35790.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819403/; classtype:trojan-activity;sid:84682503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97455.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819404/; classtype:trojan-activity;sid:84682504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15965.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819405/; classtype:trojan-activity;sid:84682505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64549.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819406/; classtype:trojan-activity;sid:84682506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81909.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819407/; classtype:trojan-activity;sid:84682507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82041.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819400/; classtype:trojan-activity;sid:84682500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96851.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819401/; classtype:trojan-activity;sid:84682501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91747.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819402/; classtype:trojan-activity;sid:84682502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57350.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819398/; classtype:trojan-activity;sid:84682498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80308.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819399/; classtype:trojan-activity;sid:84682499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819391)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15163.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819391/; classtype:trojan-activity;sid:84682491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33967.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819392/; classtype:trojan-activity;sid:84682492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55459.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819393/; classtype:trojan-activity;sid:84682493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98937.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819394/; classtype:trojan-activity;sid:84682494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34561.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819395/; classtype:trojan-activity;sid:84682495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34293.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819396/; classtype:trojan-activity;sid:84682496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63128.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819397/; classtype:trojan-activity;sid:84682497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65012.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819388/; classtype:trojan-activity;sid:84682488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44238.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819389/; classtype:trojan-activity;sid:84682489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819390)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_81592.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819390/; classtype:trojan-activity;sid:84682490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55365.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819386/; classtype:trojan-activity;sid:84682486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26726.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819387/; classtype:trojan-activity;sid:84682487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64830.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819376/; classtype:trojan-activity;sid:84682476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45248.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819377/; classtype:trojan-activity;sid:84682477; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34916.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819378/; classtype:trojan-activity;sid:84682478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33769.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819379/; classtype:trojan-activity;sid:84682479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87414.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819380/; classtype:trojan-activity;sid:84682480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70402.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819381/; classtype:trojan-activity;sid:84682481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35403.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819382/; classtype:trojan-activity;sid:84682482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74570.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819383/; classtype:trojan-activity;sid:84682483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91985.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819384/; classtype:trojan-activity;sid:84682484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28076.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819385/; classtype:trojan-activity;sid:84682485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66147.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819371/; classtype:trojan-activity;sid:84682471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45629.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819372/; classtype:trojan-activity;sid:84682472; rev:1;)
#
# Reviewer notes for the rules below (comments only; rule text is unchanged, restored to one rule per line).
#
# Shape: every rule alerts on an HTTP GET sent by a $HOME_NET client to $EXTERNAL_NET on an established flow,
# for one specific URL. In http.uri, `depth` equals the content length and `endswith` anchors the match to the
# end of the buffer, so the URI must equal the listed string (case-insensitively, via `nocase`); the same path
# with a query string or any extra byte is not covered. In http.host, `depth` plus `isdataat:!1,relative`
# likewise requires the host to be exactly the listed value.
#
# Coverage: these are `alert http` rules, so they only fire on requests the HTTP parser sees; the same URL
# fetched over TLS is not covered unless traffic is decrypted before it reaches the sensor. Alerts also depend
# on $HOME_NET / $EXTERNAL_NET being set correctly for the monitored network.
#
# Triage: almost every rule in this run targets refundonex.com with /cloud/form_<5 digits>.pdf.<lnk|vbs|ps1>,
# i.e. a double extension where the final extension is a shortcut or script type rather than a PDF. The file
# names look generated (NOTE(review): confirm on the URLhaus reference pages), so treat any hit as a host-level
# indicator and review proxy/DNS logs for other requests to the same host instead of relying on per-URL rules.
# metadata:created_at is presumably the date the entry was added (2026_04_13 here); the reference URL is the
# place to check the current status of the entry before acting on an old alert.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38374.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819373/; classtype:trojan-activity;sid:84682473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63278.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819374/; classtype:trojan-activity;sid:84682474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41668.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819375/; classtype:trojan-activity;sid:84682475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23840.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819368/; classtype:trojan-activity;sid:84682468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44107.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819369/; classtype:trojan-activity;sid:84682469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04878.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819370/; classtype:trojan-activity;sid:84682470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02148.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819363/; classtype:trojan-activity;sid:84682463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39600.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819364/; classtype:trojan-activity;sid:84682464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73779.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819365/; classtype:trojan-activity;sid:84682465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46358.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819366/; classtype:trojan-activity;sid:84682466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12971.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819367/; classtype:trojan-activity;sid:84682467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87951.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819360/; classtype:trojan-activity;sid:84682460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96856.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819361/; classtype:trojan-activity;sid:84682461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18088.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819362/; classtype:trojan-activity;sid:84682462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40212.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819359/; classtype:trojan-activity;sid:84682459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99893.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819357/; classtype:trojan-activity;sid:84682457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69167.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819358/; classtype:trojan-activity;sid:84682458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87533.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819355/; classtype:trojan-activity;sid:84682455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16383.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819356/; classtype:trojan-activity;sid:84682456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23580.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819352/; classtype:trojan-activity;sid:84682452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22704.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819353/; classtype:trojan-activity;sid:84682453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46359.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819354/; classtype:trojan-activity;sid:84682454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96608.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819344/; classtype:trojan-activity;sid:84682444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86906.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819345/; classtype:trojan-activity;sid:84682445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23255.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819346/; classtype:trojan-activity;sid:84682446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69721.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819347/; classtype:trojan-activity;sid:84682447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88278.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819348/; classtype:trojan-activity;sid:84682448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52809.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819349/; classtype:trojan-activity;sid:84682449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91865.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819350/; classtype:trojan-activity;sid:84682450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02259.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819351/; classtype:trojan-activity;sid:84682451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07793.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819341/; classtype:trojan-activity;sid:84682441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43919.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819342/; classtype:trojan-activity;sid:84682442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76835.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819343/; classtype:trojan-activity;sid:84682443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50616.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819338/; classtype:trojan-activity;sid:84682438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47111.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819339/; classtype:trojan-activity;sid:84682439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76148.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819340/; classtype:trojan-activity;sid:84682440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96673.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819332/; classtype:trojan-activity;sid:84682432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36722.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819333/; classtype:trojan-activity;sid:84682433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00088.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819334/; classtype:trojan-activity;sid:84682434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83432.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819335/; classtype:trojan-activity;sid:84682435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88815.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819336/; classtype:trojan-activity;sid:84682436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18344.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819337/; classtype:trojan-activity;sid:84682437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08117.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819330/; classtype:trojan-activity;sid:84682430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96728.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819331/; classtype:trojan-activity;sid:84682431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57352.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819324/; classtype:trojan-activity;sid:84682424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62775.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819325/; classtype:trojan-activity;sid:84682425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87118.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819326/; classtype:trojan-activity;sid:84682426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81148.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819327/; classtype:trojan-activity;sid:84682427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37383.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819328/; classtype:trojan-activity;sid:84682428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53051.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819329/; classtype:trojan-activity;sid:84682429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55365.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819316/; classtype:trojan-activity;sid:84682416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68359.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819317/; classtype:trojan-activity;sid:84682417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85706.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819318/; classtype:trojan-activity;sid:84682418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55691.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819319/; classtype:trojan-activity;sid:84682419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50144.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819320/; classtype:trojan-activity;sid:84682420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46395.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819321/; classtype:trojan-activity;sid:84682421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35807.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819322/; classtype:trojan-activity;sid:84682422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80308.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819323/; classtype:trojan-activity;sid:84682423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97776.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819313/; classtype:trojan-activity;sid:84682413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19180.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819314/; classtype:trojan-activity;sid:84682414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59665.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819315/; classtype:trojan-activity;sid:84682415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40358.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819309/; classtype:trojan-activity;sid:84682409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19463.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819310/; classtype:trojan-activity;sid:84682410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88691.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819311/; classtype:trojan-activity;sid:84682411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61111.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819312/; classtype:trojan-activity;sid:84682412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77914.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819300/; classtype:trojan-activity;sid:84682400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78413.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819301/; classtype:trojan-activity;sid:84682401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51894.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819302/; classtype:trojan-activity;sid:84682402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57473.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819303/; classtype:trojan-activity;sid:84682403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58832.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819304/; classtype:trojan-activity;sid:84682404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71572.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819305/; classtype:trojan-activity;sid:84682405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23536.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819306/; classtype:trojan-activity;sid:84682406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27129.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819307/; classtype:trojan-activity;sid:84682407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21559.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819308/; classtype:trojan-activity;sid:84682408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82893.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819298/; classtype:trojan-activity;sid:84682398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77303.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819299/; classtype:trojan-activity;sid:84682399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07693.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819295/; classtype:trojan-activity;sid:84682395; rev:1;)
# Different indicator from the surrounding run: the host is a bare IPv4 address and the file is an .hta.
# Same exact-match structure as the other rules (depth:43 and depth:12 equal the content lengths).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/55/ec/nicespeakingwithbetstthingsforme.hta"; depth:43; endswith; nocase; http.host; content:"198.12.83.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819296/; classtype:trojan-activity;sid:84682396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67033.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819297/; classtype:trojan-activity;sid:84682397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16220.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819293/; classtype:trojan-activity;sid:84682393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00007.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819294/; classtype:trojan-activity;sid:84682394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89431.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819292/; classtype:trojan-activity;sid:84682392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19266.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819290/; classtype:trojan-activity;sid:84682390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66268.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819291/; classtype:trojan-activity;sid:84682391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81271.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819285/; classtype:trojan-activity;sid:84682385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60081.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819286/; classtype:trojan-activity;sid:84682386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36597.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819287/; classtype:trojan-activity;sid:84682387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45658.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819288/; classtype:trojan-activity;sid:84682388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94559.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819289/; classtype:trojan-activity;sid:84682389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04829.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819278/; classtype:trojan-activity;sid:84682378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01796.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819279/; classtype:trojan-activity;sid:84682379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31816.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819280/; classtype:trojan-activity;sid:84682380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38427.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819281/; classtype:trojan-activity;sid:84682381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78116.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819282/; classtype:trojan-activity;sid:84682382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27573.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819283/; classtype:trojan-activity;sid:84682383; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62563.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819284/; classtype:trojan-activity;sid:84682384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74229.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819273/; classtype:trojan-activity;sid:84682373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73678.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819274/; classtype:trojan-activity;sid:84682374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90950.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819275/; classtype:trojan-activity;sid:84682375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93351.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819276/; classtype:trojan-activity;sid:84682376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83865.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819277/; classtype:trojan-activity;sid:84682377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87491.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819259/; classtype:trojan-activity;sid:84682359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87057.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819260/; classtype:trojan-activity;sid:84682360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20786.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819261/; classtype:trojan-activity;sid:84682361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81867.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819262/; classtype:trojan-activity;sid:84682362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69975.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819263/; classtype:trojan-activity;sid:84682363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96629.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819264/; classtype:trojan-activity;sid:84682364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02192.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819265/; classtype:trojan-activity;sid:84682365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20137.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819266/; classtype:trojan-activity;sid:84682366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01812.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819267/; classtype:trojan-activity;sid:84682367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93224.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819268/; classtype:trojan-activity;sid:84682368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18177.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819269/; classtype:trojan-activity;sid:84682369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08811.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819270/; classtype:trojan-activity;sid:84682370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819271)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74229.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819271/; classtype:trojan-activity;sid:84682371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19266.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819272/; classtype:trojan-activity;sid:84682372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53097.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819258/; classtype:trojan-activity;sid:84682358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01458.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819251/; classtype:trojan-activity;sid:84682351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36331.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819252/; classtype:trojan-activity;sid:84682352; rev:1;)
# NOTE(review): triage guidance for alerts from these rules.
# The match is on the client's GET request (flow:established,from_client), so
# an alert shows that a host in $HOME_NET asked for the URL, not that the
# payload was returned. Confirm delivery from the HTTP response status and any
# file-extraction / fileinfo records for the same flow before escalating.
# In every rule shown here the sid is the URLhaus entry number plus 80863100
# (3819253 -> 84682353), and the same entry number appears in msg and in the
# reference URL, so an alert can be traced back to its URLhaus record from any
# of the three fields.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59517.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819253/; classtype:trojan-activity;sid:84682353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27245.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819254/; classtype:trojan-activity;sid:84682354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85934.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819255/; classtype:trojan-activity;sid:84682355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89431.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819256/; classtype:trojan-activity;sid:84682356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819257)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_97143.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819257/; classtype:trojan-activity;sid:84682357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23911.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819240/; classtype:trojan-activity;sid:84682340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92696.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819241/; classtype:trojan-activity;sid:84682341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02162.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819242/; classtype:trojan-activity;sid:84682342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80830.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819243/; classtype:trojan-activity;sid:84682343; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96145.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819244/; classtype:trojan-activity;sid:84682344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15181.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819245/; classtype:trojan-activity;sid:84682345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30736.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819246/; classtype:trojan-activity;sid:84682346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87519.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819247/; classtype:trojan-activity;sid:84682347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98722.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819248/; classtype:trojan-activity;sid:84682348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91129.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819249/; classtype:trojan-activity;sid:84682349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87554.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819250/; classtype:trojan-activity;sid:84682350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86906.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819232/; classtype:trojan-activity;sid:84682332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10319.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819233/; classtype:trojan-activity;sid:84682333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49326.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819234/; classtype:trojan-activity;sid:84682334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03569.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819235/; classtype:trojan-activity;sid:84682335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92625.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819236/; classtype:trojan-activity;sid:84682336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20296.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819237/; classtype:trojan-activity;sid:84682337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91478.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819238/; classtype:trojan-activity;sid:84682338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77773.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819239/; classtype:trojan-activity;sid:84682339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15791.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819225/; classtype:trojan-activity;sid:84682325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99131.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819226/; classtype:trojan-activity;sid:84682326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72788.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819227/; classtype:trojan-activity;sid:84682327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819228)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78413.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819228/; classtype:trojan-activity;sid:84682328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45276.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819229/; classtype:trojan-activity;sid:84682329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96477.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819230/; classtype:trojan-activity;sid:84682330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11369.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819231/; classtype:trojan-activity;sid:84682331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16272.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819222/; classtype:trojan-activity;sid:84682322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36782.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819223/; classtype:trojan-activity;sid:84682323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23593.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819224/; classtype:trojan-activity;sid:84682324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01577.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819217/; classtype:trojan-activity;sid:84682317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04263.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819218/; classtype:trojan-activity;sid:84682318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819219)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_91129.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819219/; classtype:trojan-activity;sid:84682319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77802.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819220/; classtype:trojan-activity;sid:84682320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57655.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819221/; classtype:trojan-activity;sid:84682321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12317.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819212/; classtype:trojan-activity;sid:84682312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93549.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819213/; classtype:trojan-activity;sid:84682313; 
rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24070.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819214/; classtype:trojan-activity;sid:84682314; rev:1;)
# NOTE(review): the next entry is not part of the refundonex.com series around
# it. The host is a bare IPv4 address and the file is a .js script. The address
# is matched as the value of the HTTP Host header (http.host), while the
# destination in the rule header stays $EXTERNAL_NET any, so the rule does not
# key on the destination IP of the connection. When triaging, also search
# flow records for connections to the address itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/458/4/cloudconnections.js"; depth:26; endswith; nocase; http.host; content:"107.175.88.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819215/; classtype:trojan-activity;sid:84682315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09506.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819216/; classtype:trojan-activity;sid:84682316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85892.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819205/; classtype:trojan-activity;sid:84682305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37612.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819206/; classtype:trojan-activity;sid:84682306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16430.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819207/; classtype:trojan-activity;sid:84682307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39574.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819208/; classtype:trojan-activity;sid:84682308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89271.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819209/; classtype:trojan-activity;sid:84682309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95559.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819210/; classtype:trojan-activity;sid:84682310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44090.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819211/; classtype:trojan-activity;sid:84682311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38832.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819204/; classtype:trojan-activity;sid:84682304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63948.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819203/; classtype:trojan-activity;sid:84682303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12570.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819194/; classtype:trojan-activity;sid:84682294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00142.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819195/; classtype:trojan-activity;sid:84682295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84071.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819196/; classtype:trojan-activity;sid:84682296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20295.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819197/; classtype:trojan-activity;sid:84682297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99084.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819198/; classtype:trojan-activity;sid:84682298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43572.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819199/; classtype:trojan-activity;sid:84682299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819200)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88598.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819200/; classtype:trojan-activity;sid:84682300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85753.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819201/; classtype:trojan-activity;sid:84682301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01458.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819202/; classtype:trojan-activity;sid:84682302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15098.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819187/; classtype:trojan-activity;sid:84682287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64055.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819188/; classtype:trojan-activity;sid:84682288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87454.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819189/; classtype:trojan-activity;sid:84682289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12110.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819190/; classtype:trojan-activity;sid:84682290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01812.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819191/; classtype:trojan-activity;sid:84682291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85369.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819192/; classtype:trojan-activity;sid:84682292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819193)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_57350.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819193/; classtype:trojan-activity;sid:84682293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55459.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819177/; classtype:trojan-activity;sid:84682277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88971.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819178/; classtype:trojan-activity;sid:84682278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96673.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819179/; classtype:trojan-activity;sid:84682279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92157.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819180/; classtype:trojan-activity;sid:84682280; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26701.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819181/; classtype:trojan-activity;sid:84682281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89226.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819182/; classtype:trojan-activity;sid:84682282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05378.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819183/; classtype:trojan-activity;sid:84682283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53631.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819184/; classtype:trojan-activity;sid:84682284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46031.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819185/; classtype:trojan-activity;sid:84682285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37707.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819186/; classtype:trojan-activity;sid:84682286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38832.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819175/; classtype:trojan-activity;sid:84682275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35369.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819176/; classtype:trojan-activity;sid:84682276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87253.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819169/; classtype:trojan-activity;sid:84682269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68283.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819170/; classtype:trojan-activity;sid:84682270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11055.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819171/; classtype:trojan-activity;sid:84682271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60555.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819172/; classtype:trojan-activity;sid:84682272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70256.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819173/; classtype:trojan-activity;sid:84682273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59572.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819174/; classtype:trojan-activity;sid:84682274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43572.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819165/; classtype:trojan-activity;sid:84682265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91762.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819166/; classtype:trojan-activity;sid:84682266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48879.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819167/; classtype:trojan-activity;sid:84682267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97455.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819168/; classtype:trojan-activity;sid:84682268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819162)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06235.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819162/; classtype:trojan-activity;sid:84682262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56298.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819163/; classtype:trojan-activity;sid:84682263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25723.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819164/; classtype:trojan-activity;sid:84682264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06290.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819159/; classtype:trojan-activity;sid:84682259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96580.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819160/; classtype:trojan-activity;sid:84682260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91762.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819161/; classtype:trojan-activity;sid:84682261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56406.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819147/; classtype:trojan-activity;sid:84682247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69149.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819148/; classtype:trojan-activity;sid:84682248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76760.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819149/; classtype:trojan-activity;sid:84682249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819150)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_55648.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819150/; classtype:trojan-activity;sid:84682250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71088.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819151/; classtype:trojan-activity;sid:84682251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06705.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819152/; classtype:trojan-activity;sid:84682252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85934.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819153/; classtype:trojan-activity;sid:84682253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03478.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819154/; classtype:trojan-activity;sid:84682254; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15388.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819155/; classtype:trojan-activity;sid:84682255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63675.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819156/; classtype:trojan-activity;sid:84682256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45793.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819157/; classtype:trojan-activity;sid:84682257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96474.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819158/; classtype:trojan-activity;sid:84682258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15163.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819144/; classtype:trojan-activity;sid:84682244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66723.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819145/; classtype:trojan-activity;sid:84682245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70706.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819146/; classtype:trojan-activity;sid:84682246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89541.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819138/; classtype:trojan-activity;sid:84682238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45629.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819139/; classtype:trojan-activity;sid:84682239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31268.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819140/; classtype:trojan-activity;sid:84682240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97413.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819141/; classtype:trojan-activity;sid:84682241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66723.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819142/; classtype:trojan-activity;sid:84682242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50931.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819143/; classtype:trojan-activity;sid:84682243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73011.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819131/; classtype:trojan-activity;sid:84682231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24938.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819132/; classtype:trojan-activity;sid:84682232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34163.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819133/; classtype:trojan-activity;sid:84682233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70618.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819134/; classtype:trojan-activity;sid:84682234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97333.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819135/; classtype:trojan-activity;sid:84682235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819136)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80947.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819136/; classtype:trojan-activity;sid:84682236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06949.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819137/; classtype:trojan-activity;sid:84682237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33018.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819130/; classtype:trojan-activity;sid:84682230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98916.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819128/; classtype:trojan-activity;sid:84682228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02162.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819129/; classtype:trojan-activity;sid:84682229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89271.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819126/; classtype:trojan-activity;sid:84682226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43627.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819127/; classtype:trojan-activity;sid:84682227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28210.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819125/; classtype:trojan-activity;sid:84682225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35790.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819124/; classtype:trojan-activity;sid:84682224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819120)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_68667.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819120/; classtype:trojan-activity;sid:84682220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02643.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819121/; classtype:trojan-activity;sid:84682221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72493.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819122/; classtype:trojan-activity;sid:84682222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38075.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819123/; classtype:trojan-activity;sid:84682223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95289.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819116/; classtype:trojan-activity;sid:84682216; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84450.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819117/; classtype:trojan-activity;sid:84682217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07950.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819118/; classtype:trojan-activity;sid:84682218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19872.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819119/; classtype:trojan-activity;sid:84682219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45658.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819113/; classtype:trojan-activity;sid:84682213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45012.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819114/; classtype:trojan-activity;sid:84682214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87547.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819115/; classtype:trojan-activity;sid:84682215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65652.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819112/; classtype:trojan-activity;sid:84682212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43581.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819109/; classtype:trojan-activity;sid:84682209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44587.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819110/; classtype:trojan-activity;sid:84682210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22600.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819111/; classtype:trojan-activity;sid:84682211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26591.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819099/; classtype:trojan-activity;sid:84682199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94399.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819100/; classtype:trojan-activity;sid:84682200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39469.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819101/; classtype:trojan-activity;sid:84682201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07505.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819102/; classtype:trojan-activity;sid:84682202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95289.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819103/; classtype:trojan-activity;sid:84682203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91865.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819104/; classtype:trojan-activity;sid:84682204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17823.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819105/; classtype:trojan-activity;sid:84682205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22807.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819106/; classtype:trojan-activity;sid:84682206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819107)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17562.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819107/; classtype:trojan-activity;sid:84682207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29943.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819108/; classtype:trojan-activity;sid:84682208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60555.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819089/; classtype:trojan-activity;sid:84682189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89226.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819090/; classtype:trojan-activity;sid:84682190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88691.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819091/; classtype:trojan-activity;sid:84682191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83897.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819092/; classtype:trojan-activity;sid:84682192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_897893.pdf.vbs"; depth:26; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819093/; classtype:trojan-activity;sid:84682193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32532.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819094/; classtype:trojan-activity;sid:84682194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88067.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819095/; classtype:trojan-activity;sid:84682195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819096)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_72892.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819096/; classtype:trojan-activity;sid:84682196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46358.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819097/; classtype:trojan-activity;sid:84682197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53894.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819098/; classtype:trojan-activity;sid:84682198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96629.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819084/; classtype:trojan-activity;sid:84682184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14989.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819085/; classtype:trojan-activity;sid:84682185; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65872.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819086/; classtype:trojan-activity;sid:84682186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16383.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819087/; classtype:trojan-activity;sid:84682187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05378.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819088/; classtype:trojan-activity;sid:84682188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16480.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819082/; classtype:trojan-activity;sid:84682182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31225.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819083/; classtype:trojan-activity;sid:84682183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25490.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819074/; classtype:trojan-activity;sid:84682174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72145.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819075/; classtype:trojan-activity;sid:84682175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65740.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819076/; classtype:trojan-activity;sid:84682176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85275.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819077/; classtype:trojan-activity;sid:84682177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3819078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72883.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819078/; classtype:trojan-activity;sid:84682178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65349.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819079/; classtype:trojan-activity;sid:84682179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23356.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819080/; classtype:trojan-activity;sid:84682180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54122.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819081/; classtype:trojan-activity;sid:84682181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39574.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819073/; classtype:trojan-activity;sid:84682173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70376.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819072/; classtype:trojan-activity;sid:84682172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99084.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819070/; classtype:trojan-activity;sid:84682170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83940.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819071/; classtype:trojan-activity;sid:84682171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76404.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819066/; classtype:trojan-activity;sid:84682166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819067)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68656.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819067/; classtype:trojan-activity;sid:84682167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99164.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819068/; classtype:trojan-activity;sid:84682168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41904.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819069/; classtype:trojan-activity;sid:84682169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53098.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819064/; classtype:trojan-activity;sid:84682164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84792.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3819065/; classtype:trojan-activity;sid:84682165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20799.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819058/; classtype:trojan-activity;sid:84682158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61449.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819059/; classtype:trojan-activity;sid:84682159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20296.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819060/; classtype:trojan-activity;sid:84682160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82208.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819061/; classtype:trojan-activity;sid:84682161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819062)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_13236.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819062/; classtype:trojan-activity;sid:84682162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22533.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819063/; classtype:trojan-activity;sid:84682163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07400.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819057/; classtype:trojan-activity;sid:84682157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a9a4wp/ndofghk.txt"; depth:19; endswith; nocase; http.host; content:"mypanel.vip"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819046/; classtype:trojan-activity;sid:84682146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72160.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819047/; classtype:trojan-activity;sid:84682147; rev:1;) 
# URLhaus download-URL signatures for refundonex.com, one rule per listed URL;
# every rule in this run carries metadata created_at 2026_04_13.
# Paths follow /cloud/form_<5 digits>.pdf.<ext> with ext one of lnk, vbs or ps1,
# i.e. a document-style name whose final extension is a shortcut or script.
# Some form numbers are listed under more than one extension.
# Match logic shared by the rules below:
#   - flow:established,from_client with http.method "GET": the rule fires on the
#     client's request. An alert shows that a $HOME_NET host asked for the URL,
#     not that a payload was returned or executed; triage continues on the
#     response and on the endpoint.
#   - http.uri: depth:25 equals the content length and endswith is set, so the
#     whole URI buffer must equal the listed path (nocase). A request whose URI
#     carries anything after the path, for example a query string, does not match.
#   - http.host: depth:14 equals the host length and isdataat:!1,relative
#     requires that no byte follows the match, so the host must match exactly.
# Scope: app-layer http only. NOTE(review): the same URL fetched over TLS is
# presumably not seen unless traffic is decrypted ahead of the sensor; confirm
# for the deployment.
# Each rule pins a single observed path, so form_ numbers that are not listed
# do not alert; a host-level block at DNS or the proxy is the usual complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18177.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819048/; classtype:trojan-activity;sid:84682148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78550.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819049/; classtype:trojan-activity;sid:84682149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54467.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819050/; classtype:trojan-activity;sid:84682150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44090.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819051/; classtype:trojan-activity;sid:84682151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41904.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819052/; classtype:trojan-activity;sid:84682152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34293.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819053/; classtype:trojan-activity;sid:84682153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13316.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819054/; classtype:trojan-activity;sid:84682154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61938.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819055/; classtype:trojan-activity;sid:84682155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41126.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819056/; classtype:trojan-activity;sid:84682156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49929.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819043/; classtype:trojan-activity;sid:84682143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23919.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819044/; classtype:trojan-activity;sid:84682144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94580.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819045/; classtype:trojan-activity;sid:84682145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63948.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819037/; classtype:trojan-activity;sid:84682137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52937.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819038/; classtype:trojan-activity;sid:84682138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26917.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819039/; classtype:trojan-activity;sid:84682139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10539.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819040/; classtype:trojan-activity;sid:84682140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22845.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819041/; classtype:trojan-activity;sid:84682141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53604.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819042/; classtype:trojan-activity;sid:84682142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45309.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819031/; classtype:trojan-activity;sid:84682131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04263.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819032/; classtype:trojan-activity;sid:84682132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79294.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819033/; classtype:trojan-activity;sid:84682133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28608.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819034/; classtype:trojan-activity;sid:84682134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83888.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819035/; classtype:trojan-activity;sid:84682135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98916.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819036/; classtype:trojan-activity;sid:84682136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55147.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819028/; classtype:trojan-activity;sid:84682128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83640.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819029/; classtype:trojan-activity;sid:84682129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08683.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819030/; classtype:trojan-activity;sid:84682130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01796.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819026/; classtype:trojan-activity;sid:84682126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85095.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819027/; classtype:trojan-activity;sid:84682127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79569.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819019/; classtype:trojan-activity;sid:84682119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36834.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819020/; classtype:trojan-activity;sid:84682120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28026.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819021/; classtype:trojan-activity;sid:84682121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03796.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819022/; classtype:trojan-activity;sid:84682122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21927.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819023/; classtype:trojan-activity;sid:84682123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96580.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819024/; classtype:trojan-activity;sid:84682124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20859.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819025/; classtype:trojan-activity;sid:84682125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36728.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819018/; classtype:trojan-activity;sid:84682118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55147.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819017/; classtype:trojan-activity;sid:84682117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08820.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819016/; classtype:trojan-activity;sid:84682116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98722.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819015/; classtype:trojan-activity;sid:84682115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43634.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819011/; classtype:trojan-activity;sid:84682111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76012.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819012/; classtype:trojan-activity;sid:84682112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20035.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819013/; classtype:trojan-activity;sid:84682113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29496.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819014/; classtype:trojan-activity;sid:84682114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64538.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819010/; classtype:trojan-activity;sid:84682110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01788.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819003/; classtype:trojan-activity;sid:84682103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23908.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819004/; classtype:trojan-activity;sid:84682104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91790.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819005/; classtype:trojan-activity;sid:84682105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94833.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819006/; classtype:trojan-activity;sid:84682106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96608.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819007/; classtype:trojan-activity;sid:84682107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24764.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819008/; classtype:trojan-activity;sid:84682108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81909.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819009/; classtype:trojan-activity;sid:84682109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48154.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818993/; classtype:trojan-activity;sid:84682093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97508.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818994/; classtype:trojan-activity;sid:84682094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92696.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818995/; classtype:trojan-activity;sid:84682095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64761.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818996/; classtype:trojan-activity;sid:84682096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28026.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818997/; classtype:trojan-activity;sid:84682097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26591.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818998/; classtype:trojan-activity;sid:84682098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92910.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818999/; classtype:trojan-activity;sid:84682099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62511.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819000/; classtype:trojan-activity;sid:84682100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43388.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819001/; classtype:trojan-activity;sid:84682101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3819002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70402.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3819002/; classtype:trojan-activity;sid:84682102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05895.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818987/; classtype:trojan-activity;sid:84682087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21559.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818988/; classtype:trojan-activity;sid:84682088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09953.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818989/; classtype:trojan-activity;sid:84682089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13579.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818990/; classtype:trojan-activity;sid:84682090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63809.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818991/; classtype:trojan-activity;sid:84682091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49929.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818992/; classtype:trojan-activity;sid:84682092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46395.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818978/; classtype:trojan-activity;sid:84682078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83418.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818979/; classtype:trojan-activity;sid:84682079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21974.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818980/; classtype:trojan-activity;sid:84682080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85498.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818981/; classtype:trojan-activity;sid:84682081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54805.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818982/; classtype:trojan-activity;sid:84682082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84846.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818983/; classtype:trojan-activity;sid:84682083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14989.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818984/; classtype:trojan-activity;sid:84682084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24663.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818985/; classtype:trojan-activity;sid:84682085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48499.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818986/; classtype:trojan-activity;sid:84682086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62843.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818973/; classtype:trojan-activity;sid:84682073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95394.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818974/; classtype:trojan-activity;sid:84682074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37383.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818975/; classtype:trojan-activity;sid:84682075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84450.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818976/; classtype:trojan-activity;sid:84682076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72715.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818977/; classtype:trojan-activity;sid:84682077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79597.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818972/; classtype:trojan-activity;sid:84682072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53501.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818970/; classtype:trojan-activity;sid:84682070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21012.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818971/; classtype:trojan-activity;sid:84682071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38966.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818967/; classtype:trojan-activity;sid:84682067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80840.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818968/; classtype:trojan-activity;sid:84682068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80995.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818969/; classtype:trojan-activity;sid:84682069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70894.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818962/; classtype:trojan-activity;sid:84682062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60967.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818963/; classtype:trojan-activity;sid:84682063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93958.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818964/; classtype:trojan-activity;sid:84682064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818965)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_25599.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818965/; classtype:trojan-activity;sid:84682065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31816.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818966/; classtype:trojan-activity;sid:84682066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88746.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818953/; classtype:trojan-activity;sid:84682053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67465.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818954/; classtype:trojan-activity;sid:84682054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54837.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818955/; classtype:trojan-activity;sid:84682055; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00535.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818956/; classtype:trojan-activity;sid:84682056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88067.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818957/; classtype:trojan-activity;sid:84682057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20314.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818958/; classtype:trojan-activity;sid:84682058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.142.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818959/; classtype:trojan-activity;sid:84682059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66262.pdf.vbs"; depth:25; endswith; nocase; http.host; 
content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818960/; classtype:trojan-activity;sid:84682060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39600.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818961/; classtype:trojan-activity;sid:84682061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56403.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818949/; classtype:trojan-activity;sid:84682049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/testx.pdf.ps1"; depth:20; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818950/; classtype:trojan-activity;sid:84682050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40134.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818951/; classtype:trojan-activity;sid:84682051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3818952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24198.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818952/; classtype:trojan-activity;sid:84682052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54126.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818946/; classtype:trojan-activity;sid:84682046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87253.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818947/; classtype:trojan-activity;sid:84682047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88088.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818948/; classtype:trojan-activity;sid:84682048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12510.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_13; reference:url, urlhaus.abuse.ch/url/3818939/; classtype:trojan-activity;sid:84682039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50628.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818940/; classtype:trojan-activity;sid:84682040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47973.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818941/; classtype:trojan-activity;sid:84682041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31225.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818942/; classtype:trojan-activity;sid:84682042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55691.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818943/; classtype:trojan-activity;sid:84682043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818944)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cloud/form_06239.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818944/; classtype:trojan-activity;sid:84682044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28403.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818945/; classtype:trojan-activity;sid:84682045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57473.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818935/; classtype:trojan-activity;sid:84682035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54969.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818936/; classtype:trojan-activity;sid:84682036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10718.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818937/; 
classtype:trojan-activity;sid:84682037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34055.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818938/; classtype:trojan-activity;sid:84682038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/josetomas.pdf.vbs"; depth:24; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818933/; classtype:trojan-activity;sid:84682033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45012.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818934/; classtype:trojan-activity;sid:84682034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52297.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818927/; classtype:trojan-activity;sid:84682027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818928)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_59150.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818928/; classtype:trojan-activity;sid:84682028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96629.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818929/; classtype:trojan-activity;sid:84682029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81040.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818930/; classtype:trojan-activity;sid:84682030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49889.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818931/; classtype:trojan-activity;sid:84682031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48154.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818932/; classtype:trojan-activity;sid:84682032; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51173.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818926/; classtype:trojan-activity;sid:84682026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92157.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818923/; classtype:trojan-activity;sid:84682023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48752.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818924/; classtype:trojan-activity;sid:84682024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30968.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818925/; classtype:trojan-activity;sid:84682025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43724.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818908/; classtype:trojan-activity;sid:84682008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96061.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818909/; classtype:trojan-activity;sid:84682009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02185.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818910/; classtype:trojan-activity;sid:84682010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52843.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818911/; classtype:trojan-activity;sid:84682011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02881.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818912/; classtype:trojan-activity;sid:84682012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95823.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818913/; classtype:trojan-activity;sid:84682013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86529.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818914/; classtype:trojan-activity;sid:84682014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57990.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818915/; classtype:trojan-activity;sid:84682015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59180.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818916/; classtype:trojan-activity;sid:84682016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92463.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818917/; classtype:trojan-activity;sid:84682017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76383.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818918/; classtype:trojan-activity;sid:84682018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60763.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818919/; classtype:trojan-activity;sid:84682019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06020.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818920/; classtype:trojan-activity;sid:84682020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47973.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818921/; classtype:trojan-activity;sid:84682021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818922)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93523.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818922/; classtype:trojan-activity;sid:84682022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63675.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818900/; classtype:trojan-activity;sid:84682000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65304.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818901/; classtype:trojan-activity;sid:84682001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37248.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818902/; classtype:trojan-activity;sid:84682002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05947.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818903/; classtype:trojan-activity;sid:84682003; rev:1;)
# --- refundonex.com lure cluster (rules created 2026_04_13) ---
# Each rule below alerts on one cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET where:
#   * http.host is exactly "refundonex.com" (depth:14 anchors the start, isdataat:!1,relative
#     anchors the end; Suricata lower-cases this buffer, so the host match carries no nocase), and
#   * http.uri is exactly one listed "/cloud/form_<5 digits>.pdf.<vbs|ps1|lnk>" path
#     (depth:25 + endswith, compared case-insensitively).
# The double extension makes a script or shortcut file look like a PDF form.
# Triage: every sid in this run points at the same host, so a hit on any of them is a
# host-level indicator; check proxy/DNS logs for other requests to refundonex.com from the
# same client and whether the downloaded file was opened.
# Coverage: only the exact paths listed alert, and only over plain HTTP. The numeric part
# differs in every rule, so paths not yet in the feed are not covered; blocking or alerting
# on the domain at DNS/proxy level closes that gap.
# NOTE(review): the feed header carries a "Last updated" stamp, so this file is presumably
# regenerated; keep local tuning (thresholds, suppressions) outside it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04630.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818904/; classtype:trojan-activity;sid:84682004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96145.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818905/; classtype:trojan-activity;sid:84682005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21463.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818906/; classtype:trojan-activity;sid:84682006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70351.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818907/; classtype:trojan-activity;sid:84682007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12570.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818898/; classtype:trojan-activity;sid:84681998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27995.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818899/; classtype:trojan-activity;sid:84681999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82041.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818892/; classtype:trojan-activity;sid:84681992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01577.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818893/; classtype:trojan-activity;sid:84681993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62963.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818894/; classtype:trojan-activity;sid:84681994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36223.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818895/; classtype:trojan-activity;sid:84681995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42552.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818896/; classtype:trojan-activity;sid:84681996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10319.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818897/; classtype:trojan-activity;sid:84681997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35795.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818889/; classtype:trojan-activity;sid:84681989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13309.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818890/; classtype:trojan-activity;sid:84681990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62843.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818891/; classtype:trojan-activity;sid:84681991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47384.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818886/; classtype:trojan-activity;sid:84681986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62809.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818887/; classtype:trojan-activity;sid:84681987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55648.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818888/; classtype:trojan-activity;sid:84681988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85697.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818883/; classtype:trojan-activity;sid:84681983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49196.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818884/; classtype:trojan-activity;sid:84681984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83645.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818885/; classtype:trojan-activity;sid:84681985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53430.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818878/; classtype:trojan-activity;sid:84681978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93813.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818879/; classtype:trojan-activity;sid:84681979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99237.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818880/; classtype:trojan-activity;sid:84681980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08667.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818881/; classtype:trojan-activity;sid:84681981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99268.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818882/; classtype:trojan-activity;sid:84681982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75034.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818870/; classtype:trojan-activity;sid:84681970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48752.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818871/; classtype:trojan-activity;sid:84681971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76995.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818872/; classtype:trojan-activity;sid:84681972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40082.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818873/; classtype:trojan-activity;sid:84681973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52860.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818874/; classtype:trojan-activity;sid:84681974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69254.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818875/; classtype:trojan-activity;sid:84681975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36769.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818876/; classtype:trojan-activity;sid:84681976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46273.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818877/; classtype:trojan-activity;sid:84681977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68359.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818869/; classtype:trojan-activity;sid:84681969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52937.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818867/; classtype:trojan-activity;sid:84681967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42022.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818868/; classtype:trojan-activity;sid:84681968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20299.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818866/; classtype:trojan-activity;sid:84681966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19872.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818863/; classtype:trojan-activity;sid:84681963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83897.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818864/; classtype:trojan-activity;sid:84681964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63451.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818865/; classtype:trojan-activity;sid:84681965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25525.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818853/; classtype:trojan-activity;sid:84681953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58115.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818854/; classtype:trojan-activity;sid:84681954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80840.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818855/; classtype:trojan-activity;sid:84681955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64761.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818856/; classtype:trojan-activity;sid:84681956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20237.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818857/; classtype:trojan-activity;sid:84681957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97143.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818858/; classtype:trojan-activity;sid:84681958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39818.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818859/; classtype:trojan-activity;sid:84681959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91484.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818860/; classtype:trojan-activity;sid:84681960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08429.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818861/; classtype:trojan-activity;sid:84681961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34784.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818862/; classtype:trojan-activity;sid:84681962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33122.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818851/; classtype:trojan-activity;sid:84681951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95365.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818852/; classtype:trojan-activity;sid:84681952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54837.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818846/; classtype:trojan-activity;sid:84681946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60727.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818847/; classtype:trojan-activity;sid:84681947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79811.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818848/; classtype:trojan-activity;sid:84681948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48796.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818849/; classtype:trojan-activity;sid:84681949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07212.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818850/; classtype:trojan-activity;sid:84681950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31048.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818845/; classtype:trojan-activity;sid:84681945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89226.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818837/; classtype:trojan-activity;sid:84681937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94326.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818838/; classtype:trojan-activity;sid:84681938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56048.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818839/; classtype:trojan-activity;sid:84681939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07013.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818840/; classtype:trojan-activity;sid:84681940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66742.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818841/; classtype:trojan-activity;sid:84681941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06949.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818842/; classtype:trojan-activity;sid:84681942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55953.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818843/; classtype:trojan-activity;sid:84681943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96477.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818844/; classtype:trojan-activity;sid:84681944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93259.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818828/; classtype:trojan-activity;sid:84681928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97426.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818829/; classtype:trojan-activity;sid:84681929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15861.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818830/; classtype:trojan-activity;sid:84681930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74743.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818831/; classtype:trojan-activity;sid:84681931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86428.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818832/; classtype:trojan-activity;sid:84681932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04829.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818833/; classtype:trojan-activity;sid:84681933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33091.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818834/; classtype:trojan-activity;sid:84681934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70818.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818835/; classtype:trojan-activity;sid:84681935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08686.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818836/; classtype:trojan-activity;sid:84681936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85498.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818818/; classtype:trojan-activity;sid:84681918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01673.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818819/; classtype:trojan-activity;sid:84681919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06113.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818820/; classtype:trojan-activity;sid:84681920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30968.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818821/; classtype:trojan-activity;sid:84681921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69394.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818822/; classtype:trojan-activity;sid:84681922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_92696.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818823/; classtype:trojan-activity;sid:84681923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63128.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818824/; classtype:trojan-activity;sid:84681924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64549.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818825/; classtype:trojan-activity;sid:84681925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24198.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818826/; classtype:trojan-activity;sid:84681926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35000.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818827/; classtype:trojan-activity;sid:84681927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08686.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818812/; classtype:trojan-activity;sid:84681912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59828.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818813/; classtype:trojan-activity;sid:84681913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73024.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818814/; classtype:trojan-activity;sid:84681914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68947.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818815/; classtype:trojan-activity;sid:84681915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57064.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818816/; classtype:trojan-activity;sid:84681916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818817)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69918.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818817/; classtype:trojan-activity;sid:84681917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12397.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818811/; classtype:trojan-activity;sid:84681911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95692.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818810/; classtype:trojan-activity;sid:84681910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31218.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818808/; classtype:trojan-activity;sid:84681908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06072.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818809/; classtype:trojan-activity;sid:84681909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03117.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818805/; classtype:trojan-activity;sid:84681905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73308.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818806/; classtype:trojan-activity;sid:84681906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59517.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818807/; classtype:trojan-activity;sid:84681907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49639.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818803/; classtype:trojan-activity;sid:84681903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818804)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_96145.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818804/; classtype:trojan-activity;sid:84681904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91129.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818797/; classtype:trojan-activity;sid:84681897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88222.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818798/; classtype:trojan-activity;sid:84681898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61120.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818799/; classtype:trojan-activity;sid:84681899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75892.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818800/; classtype:trojan-activity;sid:84681900; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01986.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818801/; classtype:trojan-activity;sid:84681901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10624.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818802/; classtype:trojan-activity;sid:84681902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53097.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818789/; classtype:trojan-activity;sid:84681889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61627.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818790/; classtype:trojan-activity;sid:84681890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77272.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818791/; classtype:trojan-activity;sid:84681891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66425.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818792/; classtype:trojan-activity;sid:84681892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75892.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818793/; classtype:trojan-activity;sid:84681893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90644.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818794/; classtype:trojan-activity;sid:84681894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18701.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818795/; classtype:trojan-activity;sid:84681895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49780.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818796/; classtype:trojan-activity;sid:84681896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59150.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818781/; classtype:trojan-activity;sid:84681881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91385.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818782/; classtype:trojan-activity;sid:84681882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00826.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818783/; classtype:trojan-activity;sid:84681883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72715.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818784/; classtype:trojan-activity;sid:84681884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54542.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818785/; classtype:trojan-activity;sid:84681885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76835.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818786/; classtype:trojan-activity;sid:84681886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97455.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818787/; classtype:trojan-activity;sid:84681887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04008.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818788/; classtype:trojan-activity;sid:84681888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818775)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/testx.pdf.vbs"; depth:20; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818775/; classtype:trojan-activity;sid:84681875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53894.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818776/; classtype:trojan-activity;sid:84681876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_97420.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818777/; classtype:trojan-activity;sid:84681877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68501.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818778/; classtype:trojan-activity;sid:84681878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96856.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818779/; classtype:trojan-activity;sid:84681879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72579.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818780/; classtype:trojan-activity;sid:84681880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94040.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818767/; classtype:trojan-activity;sid:84681867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65304.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818768/; classtype:trojan-activity;sid:84681868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80830.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818769/; classtype:trojan-activity;sid:84681869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818770)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_27247.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818770/; classtype:trojan-activity;sid:84681870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90077.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818771/; classtype:trojan-activity;sid:84681871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01986.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818772/; classtype:trojan-activity;sid:84681872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47978.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818773/; classtype:trojan-activity;sid:84681873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69740.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818774/; classtype:trojan-activity;sid:84681874; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94559.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818763/; classtype:trojan-activity;sid:84681863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03117.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818764/; classtype:trojan-activity;sid:84681864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84106.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818765/; classtype:trojan-activity;sid:84681865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78116.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818766/; classtype:trojan-activity;sid:84681866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84428.pdf.lnk"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818758/; classtype:trojan-activity;sid:84681858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73976.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818759/; classtype:trojan-activity;sid:84681859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64948.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818760/; classtype:trojan-activity;sid:84681860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88971.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818761/; classtype:trojan-activity;sid:84681861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99806.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818762/; classtype:trojan-activity;sid:84681862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94834.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818754/; classtype:trojan-activity;sid:84681854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24764.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818755/; classtype:trojan-activity;sid:84681855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72145.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818756/; classtype:trojan-activity;sid:84681856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22166.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818757/; classtype:trojan-activity;sid:84681857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36597.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818748/; classtype:trojan-activity;sid:84681848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77462.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818749/; classtype:trojan-activity;sid:84681849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20713.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818750/; classtype:trojan-activity;sid:84681850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96474.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818751/; classtype:trojan-activity;sid:84681851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40469.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818752/; classtype:trojan-activity;sid:84681852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818753)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44107.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818753/; classtype:trojan-activity;sid:84681853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88599.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818745/; classtype:trojan-activity;sid:84681845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56966.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818746/; classtype:trojan-activity;sid:84681846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85013.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818747/; classtype:trojan-activity;sid:84681847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26701.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818739/; classtype:trojan-activity;sid:84681839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98423.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818740/; classtype:trojan-activity;sid:84681840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85934.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818741/; classtype:trojan-activity;sid:84681841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56400.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818742/; classtype:trojan-activity;sid:84681842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40082.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818743/; classtype:trojan-activity;sid:84681843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818744)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/testx.pdf.lnk"; depth:20; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818744/; classtype:trojan-activity;sid:84681844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41620.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818737/; classtype:trojan-activity;sid:84681837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38075.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818738/; classtype:trojan-activity;sid:84681838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96061.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818732/; classtype:trojan-activity;sid:84681832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96851.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818733/; classtype:trojan-activity;sid:84681833; rev:1;) 
# Reviewer note on this run of rules (http.host "refundonex.com", http.uri "/cloud/..."):
# - Each rule covers one reported URL. On http.uri, depth:N plus endswith with an
#   N-byte pattern pins the match to the whole normalized URI (case-insensitive via
#   nocase), so the same path with a query string appended, or another
#   form_<digits> number, does not alert.
# - On http.host, depth:14 plus isdataat:!1,relative likewise requires the host
#   buffer to be exactly the listed name.
# - "alert http" only fires on traffic Suricata parses as HTTP; fetches from the
#   same host over TLS are not covered unless traffic is decrypted upstream. A
#   host-level rule (for example on dns.query or tls.sni) would be a complementary
#   local detection; it is not part of this feed.
# - The listed file names carry a document-style double extension (.pdf.vbs,
#   .pdf.lnk, .pdf.ps1); the final extension is the script/shortcut type.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07013.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818734/; classtype:trojan-activity;sid:84681834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54467.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818735/; classtype:trojan-activity;sid:84681835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90347.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818736/; classtype:trojan-activity;sid:84681836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90583.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818729/; classtype:trojan-activity;sid:84681829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86842.pdf.vbs"; depth:25; endswith; nocase; http.host; 
content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818730/; classtype:trojan-activity;sid:84681830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78106.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818731/; classtype:trojan-activity;sid:84681831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81612.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818726/; classtype:trojan-activity;sid:84681826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99162.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818727/; classtype:trojan-activity;sid:84681827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57896.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818728/; classtype:trojan-activity;sid:84681828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3818722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08901.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818722/; classtype:trojan-activity;sid:84681822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83640.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818723/; classtype:trojan-activity;sid:84681823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27573.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818724/; classtype:trojan-activity;sid:84681824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70273.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818725/; classtype:trojan-activity;sid:84681825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52315.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818716/; classtype:trojan-activity;sid:84681816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43581.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818717/; classtype:trojan-activity;sid:84681817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72160.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818718/; classtype:trojan-activity;sid:84681818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30908.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818719/; classtype:trojan-activity;sid:84681819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64220.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818720/; classtype:trojan-activity;sid:84681820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818721)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/458/cloudconnect.hta"; depth:21; endswith; nocase; http.host; content:"107.175.88.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818721/; classtype:trojan-activity;sid:84681821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81650.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818710/; classtype:trojan-activity;sid:84681810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08999.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818711/; classtype:trojan-activity;sid:84681811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76383.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818712/; classtype:trojan-activity;sid:84681812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37964.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818713/; classtype:trojan-activity;sid:84681813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46273.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818714/; classtype:trojan-activity;sid:84681814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28358.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818715/; classtype:trojan-activity;sid:84681815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88746.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818704/; classtype:trojan-activity;sid:84681804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36406.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818705/; classtype:trojan-activity;sid:84681805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818706)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_36347.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818706/; classtype:trojan-activity;sid:84681806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83418.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818707/; classtype:trojan-activity;sid:84681807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88222.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818708/; classtype:trojan-activity;sid:84681808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84107.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818709/; classtype:trojan-activity;sid:84681809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34235.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818702/; classtype:trojan-activity;sid:84681802; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18258.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818703/; classtype:trojan-activity;sid:84681803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20035.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818700/; classtype:trojan-activity;sid:84681800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23593.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818701/; classtype:trojan-activity;sid:84681801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71572.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818695/; classtype:trojan-activity;sid:84681795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13302.pdf.vbs"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818696/; classtype:trojan-activity;sid:84681796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00620.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818697/; classtype:trojan-activity;sid:84681797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12525.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818698/; classtype:trojan-activity;sid:84681798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28332.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818699/; classtype:trojan-activity;sid:84681799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45429.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818693/; classtype:trojan-activity;sid:84681793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13843.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818694/; classtype:trojan-activity;sid:84681794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50298.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818692/; classtype:trojan-activity;sid:84681792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86428.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818691/; classtype:trojan-activity;sid:84681791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56048.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818687/; classtype:trojan-activity;sid:84681787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94601.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818688/; classtype:trojan-activity;sid:84681788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69918.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818689/; classtype:trojan-activity;sid:84681789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34305.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818690/; classtype:trojan-activity;sid:84681790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93224.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818683/; classtype:trojan-activity;sid:84681783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90077.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818684/; classtype:trojan-activity;sid:84681784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818685)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_89431.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818685/; classtype:trojan-activity;sid:84681785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28346.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818686/; classtype:trojan-activity;sid:84681786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74798.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818680/; classtype:trojan-activity;sid:84681780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13802.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818681/; classtype:trojan-activity;sid:84681781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91385.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818682/; classtype:trojan-activity;sid:84681782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99433.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818668/; classtype:trojan-activity;sid:84681768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59828.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818669/; classtype:trojan-activity;sid:84681769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81050.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818670/; classtype:trojan-activity;sid:84681770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62565.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818671/; classtype:trojan-activity;sid:84681771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818672)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_03674.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818672/; classtype:trojan-activity;sid:84681772; rev:1;)
# The line above is the tail of a rule that begins earlier in the file.
#
# Anatomy of every rule in this run (one URLhaus entry per rule):
#   - alert http ... flow:established,from_client: client-to-server requests
#     from $HOME_NET to $EXTERNAL_NET that Suricata has decoded as HTTP.
#   - http.method content:"GET".
#   - http.uri content + depth:<len> + endswith + nocase: the content must sit
#     within the first <len> bytes and also end the buffer, so the whole URI
#     has to equal the listed path, compared case-insensitively.
#   - http.host content + depth:<len> + isdataat:!1,relative: no byte may
#     follow the match, so the Host value has to equal the listed name.
#   - msg and reference carry the URLhaus id; in the rules shown the sid is
#     that id plus 80863100.
# NOTE(review): every complete rule in this run names refundonex.com with a
# path of the form /cloud/form_<5 digits>.pdf.lnk or .pdf.vbs, i.e. a shortcut
# or script behind a ".pdf" double extension. Only the listed paths alert, so
# when triaging a hit also search proxy and DNS logs for the host itself.
# NOTE(review): these rules inspect decoded HTTP only; the same download over
# TLS is not seen unless traffic is decrypted upstream - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28346.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818673/; classtype:trojan-activity;sid:84681773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96939.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818674/; classtype:trojan-activity;sid:84681774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_93523.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818675/; classtype:trojan-activity;sid:84681775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35000.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818676/; classtype:trojan-activity;sid:84681776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61212.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818677/; classtype:trojan-activity;sid:84681777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67925.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818678/; classtype:trojan-activity;sid:84681778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07712.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818679/; classtype:trojan-activity;sid:84681779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01788.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818665/; classtype:trojan-activity;sid:84681765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07950.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818666/; classtype:trojan-activity;sid:84681766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34305.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818667/; classtype:trojan-activity;sid:84681767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08788.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818663/; classtype:trojan-activity;sid:84681763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81867.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818664/; classtype:trojan-activity;sid:84681764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11740.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818660/; classtype:trojan-activity;sid:84681760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40469.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818661/; classtype:trojan-activity;sid:84681761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81547.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818662/; classtype:trojan-activity;sid:84681762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46415.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818658/; classtype:trojan-activity;sid:84681758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98790.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818659/; classtype:trojan-activity;sid:84681759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96498.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818650/; classtype:trojan-activity;sid:84681750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45309.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818651/; classtype:trojan-activity;sid:84681751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01673.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818652/; classtype:trojan-activity;sid:84681752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96783.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818653/; classtype:trojan-activity;sid:84681753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08939.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818654/; classtype:trojan-activity;sid:84681754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12549.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818655/; classtype:trojan-activity;sid:84681755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34784.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818656/; classtype:trojan-activity;sid:84681756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79569.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818657/; classtype:trojan-activity;sid:84681757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69167.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818648/; classtype:trojan-activity;sid:84681748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81040.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818649/; classtype:trojan-activity;sid:84681749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75813.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818645/; classtype:trojan-activity;sid:84681745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82276.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818646/; classtype:trojan-activity;sid:84681746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47384.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818647/; classtype:trojan-activity;sid:84681747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04008.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818642/; classtype:trojan-activity;sid:84681742; rev:1;)
# The rule below is cut by the page's line wrap and continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818643)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cloud/form_15314.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818643/; classtype:trojan-activity;sid:84681743; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# Each rule in this run is an exact-match IoC for one URLhaus entry: an HTTP
# GET from $HOME_NET whose whole URI (http.uri content + depth + endswith,
# nocase) and whole Host value (http.host content + depth +
# isdataat:!1,relative) equal the listed strings. depth is the content length
# in every rule shown, which is what turns the match into an equality test.
# NOTE(review): apart from the one rule marked further down, every complete
# rule in this run names refundonex.com with /cloud/form_<5 digits>.pdf.lnk,
# .pdf.vbs or .pdf.ps1 - a shortcut or script behind a ".pdf" double
# extension. An alert here means a client requested the file, not that it ran;
# confirm on the endpoint before closing or escalating.
# NOTE(review): only the listed paths alert, and only over decoded HTTP.
# Host-level telemetry (DNS, proxy logs) is the usual complement - verify it
# is collected for $HOME_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12549.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818644/; classtype:trojan-activity;sid:84681744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21763.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818638/; classtype:trojan-activity;sid:84681738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21974.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818639/; classtype:trojan-activity;sid:84681739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72201.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818640/; classtype:trojan-activity;sid:84681740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74348.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818641/; classtype:trojan-activity;sid:84681741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73959.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818632/; classtype:trojan-activity;sid:84681732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61451.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818633/; classtype:trojan-activity;sid:84681733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82041.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818634/; classtype:trojan-activity;sid:84681734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_85369.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818635/; classtype:trojan-activity;sid:84681735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66250.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818636/; classtype:trojan-activity;sid:84681736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62609.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818637/; classtype:trojan-activity;sid:84681737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98775.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818630/; classtype:trojan-activity;sid:84681730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91484.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818631/; classtype:trojan-activity;sid:84681731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64898.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818624/; classtype:trojan-activity;sid:84681724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21024.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818625/; classtype:trojan-activity;sid:84681725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13235.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818626/; classtype:trojan-activity;sid:84681726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50149.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818627/; classtype:trojan-activity;sid:84681727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07693.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818628/; classtype:trojan-activity;sid:84681728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30329.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818629/; classtype:trojan-activity;sid:84681729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53592.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818616/; classtype:trojan-activity;sid:84681716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47796.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818617/; classtype:trojan-activity;sid:84681717; rev:1;)
# Different entry from the surrounding cluster: the Host value is an IP
# literal and the path ends in .js; the rule structure is otherwise the same
# (depth 24 and 12 equal the two content lengths).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/55/goodforbestthings.js"; depth:24; endswith; nocase; http.host; content:"198.12.83.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818618/; classtype:trojan-activity;sid:84681718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06235.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818619/; classtype:trojan-activity;sid:84681719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38899.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818620/; classtype:trojan-activity;sid:84681720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67100.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818621/; classtype:trojan-activity;sid:84681721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96539.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818622/; classtype:trojan-activity;sid:84681722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87547.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818623/; classtype:trojan-activity;sid:84681723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10936.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818613/; classtype:trojan-activity;sid:84681713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14388.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818614/; classtype:trojan-activity;sid:84681714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27329.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818615/; classtype:trojan-activity;sid:84681715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21490.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818612/; classtype:trojan-activity;sid:84681712; rev:1;)
# The rule below is cut by the page's line wrap and continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818605)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cloud/form_78394.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818605/; classtype:trojan-activity;sid:84681705; rev:1;)
# The line above is the tail of a rule that begins on the previous line.
#
# One rule per URLhaus entry, all with the same shape: an established
# client-side HTTP GET from $HOME_NET to $EXTERNAL_NET where the whole URI
# (http.uri: content, depth, endswith, nocase) and the whole Host value
# (http.host: content, depth, isdataat:!1,relative) equal the listed strings.
# The URLhaus id appears in msg and in the reference URL; metadata records the
# day the entry was added (2026_04_13 for every rule in this run).
# NOTE(review): apart from the one rule marked further down, every complete
# rule in this run names refundonex.com with /cloud/form_<5 digits>.pdf.lnk,
# .pdf.vbs or .pdf.ps1. Because each rule is an equality test on one URL, the
# set is only as complete as the feed; keep the ruleset refreshed on the feed's
# update schedule and retire entries per local policy - confirm with the
# URLhaus terms linked in the file header.
# NOTE(review): these rules see decoded HTTP only; TLS-wrapped requests need
# decryption upstream or a separate DNS/TLS-based detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81271.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818606/; classtype:trojan-activity;sid:84681706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61451.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818607/; classtype:trojan-activity;sid:84681707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37612.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818608/; classtype:trojan-activity;sid:84681708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38901.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818609/; classtype:trojan-activity;sid:84681709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33853.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818610/; classtype:trojan-activity;sid:84681710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58844.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818611/; classtype:trojan-activity;sid:84681711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45698.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818596/; classtype:trojan-activity;sid:84681696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08117.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818597/; classtype:trojan-activity;sid:84681697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_82208.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818598/; classtype:trojan-activity;sid:84681698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10888.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818599/; classtype:trojan-activity;sid:84681699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31268.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818600/; classtype:trojan-activity;sid:84681700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05895.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818601/; classtype:trojan-activity;sid:84681701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_95365.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818602/; classtype:trojan-activity;sid:84681702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54935.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818603/; classtype:trojan-activity;sid:84681703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55292.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818604/; classtype:trojan-activity;sid:84681704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_91107.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818591/; classtype:trojan-activity;sid:84681691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07301.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818592/; classtype:trojan-activity;sid:84681692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78106.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818593/; classtype:trojan-activity;sid:84681693; rev:1;)
# Different entry from the surrounding cluster: another host and a long,
# UUID-like path ending in ".google"; same exact-match structure (depth 82 and
# 28 equal the two content lengths).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"capi-recor.echi6under.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818594/; classtype:trojan-activity;sid:84681694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02185.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818595/; classtype:trojan-activity;sid:84681695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98882.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818587/; classtype:trojan-activity;sid:84681687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_81245.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818588/; classtype:trojan-activity;sid:84681688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72579.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818589/; classtype:trojan-activity;sid:84681689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30736.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818590/; classtype:trojan-activity;sid:84681690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98937.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818586/; classtype:trojan-activity;sid:84681686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49639.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818580/; classtype:trojan-activity;sid:84681680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45248.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818581/; classtype:trojan-activity;sid:84681681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_98882.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818582/; classtype:trojan-activity;sid:84681682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_90950.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818583/; classtype:trojan-activity;sid:84681683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64266.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818584/; classtype:trojan-activity;sid:84681684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88278.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818585/; classtype:trojan-activity;sid:84681685; rev:1;)
# The rule below is cut by the page's line wrap and continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818576)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77434.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818576/; classtype:trojan-activity;sid:84681676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70894.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818577/; classtype:trojan-activity;sid:84681677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23919.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818578/; classtype:trojan-activity;sid:84681678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_83467.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818579/; classtype:trojan-activity;sid:84681679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_86842.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818571/; classtype:trojan-activity;sid:84681671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72606.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818572/; classtype:trojan-activity;sid:84681672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53051.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818573/; classtype:trojan-activity;sid:84681673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78812.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818574/; classtype:trojan-activity;sid:84681674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08788.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818575/; classtype:trojan-activity;sid:84681675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818565)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_36728.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818565/; classtype:trojan-activity;sid:84681665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43152.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818566/; classtype:trojan-activity;sid:84681666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96477.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818567/; classtype:trojan-activity;sid:84681667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15848.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818568/; classtype:trojan-activity;sid:84681668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49178.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818569/; classtype:trojan-activity;sid:84681669; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68622.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818570/; classtype:trojan-activity;sid:84681670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77494.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818561/; classtype:trojan-activity;sid:84681661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49889.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818562/; classtype:trojan-activity;sid:84681662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35769.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818563/; classtype:trojan-activity;sid:84681663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_94601.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818564/; classtype:trojan-activity;sid:84681664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39670.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818555/; classtype:trojan-activity;sid:84681655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08335.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818556/; classtype:trojan-activity;sid:84681656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00231.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818557/; classtype:trojan-activity;sid:84681657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52297.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818558/; classtype:trojan-activity;sid:84681658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87554.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818559/; classtype:trojan-activity;sid:84681659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99131.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818560/; classtype:trojan-activity;sid:84681660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42322.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818550/; classtype:trojan-activity;sid:84681650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68809.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818551/; classtype:trojan-activity;sid:84681651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72493.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818552/; classtype:trojan-activity;sid:84681652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01622.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818553/; classtype:trojan-activity;sid:84681653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_87519.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818554/; classtype:trojan-activity;sid:84681654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_84428.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818549/; classtype:trojan-activity;sid:84681649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01622.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818542/; classtype:trojan-activity;sid:84681642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818543)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07505.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818543/; classtype:trojan-activity;sid:84681643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_96539.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818544/; classtype:trojan-activity;sid:84681644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/josetomas.pdf.lnk"; depth:24; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818545/; classtype:trojan-activity;sid:84681645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10539.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818546/; classtype:trojan-activity;sid:84681646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52435.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818547/; classtype:trojan-activity;sid:84681647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_88971.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818548/; classtype:trojan-activity;sid:84681648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43666.pdf.lnk"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818541/; classtype:trojan-activity;sid:84681641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39574.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818539/; classtype:trojan-activity;sid:84681639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63667.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818540/; classtype:trojan-activity;sid:84681640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818537)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_05378.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818537/; classtype:trojan-activity;sid:84681637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62843.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818538/; classtype:trojan-activity;sid:84681638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48547.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818534/; classtype:trojan-activity;sid:84681634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43572.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818535/; classtype:trojan-activity;sid:84681635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65740.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818536/; classtype:trojan-activity;sid:84681636; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79342.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818531/; classtype:trojan-activity;sid:84681631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33853.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818532/; classtype:trojan-activity;sid:84681632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23580.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818533/; classtype:trojan-activity;sid:84681633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66250.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818523/; classtype:trojan-activity;sid:84681623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13235.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818524/; classtype:trojan-activity;sid:84681624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66758.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818525/; classtype:trojan-activity;sid:84681625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70402.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818526/; classtype:trojan-activity;sid:84681626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53097.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818527/; classtype:trojan-activity;sid:84681627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55920.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818528/; classtype:trojan-activity;sid:84681628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75496.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818529/; classtype:trojan-activity;sid:84681629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63809.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818530/; classtype:trojan-activity;sid:84681630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00757.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818522/; classtype:trojan-activity;sid:84681622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31225.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818514/; classtype:trojan-activity;sid:84681614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52937.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818515/; classtype:trojan-activity;sid:84681615; rev:1;)
# --- refundonex.com /cloud/form_<5 digits>.pdf.ps1 cluster (created_at 2026_04_13) ---
# Every rule in this run has the same shape and differs only in the five-digit
# form number, the URLhaus id in msg/reference, and the sid.
# What fires: an established client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET, i.e. an internal host requesting the file.
# The match is exact on both buffers: depth equal to the content length pins the
# start, and endswith (http.uri) / isdataat:!1,relative (http.host) pins the end.
# The URI comparison is case-insensitive (nocase).
# Coverage limits to keep in mind when triaging or tuning:
#   - a form_ number not listed here, or the same path with anything appended
#     to the URI, falls outside these signatures;
#   - these are http rules, so the same host reached over TLS is not inspected
#     unless the traffic is decrypted; DNS or TLS SNI telemetry for the host
#     complements them.
# The .pdf.ps1 double extension indicates a PowerShell script named to look like
# a PDF form; on an alert, check the requesting endpoint for PowerShell
# execution around the time of the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49326.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818516/; classtype:trojan-activity;sid:84681616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66977.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818517/; classtype:trojan-activity;sid:84681617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16480.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818518/; classtype:trojan-activity;sid:84681618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13236.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818519/; classtype:trojan-activity;sid:84681619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03117.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818520/; classtype:trojan-activity;sid:84681620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66723.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818521/; classtype:trojan-activity;sid:84681621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03331.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818513/; classtype:trojan-activity;sid:84681613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63451.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818510/; classtype:trojan-activity;sid:84681610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67130.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818511/; classtype:trojan-activity;sid:84681611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54354.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818512/; classtype:trojan-activity;sid:84681612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08335.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818509/; classtype:trojan-activity;sid:84681609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71145.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818500/; classtype:trojan-activity;sid:84681600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66017.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818501/; classtype:trojan-activity;sid:84681601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52326.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818502/; classtype:trojan-activity;sid:84681602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61627.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818503/; classtype:trojan-activity;sid:84681603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40212.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818504/; classtype:trojan-activity;sid:84681604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36769.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818505/; classtype:trojan-activity;sid:84681605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13881.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818506/; classtype:trojan-activity;sid:84681606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71207.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818507/; classtype:trojan-activity;sid:84681607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53631.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818508/; classtype:trojan-activity;sid:84681608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20859.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818494/; classtype:trojan-activity;sid:84681594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12570.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818495/; classtype:trojan-activity;sid:84681595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65349.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818496/; classtype:trojan-activity;sid:84681596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53313.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818497/; classtype:trojan-activity;sid:84681597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46586.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818498/; classtype:trojan-activity;sid:84681598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50934.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818499/; classtype:trojan-activity;sid:84681599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29854.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818487/; classtype:trojan-activity;sid:84681587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21024.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818488/; classtype:trojan-activity;sid:84681588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38832.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818489/; classtype:trojan-activity;sid:84681589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35369.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818490/; classtype:trojan-activity;sid:84681590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01673.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818491/; classtype:trojan-activity;sid:84681591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23593.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818492/; classtype:trojan-activity;sid:84681592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72493.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818493/; classtype:trojan-activity;sid:84681593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39773.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818486/; classtype:trojan-activity;sid:84681586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43756.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818483/; classtype:trojan-activity;sid:84681583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13802.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818484/; classtype:trojan-activity;sid:84681584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76404.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818485/; classtype:trojan-activity;sid:84681585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24764.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818477/; classtype:trojan-activity;sid:84681577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06072.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818478/; classtype:trojan-activity;sid:84681578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02259.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818479/; classtype:trojan-activity;sid:84681579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27140.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818480/; classtype:trojan-activity;sid:84681580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17113.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818481/; classtype:trojan-activity;sid:84681581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36223.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818482/; classtype:trojan-activity;sid:84681582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70273.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818476/; classtype:trojan-activity;sid:84681576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06290.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818470/; classtype:trojan-activity;sid:84681570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70706.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818471/; classtype:trojan-activity;sid:84681571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22166.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818472/; classtype:trojan-activity;sid:84681572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21763.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818473/; classtype:trojan-activity;sid:84681573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12317.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818474/; classtype:trojan-activity;sid:84681574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75982.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818475/; classtype:trojan-activity;sid:84681575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72579.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818466/; classtype:trojan-activity;sid:84681566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72800.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818467/; classtype:trojan-activity;sid:84681567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72333.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818468/; classtype:trojan-activity;sid:84681568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45694.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818469/; classtype:trojan-activity;sid:84681569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60163.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818460/; classtype:trojan-activity;sid:84681560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56298.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818461/; classtype:trojan-activity;sid:84681561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42022.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818462/; classtype:trojan-activity;sid:84681562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34096.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818463/; classtype:trojan-activity;sid:84681563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37826.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818464/; classtype:trojan-activity;sid:84681564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34293.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818465/; classtype:trojan-activity;sid:84681565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26917.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818453/; classtype:trojan-activity;sid:84681553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08622.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818454/; classtype:trojan-activity;sid:84681554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55337.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818455/; classtype:trojan-activity;sid:84681555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07793.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818456/; classtype:trojan-activity;sid:84681556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38670.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818457/; classtype:trojan-activity;sid:84681557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77303.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818458/; classtype:trojan-activity;sid:84681558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05816.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818459/; classtype:trojan-activity;sid:84681559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20799.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818450/; classtype:trojan-activity;sid:84681550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69035.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818451/; classtype:trojan-activity;sid:84681551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27995.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818452/; classtype:trojan-activity;sid:84681552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54805.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818441/; classtype:trojan-activity;sid:84681541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50616.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818442/; classtype:trojan-activity;sid:84681542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21152.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818443/; classtype:trojan-activity;sid:84681543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66262.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818444/; classtype:trojan-activity;sid:84681544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64948.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818445/; classtype:trojan-activity;sid:84681545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15833.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818446/; classtype:trojan-activity;sid:84681546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55691.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818447/; classtype:trojan-activity;sid:84681547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06239.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818448/; classtype:trojan-activity;sid:84681548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74229.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818449/; classtype:trojan-activity;sid:84681549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60555.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818439/; classtype:trojan-activity;sid:84681539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77272.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818440/; classtype:trojan-activity;sid:84681540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74348.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818437/; classtype:trojan-activity;sid:84681537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23840.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818438/; classtype:trojan-activity;sid:84681538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53098.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818434/; classtype:trojan-activity;sid:84681534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09625.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818435/; classtype:trojan-activity;sid:84681535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33018.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818436/; classtype:trojan-activity;sid:84681536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63640.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818433/; classtype:trojan-activity;sid:84681533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72715.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818427/; classtype:trojan-activity;sid:84681527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52860.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818428/; classtype:trojan-activity;sid:84681528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70818.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818429/; classtype:trojan-activity;sid:84681529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78812.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818430/; classtype:trojan-activity;sid:84681530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34784.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818431/; classtype:trojan-activity;sid:84681531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58115.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818432/; classtype:trojan-activity;sid:84681532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01796.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818424/; classtype:trojan-activity;sid:84681524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68947.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818425/; classtype:trojan-activity;sid:84681525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48040.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818426/; classtype:trojan-activity;sid:84681526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30736.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818422/; classtype:trojan-activity;sid:84681522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60763.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818423/; classtype:trojan-activity;sid:84681523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06020.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818409/; classtype:trojan-activity;sid:84681509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47973.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818410/; classtype:trojan-activity;sid:84681510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818411)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45012.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818411/; classtype:trojan-activity;sid:84681511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56400.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818412/; classtype:trojan-activity;sid:84681512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47111.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818413/; classtype:trojan-activity;sid:84681513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22872.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818414/; classtype:trojan-activity;sid:84681514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28210.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818415/; classtype:trojan-activity;sid:84681515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17665.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818416/; classtype:trojan-activity;sid:84681516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31160.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818417/; classtype:trojan-activity;sid:84681517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45753.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818418/; classtype:trojan-activity;sid:84681518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23430.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818419/; classtype:trojan-activity;sid:84681519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818420)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_62809.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818420/; classtype:trojan-activity;sid:84681520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23911.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818421/; classtype:trojan-activity;sid:84681521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42486.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818408/; classtype:trojan-activity;sid:84681508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37383.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818397/; classtype:trojan-activity;sid:84681497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36597.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818398/; classtype:trojan-activity;sid:84681498; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57990.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818399/; classtype:trojan-activity;sid:84681499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60727.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818400/; classtype:trojan-activity;sid:84681500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46084.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818401/; classtype:trojan-activity;sid:84681501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39469.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818402/; classtype:trojan-activity;sid:84681502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36406.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818403/; classtype:trojan-activity;sid:84681503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00231.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818404/; classtype:trojan-activity;sid:84681504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25490.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818405/; classtype:trojan-activity;sid:84681505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68656.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818406/; classtype:trojan-activity;sid:84681506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41620.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818407/; classtype:trojan-activity;sid:84681507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20299.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818396/; classtype:trojan-activity;sid:84681496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69254.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818395/; classtype:trojan-activity;sid:84681495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24820.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818394/; classtype:trojan-activity;sid:84681494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16459.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818390/; classtype:trojan-activity;sid:84681490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13302.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818391/; classtype:trojan-activity;sid:84681491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79849.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818392/; classtype:trojan-activity;sid:84681492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04008.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818393/; classtype:trojan-activity;sid:84681493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21415.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818385/; classtype:trojan-activity;sid:84681485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61120.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818386/; classtype:trojan-activity;sid:84681486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818387)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51173.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818387/; classtype:trojan-activity;sid:84681487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36175.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818388/; classtype:trojan-activity;sid:84681488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04263.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818389/; classtype:trojan-activity;sid:84681489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46190.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818371/; classtype:trojan-activity;sid:84681471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24655.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818372/; classtype:trojan-activity;sid:84681472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76760.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818373/; classtype:trojan-activity;sid:84681473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00620.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818374/; classtype:trojan-activity;sid:84681474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79811.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818375/; classtype:trojan-activity;sid:84681475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03569.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818376/; classtype:trojan-activity;sid:84681476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818377)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_57350.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818377/; classtype:trojan-activity;sid:84681477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52435.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818378/; classtype:trojan-activity;sid:84681478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02192.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818379/; classtype:trojan-activity;sid:84681479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45429.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818380/; classtype:trojan-activity;sid:84681480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10624.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818381/; classtype:trojan-activity;sid:84681481; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31816.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818382/; classtype:trojan-activity;sid:84681482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06705.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818383/; classtype:trojan-activity;sid:84681483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41093.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818384/; classtype:trojan-activity;sid:84681484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34561.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818369/; classtype:trojan-activity;sid:84681469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64432.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818370/; classtype:trojan-activity;sid:84681470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17662.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818363/; classtype:trojan-activity;sid:84681463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54935.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818364/; classtype:trojan-activity;sid:84681464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34305.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818365/; classtype:trojan-activity;sid:84681465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64220.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818366/; classtype:trojan-activity;sid:84681466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15388.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818367/; classtype:trojan-activity;sid:84681467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02162.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818368/; classtype:trojan-activity;sid:84681468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38427.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818357/; classtype:trojan-activity;sid:84681457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75892.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818358/; classtype:trojan-activity;sid:84681458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79681.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818359/; classtype:trojan-activity;sid:84681459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72346.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818360/; classtype:trojan-activity;sid:84681460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10931.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818361/; classtype:trojan-activity;sid:84681461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21463.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818362/; classtype:trojan-activity;sid:84681462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35478.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818348/; classtype:trojan-activity;sid:84681448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818349)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08667.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818349/; classtype:trojan-activity;sid:84681449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11594.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818350/; classtype:trojan-activity;sid:84681450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53196.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818351/; classtype:trojan-activity;sid:84681451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66425.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818352/; classtype:trojan-activity;sid:84681452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03478.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818353/; classtype:trojan-activity;sid:84681453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48499.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818354/; classtype:trojan-activity;sid:84681454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54606.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818355/; classtype:trojan-activity;sid:84681455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16464.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818356/; classtype:trojan-activity;sid:84681456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27245.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818346/; classtype:trojan-activity;sid:84681446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818347)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_65225.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818347/; classtype:trojan-activity;sid:84681447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24978.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818342/; classtype:trojan-activity;sid:84681442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69962.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818343/; classtype:trojan-activity;sid:84681443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15837.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818344/; classtype:trojan-activity;sid:84681444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49889.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818345/; classtype:trojan-activity;sid:84681445; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36782.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818340/; classtype:trojan-activity;sid:84681440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36677.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818341/; classtype:trojan-activity;sid:84681441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22807.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818336/; classtype:trojan-activity;sid:84681436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05947.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818337/; classtype:trojan-activity;sid:84681437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57557.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818338/; classtype:trojan-activity;sid:84681438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16272.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818339/; classtype:trojan-activity;sid:84681439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05801.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818328/; classtype:trojan-activity;sid:84681428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51171.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818329/; classtype:trojan-activity;sid:84681429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64266.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818330/; classtype:trojan-activity;sid:84681430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79483.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818331/; classtype:trojan-activity;sid:84681431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46031.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818332/; classtype:trojan-activity;sid:84681432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02324.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818333/; classtype:trojan-activity;sid:84681433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59828.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818334/; classtype:trojan-activity;sid:84681434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34235.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818335/; classtype:trojan-activity;sid:84681435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38954.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818327/; classtype:trojan-activity;sid:84681427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01788.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818322/; classtype:trojan-activity;sid:84681422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00142.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818323/; classtype:trojan-activity;sid:84681423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56161.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818324/; classtype:trojan-activity;sid:84681424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818325)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42322.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818325/; classtype:trojan-activity;sid:84681425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31218.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818326/; classtype:trojan-activity;sid:84681426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78106.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818318/; classtype:trojan-activity;sid:84681418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48154.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818319/; classtype:trojan-activity;sid:84681419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54535.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818320/; classtype:trojan-activity;sid:84681420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71405.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818321/; classtype:trojan-activity;sid:84681421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33769.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818315/; classtype:trojan-activity;sid:84681415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35795.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818316/; classtype:trojan-activity;sid:84681416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35403.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818317/; classtype:trojan-activity;sid:84681417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818308)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_60726.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818308/; classtype:trojan-activity;sid:84681408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69149.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818309/; classtype:trojan-activity;sid:84681409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76148.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818310/; classtype:trojan-activity;sid:84681410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67655.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818311/; classtype:trojan-activity;sid:84681411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41495.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818312/; classtype:trojan-activity;sid:84681412; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09953.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818313/; classtype:trojan-activity;sid:84681413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19266.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818314/; classtype:trojan-activity;sid:84681414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44238.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818299/; classtype:trojan-activity;sid:84681399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63675.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818300/; classtype:trojan-activity;sid:84681400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23255.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818301/; classtype:trojan-activity;sid:84681401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33967.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818302/; classtype:trojan-activity;sid:84681402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25188.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818303/; classtype:trojan-activity;sid:84681403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38075.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818304/; classtype:trojan-activity;sid:84681404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46415.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818305/; classtype:trojan-activity;sid:84681405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10319.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818306/; classtype:trojan-activity;sid:84681406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15791.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818307/; classtype:trojan-activity;sid:84681407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12660.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818297/; classtype:trojan-activity;sid:84681397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37816.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818298/; classtype:trojan-activity;sid:84681398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33845.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818295/; classtype:trojan-activity;sid:84681395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17312.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818296/; classtype:trojan-activity;sid:84681396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57352.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818290/; classtype:trojan-activity;sid:84681390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07367.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818291/; classtype:trojan-activity;sid:84681391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02024.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818292/; classtype:trojan-activity;sid:84681392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818293)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65304.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818293/; classtype:trojan-activity;sid:84681393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20295.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818294/; classtype:trojan-activity;sid:84681394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61212.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818285/; classtype:trojan-activity;sid:84681385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79597.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818286/; classtype:trojan-activity;sid:84681386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53051.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818287/; classtype:trojan-activity;sid:84681387; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the run of rules below (rule text unchanged; one rule
# per line restored so that these comment lines can sit between rules).
#
# Every rule in this run has the same shape and differs only in the URLhaus
# entry ID, the five-digit number in the file name, and the sid.
#
# What a match means
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client inspects the outbound request only. An
#     alert says an internal host asked for the URL; it does not show that
#     the payload was delivered. Confirm with the HTTP response / file events
#     for the same flow before treating the host as infected.
#   - http.method content:"GET" limits the rule to GET requests.
#   - http.uri content + depth:25 + endswith on a 25-byte pattern requires the
#     whole URI buffer to equal /cloud/form_<5 digits>.pdf.ps1 (nocase makes
#     the comparison case-insensitive).
#   - http.host content + depth:14 + isdataat:!1,relative on a 14-byte pattern
#     requires the whole host buffer to equal refundonex.com; subdomains do
#     not match.
#   - In the rules visible here, sid = URLhaus entry ID + 80863100, and the
#     reference:url option points at the matching URLhaus entry, so an alert
#     can be traced back to the feed entry directly.
#
# Coverage caveats
#   - These are exact-URL indicators. Only the listed file names alert; the
#     numbered names look generated, so presumably further numbers exist that
#     the feed has not listed. Pair this feed with a host-level indicator
#     (DNS / proxy block-list entry) for the same domain.
#   - Protocol is http: a request to the same host over TLS is not inspected
#     by these rules unless the sensor sees decrypted traffic. A DNS- or
#     TLS-SNI-based indicator for the host is needed to cover that case.
#   - The ".pdf.ps1" double extension suggests a PowerShell script named to
#     look like a PDF form (inferred from the file names only). On an alert,
#     review PowerShell script-block and process-creation logs on the source
#     host for the time of the request.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54467.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818288/; classtype:trojan-activity;sid:84681388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41312.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818289/; classtype:trojan-activity;sid:84681389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17562.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818283/; classtype:trojan-activity;sid:84681383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70618.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818284/; classtype:trojan-activity;sid:84681384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64761.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818279/; classtype:trojan-activity;sid:84681379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57655.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818280/; classtype:trojan-activity;sid:84681380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46475.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818281/; classtype:trojan-activity;sid:84681381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47537.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818282/; classtype:trojan-activity;sid:84681382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45276.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818275/; classtype:trojan-activity;sid:84681375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39600.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818276/; classtype:trojan-activity;sid:84681376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49780.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818277/; classtype:trojan-activity;sid:84681377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20296.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818278/; classtype:trojan-activity;sid:84681378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_42426.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818271/; classtype:trojan-activity;sid:84681371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45698.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818272/; classtype:trojan-activity;sid:84681372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39368.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818273/; classtype:trojan-activity;sid:84681373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37612.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818274/; classtype:trojan-activity;sid:84681374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55147.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818269/; classtype:trojan-activity;sid:84681369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71512.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818270/; classtype:trojan-activity;sid:84681370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49178.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818265/; classtype:trojan-activity;sid:84681365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50144.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818266/; classtype:trojan-activity;sid:84681366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30908.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818267/; classtype:trojan-activity;sid:84681367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44107.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818268/; classtype:trojan-activity;sid:84681368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73129.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818259/; classtype:trojan-activity;sid:84681359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54542.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818260/; classtype:trojan-activity;sid:84681360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74028.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818261/; classtype:trojan-activity;sid:84681361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33337.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818262/; classtype:trojan-activity;sid:84681362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29513.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818263/; classtype:trojan-activity;sid:84681363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20035.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818264/; classtype:trojan-activity;sid:84681364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18869.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818257/; classtype:trojan-activity;sid:84681357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77324.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818258/; classtype:trojan-activity;sid:84681358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24663.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818247/; classtype:trojan-activity;sid:84681347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52221.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818248/; classtype:trojan-activity;sid:84681348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50931.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818249/; classtype:trojan-activity;sid:84681349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01899.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818250/; classtype:trojan-activity;sid:84681350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60056.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818251/; classtype:trojan-activity;sid:84681351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37707.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818252/; classtype:trojan-activity;sid:84681352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69167.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818253/; classtype:trojan-activity;sid:84681353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59665.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818254/; classtype:trojan-activity;sid:84681354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29943.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818255/; classtype:trojan-activity;sid:84681355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27247.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818256/; classtype:trojan-activity;sid:84681356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47384.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818245/; classtype:trojan-activity;sid:84681345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06113.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818246/; classtype:trojan-activity;sid:84681346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05941.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818240/; classtype:trojan-activity;sid:84681340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52843.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818241/; classtype:trojan-activity;sid:84681341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28358.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818242/; classtype:trojan-activity;sid:84681342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43388.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818243/; classtype:trojan-activity;sid:84681343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30425.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818244/; classtype:trojan-activity;sid:84681344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03796.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818234/; classtype:trojan-activity;sid:84681334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50289.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818235/; classtype:trojan-activity;sid:84681335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43634.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818236/; classtype:trojan-activity;sid:84681336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10888.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818237/; classtype:trojan-activity;sid:84681337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25736.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818238/; classtype:trojan-activity;sid:84681338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41668.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818239/; classtype:trojan-activity;sid:84681339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21603.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818232/; classtype:trojan-activity;sid:84681332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02148.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818233/; classtype:trojan-activity;sid:84681333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35000.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818231/; classtype:trojan-activity;sid:84681331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10789.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818228/; classtype:trojan-activity;sid:84681328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73011.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818229/; classtype:trojan-activity;sid:84681329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24070.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818230/; classtype:trojan-activity;sid:84681330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30968.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818227/; classtype:trojan-activity;sid:84681327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23744.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818223/; classtype:trojan-activity;sid:84681323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38901.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818224/; classtype:trojan-activity;sid:84681324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38899.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818225/; classtype:trojan-activity;sid:84681325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43188.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818226/; classtype:trojan-activity;sid:84681326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19977.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818213/; classtype:trojan-activity;sid:84681313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15217.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818214/; classtype:trojan-activity;sid:84681314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60502.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818215/; classtype:trojan-activity;sid:84681315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55953.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818216/; classtype:trojan-activity;sid:84681316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16010.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818217/; classtype:trojan-activity;sid:84681317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59572.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818218/; classtype:trojan-activity;sid:84681318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15861.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818219/; classtype:trojan-activity;sid:84681319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19556.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818220/; classtype:trojan-activity;sid:84681320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68667.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818221/; classtype:trojan-activity;sid:84681321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05194.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818222/; classtype:trojan-activity;sid:84681322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11549.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818209/; classtype:trojan-activity;sid:84681309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40134.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818210/; classtype:trojan-activity;sid:84681310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35769.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818211/; classtype:trojan-activity;sid:84681311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20882.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818212/; classtype:trojan-activity;sid:84681312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52073.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818207/; classtype:trojan-activity;sid:84681307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66234.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818208/; classtype:trojan-activity;sid:84681308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15163.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818205/; classtype:trojan-activity;sid:84681305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02881.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818206/; classtype:trojan-activity;sid:84681306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12525.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818201/; classtype:trojan-activity;sid:84681301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52315.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818202/; classtype:trojan-activity;sid:84681302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21974.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818203/; classtype:trojan-activity;sid:84681303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10936.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818204/; classtype:trojan-activity;sid:84681304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41604.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818199/; classtype:trojan-activity;sid:84681299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08859.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818200/; classtype:trojan-activity;sid:84681300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61762.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818196/; classtype:trojan-activity;sid:84681296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15314.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818197/; classtype:trojan-activity;sid:84681297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77802.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818198/; classtype:trojan-activity;sid:84681298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68501.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818195/; classtype:trojan-activity;sid:84681295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48879.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818194/; classtype:trojan-activity;sid:84681294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72883.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818192/; classtype:trojan-activity;sid:84681292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24901.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818193/; classtype:trojan-activity;sid:84681293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10718.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818190/; classtype:trojan-activity;sid:84681290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68583.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818191/; classtype:trojan-activity;sid:84681291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77914.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818182/; classtype:trojan-activity;sid:84681282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23919.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818183/; classtype:trojan-activity;sid:84681283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45349.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818184/; classtype:trojan-activity;sid:84681284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818185)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_37616.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818185/; classtype:trojan-activity;sid:84681285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01622.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818186/; classtype:trojan-activity;sid:84681286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22174.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818187/; classtype:trojan-activity;sid:84681287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57473.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818188/; classtype:trojan-activity;sid:84681288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37394.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818189/; classtype:trojan-activity;sid:84681289; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17823.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818180/; classtype:trojan-activity;sid:84681280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47630.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818181/; classtype:trojan-activity;sid:84681281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60666.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818175/; classtype:trojan-activity;sid:84681275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03497.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818176/; classtype:trojan-activity;sid:84681276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16430.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818177/; classtype:trojan-activity;sid:84681277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03767.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818178/; classtype:trojan-activity;sid:84681278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24086.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818179/; classtype:trojan-activity;sid:84681279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36728.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818174/; classtype:trojan-activity;sid:84681274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69740.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818172/; classtype:trojan-activity;sid:84681272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_05895.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818173/; classtype:trojan-activity;sid:84681273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50298.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818162/; classtype:trojan-activity;sid:84681262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01355.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818163/; classtype:trojan-activity;sid:84681263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11651.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818164/; classtype:trojan-activity;sid:84681264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18487.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818165/; classtype:trojan-activity;sid:84681265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15608.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818166/; classtype:trojan-activity;sid:84681266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20126.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818167/; classtype:trojan-activity;sid:84681267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18258.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818168/; classtype:trojan-activity;sid:84681268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28332.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818169/; classtype:trojan-activity;sid:84681269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818170)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30450.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818170/; classtype:trojan-activity;sid:84681270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07400.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818171/; classtype:trojan-activity;sid:84681271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45309.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818159/; classtype:trojan-activity;sid:84681259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15848.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818160/; classtype:trojan-activity;sid:84681260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70256.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818161/; classtype:trojan-activity;sid:84681261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43581.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818158/; classtype:trojan-activity;sid:84681258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62511.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818151/; classtype:trojan-activity;sid:84681251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58173.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818152/; classtype:trojan-activity;sid:84681252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61896.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818153/; classtype:trojan-activity;sid:84681253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818154)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_71885.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818154/; classtype:trojan-activity;sid:84681254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52809.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818155/; classtype:trojan-activity;sid:84681255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08117.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818156/; classtype:trojan-activity;sid:84681256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73678.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818157/; classtype:trojan-activity;sid:84681257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77773.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818147/; classtype:trojan-activity;sid:84681247; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07505.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818148/; classtype:trojan-activity;sid:84681248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39818.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818149/; classtype:trojan-activity;sid:84681249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31475.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818150/; classtype:trojan-activity;sid:84681250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11740.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818145/; classtype:trojan-activity;sid:84681245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08999.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818146/; classtype:trojan-activity;sid:84681246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68359.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818140/; classtype:trojan-activity;sid:84681240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60967.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818141/; classtype:trojan-activity;sid:84681241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25276.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818142/; classtype:trojan-activity;sid:84681242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67328.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818143/; classtype:trojan-activity;sid:84681243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07013.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818144/; classtype:trojan-activity;sid:84681244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34916.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818138/; classtype:trojan-activity;sid:84681238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48796.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818139/; classtype:trojan-activity;sid:84681239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28076.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818137/; classtype:trojan-activity;sid:84681237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12397.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818114/; classtype:trojan-activity;sid:84681214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31048.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818115/; classtype:trojan-activity;sid:84681215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44090.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818116/; classtype:trojan-activity;sid:84681216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43919.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818117/; classtype:trojan-activity;sid:84681217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_58844.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818118/; classtype:trojan-activity;sid:84681218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818119)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44587.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818119/; classtype:trojan-activity;sid:84681219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56048.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818120/; classtype:trojan-activity;sid:84681220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07853.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818121/; classtype:trojan-activity;sid:84681221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54154.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818122/; classtype:trojan-activity;sid:84681222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72892.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818123/; classtype:trojan-activity;sid:84681223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73959.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818124/; classtype:trojan-activity;sid:84681224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12487.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818125/; classtype:trojan-activity;sid:84681225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31268.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818126/; classtype:trojan-activity;sid:84681226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20137.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818127/; classtype:trojan-activity;sid:84681227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818128)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_71339.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818128/; classtype:trojan-activity;sid:84681228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22704.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818129/; classtype:trojan-activity;sid:84681229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77813.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818130/; classtype:trojan-activity;sid:84681230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08939.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818131/; classtype:trojan-activity;sid:84681231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26463.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818132/; classtype:trojan-activity;sid:84681232; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07828.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818133/; classtype:trojan-activity;sid:84681233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28026.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818134/; classtype:trojan-activity;sid:84681234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06835.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818135/; classtype:trojan-activity;sid:84681235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64307.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818136/; classtype:trojan-activity;sid:84681236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00535.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818104/; classtype:trojan-activity;sid:84681204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11369.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818105/; classtype:trojan-activity;sid:84681205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_51894.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818106/; classtype:trojan-activity;sid:84681206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72679.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818107/; classtype:trojan-activity;sid:84681207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76995.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818108/; classtype:trojan-activity;sid:84681208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55292.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818109/; classtype:trojan-activity;sid:84681209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64538.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818110/; classtype:trojan-activity;sid:84681210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67033.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818111/; classtype:trojan-activity;sid:84681211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18892.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818112/; classtype:trojan-activity;sid:84681212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68622.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818113/; classtype:trojan-activity;sid:84681213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52297.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818102/; classtype:trojan-activity;sid:84681202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37964.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818103/; classtype:trojan-activity;sid:84681203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60401.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818101/; classtype:trojan-activity;sid:84681201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72999.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818098/; classtype:trojan-activity;sid:84681198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818099)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04829.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818099/; classtype:trojan-activity;sid:84681199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08074.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818100/; classtype:trojan-activity;sid:84681200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45629.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818093/; classtype:trojan-activity;sid:84681193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78515.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818094/; classtype:trojan-activity;sid:84681194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16922.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818095/; classtype:trojan-activity;sid:84681195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67925.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818096/; classtype:trojan-activity;sid:84681196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65651.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818097/; classtype:trojan-activity;sid:84681197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68221.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818084/; classtype:trojan-activity;sid:84681184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18177.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818085/; classtype:trojan-activity;sid:84681185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818086)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_03674.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818086/; classtype:trojan-activity;sid:84681186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00826.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818087/; classtype:trojan-activity;sid:84681187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18701.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818088/; classtype:trojan-activity;sid:84681188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36722.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818089/; classtype:trojan-activity;sid:84681189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62563.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818090/; classtype:trojan-activity;sid:84681190; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55259.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818091/; classtype:trojan-activity;sid:84681191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49196.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818092/; classtype:trojan-activity;sid:84681192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07384.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818083/; classtype:trojan-activity;sid:84681183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46395.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818079/; classtype:trojan-activity;sid:84681179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50149.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818080/; classtype:trojan-activity;sid:84681180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74798.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818081/; classtype:trojan-activity;sid:84681181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_10539.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818082/; classtype:trojan-activity;sid:84681182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12549.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818072/; classtype:trojan-activity;sid:84681172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66268.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818073/; classtype:trojan-activity;sid:84681173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64549.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818074/; classtype:trojan-activity;sid:84681174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_48752.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818075/; classtype:trojan-activity;sid:84681175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27129.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818076/; classtype:trojan-activity;sid:84681176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36347.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818077/; classtype:trojan-activity;sid:84681177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19872.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818078/; classtype:trojan-activity;sid:84681178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14989.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818071/; classtype:trojan-activity;sid:84681171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_31677.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818068/; classtype:trojan-activity;sid:84681168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00088.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818069/; classtype:trojan-activity;sid:84681169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23356.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818070/; classtype:trojan-activity;sid:84681170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818067)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68148.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818067/; classtype:trojan-activity;sid:84681167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76383.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818062/; classtype:trojan-activity;sid:84681162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22739.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818063/; classtype:trojan-activity;sid:84681163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35807.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818064/; classtype:trojan-activity;sid:84681164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56208.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818065/; classtype:trojan-activity;sid:84681165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11055.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818066/; classtype:trojan-activity;sid:84681166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18664.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818059/; classtype:trojan-activity;sid:84681159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40919.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818060/; classtype:trojan-activity;sid:84681160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25110.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818061/; classtype:trojan-activity;sid:84681161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818057)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_20314.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818057/; classtype:trojan-activity;sid:84681157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56966.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818058/; classtype:trojan-activity;sid:84681158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26097.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818054/; classtype:trojan-activity;sid:84681154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27442.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818055/; classtype:trojan-activity;sid:84681155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08788.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818056/; classtype:trojan-activity;sid:84681156; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77949.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818044/; classtype:trojan-activity;sid:84681144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21473.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818045/; classtype:trojan-activity;sid:84681145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57896.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818046/; classtype:trojan-activity;sid:84681146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28608.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818047/; classtype:trojan-activity;sid:84681147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77434.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818048/; classtype:trojan-activity;sid:84681148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63128.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818049/; classtype:trojan-activity;sid:84681149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00007.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818050/; classtype:trojan-activity;sid:84681150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59474.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818051/; classtype:trojan-activity;sid:84681151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21927.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818052/; classtype:trojan-activity;sid:84681152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28346.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818053/; classtype:trojan-activity;sid:84681153; rev:1;)
#
# Reviewer note (annotation, not part of the upstream feed):
# The rules in this stretch share one shape: an outbound HTTP GET from $HOME_NET
# for /cloud/form_<5 digits>.pdf.ps1 on host "refundonex.com", one sid per
# URLhaus entry, all stamped created_at 2026_04_13. The .pdf.ps1 double
# extension is presumably a PowerShell script named to pass as a PDF form.
#
# Both buffers are matched exactly: depth equal to the content length pins the
# start of the buffer, and endswith (http.uri) / isdataat:!1,relative
# (http.host) pin the end. Coverage limits a responder should keep in mind:
#   - only the listed paths alert; another form_ number on the same host, or a
#     listed path with extra parameters, produces no alert from these rules;
#   - "alert http" needs HTTP the sensor can parse, so a fetch over TLS stays
#     silent unless traffic is decrypted before it reaches Suricata.
# If host-level coverage is wanted, add it in a local rule file with its own
# sid range (for example on dns.query or tls.sni) rather than editing this
# generated feed, which is rewritten on every update.
#
# An alert means a client requested the URL, not that the script ran. Triage
# with the HTTP response status and size, the URLhaus entry named in
# reference:url, and endpoint telemetry for PowerShell activity near the
# alert time.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33197.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818041/; classtype:trojan-activity;sid:84681141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26022.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818042/; classtype:trojan-activity;sid:84681142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62911.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818043/; classtype:trojan-activity;sid:84681143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71088.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818036/; classtype:trojan-activity;sid:84681136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65012.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818037/; classtype:trojan-activity;sid:84681137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65872.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818038/; classtype:trojan-activity;sid:84681138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72160.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818039/; classtype:trojan-activity;sid:84681139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64040.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818040/; classtype:trojan-activity;sid:84681140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818034)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00279.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818034/; classtype:trojan-activity;sid:84681134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49639.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818035/; classtype:trojan-activity;sid:84681135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08820.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818031/; classtype:trojan-activity;sid:84681131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54969.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818032/; classtype:trojan-activity;sid:84681132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68793.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3818033/; classtype:trojan-activity;sid:84681133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43627.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818026/; classtype:trojan-activity;sid:84681126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28403.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818027/; classtype:trojan-activity;sid:84681127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26708.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818028/; classtype:trojan-activity;sid:84681128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34055.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818029/; classtype:trojan-activity;sid:84681129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818030)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_25599.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818030/; classtype:trojan-activity;sid:84681130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59517.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818024/; classtype:trojan-activity;sid:84681124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08429.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818025/; classtype:trojan-activity;sid:84681125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21336.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818017/; classtype:trojan-activity;sid:84681117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23536.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818018/; classtype:trojan-activity;sid:84681118; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06087.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818019/; classtype:trojan-activity;sid:84681119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76835.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818020/; classtype:trojan-activity;sid:84681120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19796.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818021/; classtype:trojan-activity;sid:84681121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_57064.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818022/; classtype:trojan-activity;sid:84681122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13186.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818023/; classtype:trojan-activity;sid:84681123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46358.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818011/; classtype:trojan-activity;sid:84681111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59685.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818012/; classtype:trojan-activity;sid:84681112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32763.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818013/; classtype:trojan-activity;sid:84681113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74570.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818014/; classtype:trojan-activity;sid:84681114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3818015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43152.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818015/; classtype:trojan-activity;sid:84681115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73308.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818016/; classtype:trojan-activity;sid:84681116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06235.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818008/; classtype:trojan-activity;sid:84681108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_71572.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818009/; classtype:trojan-activity;sid:84681109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53604.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818010/; classtype:trojan-activity;sid:84681110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69918.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818007/; classtype:trojan-activity;sid:84681107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78394.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818003/; classtype:trojan-activity;sid:84681103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72520.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818004/; classtype:trojan-activity;sid:84681104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_32532.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818005/; classtype:trojan-activity;sid:84681105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818006)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54126.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818006/; classtype:trojan-activity;sid:84681106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47488.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818000/; classtype:trojan-activity;sid:84681100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69721.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818001/; classtype:trojan-activity;sid:84681101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3818002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79078.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3818002/; classtype:trojan-activity;sid:84681102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_11286.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817999/; classtype:trojan-activity;sid:84681099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78413.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817997/; classtype:trojan-activity;sid:84681097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68362.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817998/; classtype:trojan-activity;sid:84681098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37131.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817993/; classtype:trojan-activity;sid:84681093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_76012.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817994/; classtype:trojan-activity;sid:84681094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817995)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_13663.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817995/; classtype:trojan-activity;sid:84681095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24198.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817996/; classtype:trojan-activity;sid:84681096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49151.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817989/; classtype:trojan-activity;sid:84681089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62931.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817990/; classtype:trojan-activity;sid:84681090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09934.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817991/; classtype:trojan-activity;sid:84681091; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04878.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817992/; classtype:trojan-activity;sid:84681092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72068.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817981/; classtype:trojan-activity;sid:84681081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26591.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817982/; classtype:trojan-activity;sid:84681082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27177.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817983/; classtype:trojan-activity;sid:84681083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08683.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817984/; classtype:trojan-activity;sid:84681084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20713.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817985/; classtype:trojan-activity;sid:84681085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_80122.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817986/; classtype:trojan-activity;sid:84681086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46359.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817987/; classtype:trojan-activity;sid:84681087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26726.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817988/; classtype:trojan-activity;sid:84681088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3817980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_35790.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817980/; classtype:trojan-activity;sid:84681080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18811.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817972/; classtype:trojan-activity;sid:84681072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41126.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817973/; classtype:trojan-activity;sid:84681073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79294.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817974/; classtype:trojan-activity;sid:84681074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38966.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817975/; classtype:trojan-activity;sid:84681075; rev:1;)
# refundonex.com /cloud/form_NNNNN.pdf.ps1 cluster (created_at 2026_04_13)
# The next 91 rules are one signature repeated with a different five-digit form
# number, URLhaus ID and sid. Each rule requires:
#   - alert http, $HOME_NET -> $EXTERNAL_NET, client side of an established flow;
#   - http.method matching content "GET";
#   - http.uri equal to the 25-byte path (content + depth:25 + endswith, nocase),
#     so a request carrying a query string or any other suffix is presumably not
#     matched; confirm against the Suricata version in use;
#   - http.host equal to "refundonex.com" (depth:14 + isdataat:!1,relative).
# The ".pdf.ps1" double extension indicates a PowerShell script served under a
# PDF-looking name.
# NOTE(review): these are exact-match IoCs on cleartext HTTP only. A form number
# not listed here, or the same download over TLS, raises no alert from these
# rules; cover the host itself with DNS / TLS SNI detection in a local rules file
# rather than by editing this vendor-published ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16383.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817976/; classtype:trojan-activity;sid:84681076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50628.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817977/; classtype:trojan-activity;sid:84681077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63265.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817978/; classtype:trojan-activity;sid:84681078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19463.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817979/; classtype:trojan-activity;sid:84681079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46899.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817971/; classtype:trojan-activity;sid:84681071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60081.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817965/; classtype:trojan-activity;sid:84681065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02643.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817966/; classtype:trojan-activity;sid:84681066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36834.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817967/; classtype:trojan-activity;sid:84681067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28685.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817968/; classtype:trojan-activity;sid:84681068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63278.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817969/; classtype:trojan-activity;sid:84681069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75813.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817970/; classtype:trojan-activity;sid:84681070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77462.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817956/; classtype:trojan-activity;sid:84681056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01535.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817957/; classtype:trojan-activity;sid:84681057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70376.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817958/; classtype:trojan-activity;sid:84681058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08380.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817959/; classtype:trojan-activity;sid:84681059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_77494.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817960/; classtype:trojan-activity;sid:84681060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12971.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817961/; classtype:trojan-activity;sid:84681061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74209.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817962/; classtype:trojan-activity;sid:84681062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73976.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817963/; classtype:trojan-activity;sid:84681063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18088.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817964/; classtype:trojan-activity;sid:84681064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47014.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817952/; classtype:trojan-activity;sid:84681052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01577.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817953/; classtype:trojan-activity;sid:84681053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29996.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817954/; classtype:trojan-activity;sid:84681054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13309.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817955/; classtype:trojan-activity;sid:84681055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69975.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817947/; classtype:trojan-activity;sid:84681047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49317.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817948/; classtype:trojan-activity;sid:84681048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68476.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817949/; classtype:trojan-activity;sid:84681049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15098.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817950/; classtype:trojan-activity;sid:84681050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41904.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817951/; classtype:trojan-activity;sid:84681051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66742.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817945/; classtype:trojan-activity;sid:84681045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_52758.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817946/; classtype:trojan-activity;sid:84681046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13720.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817939/; classtype:trojan-activity;sid:84681039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39670.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817940/; classtype:trojan-activity;sid:84681040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_74743.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817941/; classtype:trojan-activity;sid:84681041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55365.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817942/; classtype:trojan-activity;sid:84681042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69212.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817943/; classtype:trojan-activity;sid:84681043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23908.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817944/; classtype:trojan-activity;sid:84681044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75025.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817937/; classtype:trojan-activity;sid:84681037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06949.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817938/; classtype:trojan-activity;sid:84681038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72201.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817929/; classtype:trojan-activity;sid:84681029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22533.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817930/; classtype:trojan-activity;sid:84681030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25723.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817931/; classtype:trojan-activity;sid:84681031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22600.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817932/; classtype:trojan-activity;sid:84681032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16220.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817933/; classtype:trojan-activity;sid:84681033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24938.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817934/; classtype:trojan-activity;sid:84681034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_16764.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817935/; classtype:trojan-activity;sid:84681035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04630.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817936/; classtype:trojan-activity;sid:84681036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47978.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817924/; classtype:trojan-activity;sid:84681024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64055.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817925/; classtype:trojan-activity;sid:84681025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01458.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817926/; classtype:trojan-activity;sid:84681026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13579.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817927/; classtype:trojan-activity;sid:84681027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_75034.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817928/; classtype:trojan-activity;sid:84681028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_00492.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817920/; classtype:trojan-activity;sid:84681020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62565.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817921/; classtype:trojan-activity;sid:84681021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15181.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817922/; classtype:trojan-activity;sid:84681022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21490.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817923/; classtype:trojan-activity;sid:84681023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34496.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817912/; classtype:trojan-activity;sid:84681012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15965.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817913/; classtype:trojan-activity;sid:84681013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_41200.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817914/; classtype:trojan-activity;sid:84681014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02185.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817915/; classtype:trojan-activity;sid:84681015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50999.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817916/; classtype:trojan-activity;sid:84681016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07301.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817917/; classtype:trojan-activity;sid:84681017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_63948.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817918/; classtype:trojan-activity;sid:84681018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_50818.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817919/; classtype:trojan-activity;sid:84681019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49929.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817911/; classtype:trojan-activity;sid:84681011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70351.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817910/; classtype:trojan-activity;sid:84681010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_28820.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817909/; classtype:trojan-activity;sid:84681009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_36331.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817903/; classtype:trojan-activity;sid:84681003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53430.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817904/; classtype:trojan-activity;sid:84681004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21012.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817905/; classtype:trojan-activity;sid:84681005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39203.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817906/; classtype:trojan-activity;sid:84681006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59903.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817907/; classtype:trojan-activity;sid:84681007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26701.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817908/; classtype:trojan-activity;sid:84681008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72788.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817901/; classtype:trojan-activity;sid:84681001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55648.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817902/; classtype:trojan-activity;sid:84681002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67100.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817899/; classtype:trojan-activity;sid:84680999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43024.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817900/; classtype:trojan-activity;sid:84681000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20396.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817891/; classtype:trojan-activity;sid:84680991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_19180.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817892/; classtype:trojan-activity;sid:84680992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73549.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817893/; classtype:trojan-activity;sid:84680993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22996.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817894/; classtype:trojan-activity;sid:84680994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53501.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817895/; classtype:trojan-activity;sid:84680995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07212.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817896/; classtype:trojan-activity;sid:84680996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26253.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817897/; classtype:trojan-activity;sid:84680997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69394.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817898/; classtype:trojan-activity;sid:84680998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_18344.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817889/; classtype:trojan-activity;sid:84680989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72145.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817890/; classtype:trojan-activity;sid:84680990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40358.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817887/; classtype:trojan-activity;sid:84680987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27329.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817888/; classtype:trojan-activity;sid:84680988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01986.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817883/; classtype:trojan-activity;sid:84680983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45793.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817884/; classtype:trojan-activity;sid:84680984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3817885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_21559.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817885/; classtype:trojan-activity;sid:84680985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07712.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817886/; classtype:trojan-activity;sid:84680986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22301.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817876/; classtype:trojan-activity;sid:84680976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01812.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817877/; classtype:trojan-activity;sid:84680977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_26730.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817878/; classtype:trojan-activity;sid:84680978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_65803.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817879/; classtype:trojan-activity;sid:84680979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_01211.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817880/; classtype:trojan-activity;sid:84680980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_70894.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817881/; classtype:trojan-activity;sid:84680981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_55459.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817882/; classtype:trojan-activity;sid:84680982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817869)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59150.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817869/; classtype:trojan-activity;sid:84680969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_22845.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817870/; classtype:trojan-activity;sid:84680970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_67465.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817871/; classtype:trojan-activity;sid:84680971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40469.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817872/; classtype:trojan-activity;sid:84680972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/josetomas.pdf.ps1"; depth:24; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817873/; classtype:trojan-activity;sid:84680973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08811.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817874/; classtype:trojan-activity;sid:84680974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73024.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817875/; classtype:trojan-activity;sid:84680975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17822.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817864/; classtype:trojan-activity;sid:84680964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_09506.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817865/; classtype:trojan-activity;sid:84680965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817866)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/form_56406.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817866/; classtype:trojan-activity;sid:84680966; rev:1;)
# Triage note: the signatures below inspect request buffers only (http.method,
# http.uri, http.host with flow:established,from_client). An alert therefore
# shows that a $HOME_NET host asked for the listed URL, not that a payload was
# delivered or run. Check the HTTP response on the same flow and the endpoint
# telemetry of the source host before closing the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45658.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817867/; classtype:trojan-activity;sid:84680967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61111.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817868/; classtype:trojan-activity;sid:84680968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54122.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817857/; classtype:trojan-activity;sid:84680957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64830.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817858/; classtype:trojan-activity;sid:84680958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_17005.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817859/; classtype:trojan-activity;sid:84680959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69981.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817860/; classtype:trojan-activity;sid:84680960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13097.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817861/; classtype:trojan-activity;sid:84680961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_40082.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817862/; classtype:trojan-activity;sid:84680962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_60161.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817863/; classtype:trojan-activity;sid:84680963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25906.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817856/; classtype:trojan-activity;sid:84680956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43724.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817854/; classtype:trojan-activity;sid:84680954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69626.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817855/; classtype:trojan-activity;sid:84680955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14079.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817851/; classtype:trojan-activity;sid:84680951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53592.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817852/; classtype:trojan-activity;sid:84680952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08686.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817853/; classtype:trojan-activity;sid:84680953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_53894.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817847/; classtype:trojan-activity;sid:84680947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_25525.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817848/; classtype:trojan-activity;sid:84680948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27573.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817849/; classtype:trojan-activity;sid:84680949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78550.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817850/; classtype:trojan-activity;sid:84680950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_78116.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817845/; classtype:trojan-activity;sid:84680945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73989.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817846/; classtype:trojan-activity;sid:84680946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_73779.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817844/; classtype:trojan-activity;sid:84680944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_49515.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817843/; classtype:trojan-activity;sid:84680943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54837.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817840/; classtype:trojan-activity;sid:84680940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_27669.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817841/; classtype:trojan-activity;sid:84680941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62963.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817842/; classtype:trojan-activity;sid:84680942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_03894.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817835/; classtype:trojan-activity;sid:84680935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_08373.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817836/; classtype:trojan-activity;sid:84680936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_46273.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817837/; classtype:trojan-activity;sid:84680937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61938.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817838/; classtype:trojan-activity;sid:84680938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45248.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817839/; classtype:trojan-activity;sid:84680939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817829)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cloud/form_42552.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817829/; classtype:trojan-activity;sid:84680929; rev:1;)
# Coverage note: these are "alert http" signatures, so they apply only to
# traffic Suricata parses as HTTP; requests to the same host over TLS are not
# inspected unless the traffic is decrypted before it reaches the sensor.
# Every rule in this run keys on the same Host value, so a local host-level
# detection (DNS, TLS SNI or http.host) can complement the per-URL entries.
# Mapping: in the rules shown here, sid equals the URLhaus URL id from
# msg/reference plus 80863100 (e.g. 3817830 -> 84680930), which lets an alert
# be traced back to its URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_29496.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817830/; classtype:trojan-activity;sid:84680930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62609.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817831/; classtype:trojan-activity;sid:84680931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68809.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817832/; classtype:trojan-activity;sid:84680932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_14388.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817833/; classtype:trojan-activity;sid:84680933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61451.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817834/; classtype:trojan-activity;sid:84680934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_45405.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817823/; classtype:trojan-activity;sid:84680923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_23564.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817824/; classtype:trojan-activity;sid:84680924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12510.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817825/; classtype:trojan-activity;sid:84680925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13316.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817826/; classtype:trojan-activity;sid:84680926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_47796.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817827/; classtype:trojan-activity;sid:84680927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_66147.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817828/; classtype:trojan-activity;sid:84680928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_34163.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817814/; classtype:trojan-activity;sid:84680914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_30329.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817815/; classtype:trojan-activity;sid:84680915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_54776.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817816/; classtype:trojan-activity;sid:84680916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_44883.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817817/; classtype:trojan-activity;sid:84680917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_72606.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817818/; classtype:trojan-activity;sid:84680918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_13843.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817819/; classtype:trojan-activity;sid:84680919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_59180.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817820/; classtype:trojan-activity;sid:84680920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20237.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817821/; classtype:trojan-activity;sid:84680921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_39804.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817822/; classtype:trojan-activity;sid:84680922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_64898.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817811/; classtype:trojan-activity;sid:84680911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_15283.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817812/; classtype:trojan-activity;sid:84680912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_68283.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817813/; classtype:trojan-activity;sid:84680913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_24993.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817810/; classtype:trojan-activity;sid:84680910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_07352.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817806/; classtype:trojan-activity;sid:84680906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_43666.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817807/; classtype:trojan-activity;sid:84680907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_62775.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817808/; classtype:trojan-activity;sid:84680908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_56403.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817809/; classtype:trojan-activity;sid:84680909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_12110.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817801/; classtype:trojan-activity;sid:84680901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_04811.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817802/; classtype:trojan-activity;sid:84680902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_37248.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817803/; classtype:trojan-activity;sid:84680903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817804)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/cloud/form_07693.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817804/; classtype:trojan-activity;sid:84680904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_38374.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817805/; classtype:trojan-activity;sid:84680905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06585.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817800/; classtype:trojan-activity;sid:84680900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_20786.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817792/; classtype:trojan-activity;sid:84680892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33091.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817793/; classtype:trojan-activity;sid:84680893; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_79569.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817794/; classtype:trojan-activity;sid:84680894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_69452.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817795/; classtype:trojan-activity;sid:84680895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_33122.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817796/; classtype:trojan-activity;sid:84680896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_61449.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817797/; classtype:trojan-activity;sid:84680897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_06716.pdf.ps1"; depth:25; endswith; nocase; 
http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817798/; classtype:trojan-activity;sid:84680898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_02839.pdf.ps1"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817799/; classtype:trojan-activity;sid:84680899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/form_99131.pdf.vbs"; depth:25; endswith; nocase; http.host; content:"refundonex.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817791/; classtype:trojan-activity;sid:84680891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.130.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817790/; classtype:trojan-activity;sid:84680890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"form4t4-mount.echi6under.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817789/; classtype:trojan-activity;sid:84680889; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nenkin.msi"; depth:11; endswith; nocase; http.host; content:"pub-0a6599d7d6394e379b6da3d6bfb5354a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817788/; classtype:trojan-activity;sid:84680888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_080646dbnewvps.png"; depth:23; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817787/; classtype:trojan-activity;sid:84680887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msinewtoo.png"; depth:24; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817786/; classtype:trojan-activity;sid:84680886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yunew.png"; depth:10; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817785/; classtype:trojan-activity;sid:84680885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msiforyu.png"; depth:23; endswith; nocase; http.host; 
content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817784/; classtype:trojan-activity;sid:84680884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.99.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817783/; classtype:trojan-activity;sid:84680883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.105.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817782/; classtype:trojan-activity;sid:84680882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"biom9-hinge.bell-extraterrit.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817781/; classtype:trojan-activity;sid:84680881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genorne-watch.bell-extraterrit.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817780/; 
classtype:trojan-activity;sid:84680880; rev:1;)
# Rules in this run share one shape: a client-side GET whose http.uri and
# http.host buffers are each compared against a single literal. depth equals the
# literal's length and is paired with endswith (URI) or isdataat:!1,relative
# (host), so the literal has to fill the buffer from its first to its last byte.
#
# sid 84680879: the host is a shared file-hosting service, so the indicator is
# the path, not the host name; an alert says that one object was requested.
# NOTE(review): endswith on http.uri means a request that carries a query string
# after ".exe" would not match - confirm against the URLhaus entry.
# NOTE(review): "alert http" inspects parsed HTTP only; downloads from this host
# are presumably made over TLS, so confirm the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/6sd0a0od839wwehcndldi/merluis-setup-2.0.0.exe"; depth:53; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817779/; classtype:trojan-activity;sid:84680879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.123.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817778/; classtype:trojan-activity;sid:84680878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-br4ve.bell-extraterrit.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817777/; classtype:trojan-activity;sid:84680877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ly12yqh.bell-extraterrit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817776/; classtype:trojan-activity;sid:84680876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3817774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crypted_x64.exe"; depth:16; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817774/; classtype:trojan-activity;sid:84680874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10.exe"; depth:7; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817775/; classtype:trojan-activity;sid:84680875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"keldraon.bell-extraterrit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817773/; classtype:trojan-activity;sid:84680873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.180.15.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817772/; classtype:trojan-activity;sid:84680872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptp.exe"; depth:8; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817770/; classtype:trojan-activity;sid:84680870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inkrog.exe"; depth:11; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817771/; classtype:trojan-activity;sid:84680871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clpr2.exe"; depth:10; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817769/; classtype:trojan-activity;sid:84680869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.235.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817768/; classtype:trojan-activity;sid:84680868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.152.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817767/; classtype:trojan-activity;sid:84680867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817766)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"subtlemark.piculi5tep.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817766/; classtype:trojan-activity;sid:84680866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.205.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817765/; classtype:trojan-activity;sid:84680865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mont.txt"; depth:9; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817764/; classtype:trojan-activity;sid:84680864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/ssad4edd!4d.exe"; depth:28; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817763/; classtype:trojan-activity;sid:84680863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/shjef2avfde.exe"; depth:28; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817762/; classtype:trojan-activity;sid:84680862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/winhos32.exe"; depth:25; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817760/; classtype:trojan-activity;sid:84680860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opt/adm/lct/mont.txt"; depth:21; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817761/; classtype:trojan-activity;sid:84680861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hotlifycracked.zip"; depth:19; endswith; nocase; http.host; content:"loejfrw2.ignorelist.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817759/; classtype:trojan-activity;sid:84680859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ertfu9pm.piculi5tep.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817758/; classtype:trojan-activity;sid:84680858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
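detected (3817757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.123.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817757/; classtype:trojan-activity;sid:84680857; rev:1;)
# Rules in this run share one shape: a client-side GET whose http.uri and
# http.host buffers are each compared against a single literal. depth equals the
# literal's length and is paired with endswith (URI) or isdataat:!1,relative
# (host), so the literal has to fill the buffer from its first to its last byte.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lk/bhaikecn191.bin"; depth:19; endswith; nocase; http.host; content:"38.49.217.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817756/; classtype:trojan-activity;sid:84680856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mermeshar9.piculi5tep.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817755/; classtype:trojan-activity;sid:84680855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8079848160/osnagaf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817754/; classtype:trojan-activity;sid:84680854; rev:1;)
# sid 84680853: "|3f|" is one byte ('?'), so the URI literal is 43 bytes long.
# depth is 43 here (it was 46, the length of the escaped rule text) so that
# depth + endswith pins the whole URI as in the neighbouring rules; with 46 a
# URI carrying up to three extra leading bytes matched as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zip/download.php|3f|file=original_payload.zip"; depth:43; endswith; nocase; http.host; content:"adobeready.online"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817753/; classtype:trojan-activity;sid:84680853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gatewa1-wave.piculi5tep.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817752/; classtype:trojan-activity;sid:84680852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.71.28.128"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817751/; classtype:trojan-activity;sid:84680851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.183.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817750/; classtype:trojan-activity;sid:84680850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.71.28.128"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817749/; classtype:trojan-activity;sid:84680849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 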
malware download URL detected (3817748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.205.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817748/; classtype:trojan-activity;sid:84680848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.227.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817747/; classtype:trojan-activity;sid:84680847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"94auswsb.piculi5tep.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817746/; classtype:trojan-activity;sid:84680846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.64.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817745/; classtype:trojan-activity;sid:84680845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"nimblcave.piculi5tep.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817744/; classtype:trojan-activity;sid:84680844; rev:1;)
# Rule shape used throughout this section of the feed: an established,
# client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri equals
# the listed path (content + depth equal to the content length + endswith, nocase)
# and whose http.host equals the listed value (depth equal to the content length +
# isdataat:!1,relative, i.e. nothing may follow the match).
# Both buffers are matched exactly, so a request with extra URI bytes (for example
# an appended query string) or a different Host value is not covered by that sid.
# NOTE(review): these are `alert http` rules and only fire on requests the HTTP
# parser can read; confirm how TLS-wrapped downloads are handled on this sensor.
# Each sid corresponds to one URLhaus entry (the id in msg and in reference:url),
# dated created_at 2026_04_13; check that entry's current status when triaging.
# Several bare-IP hosts are listed under two sids, one for /i and one for /bin.sh
# (for example 27.215.182.169: sids 84680839 and 84680832).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5tud1-zone.attit-negligent.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817743/; classtype:trojan-activity;sid:84680843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.82.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817742/; classtype:trojan-activity;sid:84680842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.239.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817741/; classtype:trojan-activity;sid:84680841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zzqm.attit-negligent.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817740/; classtype:trojan-activity;sid:84680840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.182.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817739/; classtype:trojan-activity;sid:84680839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.183.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817738/; classtype:trojan-activity;sid:84680838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.190.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817737/; classtype:trojan-activity;sid:84680837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.227.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817736/; classtype:trojan-activity;sid:84680836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ynykxz.attit-negligent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817735/; classtype:trojan-activity;sid:84680835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dhcy36nr.attit-negligent.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817734/; classtype:trojan-activity;sid:84680834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"royalvita.attit-negligent.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817733/; classtype:trojan-activity;sid:84680833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.182.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817732/; classtype:trojan-activity;sid:84680832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rnatr1-branch.attit-negligent.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817731/; classtype:trojan-activity;sid:84680831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.87.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817730/; classtype:trojan-activity;sid:84680830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.9.228"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817729/; classtype:trojan-activity;sid:84680829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.255.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817728/; classtype:trojan-activity;sid:84680828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deliveryquant.babrevea1ing.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817727/; classtype:trojan-activity;sid:84680827; rev:1;)
# From here the recurring ".google" path also appears with a trailing slash
# (depth:83 instead of depth:82). endswith makes the two spellings distinct exact
# matches, so a host listed with only one spelling does not alert on the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"main-gate.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817726/; classtype:trojan-activity;sid:84680826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"land-node.bereathfertil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817725/; classtype:trojan-activity;sid:84680825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"grain-log.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817724/; classtype:trojan-activity;sid:84680824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"flux-svc.gnoseonflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817722/; classtype:trojan-activity;sid:84680822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8405865752/i0mtjof.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817723/; classtype:trojan-activity;sid:84680823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"point-gate.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817718/; classtype:trojan-activity;sid:84680818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vector-svc.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817719/; classtype:trojan-activity;sid:84680819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"farm-api.ryesears.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817720/; classtype:trojan-activity;sid:84680820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"unit-hub.axiomatrixflow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817721/; classtype:trojan-activity;sid:84680821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cell-vault.ontocorex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817717/; classtype:trojan-activity;sid:84680817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sphere-api.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817715/; classtype:trojan-activity;sid:84680815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"grow-vault.bereathfertil.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817716/; classtype:trojan-activity;sid:84680816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"base-svc.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817714/; classtype:trojan-activity;sid:84680814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"space-node.theorexuslayer.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817713/; classtype:trojan-activity;sid:84680813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"world-api.ontoversegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817712/; classtype:trojan-activity;sid:84680812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"logic-gate.dialectraforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817711/; classtype:trojan-activity;sid:84680811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"thesis-log.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817710/; classtype:trojan-activity;sid:84680810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"vector-api.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817708/; classtype:trojan-activity;sid:84680808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"grid-core.ontoversegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817709/; classtype:trojan-activity;sid:84680809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"thought-api.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817707/; classtype:trojan-activity;sid:84680807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"soil-hub.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817706/; classtype:trojan-activity;sid:84680806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sphere-node.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817704/; classtype:trojan-activity;sid:84680804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"view-svc.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817705/; classtype:trojan-activity;sid:84680805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"model-node.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817703/; classtype:trojan-activity;sid:84680803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quormeshos3.babrevea1ing.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817701/; classtype:trojan-activity;sid:84680801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"debate-hub.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817702/; classtype:trojan-activity;sid:84680802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"root-gate.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817700/; classtype:trojan-activity;sid:84680800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"flow-data.epistemiconflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817697/; classtype:trojan-activity;sid:84680797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mind-sync.noospherecore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817698/; classtype:trojan-activity;sid:84680798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"crop-api.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817699/; classtype:trojan-activity;sid:84680799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"theory-svc.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817696/; classtype:trojan-activity;sid:84680796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.i468"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817695/; classtype:trojan-activity;sid:84680795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"brain-gate.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817694/; classtype:trojan-activity;sid:84680794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817693/; classtype:trojan-activity;sid:84680793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"store-vault.ryesears.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817692/; classtype:trojan-activity;sid:84680792; rev:1;)
# 196.251.107.133 is listed once per file under /bins/ (arm4 above, then ppc, arm6,
# arm7, mips, sh4, x86, m68k, arm5, mpsl). The file names look like per-architecture
# builds of one payload (presumably; confirm via the referenced URLhaus entries).
# When triaging, correlate these sids by destination host instead of handling each
# alert in isolation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817683/; classtype:trojan-activity;sid:84680783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817684/; classtype:trojan-activity;sid:84680784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817685/; classtype:trojan-activity;sid:84680785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817686/; classtype:trojan-activity;sid:84680786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817687/; classtype:trojan-activity;sid:84680787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817688/; classtype:trojan-activity;sid:84680788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817689/; classtype:trojan-activity;sid:84680789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817690/; classtype:trojan-activity;sid:84680790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817691/; classtype:trojan-activity;sid:84680791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"engine-api.systemoraengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817682/; classtype:trojan-activity;sid:84680782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"point-hub.theorivector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817681/; classtype:trojan-activity;sid:84680781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"sense-log.cogniversehub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817680/; classtype:trojan-activity;sid:84680780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"view-vault.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817679/; classtype:trojan-activity;sid:84680779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"hub-gate.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817678/; classtype:trojan-activity;sid:84680778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.42.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817677/; classtype:trojan-activity;sid:84680777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"order-svc.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817675/; classtype:trojan-activity;sid:84680775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pure-svc.noetisphere.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817676/; classtype:trojan-activity;sid:84680776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"global-io.noospherecore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817674/; classtype:trojan-activity;sid:84680774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"trade-svc.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817673/; classtype:trojan-activity;sid:84680773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mind-sync.noetisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817672/; classtype:trojan-activity;sid:84680772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"core-hub.systemoraengine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817671/; classtype:trojan-activity;sid:84680771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"space-gate.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817670/; classtype:trojan-activity;sid:84680770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"logic-vault.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817669/; classtype:trojan-activity;sid:84680769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"talk-node.dialectosphere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817667/; classtype:trojan-activity;sid:84680767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"think-node.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817668/; classtype:trojan-activity;sid:84680768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenforgeix.babrevea1ing.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817666/; classtype:trojan-activity;sid:84680766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.106.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817665/; classtype:trojan-activity;sid:84680765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.41.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817664/; classtype:trojan-activity;sid:84680764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"patterndelivery.babrevea1ing.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817663/; classtype:trojan-activity;sid:84680763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.87.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817662/; classtype:trojan-activity;sid:84680762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.9.228"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817661/; classtype:trojan-activity;sid:84680761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cg892665.babrevea1ing.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817659/; classtype:trojan-activity;sid:84680759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.255.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817660/; classtype:trojan-activity;sid:84680760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.42.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817658/; classtype:trojan-activity;sid:84680758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"aliglagoo.babrevea1ing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817657/; classtype:trojan-activity;sid:84680757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mer-draex.personal-danger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817656/; classtype:trojan-activity;sid:84680756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pars-packe.personal-danger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817655/; classtype:trojan-activity;sid:84680755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.147.137.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817654/; classtype:trojan-activity;sid:84680754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"00zk7cis.personal-danger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817653/; 
classtype:trojan-activity;sid:84680753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"rule-node.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817652/; classtype:trojan-activity;sid:84680752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"root-svc.ontocorex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817651/; classtype:trojan-activity;sid:84680751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"data-api.axiomatrixflow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817650/; classtype:trojan-activity;sid:84680750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"matrix-flow.axiomatrixflow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; 
reference:url, urlhaus.abuse.ch/url/3817649/; classtype:trojan-activity;sid:84680749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"shift-node.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817648/; classtype:trojan-activity;sid:84680748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"link-gate.ontocorex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817647/; classtype:trojan-activity;sid:84680747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"stream-svc.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817646/; classtype:trojan-activity;sid:84680746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"main-hub.ontocorex.in.net"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817645/; classtype:trojan-activity;sid:84680745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"trust-gate.bankingrugnia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817643/; classtype:trojan-activity;sid:84680743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"pay-svc.bankingrugnia.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817644/; classtype:trojan-activity;sid:84680744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"map-log.ontoversegrid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817642/; classtype:trojan-activity;sid:84680742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; 
content:"shift-svc.epistemiconflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817641/; classtype:trojan-activity;sid:84680741; rev:1;)
# Reviewer notes (rules restored to one per line; rule text unchanged).
# These rules share one fixed URI path and differ only in the in.net host name.
# `depth:N; endswith;` on http.uri and `depth:N; isdataat:!1,relative;` on http.host make
# both buffers exact matches: the same path with a query string appended does not alert.
# They are `alert http` rules, so they only see requests the sensor can parse as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"thesis-vault.dialectraforge.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817640/; classtype:trojan-activity;sid:84680740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"layer-io.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817639/; classtype:trojan-activity;sid:84680739; rev:1;)
# NOTE(review): sid 84680738 below has the same URI and host conditions as sid 84680770
# (URLhaus 3817670, space-gate.theorivector.in.net) elsewhere in this file. One request
# raises both alerts; de-duplicate on URI+host when counting incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"space-gate.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817638/; classtype:trojan-activity;sid:84680738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817637)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"theory-svc.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817637/; classtype:trojan-activity;sid:84680737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"point-hub.theorivector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817636/; classtype:trojan-activity;sid:84680736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"mind-hub.cogniversehub.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817635/; classtype:trojan-activity;sid:84680735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"rep4-signal.theorivector.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817634/; classtype:trojan-activity;sid:84680734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817633)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velmarkis.theorivector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817633/; classtype:trojan-activity;sid:84680733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"matrix-vault.systemoraengine.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817632/; classtype:trojan-activity;sid:84680732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"safe-vault.bankingrugnia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817631/; classtype:trojan-activity;sid:84680731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"entity-node.ontocorex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817629/; classtype:trojan-activity;sid:84680729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3817630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"model-node.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817630/; classtype:trojan-activity;sid:84680730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"cash-flow.bankingrugnia.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817628/; classtype:trojan-activity;sid:84680728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"view-vault.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817627/; classtype:trojan-activity;sid:84680727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"loan-api.bankingrugnia.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817626/; classtype:trojan-activity;sid:84680726; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"869n.stravexi.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817625/; classtype:trojan-activity;sid:84680725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"bank-node.bankingrugnia.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817624/; classtype:trojan-activity;sid:84680724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"lumvalea.kyno4rexil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817623/; classtype:trojan-activity;sid:84680723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"velvale7on.vortaqen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817621/; classtype:trojan-activity;sid:84680721; 
rev:1;)
# Reviewer notes (rules restored to one per line; rule text unchanged).
# Every rule here is an exact-match indicator: `depth:N; endswith;` pins the whole http.uri
# buffer (case-insensitively, via nocase) and `depth:N; isdataat:!1,relative;` pins the
# whole http.host buffer. A query string appended to the path does not alert.
# These are `alert http` rules, so fetches over TLS are not inspected unless traffic is
# decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"q6ivtu.vortaqen.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817622/; classtype:trojan-activity;sid:84680722; rev:1;)
# NOTE(review): sids 84680720, 84680717 and 84680712 point at nsm.lic, client32.ini and
# client32.exe in one directory on alimqulov.uz. The names match NetSupport Manager client
# files; presumably one remote-access bundle, confirm on the URLhaus entries. Correlate
# the three alerts per source host rather than triaging them separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/buyruqlar/v1/nsm.lic"; depth:29; endswith; nocase; http.host; content:"alimqulov.uz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817620/; classtype:trojan-activity;sid:84680720; rev:1;)
# NOTE(review): the "pwndrop" host label suggests a pwndrop file-hosting instance; this is
# inferred from the name only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zkgorqdo/built_stub.exe"; depth:24; endswith; nocase; http.host; content:"pwndrop.llcsintez-n.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817618/; classtype:trojan-activity;sid:84680718; rev:1;)
# NOTE(review): pastefy.app and dpaste.com are shared paste services, so the path is the
# only discriminating part of these rules. Do not block or allow-list by host on the
# strength of one of these alerts. Coverage for HTTPS fetches of the same paste needs
# proxy, TLS-inspection or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oje0pv28/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817619/; classtype:trojan-activity;sid:84680719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/buyruqlar/v1/client32.ini"; depth:34; endswith; nocase; http.host; content:"alimqulov.uz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817617/; classtype:trojan-activity;sid:84680717; rev:1;)
# NOTE(review): sid 84680716 has the same URI and host conditions as sid 84680708
# (URLhaus 3817608) elsewhere in this file. One request raises both alerts; de-duplicate
# on URI+host downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama5cxnlk.txt"; depth:14; endswith; nocase; http.host; content:"dpaste.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817616/; classtype:trojan-activity;sid:84680716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"composerefine.zeltorinax.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817614/; classtype:trojan-activity;sid:84680714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ekkagmvm/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817615/; classtype:trojan-activity;sid:84680715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/buyruqlar/v1/client32.exe"; depth:34; endswith; nocase; http.host; content:"alimqulov.uz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url,
urlhaus.abuse.ch/url/3817612/; classtype:trojan-activity;sid:84680712; rev:1;)
# Reviewer notes (rules restored to one per line; rule text unchanged).
# `depth:N; endswith;` on http.uri and `depth:N; isdataat:!1,relative;` on http.host make
# both buffers exact matches. The shared campaign path therefore appears in two forms,
# with a trailing slash (depth:83) and without (depth:82), and each form needs its own
# rule. A query string appended to either form does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google/"; depth:83; endswith; nocase; http.host; content:"jxoov.stravexi.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817613/; classtype:trojan-activity;sid:84680713; rev:1;)
# NOTE(review): pastefy.app and dpaste.com are shared paste services, so only the path
# identifies the payload. These `alert http` rules cover cleartext HTTP only; HTTPS
# fetches of the same paste need proxy, TLS-inspection or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clq4fhyf/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817611/; classtype:trojan-activity;sid:84680711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vp4psm.personal-danger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817610/; classtype:trojan-activity;sid:84680710; rev:1;)
# NOTE(review): sid 84680708 has the same URI and host conditions as sid 84680716
# (URLhaus 3817616) elsewhere in this file. One request raises both alerts; de-duplicate
# on URI+host downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama5cxnlk.txt"; depth:14; endswith; nocase; http.host; content:"dpaste.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817608/; classtype:trojan-activity;sid:84680708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3vy69ry7j.txt"; depth:14; endswith; nocase; http.host; content:"dpaste.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817609/; classtype:trojan-activity;sid:84680709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghanioilandgas.zip"; depth:19; endswith; nocase; http.host; content:"ghanioilandgas.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817607/; classtype:trojan-activity;sid:84680707; rev:1;)
# NOTE(review): a "plugins/cred64.dll" path is commonly reported for the Amadey
# credential-stealing plugin. This is inferred from the filename; confirm on the URLhaus
# entry. If confirmed, a hit suggests a host that is already infected and fetching a
# second-stage module, so prioritise credential reset and host triage over URL blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred64.dll"; depth:28; endswith; nocase; http.host; content:"176.65.144.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817606/; classtype:trojan-activity;sid:84680706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu0t6-trail.personal-danger.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817605/; classtype:trojan-activity;sid:84680705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.250.75";
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817604/; classtype:trojan-activity;sid:84680704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iwiax.personal-danger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817603/; classtype:trojan-activity;sid:84680703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.233.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817602/; classtype:trojan-activity;sid:84680702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.204.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817601/; classtype:trojan-activity;sid:84680701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nimbl-sheet.cry7adiophone.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817600/; classtype:trojan-activity;sid:84680700; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.125.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817599/; classtype:trojan-activity;sid:84680699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-trust3d.cry7adiophone.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817598/; classtype:trojan-activity;sid:84680698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sfayxss.cry7adiophone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817597/; classtype:trojan-activity;sid:84680697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.174.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817596/; classtype:trojan-activity;sid:84680696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817595)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.76.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817595/; classtype:trojan-activity;sid:84680695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valeoptic.cry7adiophone.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817594/; classtype:trojan-activity;sid:84680694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.8.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817593/; classtype:trojan-activity;sid:84680693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.204.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817592/; classtype:trojan-activity;sid:84680692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.180.13.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817591/; 
classtype:trojan-activity;sid:84680691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freightdat.cry7adiophone.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817590/; classtype:trojan-activity;sid:84680690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.125.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817589/; classtype:trojan-activity;sid:84680689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tp3gkrx.cry7adiophone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817588/; classtype:trojan-activity;sid:84680688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"defend.sanctua-ryunt.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817587/; classtype:trojan-activity;sid:84680687; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beam.sanctua-ryunt.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817586/; classtype:trojan-activity;sid:84680686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.76.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817585/; classtype:trojan-activity;sid:84680685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.244.36.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817584/; classtype:trojan-activity;sid:84680684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rende.sanctua-ryunt.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817583/; classtype:trojan-activity;sid:84680683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817582)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.126.120.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817582/; classtype:trojan-activity;sid:84680682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.227.61.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817581/; classtype:trojan-activity;sid:84680681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.202.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817580/; classtype:trojan-activity;sid:84680680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.8.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817579/; classtype:trojan-activity;sid:84680679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rende7-beam.sanctua-ryunt.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817578/; classtype:trojan-activity;sid:84680678; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solspireum.insti1partition.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817577/; classtype:trojan-activity;sid:84680677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-r0ck.danger-style.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817576/; classtype:trojan-activity;sid:84680676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flamemanifest.chandelh2lifa.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817575/; classtype:trojan-activity;sid:84680675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.2.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817574/; classtype:trojan-activity;sid:84680674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3817572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.117.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817572/; classtype:trojan-activity;sid:84680672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.48.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817573/; classtype:trojan-activity;sid:84680673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vivi3-watch.mucus-rafter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817571/; classtype:trojan-activity;sid:84680671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.160.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817570/; classtype:trojan-activity;sid:84680670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; 
endswith; nocase; http.host; content:"trilith0en.rebutrew0rk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817569/; classtype:trojan-activity;sid:84680669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bandwi-span.conferen-cesman.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817568/; classtype:trojan-activity;sid:84680668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.242.164.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817567/; classtype:trojan-activity;sid:84680667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"w0rk3-wave.habe7dpermanent.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817566/; classtype:trojan-activity;sid:84680666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.183.196.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817565/; classtype:trojan-activity;sid:84680665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.168.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817564/; classtype:trojan-activity;sid:84680664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.63.246.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817563/; classtype:trojan-activity;sid:84680663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.126.120.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817562/; classtype:trojan-activity;sid:84680662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lywetogx.qul2marox.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817561/; classtype:trojan-activity;sid:84680661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817560)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.197.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817560/; classtype:trojan-activity;sid:84680660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"did8.qul2marox.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817559/; classtype:trojan-activity;sid:84680659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817558/; classtype:trojan-activity;sid:84680658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.228.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817557/; classtype:trojan-activity;sid:84680657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"buffmargi.norxevin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, 
urlhaus.abuse.ch/url/3817556/; classtype:trojan-activity;sid:84680656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zennexis.norxevin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817555/; classtype:trojan-activity;sid:84680655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.62.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817554/; classtype:trojan-activity;sid:84680654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.63.246.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817553/; classtype:trojan-activity;sid:84680653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.117.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817552/; classtype:trojan-activity;sid:84680652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817551)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.219.14.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817551/; classtype:trojan-activity;sid:84680651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.164.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817550/; classtype:trojan-activity;sid:84680650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817549/; classtype:trojan-activity;sid:84680649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"runwspoo.travixon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817548/; classtype:trojan-activity;sid:84680648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.103.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817547/; classtype:trojan-activity;sid:84680647; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vmkzuhhq.travixon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817546/; classtype:trojan-activity;sid:84680646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.79.195.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817545/; classtype:trojan-activity;sid:84680645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deliver4-mesh.zeq8morin.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817544/; classtype:trojan-activity;sid:84680644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.210.144.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817543/; classtype:trojan-activity;sid:84680643; rev:1;)
# --- Cluster: 14 rules (URLhaus 3817529-3817542), all for host 139.59.231.32 ---
# Each rule pins one exact URI of the form /hammz/hammz.<suffix>; the suffixes are
# mips, i686, sh4, ppc, x86, arc, arm6, arm5, mpsl, arm7, x86_64, spc, m68k and arm.
# NOTE(review): the suffixes look like CPU-architecture tags, i.e. presumably one
# payload offered in per-architecture builds -- confirm against the URLhaus entries.
# Triage hint: every rule here is an exact match on a single path, so an alert from
# any one of these SIDs is a reason to review all HTTP traffic from the same internal
# client to this host; a path that is not listed below would not raise an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.mips"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817529/; classtype:trojan-activity;sid:84680629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.i686"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817530/; classtype:trojan-activity;sid:84680630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.sh4"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817531/; classtype:trojan-activity;sid:84680631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.ppc"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817532/; classtype:trojan-activity;sid:84680632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.x86"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817533/; classtype:trojan-activity;sid:84680633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arc"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817534/; classtype:trojan-activity;sid:84680634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm6"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817535/; classtype:trojan-activity;sid:84680635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm5"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817536/; classtype:trojan-activity;sid:84680636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.mpsl"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817537/; classtype:trojan-activity;sid:84680637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm7"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817538/; classtype:trojan-activity;sid:84680638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.x86_64"; depth:19; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817539/; classtype:trojan-activity;sid:84680639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.spc"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817540/; classtype:trojan-activity;sid:84680640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.m68k"; depth:17; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817541/; classtype:trojan-activity;sid:84680641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm"; depth:16; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817542/; classtype:trojan-activity;sid:84680642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817528)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817528/; classtype:trojan-activity;sid:84680628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pxedkzjn.zeq8morin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817527/; classtype:trojan-activity;sid:84680627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.219.14.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817526/; classtype:trojan-activity;sid:84680626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.2.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817525/; classtype:trojan-activity;sid:84680625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.103.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817524/; classtype:trojan-activity;sid:84680624; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817522/; classtype:trojan-activity;sid:84680622; rev:1;)
# Rules restored to one per line. Each rule is an exact-match indicator for a single URL:
#   * header: outbound HTTP ($HOME_NET -> $EXTERNAL_NET), any port; the destination address is
#     not constrained, only the Host value is.
#   * http.method "GET" on an established, client-to-server flow.
#   * http.uri: depth equals the pattern length and endswith pins the end, so the whole URI
#     buffer must equal the pattern (compared case-insensitively because of nocase).
#   * http.host: depth equals the pattern length and isdataat:!1,relative forbids trailing
#     bytes, so the whole host buffer must equal the pattern.
#   * the id in msg and in the reference URL is the URLhaus entry to look up during triage.
# Three URI shapes recur below: "/bin.sh" and "/i" on bare IPv4 hosts, and one long
# ".google" path served from several *.in.net subdomains. Some hosts are listed for both
# "/i" and "/bin.sh" (e.g. 115.55.129.229, 110.37.26.48, 221.14.173.8).
# NOTE(review): only cleartext HTTP is covered; a request for the same path with anything
# appended to the URI (e.g. a query string) will not match these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.235.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817523/; classtype:trojan-activity;sid:84680623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ygxq.klinavor.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817521/; classtype:trojan-activity;sid:84680621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.62.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817520/; classtype:trojan-activity;sid:84680620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.210.144.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817519/; classtype:trojan-activity;sid:84680619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumnexa.klinavor.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817518/; classtype:trojan-activity;sid:84680618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.197.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817517/; classtype:trojan-activity;sid:84680617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.26.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817516/; classtype:trojan-activity;sid:84680616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"71wxz.vo3xiran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817515/; classtype:trojan-activity;sid:84680615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.129.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817514/; classtype:trojan-activity;sid:84680614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wkodj.vo3xiran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817513/; classtype:trojan-activity;sid:84680613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.159.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817512/; classtype:trojan-activity;sid:84680612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.152.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817511/; classtype:trojan-activity;sid:84680611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.173.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817510/; classtype:trojan-activity;sid:84680610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dih0t.drumoxel.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817509/; classtype:trojan-activity;sid:84680609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.129.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817508/; classtype:trojan-activity;sid:84680608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.25.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817507/; classtype:trojan-activity;sid:84680607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.26.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817506/; classtype:trojan-activity;sid:84680606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-tru5.drumoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817505/; classtype:trojan-activity;sid:84680605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.69.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817503/; classtype:trojan-activity;sid:84680603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.61.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817504/; classtype:trojan-activity;sid:84680604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.197.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817502/; classtype:trojan-activity;sid:84680602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nisjdefz.pra7vexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817501/; classtype:trojan-activity;sid:84680601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817500/; classtype:trojan-activity;sid:84680600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.173.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817499/; classtype:trojan-activity;sid:84680599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c0ysh.pra7vexal.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817498/; classtype:trojan-activity;sid:84680598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.202.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817497/; classtype:trojan-activity;sid:84680597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.69.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817496/; classtype:trojan-activity;sid:84680596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"x79h.xeltronix.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817495/; classtype:trojan-activity;sid:84680595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vend0r-crest.xeltronix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817494/; classtype:trojan-activity;sid:84680594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.61.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817493/; classtype:trojan-activity;sid:84680593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.84.113.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817492/; classtype:trojan-activity;sid:84680592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"15cqw.sanctua-ryunt.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817491/; classtype:trojan-activity;sid:84680591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.54.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817490/; classtype:trojan-activity;sid:84680590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.40.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817489/; classtype:trojan-activity;sid:84680589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wolorch.sanctua-ryunt.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817488/; classtype:trojan-activity;sid:84680588; rev:1;)
# URLhaus download-URL indicators, one rule per line. All rules share one template:
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       outbound cleartext HTTP on any port; the destination IP is not part of the match.
#   flow:established,from_client; http.method; content:"GET"
#       client GET requests on an established flow.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the pattern length and endswith anchors the end, so the URI buffer
#       must equal <path> in full; nocase makes the comparison case-insensitive.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       same idea for the host buffer: pattern at the start, no data after it.
#   msg / reference:url carry the URLhaus entry id; in the rules visible here the sid is
#   that id plus 80863100.
# NOTE(review): being exact matches, these rules stay silent for HTTPS, for the same path
# with anything appended to the URI (e.g. a query string), and for hosts the feed has not
# listed yet. The long "/05fe317c-…/ck-….google" path recurs unchanged across many
# *.in.net subdomains, so a local URI-only rule on that path may add coverage for sibling
# subdomains - validate it against local traffic for false positives before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817487/; classtype:trojan-activity;sid:84680587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.202.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817486/; classtype:trojan-activity;sid:84680586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daernon-grid.sanctua-ryunt.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817485/; classtype:trojan-activity;sid:84680585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cryeast.sanctua-ryunt.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817484/; classtype:trojan-activity;sid:84680584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.79.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817483/; classtype:trojan-activity;sid:84680583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817482/; classtype:trojan-activity;sid:84680582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.40.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817481/; classtype:trojan-activity;sid:84680581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817480/; classtype:trojan-activity;sid:84680580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1707.sanctua-ryunt.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817479/; classtype:trojan-activity;sid:84680579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.59.83.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817478/; classtype:trojan-activity;sid:84680578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"assetrid.sanctua-ryunt.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817477/; classtype:trojan-activity;sid:84680577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vapb64us.insti1partition.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817476/; classtype:trojan-activity;sid:84680576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.79.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817475/; classtype:trojan-activity;sid:84680575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"toos.insti1partition.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817474/; classtype:trojan-activity;sid:84680574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-shall0w.insti1partition.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817473/; classtype:trojan-activity;sid:84680573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.239.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817472/; classtype:trojan-activity;sid:84680572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iqwo0.insti1partition.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817471/; classtype:trojan-activity;sid:84680571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.66.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817470/; classtype:trojan-activity;sid:84680570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3zowl.insti1partition.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817469/; classtype:trojan-activity;sid:84680569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"akkcq5.insti1partition.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817468/; classtype:trojan-activity;sid:84680568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817467/; classtype:trojan-activity;sid:84680567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"payloastag.danger-style.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817466/; classtype:trojan-activity;sid:84680566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817465/; classtype:trojan-activity;sid:84680565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.226.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817464/; classtype:trojan-activity;sid:84680564; rev:1;)
# Twelve /bins/<name> payloads on one host (103.106.229.247).
# NOTE(review): the file names look like Linux kernel thread names (kswapd0, ksoftirqd0,
# kworker_u8, jbd2_sda1d, ...). Genuine kernel threads are shown in brackets by ps and have
# no backing executable, so on a host that raised one of these alerts a user-space process
# carrying such a name is a triage lead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817458/; classtype:trojan-activity;sid:84680558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817459/; classtype:trojan-activity;sid:84680559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817460/; classtype:trojan-activity;sid:84680560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817461/; classtype:trojan-activity;sid:84680561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817462/; classtype:trojan-activity;sid:84680562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817463/; classtype:trojan-activity;sid:84680563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817457/; classtype:trojan-activity;sid:84680557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817456/; classtype:trojan-activity;sid:84680556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817452/; classtype:trojan-activity;sid:84680552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817453/; classtype:trojan-activity;sid:84680553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817454/; classtype:trojan-activity;sid:84680554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817455/; classtype:trojan-activity;sid:84680555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"39mx.danger-style.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817451/; classtype:trojan-activity;sid:84680551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ydiftfl.danger-style.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817450/; classtype:trojan-activity;sid:84680550; rev:1;)
# The same five paths (/ultron.arm5, .arm6, .arm7, .mpsl and /bj) are listed twice: once with
# the bare IP 204.76.203.168 as Host and once with 204.76.203.168.ptr.pfcloud.network.
# Because http.host must equal the pattern exactly, each Host spelling needs its own rule.
# The suffixes presumably denote per-architecture builds - confirm against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm5"; depth:12; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817449/; classtype:trojan-activity;sid:84680549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm7"; depth:12; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817447/; classtype:trojan-activity;sid:84680547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm6"; depth:12; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817448/; classtype:trojan-activity;sid:84680548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bj"; depth:3; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817444/; classtype:trojan-activity;sid:84680544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.mpsl"; depth:12; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817445/; classtype:trojan-activity;sid:84680545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm7"; depth:12; endswith; nocase; http.host; content:"204.76.203.168.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817446/; classtype:trojan-activity;sid:84680546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm5"; depth:12; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817440/; classtype:trojan-activity;sid:84680540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.mpsl"; depth:12; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817441/; classtype:trojan-activity;sid:84680541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ultron.arm6"; depth:12; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817442/; classtype:trojan-activity;sid:84680542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bj"; depth:3; endswith; nocase; http.host; content:"204.76.203.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817443/; classtype:trojan-activity;sid:84680543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5cqwuhoc.danger-style.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817439/; classtype:trojan-activity;sid:84680539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hw62b.danger-style.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817438/; classtype:trojan-activity;sid:84680538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.180.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817437/; classtype:trojan-activity;sid:84680537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8717422379/fcamh42.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817436/; classtype:trojan-activity;sid:84680536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.226.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817435/; classtype:trojan-activity;sid:84680535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817434)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"listenercorte.danger-style.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817434/; classtype:trojan-activity;sid:84680534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"103.106.229.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817433/; classtype:trojan-activity;sid:84680533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.124.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817432/; classtype:trojan-activity;sid:84680532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sterileric.chandelh2lifa.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817431/; classtype:trojan-activity;sid:84680531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.180.220"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_13; reference:url, urlhaus.abuse.ch/url/3817430/; classtype:trojan-activity;sid:84680530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gvxnzo.chandelh2lifa.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817429/; classtype:trojan-activity;sid:84680529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.75.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817428/; classtype:trojan-activity;sid:84680528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.220.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817427/; classtype:trojan-activity;sid:84680527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bold4-loop.chandelh2lifa.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817426/; classtype:trojan-activity;sid:84680526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3817425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.134.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817425/; classtype:trojan-activity;sid:84680525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817424/; classtype:trojan-activity;sid:84680524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nhspq.chandelh2lifa.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817423/; classtype:trojan-activity;sid:84680523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"8rnyx.chandelh2lifa.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817422/; classtype:trojan-activity;sid:84680522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817421)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-st0ck.chandelh2lifa.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817421/; classtype:trojan-activity;sid:84680521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.134.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817420/; classtype:trojan-activity;sid:84680520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.238.27.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817419/; classtype:trojan-activity;sid:84680519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bandwiglade.mucus-rafter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817418/; classtype:trojan-activity;sid:84680518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"orvfw4.mucus-rafter.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817417/; classtype:trojan-activity;sid:84680517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.17.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817416/; classtype:trojan-activity;sid:84680516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mpjrpw.mucus-rafter.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817415/; classtype:trojan-activity;sid:84680515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.17.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817414/; classtype:trojan-activity;sid:84680514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.44.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817413/; classtype:trojan-activity;sid:84680513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3817412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817412/; classtype:trojan-activity;sid:84680512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm5"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817395/; classtype:trojan-activity;sid:84680495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i486"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817396/; classtype:trojan-activity;sid:84680496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.m68k"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817397/; classtype:trojan-activity;sid:84680497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817398/; 
classtype:trojan-activity;sid:84680498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.sh4"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817399/; classtype:trojan-activity;sid:84680499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.apk"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817400/; classtype:trojan-activity;sid:84680500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i686"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817401/; classtype:trojan-activity;sid:84680501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.spc"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817402/; classtype:trojan-activity;sid:84680502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x64"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817403/; classtype:trojan-activity;sid:84680503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.ppc440"; depth:12; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817404/; classtype:trojan-activity;sid:84680504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mpsl"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817405/; classtype:trojan-activity;sid:84680505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x86"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817406/; classtype:trojan-activity;sid:84680506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm6"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817407/; classtype:trojan-activity;sid:84680507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817408)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/zyre.mips"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817408/; classtype:trojan-activity;sid:84680508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm4"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817409/; classtype:trojan-activity;sid:84680509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm7"; depth:10; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817410/; classtype:trojan-activity;sid:84680510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.dbg"; depth:9; endswith; nocase; http.host; content:"45.128.119.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817411/; classtype:trojan-activity;sid:84680511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"load9-mount.mucus-rafter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817394/; 
classtype:trojan-activity;sid:84680494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.49.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817393/; classtype:trojan-activity;sid:84680493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/nm8pzxp.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817392/; classtype:trojan-activity;sid:84680492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"norvale5on.mucus-rafter.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817391/; classtype:trojan-activity;sid:84680491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.95.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817390/; classtype:trojan-activity;sid:84680490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817389)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.44.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817389/; classtype:trojan-activity;sid:84680489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talmarkum1.mucus-rafter.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817388/; classtype:trojan-activity;sid:84680488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.95.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817387/; classtype:trojan-activity;sid:84680487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"105.184.95.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817385/; classtype:trojan-activity;sid:84680485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"105.184.95.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817386/; classtype:trojan-activity;sid:84680486; rev:1;) 
# How to read the entries in this feed (every rule shown here follows the same template):
#   * Scope: "alert http $HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client
#     inspects only client requests that Suricata parses as HTTP and that originate inside
#     $HOME_NET. The same URL fetched inside TLS is not visible to these rules, and a client
#     address outside the configured $HOME_NET never matches.
#   * http.method content:"GET" restricts the match to GET requests.
#   * http.uri: content + depth:<pattern length> + endswith anchors the pattern at both ends of
#     the buffer, so the request URI must be exactly the listed path (nocase ignores letter case).
#     Each rule is a lookup for one reported URL, not a signature for a malware family; the
#     absence of an alert says nothing about other URLs on the same host.
#   * http.host: content + depth:<pattern length> + isdataat:!1,relative is the same exact-match
#     construction for the host value. A host reported both by address and by name appears as
#     separate rules.
#   * Triage: msg and reference:url carry the URLhaus entry id, so an alert can be checked against
#     the current URLhaus record. In the rules visible here, sid equals that id + 80863100.
#     metadata:created_at is presumably the date the entry was added (confirm with URLhaus);
#     many hosts are bare IPv4 addresses, which can change hands, so check the record before
#     treating a hit on an old entry as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.59.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817384/; classtype:trojan-activity;sid:84680484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.113.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817383/; classtype:trojan-activity;sid:84680483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"87vq.rebutrew0rk.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817382/; classtype:trojan-activity;sid:84680482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cvsbi.rebutrew0rk.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817381/; classtype:trojan-activity;sid:84680481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817380)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"es3tp.rebutrew0rk.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817380/; classtype:trojan-activity;sid:84680480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlineet.rebutrew0rk.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817379/; classtype:trojan-activity;sid:84680479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.34.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817378/; classtype:trojan-activity;sid:84680478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"modul-scene.rebutrew0rk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817377/; classtype:trojan-activity;sid:84680477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"222.141.113.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817376/; classtype:trojan-activity;sid:84680476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rnoon-wave.rebutrew0rk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817375/; classtype:trojan-activity;sid:84680475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"breezesto.conferen-cesman.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817374/; classtype:trojan-activity;sid:84680474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorcore1a.conferen-cesman.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817373/; classtype:trojan-activity;sid:84680473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.180.15.35"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817372/; classtype:trojan-activity;sid:84680472; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (laid out one rule per line).
#
# What each rule matches, as written:
#   - `alert http`, $HOME_NET -> $EXTERNAL_NET, client side of an established
#     flow (flow:established,from_client), request method GET.
#   - http.uri: content + depth:<pattern length> + endswith pins the pattern
#     to the whole URI buffer, i.e. an exact match. nocase applies to this
#     URI pattern only.
#   - http.host: content + depth:<pattern length> + isdataat:!1,relative is
#     the same exact-match idea written differently. The host patterns are
#     all lowercase, which is what Suricata's lowercased http.host buffer
#     needs; no nocase is used on them.
#
# Coverage limits to keep in mind when relying on these alerts:
#   - Only traffic Suricata parses as HTTP is inspected. The same URL fetched
#     over TLS produces no hit here unless decryption happens upstream.
#   - Exact matching means only the listed host + path pair alerts; a rule
#     does not extend to sibling hostnames or to other forms of the URL.
#   - The action is `alert`: nothing in this section drops traffic, even on
#     an inline sensor.
#   - Entries are point-in-time (see metadata:created_at) and many hosts are
#     bare IP literals. Triage a hit through its reference URL before
#     treating the address as malicious today.
#     NOTE(review): address reuse is likely for such hosts but is not shown
#     on this page - confirm per entry.
#
# Pattern visible in this section: one URI path (the depth:82 path starting
# "/05fe317c-" and ending ".google") repeats unchanged across many *.in.net
# hostnames. A locally maintained rule keyed on that path alone, kept outside
# this generated file with a sid from the local range, would also alert on
# hostnames the feed has not listed yet.
# TODO confirm the false-positive rate on local traffic before enabling it.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"57vl6.conferen-cesman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817371/; classtype:trojan-activity;sid:84680471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.225.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817370/; classtype:trojan-activity;sid:84680470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.34.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817369/; classtype:trojan-activity;sid:84680469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"handleill.conferen-cesman.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817368/; classtype:trojan-activity;sid:84680468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fresh-crest.conferen-cesman.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817367/; classtype:trojan-activity;sid:84680467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cipherdepo.conferen-cesman.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817366/; classtype:trojan-activity;sid:84680466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dzokbx.habe7dpermanent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817365/; classtype:trojan-activity;sid:84680465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.1.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817364/; classtype:trojan-activity;sid:84680464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.30.145.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817363/; classtype:trojan-activity;sid:84680463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.147.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817362/; classtype:trojan-activity;sid:84680462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817361/; classtype:trojan-activity;sid:84680461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.225.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817360/; classtype:trojan-activity;sid:84680460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quormarkal8.habe7dpermanent.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817359/; classtype:trojan-activity;sid:84680459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.124.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817358/; classtype:trojan-activity;sid:84680458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkcrest5or.habe7dpermanent.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817357/; classtype:trojan-activity;sid:84680457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.227.66.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817356/; classtype:trojan-activity;sid:84680456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deal-mars.habe7dpermanent.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817355/; classtype:trojan-activity;sid:84680455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-crestal.habe7dpermanent.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817354/; classtype:trojan-activity;sid:84680454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.30.145.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817353/; classtype:trojan-activity;sid:84680453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.121.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817352/; classtype:trojan-activity;sid:84680452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xjmzl07n.habe7dpermanent.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817351/; classtype:trojan-activity;sid:84680451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.152.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817350/; classtype:trojan-activity;sid:84680450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"needlsdk.glasso-greconstruct.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817349/; classtype:trojan-activity;sid:84680449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817348/; classtype:trojan-activity;sid:84680448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.241.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817347/; classtype:trojan-activity;sid:84680447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scre-wes.glasso-greconstruct.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817346/; classtype:trojan-activity;sid:84680446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fiercepale.glasso-greconstruct.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817345/; classtype:trojan-activity;sid:84680445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"exte-lab.glasso-greconstruct.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817344/; classtype:trojan-activity;sid:84680444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.53.147.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817343/; classtype:trojan-activity;sid:84680443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.121.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817342/; classtype:trojan-activity;sid:84680442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumtidea9.glasso-greconstruct.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817341/; classtype:trojan-activity;sid:84680441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.241.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817340/; classtype:trojan-activity;sid:84680440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.241.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817339/; classtype:trojan-activity;sid:84680439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.217.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817338/; classtype:trojan-activity;sid:84680438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lvk5wwb.glasso-greconstruct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817337/; classtype:trojan-activity;sid:84680437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"winterdeliv.decembha1ifa.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817336/; classtype:trojan-activity;sid:84680436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.100.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817335/; classtype:trojan-activity;sid:84680435; rev:1;)
# The next two entries name the same host with two different file paths
# (a .rar and a .bat, going by extension only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/woofer.rar"; depth:11; endswith; nocase; http.host; content:"cloudstorage-hub.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817334/; classtype:trojan-activity;sid:84680434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmd.bat"; depth:8; endswith; nocase; http.host; content:"cloudstorage-hub.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817333/; classtype:trojan-activity;sid:84680433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/net_launcher.exe"; depth:26; endswith; nocase; http.host; content:"185.149.120.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817332/; classtype:trojan-activity;sid:84680432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.230.19.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817331/; classtype:trojan-activity;sid:84680431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trivenet8.decembha1ifa.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817330/; classtype:trojan-activity;sid:84680430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.77.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817329/; classtype:trojan-activity;sid:84680429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"harves3-spark.decembha1ifa.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817328/; classtype:trojan-activity;sid:84680428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9rmc.decembha1ifa.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817327/; classtype:trojan-activity;sid:84680427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"repairsales.decembha1ifa.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817326/; classtype:trojan-activity;sid:84680426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.42.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817325/; classtype:trojan-activity;sid:84680425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.145.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817324/; classtype:trojan-activity;sid:84680424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gf11j.decembha1ifa.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817323/; classtype:trojan-activity;sid:84680423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.152.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817322/; classtype:trojan-activity;sid:84680422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.116.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817321/; classtype:trojan-activity;sid:84680421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arknexal2.clean-sorted.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817320/; classtype:trojan-activity;sid:84680420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.77.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817319/; classtype:trojan-activity;sid:84680419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.113.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817318/; classtype:trojan-activity;sid:84680418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bkumfd.clean-sorted.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817317/; classtype:trojan-activity;sid:84680417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.75.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817316/; classtype:trojan-activity;sid:84680416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"opt1c-mesh.clean-sorted.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817315/; classtype:trojan-activity;sid:84680415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lum-lineos.clean-sorted.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817314/; classtype:trojan-activity;sid:84680414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.152.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817313/; classtype:trojan-activity;sid:84680413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lwzqvms.clean-sorted.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817312/; classtype:trojan-activity;sid:84680412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.198.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817311/; classtype:trojan-activity;sid:84680411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"odau.clean-sorted.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817310/; classtype:trojan-activity;sid:84680410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.116.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817309/; classtype:trojan-activity;sid:84680409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genelight.disas5embsilence.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817308/; classtype:trojan-activity;sid:84680408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zl0dsl.disas5embsilence.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817307/; classtype:trojan-activity;sid:84680407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"han9l.disas5embsilence.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817306/; classtype:trojan-activity;sid:84680406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.209.196.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817305/; classtype:trojan-activity;sid:84680405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.151.248.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817304/; classtype:trojan-activity;sid:84680404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.198.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817303/; classtype:trojan-activity;sid:84680403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"agibny9n.disas5embsilence.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817302/; classtype:trojan-activity;sid:84680402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.81.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817301/; classtype:trojan-activity;sid:84680401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"merspireos7.disas5embsilence.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817300/; classtype:trojan-activity;sid:84680400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenspireix9.disas5embsilence.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817299/; classtype:trojan-activity;sid:84680399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"apbc9a.cash-guys.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817298/; classtype:trojan-activity;sid:84680398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.70.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817297/; classtype:trojan-activity;sid:84680397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fl0w-graph.cash-guys.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817296/; classtype:trojan-activity;sid:84680396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817293/; classtype:trojan-activity;sid:84680393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817294/; classtype:trojan-activity;sid:84680394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817295/; classtype:trojan-activity;sid:84680395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.248.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817292/; classtype:trojan-activity;sid:84680392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.209.196.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817291/; classtype:trojan-activity;sid:84680391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moon0-logic.cash-guys.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817290/; classtype:trojan-activity;sid:84680390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817289/; classtype:trojan-activity;sid:84680389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817288/; classtype:trojan-activity;sid:84680388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"68df0.cash-guys.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817287/; classtype:trojan-activity;sid:84680387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.81.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817286/; classtype:trojan-activity;sid:84680386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817285/; 
classtype:trojan-activity;sid:84680385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817284/; classtype:trojan-activity;sid:84680384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i686"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817283/; classtype:trojan-activity;sid:84680383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817271/; classtype:trojan-activity;sid:84680371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817272/; classtype:trojan-activity;sid:84680372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; 
content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817273/; classtype:trojan-activity;sid:84680373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817274/; classtype:trojan-activity;sid:84680374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817275/; classtype:trojan-activity;sid:84680375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817276/; classtype:trojan-activity;sid:84680376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817277/; classtype:trojan-activity;sid:84680377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3817278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817278/; classtype:trojan-activity;sid:84680378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817279/; classtype:trojan-activity;sid:84680379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm"; depth:12; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817280/; classtype:trojan-activity;sid:84680380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817281/; classtype:trojan-activity;sid:84680381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i486"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817282/; 
classtype:trojan-activity;sid:84680382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817265/; classtype:trojan-activity;sid:84680365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817266/; classtype:trojan-activity;sid:84680366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817267/; classtype:trojan-activity;sid:84680367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817268/; classtype:trojan-activity;sid:84680368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; 
http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817269/; classtype:trojan-activity;sid:84680369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817270/; classtype:trojan-activity;sid:84680370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mipsl"; depth:14; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817262/; classtype:trojan-activity;sid:84680362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arc"; depth:12; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817263/; classtype:trojan-activity;sid:84680363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc440"; depth:15; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817264/; classtype:trojan-activity;sid:84680364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3817253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm7"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817253/; classtype:trojan-activity;sid:84680353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc"; depth:12; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817254/; classtype:trojan-activity;sid:84680354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.m68k"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817255/; classtype:trojan-activity;sid:84680355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm5"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817256/; classtype:trojan-activity;sid:84680356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_64"; depth:15; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817257/; 
classtype:trojan-activity;sid:84680357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.sh4"; depth:12; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817258/; classtype:trojan-activity;sid:84680358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_32"; depth:15; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817259/; classtype:trojan-activity;sid:84680359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm6"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817260/; classtype:trojan-activity;sid:84680360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mips"; depth:13; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817261/; classtype:trojan-activity;sid:84680361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817252)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
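content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"publiccrawl.cash-guys.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817252/; classtype:trojan-activity;sid:84680352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.spc"; depth:12; endswith; nocase; http.host; content:"43.228.157.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817251/; classtype:trojan-activity;sid:84680351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.160.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817250/; classtype:trojan-activity;sid:84680350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nmno.cash-guys.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817249/; classtype:trojan-activity;sid:84680349; rev:1;)
# URLhaus 3817248: the http.uri pattern below decodes to 38 bytes, because each |xx| escape
# is a single byte. The feed emitted depth:53, which is the length of the escaped text.
# Combined with endswith, a depth larger than the pattern no longer pins the match to the
# start of the URI, so a URI with up to 15 extra leading bytes would also alert.
# depth:38 restores the exact-URI match the neighbouring rules use (depth equal to the
# pattern length plus endswith).
# NOTE(review): this file looks generated; the escape-length miscount should be reported
# upstream, since a local edit will presumably be lost on the next ruleset refresh.
# sid and rev are left as issued.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=gsgdfqyajpakwztu"; depth:38; endswith; nocase; http.host; content:"m9thskmy.paragonbloomera.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817248/; classtype:trojan-activity;sid:84680348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c4p1-route.charlotte5tereoph.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817247/; classtype:trojan-activity;sid:84680347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.175.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817246/; classtype:trojan-activity;sid:84680346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vub10.charlotte5tereoph.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817245/; classtype:trojan-activity;sid:84680345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817244/; 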
classtype:trojan-activity;sid:84680344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.81.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817243/; classtype:trojan-activity;sid:84680343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jnza.charlotte5tereoph.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817242/; classtype:trojan-activity;sid:84680342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.89.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817241/; classtype:trojan-activity;sid:84680341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"systemott.charlotte5tereoph.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817240/; classtype:trojan-activity;sid:84680340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3817239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.94.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817239/; classtype:trojan-activity;sid:84680339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.32.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817238/; classtype:trojan-activity;sid:84680338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.164.96.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817237/; classtype:trojan-activity;sid:84680337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sermarken6.charlotte5tereoph.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817236/; classtype:trojan-activity;sid:84680336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"sap-alp.charlotte5tereoph.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817235/; classtype:trojan-activity;sid:84680335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.175.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817234/; classtype:trojan-activity;sid:84680334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"compute-comp.cytolo-gyywniak.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817233/; classtype:trojan-activity;sid:84680333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"normarkix.cytolo-gyywniak.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817232/; classtype:trojan-activity;sid:84680332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.32.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3817231/; classtype:trojan-activity;sid:84680331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817230/; classtype:trojan-activity;sid:84680330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.94.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817229/; classtype:trojan-activity;sid:84680329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arklinea.cytolo-gyywniak.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817228/; classtype:trojan-activity;sid:84680328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ybzh.cytolo-gyywniak.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817227/; classtype:trojan-activity;sid:84680327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3817226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"96rcki34.cytolo-gyywniak.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817226/; classtype:trojan-activity;sid:84680326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.164.96.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817225/; classtype:trojan-activity;sid:84680325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.207.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817224/; classtype:trojan-activity;sid:84680324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.233.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817223/; classtype:trojan-activity;sid:84680323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"labellively.cytolo-gyywniak.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817222/; classtype:trojan-activity;sid:84680322; rev:1;)
# How to read the rules in this feed (every rule below has the same shape):
#   - "alert http ... $HOME_NET -> $EXTERNAL_NET" with flow:established,from_client
#     inspects outbound client requests on established sessions only.
#   - http.uri content with depth equal to the content length, plus endswith, pins
#     the whole normalized URI to that string (case-insensitively, via nocase).
#   - http.host content with depth equal to its length, plus isdataat:!1,relative,
#     pins the whole host value to that string.
# Each rule therefore fires on a GET for one exact host + URI pair. The same path
# with anything appended, or on another host, is not covered by that rule, and
# requests carried over TLS are not visible to it without decryption.
#
# NOTE(review): the /05fe317c-.../ck-....google URI is repeated verbatim across the
# *.in.net hostnames in this part of the feed; only the http.host value differs.
# Because each hostname is matched exactly, hostnames not yet listed are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1kuz.suicideva1ny.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817221/; classtype:trojan-activity;sid:84680321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.251.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817220/; classtype:trojan-activity;sid:84680320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"41uml3.suicideva1ny.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817219/; classtype:trojan-activity;sid:84680319; rev:1;)
# Host 176.65.139.52: this host recurs in the rules from here on with different
# URI paths (/payload, /bot, /s, /bot_arm and further ones after this point), one
# rule per path.
# NOTE(review): the path names look like per-architecture builds of one payload;
# that is inferred from the names only, so confirm against the URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload"; depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817218/; classtype:trojan-activity;sid:84680318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.227.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817217/; classtype:trojan-activity;sid:84680317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coral5-index.suicideva1ny.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817216/; classtype:trojan-activity;sid:84680316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817209/; classtype:trojan-activity;sid:84680309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817210/; classtype:trojan-activity;sid:84680310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_arm"; 
depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817211/; classtype:trojan-activity;sid:84680311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817212/; classtype:trojan-activity;sid:84680312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817213/; classtype:trojan-activity;sid:84680313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817214/; classtype:trojan-activity;sid:84680314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m"; depth:2; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817215/; classtype:trojan-activity;sid:84680315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817208)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb2.go"; depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817208/; classtype:trojan-activity;sid:84680308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7"; depth:6; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817206/; classtype:trojan-activity;sid:84680306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817207/; classtype:trojan-activity;sid:84680307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb3.go"; depth:8; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817205/; classtype:trojan-activity;sid:84680305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_armv7"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817204/; classtype:trojan-activity;sid:84680304; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.207.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817203/; classtype:trojan-activity;sid:84680303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"switchfresh.suicideva1ny.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817202/; classtype:trojan-activity;sid:84680302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.135.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817201/; classtype:trojan-activity;sid:84680301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynvenis5.suicideva1ny.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817200/; classtype:trojan-activity;sid:84680300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817199)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ht1eqo.suicideva1ny.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817199/; classtype:trojan-activity;sid:84680299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.227.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817197/; classtype:trojan-activity;sid:84680297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.10.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817198/; classtype:trojan-activity;sid:84680298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.53.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817196/; classtype:trojan-activity;sid:84680296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.53.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817195/; 
classtype:trojan-activity;sid:84680295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"snow-cache.far-guess.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817194/; classtype:trojan-activity;sid:84680294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"review-spr.far-guess.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817193/; classtype:trojan-activity;sid:84680293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.229.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817192/; classtype:trojan-activity;sid:84680292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.198.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817190/; classtype:trojan-activity;sid:84680290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3817191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.192.233.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817191/; classtype:trojan-activity;sid:84680291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vitalpure.far-guess.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817189/; classtype:trojan-activity;sid:84680289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.176.104.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817188/; classtype:trojan-activity;sid:84680288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.253.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817187/; classtype:trojan-activity;sid:84680287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"olxx.far-guess.in.net"; 
depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817186/; classtype:trojan-activity;sid:84680286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kvtk.far-guess.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817185/; classtype:trojan-activity;sid:84680285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.205.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817184/; classtype:trojan-activity;sid:84680284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"izdmpn.far-guess.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817183/; classtype:trojan-activity;sid:84680283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.86.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817182/; classtype:trojan-activity;sid:84680282; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ummi5-mark.2rmpitoutstand.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817181/; classtype:trojan-activity;sid:84680281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.176.104.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817180/; classtype:trojan-activity;sid:84680280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abncti.2rmpitoutstand.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817179/; classtype:trojan-activity;sid:84680279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blwaa.2rmpitoutstand.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817178/; classtype:trojan-activity;sid:84680278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3817177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.229.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817177/; classtype:trojan-activity;sid:84680277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.215.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817176/; classtype:trojan-activity;sid:84680276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.75.142"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817175/; classtype:trojan-activity;sid:84680275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.138.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817174/; classtype:trojan-activity;sid:84680274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"southspring.2rmpitoutstand.in.net"; depth:33; isdataat:!1,relative; 
metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817173/; classtype:trojan-activity;sid:84680273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.204.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817172/; classtype:trojan-activity;sid:84680272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"atomicatom.2rmpitoutstand.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817171/; classtype:trojan-activity;sid:84680271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cell4-stream.2rmpitoutstand.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817170/; classtype:trojan-activity;sid:84680270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.46.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817169/; classtype:trojan-activity;sid:84680269; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817168/; classtype:trojan-activity;sid:84680268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nkhpvbun.recogniz-rural.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817167/; classtype:trojan-activity;sid:84680267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817166/; classtype:trojan-activity;sid:84680266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pale-prime.recogniz-rural.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817165/; classtype:trojan-activity;sid:84680265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817164)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.204.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817164/; classtype:trojan-activity;sid:84680264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"macrosummit.recogniz-rural.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817163/; classtype:trojan-activity;sid:84680263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lyav76.recogniz-rural.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817162/; classtype:trojan-activity;sid:84680262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.46.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817161/; classtype:trojan-activity;sid:84680261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"vk05p.recogniz-rural.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817160/; classtype:trojan-activity;sid:84680260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.253.133.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817159/; classtype:trojan-activity;sid:84680259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"104.32.65.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817158/; classtype:trojan-activity;sid:84680258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.49.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817157/; classtype:trojan-activity;sid:84680257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clinicfjord.recogniz-rural.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817156/; classtype:trojan-activity;sid:84680256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3817155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"royalemb.con9uerbunker.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817155/; classtype:trojan-activity;sid:84680255; rev:1;)
# Host 143.20.37.150, URI /huhu/titanjr.<suffix>: the rules from here on list one
# URI per suffix (arm7, i486, i686, arm6, ...), all on the same host.
# Each is an exact match: depth equal to the content length plus endswith pins the
# whole http.uri, and depth plus isdataat:!1,relative pins the whole http.host.
# A suffix that is not listed here is therefore not covered, and only plain-HTTP
# GET requests from $HOME_NET to $EXTERNAL_NET are inspected.
# NOTE(review): the suffixes look like CPU-architecture names, which would fit a
# single payload built for many device types; that is inferred from the names
# only, so confirm against the URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817150/; classtype:trojan-activity;sid:84680250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817151/; classtype:trojan-activity;sid:84680251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817152/; classtype:trojan-activity;sid:84680252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; 
content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817153/; classtype:trojan-activity;sid:84680253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817154/; classtype:trojan-activity;sid:84680254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817141/; classtype:trojan-activity;sid:84680241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817142/; classtype:trojan-activity;sid:84680242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817143/; classtype:trojan-activity;sid:84680243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3817144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817144/; classtype:trojan-activity;sid:84680244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817145/; classtype:trojan-activity;sid:84680245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817146/; classtype:trojan-activity;sid:84680246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817147/; classtype:trojan-activity;sid:84680247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817148/; 
classtype:trojan-activity;sid:84680248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817149/; classtype:trojan-activity;sid:84680249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"143.20.37.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817140/; classtype:trojan-activity;sid:84680240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b4y-signal.con9uerbunker.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817139/; classtype:trojan-activity;sid:84680239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/ja/random.exe"; depth:20; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817138/; classtype:trojan-activity;sid:84680238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817137)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.253.133.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817137/; classtype:trojan-activity;sid:84680237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.188.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817136/; classtype:trojan-activity;sid:84680236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"exposmot.con9uerbunker.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817135/; classtype:trojan-activity;sid:84680235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"v1al-sheet.con9uerbunker.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817134/; classtype:trojan-activity;sid:84680234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"reso1-cast.con9uerbunker.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817133/; classtype:trojan-activity;sid:84680233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.220.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817132/; classtype:trojan-activity;sid:84680232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"opticsswi.con9uerbunker.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817131/; classtype:trojan-activity;sid:84680231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pquyrk.qul2marox.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817130/; classtype:trojan-activity;sid:84680230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.49.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3817129/; classtype:trojan-activity;sid:84680229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.188.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817128/; classtype:trojan-activity;sid:84680228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"colorpastur.qul2marox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817127/; classtype:trojan-activity;sid:84680227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.220.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817125/; classtype:trojan-activity;sid:84680225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.36.107.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817126/; classtype:trojan-activity;sid:84680226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817124)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.103.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817124/; classtype:trojan-activity;sid:84680224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817123/; classtype:trojan-activity;sid:84680223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yjcyrpx.qul2marox.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817122/; classtype:trojan-activity;sid:84680222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"low.exphelp.life"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817121/; classtype:trojan-activity;sid:84680221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"like.exphelp.life"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817120/; 
classtype:trojan-activity;sid:84680220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t3st1-track.qul2marox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817119/; classtype:trojan-activity;sid:84680219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cddvp.qul2marox.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817118/; classtype:trojan-activity;sid:84680218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sound3-gate.qul2marox.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817117/; classtype:trojan-activity;sid:84680217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817116/; classtype:trojan-activity;sid:84680216; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.225.103.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817115/; classtype:trojan-activity;sid:84680215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ridg31-drive.norxevin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817114/; classtype:trojan-activity;sid:84680214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.33.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817113/; classtype:trojan-activity;sid:84680213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yarn"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817112/; classtype:trojan-activity;sid:84680212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/col.sh"; depth:12; endswith; nocase; http.host; 
content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817109/; classtype:trojan-activity;sid:84680209; rev:1;)
# The rules below share one pattern: a client-side GET on an established flow,
# an exact-match URI (content + depth + endswith, case-insensitive) and an
# exact-match Host header (content + depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla2.sh"; depth:13; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817110/; classtype:trojan-activity;sid:84680210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin"; depth:9; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817111/; classtype:trojan-activity;sid:84680211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"merdraex.norxevin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817108/; classtype:trojan-activity;sid:84680208; rev:1;)
# NOTE(review): http.uri is Suricata's normalized URI buffer, and the Suricata
# documentation states that a doubled leading slash is reduced to a single "/".
# If that normalization applies to "///arm5", the 7-byte content below cannot
# match and this rule gives no coverage. Confirm against a test pcap; if it does
# not fire, carry a local copy (own sid) that matches on http.uri.raw instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817107/; classtype:trojan-activity;sid:84680207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3817106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/farhoud/wsfr9o7.exe"; depth:20; endswith; nocase; http.host; content:"31.57.97.180"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817106/; classtype:trojan-activity;sid:84680206; rev:1;)
# NOTE(review): the rules in this listing for github.com and
# raw.githubusercontent.com are "alert http" rules, so they only see cleartext
# HTTP. These hosts are normally fetched over HTTPS; unless TLS is decrypted
# before the sensor, expect no alerts from them. Treat them as covering only
# clients that request the URL over plain HTTP, and rely on proxy or endpoint
# telemetry for the HTTPS case. Alerting on the hostname alone (SNI/DNS) is not
# a substitute, since these are shared hosting domains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/absencecampstool380/server-query-fake-player-count/raw/refs/heads/main/embark/player-fake-server-query-count-2.9-alpha.5.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817105/; classtype:trojan-activity;sid:84680205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.4.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817104/; classtype:trojan-activity;sid:84680204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/absencecampstool380/server-query-fake-player-count/refs/heads/main/embark/player-fake-server-query-count-2.9-alpha.5.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817103/; classtype:trojan-activity;sid:84680203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817102)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"imag-media.norxevin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817102/; classtype:trojan-activity;sid:84680202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.165.93.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817101/; classtype:trojan-activity;sid:84680201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kfhogts"; depth:8; endswith; nocase; http.host; content:"43.228.157.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817100/; classtype:trojan-activity;sid:84680200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/midwestgrey.exe"; depth:16; endswith; nocase; http.host; content:"43.228.157.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817099/; classtype:trojan-activity;sid:84680199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.247.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3817098/; classtype:trojan-activity;sid:84680198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dockbrok.norxevin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817097/; classtype:trojan-activity;sid:84680197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.100.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817096/; classtype:trojan-activity;sid:84680196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.33.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817095/; classtype:trojan-activity;sid:84680195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hoyjyxdc.norxevin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817094/; classtype:trojan-activity;sid:84680194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3817093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.89.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817093/; classtype:trojan-activity;sid:84680193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr1m-forge.norxevin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817092/; classtype:trojan-activity;sid:84680192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"printscar.bry5laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817091/; classtype:trojan-activity;sid:84680191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freightrap.bry5laxon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817079/; classtype:trojan-activity;sid:84680179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817078)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.100.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817078/; classtype:trojan-activity;sid:84680178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cliff-hinge.bry5laxon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817077/; classtype:trojan-activity;sid:84680177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.247.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817067/; classtype:trojan-activity;sid:84680167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ap-pulse.bry5laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817066/; classtype:trojan-activity;sid:84680166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.165.93.226"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817065/; classtype:trojan-activity;sid:84680165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-draon.bry5laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817064/; classtype:trojan-activity;sid:84680164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.42.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817063/; classtype:trojan-activity;sid:84680163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"basi-sand.bry5laxon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817061/; classtype:trojan-activity;sid:84680161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkkzzz.zip"; depth:11; endswith; nocase; http.host; content:"38.60.241.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817062/; classtype:trojan-activity;sid:84680162; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-f0x.travixon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817060/; classtype:trojan-activity;sid:84680160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.171.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817059/; classtype:trojan-activity;sid:84680159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilbertgabe/tuneskit-iphone-unlocker-2-5-0-9-premium-tools/refs/heads/branch/overfearful/premium_iphone_unlocker_tools_tuneskit_2.4.zip"; depth:136; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817057/; classtype:trojan-activity;sid:84680157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwindoremi/asterisk/raw/refs/heads/main/templates/software_2.1.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817058/; classtype:trojan-activity;sid:84680158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3817053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/website-kp/raw/refs/heads/main/one-health/assets/website_kp_2.1.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817053/; classtype:trojan-activity;sid:84680153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilbertgabe/valthrun-cs2/raw/refs/heads/main/radar/shared/src/bin/valthrun_cs_v3.6.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817054/; classtype:trojan-activity;sid:84680154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilbertgabe/tuneskit-iphone-unlocker-2-5-0-9-premium-tools/raw/refs/heads/branch/overfearful/premium_iphone_unlocker_tools_tuneskit_2.4.zip"; depth:140; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817055/; classtype:trojan-activity;sid:84680155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/website-kp/refs/heads/main/one-health/assets/website_kp_2.1.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817056/; classtype:trojan-activity;sid:84680156; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwindoremi/asterisk/refs/heads/main/templates/software_2.1.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817049/; classtype:trojan-activity;sid:84680149; rev:1;)
# NOTE(review): the next two rules match the literal bytes "%20" inside
# http.uri. Per the Suricata documentation http.uri is the normalized buffer,
# in which "%20" is converted to a space, while the percent-encoded form is only
# visible in http.uri.raw. As written, the content (and the depth of 86 / 90,
# which counts the encoded form) is therefore not expected to match the
# normalized URI. Verify with a test request before counting these sids as
# coverage; a local variant (own sid) would match on http.uri.raw.
# Both hosts are also normally served over HTTPS, so an "alert http" rule only
# sees this download when it is requested in cleartext or TLS is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/praktikum2020/refs/heads/master/modul%20pdf/praktikum_2.9-beta.1.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817050/; classtype:trojan-activity;sid:84680150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/praktikum2020/raw/refs/heads/master/modul%20pdf/praktikum_2.9-beta.1.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817051/; classtype:trojan-activity;sid:84680151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilbertgabe/valthrun-cs2/refs/heads/main/radar/shared/src/bin/valthrun_cs_v3.6.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817052/; classtype:trojan-activity;sid:84680152; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/live-chat-app/raw/refs/heads/main/backend/node_modules/undefsafe/lib/app-chat-live-2.7.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817048/; classtype:trojan-activity;sid:84680148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/travel-website/raw/refs/heads/main/images/website-travel-2.2.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817047/; classtype:trojan-activity;sid:84680147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/travel-website/refs/heads/main/images/website-travel-2.2.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817046/; classtype:trojan-activity;sid:84680146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/live-chat-app/refs/heads/main/backend/node_modules/undefsafe/lib/app-chat-live-2.7.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817043/; classtype:trojan-activity;sid:84680143; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/d/chromelevator.exe"; depth:24; endswith; nocase; http.host; content:"quaxcheck.com.tr"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817044/; classtype:trojan-activity;sid:84680144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghost1959/indies-on-solana/raw/refs/heads/main/.idea/inspectionprofiles/indies-solana-on-v3.5.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817045/; classtype:trojan-activity;sid:84680145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/pong-remake/raw/refs/heads/main/stroup/remake_pong_v1.2-alpha.3.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817042/; classtype:trojan-activity;sid:84680142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavchaure/pong-remake/refs/heads/main/stroup/remake_pong_v1.2-alpha.3.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817040/; classtype:trojan-activity;sid:84680140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3817041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghost1959/indies-on-solana/refs/heads/main/.idea/inspectionprofiles/indies-solana-on-v3.5.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817041/; classtype:trojan-activity;sid:84680141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/login-and-registration-using-room-database/raw/refs/heads/master/chord/login_and_database_registration_room_using_3.9.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817039/; classtype:trojan-activity;sid:84680139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/lib/raw/refs/heads/master/referral/software-3.2.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817038/; classtype:trojan-activity;sid:84680138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/login-and-registration-using-room-database/refs/heads/master/chord/login_and_database_registration_room_using_3.9.zip"; depth:129; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817036/; classtype:trojan-activity;sid:84680136; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/swaybaeofficial-v2/refs/heads/master/barrandite/swaybaeofficial_v_3.8.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817037/; classtype:trojan-activity;sid:84680137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manimahsoub/individual_level_project/raw/refs/heads/main/pinny/project_level_individual_v2.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817033/; classtype:trojan-activity;sid:84680133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/lib/refs/heads/master/referral/software-3.2.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817034/; classtype:trojan-activity;sid:84680134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaradhya26/swaybaeofficial-v2/raw/refs/heads/master/barrandite/swaybaeofficial_v_3.8.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817035/; classtype:trojan-activity;sid:84680135; rev:1;) 
# Review notes for the rules that start on this line: sids 84680131, 84680132 and 84680130
# (the rule for URLhaus id 3817029 begins here and continues past the end of the line).
#
# Exact-URL matching: in each rule the http.uri content carries a depth equal to the content
# length plus endswith, and the http.host content carries a depth equal to the host length plus
# isdataat:!1,relative, so nothing may precede or follow either string. nocase on the URI makes
# the path comparison case-insensitive.
#
# Scope: the match is one file path on github.com / raw.githubusercontent.com, not the hosting
# platform as a whole. Triage an alert as "this client requested this specific file".
#
# Visibility: `alert http` inspects parsed HTTP requests. A request carried inside TLS reaches
# these rules only where the sensor sees decrypted traffic.
# NOTE(review): confirm the sensor's decryption coverage before relying on these rules for
# hosts that are normally reached over HTTPS.
#
# Encoding: sid 84680131 spells the path segment "@openzeppelin" while sid 84680130 spells it
# "%40openzeppelin". http.uri is the normalized URI buffer, so which spelling the buffer holds
# depends on the HTTP parser's percent-decoding settings.
# NOTE(review): verify on the sensor which form matches; http.uri.raw matches the bytes as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bartgastra/web3-rpg/raw/refs/heads/main/contracts/typechain-types/@openzeppelin/contracts/utils/introspection/web_rpg_verulamian.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817031/; classtype:trojan-activity;sid:84680131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manimahsoub/individual_level_project/refs/heads/main/pinny/project_level_individual_v2.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817032/; classtype:trojan-activity;sid:84680132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bartgastra/web3-rpg/refs/heads/main/contracts/typechain-types/%40openzeppelin/contracts/utils/introspection/web_rpg_verulamian.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817030/; classtype:trojan-activity;sid:84680130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f0res-frame.travixon.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817029/; classtype:trojan-activity;sid:84680129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sha-dow837/memory-game/refs/heads/main/overlinger/game_memory_1.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817028/; classtype:trojan-activity;sid:84680128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wmmahdi/wmmahdi.github.io/refs/heads/main/uncolored/github-wmmahdi-io-v3.3.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817022/; classtype:trojan-activity;sid:84680122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozomake/lightbrush-moestradamus-art/raw/refs/heads/main/src/components/layout/moestradamus_art_lightbrush_v3.8.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817023/; classtype:trojan-activity;sid:84680123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sha-dow837/curriculum/refs/heads/master/javascript/javascript-playground-questions/js-beginning-and-end-pairs/software_v2.0-alpha.2.zip"; depth:136; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817024/; classtype:trojan-activity;sid:84680124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/michaelnxdstan/intelligentvramnode/refs/heads/main/nimmer/intelligent_vram_node_v3.4.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817025/; classtype:trojan-activity;sid:84680125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozomake/lightbrush-moestradamus-art/refs/heads/main/src/components/layout/moestradamus_art_lightbrush_v3.8.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817026/; classtype:trojan-activity;sid:84680126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/michaelnxdstan/intelligentvramnode/raw/refs/heads/main/nimmer/intelligent_vram_node_v3.4.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817027/; classtype:trojan-activity;sid:84680127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817021)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wmmahdi/rps-plus-gemini-ai/raw/refs/heads/main/frontend/rps-plus-ai-gemini-v1.7.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817021/; classtype:trojan-activity;sid:84680121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sha-dow837/curriculum/raw/refs/heads/master/javascript/javascript-playground-questions/js-beginning-and-end-pairs/software_v2.0-alpha.2.zip"; depth:140; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817020/; classtype:trojan-activity;sid:84680120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/walletmfi/c64stream/refs/heads/main/tools/stream-c-v1.0.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817018/; classtype:trojan-activity;sid:84680118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedraodugas/raylibue/refs/heads/main/source/raylibue/private/raylib-ue-v3.5-alpha.4.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817019/; classtype:trojan-activity;sid:84680119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817013)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sha-dow837/memory-game/raw/refs/heads/main/overlinger/game_memory_1.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817013/; classtype:trojan-activity;sid:84680113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wmmahdi/wmmahdi.github.io/raw/refs/heads/main/uncolored/github-wmmahdi-io-v3.3.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817014/; classtype:trojan-activity;sid:84680114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wmmahdi/rps-plus-gemini-ai/refs/heads/main/frontend/rps-plus-ai-gemini-v1.7.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817015/; classtype:trojan-activity;sid:84680115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedraodugas/raylibue/raw/refs/heads/main/source/raylibue/private/raylib-ue-v3.5-alpha.4.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817016/; classtype:trojan-activity;sid:84680116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817017)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/walletmfi/c64stream/raw/refs/heads/main/tools/stream-c-v1.0.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817017/; classtype:trojan-activity;sid:84680117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"n0hi.travixon.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817012/; classtype:trojan-activity;sid:84680112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.42.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817011/; classtype:trojan-activity;sid:84680111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su3488499/su3488499.github.io/raw/refs/heads/main/brunelliaceae/io-github-su-v3.4-alpha.3.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817009/; classtype:trojan-activity;sid:84680109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtvcode97/long/raw/refs/heads/main/long/long/message1.txt"; depth:58; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817010/; classtype:trojan-activity;sid:84680110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtvcode97/long/refs/heads/main/long/long/message1.txt"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817008/; classtype:trojan-activity;sid:84680108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawamoah/tetris-on-base/raw/refs/heads/main/tetris-on-base/app/api/base_tetris_on_v3.4.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817007/; classtype:trojan-activity;sid:84680107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawamoah/yawamoah.github.io/refs/heads/main/steppe/io-github-yawamoah-disbalancement.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817003/; classtype:trojan-activity;sid:84680103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817004)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/su3488499/sourendatta_mega-html-css-project_aeroui-design-system/refs/heads/main/css/system-datta-cs-htm-u-mega-design-souren-aero-project-cariama.zip"; depth:151; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817004/; classtype:trojan-activity;sid:84680104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmadshahid12/ft_transcendence/raw/refs/heads/main/frontend/transcendence_ft_v2.5-alpha.4.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817005/; classtype:trojan-activity;sid:84680105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su3488499/su3488499.github.io/refs/heads/main/brunelliaceae/io-github-su-v3.4-alpha.3.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817006/; classtype:trojan-activity;sid:84680106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawamoah/tetris-on-base/refs/heads/main/tetris-on-base/app/api/base_tetris_on_v3.4.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817001/; classtype:trojan-activity;sid:84680101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3817002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmadshahid12/ahmadshahid12.github.io/raw/refs/heads/main/semianarchist/github_ahmadshahid_io_2.4.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817002/; classtype:trojan-activity;sid:84680102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmadshahid12/ft_transcendence/refs/heads/main/frontend/transcendence_ft_v2.5-alpha.4.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816999/; classtype:trojan-activity;sid:84680099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su3488499/sourendatta_mega-html-css-project_aeroui-design-system/raw/refs/heads/main/css/system-datta-cs-htm-u-mega-design-souren-aero-project-cariama.zip"; depth:155; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817000/; classtype:trojan-activity;sid:84680100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmadshahid12/ahmadshahid12.github.io/refs/heads/main/semianarchist/github_ahmadshahid_io_2.4.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816997/; 
classtype:trojan-activity;sid:84680097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawamoah/yawamoah.github.io/raw/refs/heads/main/steppe/io-github-yawamoah-disbalancement.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816998/; classtype:trojan-activity;sid:84680098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.81.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816996/; classtype:trojan-activity;sid:84680096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sketcult.travixon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816995/; classtype:trojan-activity;sid:84680095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gehansa/gehansa.github.io/raw/refs/heads/main/impetition/io-gehansa-github-1.0.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816994/; classtype:trojan-activity;sid:84680094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3816993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riskijeki57/riskijeki57.github.io/refs/heads/main/concupy/github_riskijeki_io_v3.9.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816993/; classtype:trojan-activity;sid:84680093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riskijeki57/riskijeki57.github.io/raw/refs/heads/main/concupy/github_riskijeki_io_v3.9.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816992/; classtype:trojan-activity;sid:84680092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gehansa/3ds-shader-modifier/refs/heads/main/logodaedaly/shader_d_modifier_v1.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816991/; classtype:trojan-activity;sid:84680091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riskijeki57/native-snake-ai/refs/heads/master/ovey/snake-ai-native-v3.7.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816990/; classtype:trojan-activity;sid:84680090; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riskijeki57/native-snake-ai/raw/refs/heads/master/ovey/snake-ai-native-v3.7.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816989/; classtype:trojan-activity;sid:84680089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gehansa/3ds-shader-modifier/raw/refs/heads/main/logodaedaly/shader_d_modifier_v1.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816987/; classtype:trojan-activity;sid:84680087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gehansa/gehansa.github.io/refs/heads/main/impetition/io-gehansa-github-1.0.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816988/; classtype:trojan-activity;sid:84680088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; endswith; nocase; http.host; content:"130.94.41.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816986/; classtype:trojan-activity;sid:84680086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816985)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tricrestum.travixon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816985/; classtype:trojan-activity;sid:84680085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rur414-line.travixon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816984/; classtype:trojan-activity;sid:84680084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.198.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816983/; classtype:trojan-activity;sid:84680083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"letteneed.zeq8morin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816982/; classtype:trojan-activity;sid:84680082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816981)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pjrlyy.zeq8morin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816981/; classtype:trojan-activity;sid:84680081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.4.9"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816980/; classtype:trojan-activity;sid:84680080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.15.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816979/; classtype:trojan-activity;sid:84680079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdasrfj.zeq8morin.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816978/; classtype:trojan-activity;sid:84680078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"irfy5j.zeq8morin.in.net"; 
depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816977/; classtype:trojan-activity;sid:84680077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816976/; classtype:trojan-activity;sid:84680076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.198.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816975/; classtype:trojan-activity;sid:84680075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.234.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816974/; classtype:trojan-activity;sid:84680074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deepoutl.zeq8morin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816973/; classtype:trojan-activity;sid:84680073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3816972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-proxyd"; depth:18; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816972/; classtype:trojan-activity;sid:84680072; rev:1;)
# NOTE(review): each rule here pins one exact request. depth equals the
# content length, and endswith (http.uri) / isdataat:!1,relative (http.host)
# require the buffer to end right after the match, so the whole URI and the
# whole host value must equal the listed strings. The same path with a query
# string appended, or any other path on 130.12.180.16, will not alert.
# Given how many payload paths are listed for this one host, triage any HTTP
# contact with it rather than relying on the per-file rules alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-scand"; depth:17; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816958/; classtype:trojan-activity;sid:84680058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-runcd"; depth:12; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816959/; classtype:trojan-activity;sid:84680059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-sbomd"; depth:17; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816960/; classtype:trojan-activity;sid:84680060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-runcd"; depth:17; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816961/; 
classtype:trojan-activity;sid:84680061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-buildxd"; depth:14; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816962/; classtype:trojan-activity;sid:84680062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-daemon"; depth:13; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816963/; classtype:trojan-activity;sid:84680063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-daemon"; depth:18; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816964/; classtype:trojan-activity;sid:84680064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-conteinerd-shim"; depth:22; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816965/; classtype:trojan-activity;sid:84680065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-swarmd"; depth:13; endswith; nocase; http.host; 
content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816966/; classtype:trojan-activity;sid:84680066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-composd"; depth:19; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816967/; classtype:trojan-activity;sid:84680067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-sbomd"; depth:12; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816968/; classtype:trojan-activity;sid:84680068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-conteinerd"; depth:17; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816969/; classtype:trojan-activity;sid:84680069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-composd"; depth:14; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816970/; classtype:trojan-activity;sid:84680070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816971)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-buildxd"; depth:19; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816971/; classtype:trojan-activity;sid:84680071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-scoutd"; depth:18; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816944/; classtype:trojan-activity;sid:84680044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-proxyd"; depth:13; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816945/; classtype:trojan-activity;sid:84680045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-conteinerd"; depth:22; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816946/; classtype:trojan-activity;sid:84680046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-conteinerd-shim"; depth:27; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816947/; 
classtype:trojan-activity;sid:84680047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-credentiald"; depth:18; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816948/; classtype:trojan-activity;sid:84680048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-scoutd"; depth:13; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816949/; classtype:trojan-activity;sid:84680049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-swarmd"; depth:18; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816950/; classtype:trojan-activity;sid:84680050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-credentiald"; depth:23; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816951/; classtype:trojan-activity;sid:84680051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armada"; depth:12; endswith; nocase; http.host; 
content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816952/; classtype:trojan-activity;sid:84680052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-initd"; depth:12; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816953/; classtype:trojan-activity;sid:84680053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redis-scand"; depth:12; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816954/; classtype:trojan-activity;sid:84680054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.4.9"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816955/; classtype:trojan-activity;sid:84680055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/redis-initd"; depth:17; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816956/; classtype:trojan-activity;sid:84680056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816957)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armada"; depth:7; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816957/; classtype:trojan-activity;sid:84680057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/init.sh"; depth:8; endswith; nocase; http.host; content:"130.12.180.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816943/; classtype:trojan-activity;sid:84680043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sapcha.zeq8morin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816942/; classtype:trojan-activity;sid:84680042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.225.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816941/; classtype:trojan-activity;sid:84680041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system.vbs"; depth:11; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3816940/; classtype:trojan-activity;sid:84680040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"summ4-field.klinavor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816939/; classtype:trojan-activity;sid:84680039; rev:1;)
# NOTE(review): the next rule (sid 84680038) has the same match conditions
# as sid 84680040 (URLhaus entry 3816940): GET "/system.vbs" on host
# 178.16.55.80. One matching request therefore raises two alerts that differ
# only in sid and reference; deduplicate on host + URI when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system.vbs"; depth:11; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816938/; classtype:trojan-activity;sid:84680038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.15.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816937/; classtype:trojan-activity;sid:84680037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816936/; classtype:trojan-activity;sid:84680036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816935)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ewoba/ewoba.github.io/refs/heads/main/lampoon/io_github_ewoba_v3.4.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816935/; classtype:trojan-activity;sid:84680035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewoba/kick-tg-rewards/raw/refs/heads/main/backend-python/rem/lib/site-packages/pip/_vendor/packaging/tg-kick-rewards-v2.9.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816934/; classtype:trojan-activity;sid:84680034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/pato851.github.io/raw/refs/heads/main/supraterraneous/io-github-pato-2.6.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816932/; classtype:trojan-activity;sid:84680032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewoba/ewoba.github.io/raw/refs/heads/main/lampoon/io_github_ewoba_v3.4.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816933/; classtype:trojan-activity;sid:84680033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816928)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ewoba/kick-tg-rewards/refs/heads/main/backend-python/rem/lib/site-packages/pip/_vendor/packaging/tg-kick-rewards-v2.9.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816928/; classtype:trojan-activity;sid:84680028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/rock-breaker/refs/heads/main/src/components/rock_breaker_v1.9.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816929/; classtype:trojan-activity;sid:84680029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/rock-breaker/raw/refs/heads/main/src/components/rock_breaker_v1.9.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816930/; classtype:trojan-activity;sid:84680030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/pato851.github.io/refs/heads/main/supraterraneous/io-github-pato-2.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816931/; classtype:trojan-activity;sid:84680031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816927)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sparrowultra.klinavor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816927/; classtype:trojan-activity;sid:84680027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816925/; classtype:trojan-activity;sid:84680025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816926/; classtype:trojan-activity;sid:84680026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816924/; classtype:trojan-activity;sid:84680024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/infinity-snip3/raw/refs/heads/master/audio/infinity_snip_screeve.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816923/; classtype:trojan-activity;sid:84680023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/talktobaby.github.io/raw/refs/heads/main/hymeneals/talktobaby-io-github-v1.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816921/; classtype:trojan-activity;sid:84680021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/infinity-snip3/refs/heads/master/audio/infinity_snip_screeve.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816922/; classtype:trojan-activity;sid:84680022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/talktobaby.github.io/refs/heads/main/hymeneals/talktobaby-io-github-v1.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816920/; classtype:trojan-activity;sid:84680020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.130.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3816919/; classtype:trojan-activity;sid:84680019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816917/; classtype:trojan-activity;sid:84680017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.234.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816918/; classtype:trojan-activity;sid:84680018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mhkugefu.klinavor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816916/; classtype:trojan-activity;sid:84680016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.225.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816915/; classtype:trojan-activity;sid:84680015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816914)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.82.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816914/; classtype:trojan-activity;sid:84680014; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Every rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values: depth is the content length, and endswith / isdataat:!1,relative pin the end
# of the buffer, so each content is a whole-buffer match, not a substring.
# The number in msg is the URLhaus entry id that reference:url points to.
# These are exact-URL indicators: a request that appends a query string or uses a
# different hostname for the same path is not covered by the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.58.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816913/; classtype:trojan-activity;sid:84680013; rev:1;)
# The long *.google URI below recurs in this listing with only the Host changing
# (subdomains of klinavor.in.net and vo3xiran.in.net in this stretch). A sibling hostname
# that is not yet in the feed will not match; NOTE(review): consider a host-independent
# search for this URI in proxy or HTTP logs when one of these fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5xhr.klinavor.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816912/; classtype:trojan-activity;sid:84680012; rev:1;)
# 42.225.62.169 and 27.207.82.181 each appear with both /i and /bin.sh in this stretch;
# grouping alerts by destination host keeps the related hits together during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.62.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816911/; classtype:trojan-activity;sid:84680011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.11.208"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816910/; classtype:trojan-activity;sid:84680010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynspireis.klinavor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816909/; classtype:trojan-activity;sid:84680009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.62.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816908/; classtype:trojan-activity;sid:84680008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.82.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816907/; classtype:trojan-activity;sid:84680007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rn1no-hold.klinavor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816906/; classtype:trojan-activity;sid:84680006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.247.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816905/; classtype:trojan-activity;sid:84680005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816904/; classtype:trojan-activity;sid:84680004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dosb0zd.vo3xiran.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816903/; classtype:trojan-activity;sid:84680003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816902/; classtype:trojan-activity;sid:84680002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.146.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816901/; classtype:trojan-activity;sid:84680001; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pulse1-phase.vo3xiran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816900/; classtype:trojan-activity;sid:84680000; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values; depth equals the content length and endswith / isdataat:!1,relative pin the
# end of the buffer, so these are whole-buffer matches on one exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.11.208"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816899/; classtype:trojan-activity;sid:84679999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.111.204.158"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816898/; classtype:trojan-activity;sid:84679998; rev:1;)
# GitHub-hosted archives. Each file is listed twice: once under github.com with a
# /raw/ path segment and once under raw.githubusercontent.com without it.
# The Host value alone is not the indicator; the rule also needs the exact repository
# path, so ordinary traffic to these hosts does not match.
# NOTE(review): both hosts are normally reached over HTTPS, and an "alert http" rule only
# sees traffic Suricata parses as HTTP. Expect these to fire only on a plaintext request
# or where TLS is decrypted ahead of the sensor; confirm that visibility before counting
# on them, and cover the same URLs in proxy or endpoint telemetry otherwise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/servermaker/raw/refs/heads/main/data/maker_server_v3.5.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816897/; classtype:trojan-activity;sid:84679997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/beast700.github.io/refs/heads/main/still/beast_io_github_2.9.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816896/; classtype:trojan-activity;sid:84679996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/flexlkgaming-com/refs/heads/main/firmhearted/com_flexlkgaming_1.9.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816895/; classtype:trojan-activity;sid:84679995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/flexlkgaming-com/raw/refs/heads/main/firmhearted/com_flexlkgaming_1.9.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816893/; classtype:trojan-activity;sid:84679993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/beast700.github.io/raw/refs/heads/main/still/beast_io_github_2.9.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816894/; classtype:trojan-activity;sid:84679994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/servermaker/refs/heads/main/data/maker_server_v3.5.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816892/; classtype:trojan-activity;sid:84679992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neura-vector.vo3xiran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816891/; classtype:trojan-activity;sid:84679991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.247.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816890/; classtype:trojan-activity;sid:84679990; rev:1;)
# Second group of GitHub-hosted archives; the HTTPS visibility caveat above applies here too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/xfoxusx.github.io/raw/refs/heads/main/arsenism/github_io_xfoxusx_v1.7.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816888/; classtype:trojan-activity;sid:84679988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/arduino-joystick-and-servo-control/raw/refs/heads/main/lection/servo-arduino-control-and-joystick-1.1.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816889/; classtype:trojan-activity;sid:84679989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/arduino-joystick-and-servo-control/refs/heads/main/lection/servo-arduino-control-and-joystick-1.1.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816887/; classtype:trojan-activity;sid:84679987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/xfoxusx.github.io/refs/heads/main/arsenism/github_io_xfoxusx_v1.7.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816886/; classtype:trojan-activity;sid:84679986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epdevmgr.dll"; depth:13; endswith; nocase; http.host; content:"app.cc-coins.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816885/; classtype:trojan-activity;sid:84679985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816884)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mogen.vo3xiran.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816884/; classtype:trojan-activity;sid:84679984; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values; depth equals the content length and endswith / isdataat:!1,relative pin the
# end of the buffer, so these are whole-buffer matches on one exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816883/; classtype:trojan-activity;sid:84679983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.228.61.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816882/; classtype:trojan-activity;sid:84679982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cmomy7g.vo3xiran.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816881/; classtype:trojan-activity;sid:84679980; rev:1;)
# Three entries for the same host, 154.36.188.81: one .exe and two .js files.
# NOTE(review): the next rule matches the literal bytes "%20" in http.uri with depth:28.
# Suricata documents http.uri as the normalized URI, in which %20 is decoded to a space,
# and http.uri.raw as the buffer that keeps the encoded form. If that holds on your
# version, this signature cannot match a request for this file; test it with a replayed
# request and, if it stays silent, add a local rule on http.uri.raw (or on the decoded
# path with a 26-byte depth) under your own sid rather than editing the feed rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openclaw%20installation.exe"; depth:28; endswith; nocase; http.host; content:"154.36.188.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816880/; classtype:trojan-activity;sid:84679980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/150.js"; depth:7; endswith; nocase; http.host; content:"154.36.188.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816878/; classtype:trojan-activity;sid:84679978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ware.js"; depth:8; endswith; nocase; http.host; content:"154.36.188.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816879/; classtype:trojan-activity;sid:84679979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.111.204.158"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816877/; classtype:trojan-activity;sid:84679977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"glypipeli.vo3xiran.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816876/; classtype:trojan-activity;sid:84679976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816875)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.146.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816875/; classtype:trojan-activity;sid:84679975; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values; depth equals the content length and endswith / isdataat:!1,relative pin the
# end of the buffer, so these are whole-buffer matches on one exact URL.
# The long *.google URI recurs below with only the Host changing (subdomains of
# drumoxel.in.net in this stretch); a sibling hostname not yet in the feed will not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"outletarray.drumoxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816874/; classtype:trojan-activity;sid:84679974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.231.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816873/; classtype:trojan-activity;sid:84679973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-cornp.drumoxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816872/; classtype:trojan-activity;sid:84679972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.160.33"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816871/; classtype:trojan-activity;sid:84679971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816870/; classtype:trojan-activity;sid:84679970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scalelabel.drumoxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816869/; classtype:trojan-activity;sid:84679969; rev:1;)
# NOTE(review): sid 84679968 (next rule) and sid 84679963 (further down) carry identical
# match options, GET /cgi-bin.exe with Host 193.233.89.32, so one request raises two
# alerts. The two URLhaus entries presumably differ in something the rule does not encode
# (scheme or port; the rule header uses "any"). Check the referenced entries and, if the
# duplication is confirmed, suppress or threshold one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin.exe"; depth:12; endswith; nocase; http.host; content:"193.233.89.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816868/; classtype:trojan-activity;sid:84679968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin.exe"; depth:12; endswith; nocase; http.host; content:"pl.avgkrbw.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816867/; classtype:trojan-activity;sid:84679967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dawnbold.drumoxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816865/; classtype:trojan-activity;sid:84679965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.196.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816864/; classtype:trojan-activity;sid:84679964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin.exe"; depth:12; endswith; nocase; http.host; content:"193.233.89.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816863/; classtype:trojan-activity;sid:84679963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.33.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816862/; classtype:trojan-activity;sid:84679962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyndra8al.drumoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816861/; classtype:trojan-activity;sid:84679961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jymbrdt.drumoxel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816860/; classtype:trojan-activity;sid:84679960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.107.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816858/; classtype:trojan-activity;sid:84679958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816859/; classtype:trojan-activity;sid:84679959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.231.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816857/; classtype:trojan-activity;sid:84679957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3816856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.45.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816856/; classtype:trojan-activity;sid:84679956; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values; depth equals the content length and endswith / isdataat:!1,relative pin the
# end of the buffer, so these are whole-buffer matches on one exact URL.
# The long *.google URI recurs below with only the Host changing (subdomains of
# pra7vexal.in.net in this stretch); a sibling hostname not yet in the feed will not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-runvv.pra7vexal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816855/; classtype:trojan-activity;sid:84679955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.247.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816854/; classtype:trojan-activity;sid:84679954; rev:1;)
# Several hosts here are listed with both /i and /bin.sh (42.227.32.202 has /i just
# below; 27.204.196.191, 112.248.107.147 and 27.215.45.26 have /bin.sh); grouping alerts
# by destination host keeps the related hits together during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.32.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816853/; classtype:trojan-activity;sid:84679953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.196.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816852/; classtype:trojan-activity;sid:84679952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"anccompi.pra7vexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816851/; classtype:trojan-activity;sid:84679951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"timbecor.pra7vexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816850/; classtype:trojan-activity;sid:84679950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.141.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816849/; classtype:trojan-activity;sid:84679949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.107.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816848/; classtype:trojan-activity;sid:84679948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816847/; classtype:trojan-activity;sid:84679947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kel-valear.pra7vexal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816846/; classtype:trojan-activity;sid:84679946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.45.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816845/; classtype:trojan-activity;sid:84679945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f1x8-point.pra7vexal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816844/; classtype:trojan-activity;sid:84679944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host;
content:"115.49.120.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816843/; classtype:trojan-activity;sid:84679943; rev:1;)
# URLhaus entries dated 2026_04_12, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (any port) whose URI and Host both equal the listed
# values; depth equals the content length and endswith / isdataat:!1,relative pin the
# end of the buffer, so these are whole-buffer matches on one exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.32.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816842/; classtype:trojan-activity;sid:84679942; rev:1;)
# GitHub-hosted archives. Each file is listed twice: once under github.com with a
# /raw/ path segment and once under raw.githubusercontent.com without it.
# The Host value alone is not the indicator; the rule also needs the exact repository
# path, so ordinary traffic to these hosts does not match.
# NOTE(review): both hosts are normally reached over HTTPS, and an "alert http" rule only
# sees traffic Suricata parses as HTTP. Expect these to fire only on a plaintext request
# or where TLS is decrypted ahead of the sensor; confirm that visibility before counting
# on them, and cover the same URLs in proxy or endpoint telemetry otherwise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/tic_tac_toe/refs/heads/main/auriculae/toe-tic-tac-v3.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816841/; classtype:trojan-activity;sid:84679941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/32/raw/refs/heads/main/app/(public)/contact/software_v1.6-beta.5.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816837/; classtype:trojan-activity;sid:84679937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/abdalrhmanasif5.github.io/refs/heads/main/torques/github_io_abdalrhmanasif_screwsman.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816838/; classtype:trojan-activity;sid:84679938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/abdalrhmanasif5.github.io/raw/refs/heads/main/torques/github_io_abdalrhmanasif_screwsman.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816839/; classtype:trojan-activity;sid:84679939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/tic_tac_toe/raw/refs/heads/main/auriculae/toe-tic-tac-v3.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816840/; classtype:trojan-activity;sid:84679940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/32/refs/heads/main/app/(public)/contact/software_v1.6-beta.5.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816836/; classtype:trojan-activity;sid:84679936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.42.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816835/; classtype:trojan-activity;sid:84679935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zendra6a.pra7vexal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816834/; classtype:trojan-activity;sid:84679934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.55.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816833/; classtype:trojan-activity;sid:84679933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.161.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816832/; classtype:trojan-activity;sid:84679932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.103.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816831/; classtype:trojan-activity;sid:84679931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nf59jdtk.xeltronix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816830/; classtype:trojan-activity;sid:84679930; rev:1;)
# Three entries for the same host, 77.110.125.145: two .txt files and one shell script.
# A hit on any of them is a reason to review the client's other requests to that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q11.txt"; depth:8; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816829/; classtype:trojan-activity;sid:84679929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q12.txt"; depth:8; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816828/; classtype:trojan-activity;sid:84679928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghost.sh"; depth:9; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816827/; classtype:trojan-activity;sid:84679927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.120.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816826/; classtype:trojan-activity;sid:84679926; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the URLhaus entries below (all created_at 2026_04_12).
# One rule per line, as Suricata expects.
#
# Shape shared by every rule in this group:
#   * alert http $HOME_NET -> $EXTERNAL_NET with flow:established,from_client:
#     only client requests leaving HOME_NET are inspected, and the action is
#     alert (detection only, nothing is blocked by these rules).
#   * http.method must contain "GET".
#   * http.uri: content + depth:<n> + endswith, with nocase. depth is the length
#     of the content string as written, so the URI has to equal that string
#     (compared case-insensitively) rather than merely contain it.
#   * http.host: content + depth:<n> + isdataat:!1,relative, i.e. no byte may
#     follow the match, so the host value has to equal the string.
#   * The number in msg, the id in reference:url and the sid belong together:
#     in every rule here sid = URLhaus id + 80863100, which makes it easy to
#     pivot from an alert to the URLhaus entry.
#
# Coverage caveats to keep in mind when relying on these rules:
#   * They only fire on HTTP the sensor can parse in cleartext. The entries for
#     github.com, raw.githubusercontent.com and gitlab.com point at services
#     that are normally reached over HTTPS, so without TLS inspection expect
#     little or no coverage from them; proxy or endpoint URL logs are the
#     better place to search for those paths.
#   * Matching is exact on host and URI. A different hostname or any change to
#     the path or query string is not detected.
#     NOTE(review): whether a Host header carrying an explicit port still
#     matches depends on how http.host is normalized; confirm on the deployed
#     Suricata version.
#   * Many hostnames below share one URI (the long "/05fe317c-..." path, and
#     "/i" or "/bin.sh" on IP-literal hosts). When triaging a hit, searching
#     logs for the same URI on other hosts is a useful follow-up.
#   * IP-literal entries presumably age quickly as addresses are reassigned;
#     the created_at metadata can be used to expire old rules.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.152.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816825/; classtype:trojan-activity;sid:84679925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"enclin.xeltronix.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816824/; classtype:trojan-activity;sid:84679924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm64"; depth:12; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816822/; classtype:trojan-activity;sid:84679922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816823/; classtype:trojan-activity;sid:84679923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"77vlmbv.xeltronix.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816821/; classtype:trojan-activity;sid:84679921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.161.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816820/; classtype:trojan-activity;sid:84679920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"toke-plate.xeltronix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816819/; classtype:trojan-activity;sid:84679919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.161.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816818/; classtype:trojan-activity;sid:84679918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ktvkmgqc.xeltronix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816817/; classtype:trojan-activity;sid:84679917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robot.html"; depth:11; endswith; nocase; http.host; content:"85.192.27.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816816/; classtype:trojan-activity;sid:84679916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.63.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816815/; classtype:trojan-activity;sid:84679915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.152.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816814/; classtype:trojan-activity;sid:84679914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.31.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816813/; classtype:trojan-activity;sid:84679913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlith5ex.xeltronix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816812/; classtype:trojan-activity;sid:84679912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1ink.sox9liven.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816811/; classtype:trojan-activity;sid:84679911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mixteens/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816810/; classtype:trojan-activity;sid:84679910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mixteens/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816809/; classtype:trojan-activity;sid:84679909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.81.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816808/; classtype:trojan-activity;sid:84679908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f0rmate.para5itrecal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816807/; classtype:trojan-activity;sid:84679907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.54.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816806/; classtype:trojan-activity;sid:84679906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3.travemox.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816804/; classtype:trojan-activity;sid:84679904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.165.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816805/; classtype:trojan-activity;sid:84679905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.31.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816803/; classtype:trojan-activity;sid:84679903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.159.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816802/; classtype:trojan-activity;sid:84679902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fi1e.bri2xalon.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816801/; classtype:trojan-activity;sid:84679901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b0x.bri2xalon.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816800/; classtype:trojan-activity;sid:84679900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.54.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816799/; classtype:trojan-activity;sid:84679899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"a1ea.norqelix.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816798/; classtype:trojan-activity;sid:84679898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.193.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816797/; classtype:trojan-activity;sid:84679897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.43.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816796/; classtype:trojan-activity;sid:84679896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.159.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816795/; classtype:trojan-activity;sid:84679895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ma1n.quv7maren.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816794/; classtype:trojan-activity;sid:84679894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jahredip/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816793/; classtype:trojan-activity;sid:84679893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jahredip/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816791/; classtype:trojan-activity;sid:84679891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trustnobodys/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816792/; classtype:trojan-activity;sid:84679892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trustnobodys/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816790/; classtype:trojan-activity;sid:84679890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main.go"; depth:8; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816789/; classtype:trojan-activity;sid:84679889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aquaelia9084/new-year/releases/download/new/v2.4.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816788/; classtype:trojan-activity;sid:84679888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usu"; depth:4; endswith; nocase; http.host; content:"goragalo.live"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816787/; classtype:trojan-activity;sid:84679887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.quv7maren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816786/; classtype:trojan-activity;sid:84679886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.quv7maren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816783/; classtype:trojan-activity;sid:84679883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atteriss/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816784/; classtype:trojan-activity;sid:84679884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atteriss/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816785/; classtype:trojan-activity;sid:84679885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-key.quv7maren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816782/; classtype:trojan-activity;sid:84679882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evanblue/thestar/-/raw/main/259uzds8poxh.exe"; depth:45; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816781/; classtype:trojan-activity;sid:84679881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evanblue/thestar/-/raw/main/4j8576a0e8v3.exe"; depth:45; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816780/; classtype:trojan-activity;sid:84679880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.43.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816779/; classtype:trojan-activity;sid:84679879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-soft.quv7maren.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816778/; classtype:trojan-activity;sid:84679878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-call.quv7maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816777/; classtype:trojan-activity;sid:84679877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test1-run.quv7maren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816776/; classtype:trojan-activity;sid:84679876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.217.123.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816775/; classtype:trojan-activity;sid:84679875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-area.norqelix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816774/; classtype:trojan-activity;sid:84679874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.4.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816773/; classtype:trojan-activity;sid:84679873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.136.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816770/; classtype:trojan-activity;sid:84679870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.155.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816771/; classtype:trojan-activity;sid:84679871; rev:1;)
# NOTE(review): in the "/set/|3f|..." rules that follow, |3f| is the hex escape
# for '?', so the query string is part of the matched URI. depth:25 counts the
# escaped text; the decoded content is 22 bytes, so up to 3 bytes may precede
# the match. The anchoring is slightly looser than in the other rules; the
# effect is a marginally wider match, not a missed one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu9"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816769/; classtype:trojan-activity;sid:84679869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu8"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816768/; classtype:trojan-activity;sid:84679868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu1"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816767/; classtype:trojan-activity;sid:84679867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu5"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816766/; classtype:trojan-activity;sid:84679866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu3"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816765/; classtype:trojan-activity;sid:84679865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu6"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816764/; classtype:trojan-activity;sid:84679864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu7"; depth:25; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816761/; classtype:trojan-activity;sid:84679861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-flow.norqelix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816760/; classtype:trojan-activity;sid:84679860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.156.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816759/; classtype:trojan-activity;sid:84679859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"map4-base.norqelix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816758/; classtype:trojan-activity;sid:84679858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816757)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-push.norqelix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816757/; classtype:trojan-activity;sid:84679857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.204.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816756/; classtype:trojan-activity;sid:84679856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-jump.norqelix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816755/; classtype:trojan-activity;sid:84679855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.217.123.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816754/; classtype:trojan-activity;sid:84679854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.136.91"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816753/; classtype:trojan-activity;sid:84679853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"read1-data.norqelix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816752/; classtype:trojan-activity;sid:84679852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.15.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816751/; classtype:trojan-activity;sid:84679851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-map.bri2xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816750/; classtype:trojan-activity;sid:84679850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.93.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816749/; classtype:trojan-activity;sid:84679849; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-info.bri2xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816748/; classtype:trojan-activity;sid:84679848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.251.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816747/; classtype:trojan-activity;sid:84679847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.7.248"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816746/; classtype:trojan-activity;sid:84679846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.9.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816745/; classtype:trojan-activity;sid:84679845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.9.27"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816744/; classtype:trojan-activity;sid:84679844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"box4-file.bri2xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816743/; classtype:trojan-activity;sid:84679843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz.sh"; depth:9; endswith; nocase; http.host; content:"139.59.231.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816742/; classtype:trojan-activity;sid:84679842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816741/; classtype:trojan-activity;sid:84679841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816739/; classtype:trojan-activity;sid:84679839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3816740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816740/; classtype:trojan-activity;sid:84679840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm"; depth:10; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816738/; classtype:trojan-activity;sid:84679838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.229.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816737/; classtype:trojan-activity;sid:84679837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.118.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816736/; classtype:trojan-activity;sid:84679836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-flag.bri2xalon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; 
reference:url, urlhaus.abuse.ch/url/3816735/; classtype:trojan-activity;sid:84679835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.227.10.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816734/; classtype:trojan-activity;sid:84679834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"app2-root.bri2xalon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816733/; classtype:trojan-activity;sid:84679833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base1-site.bri2xalon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816732/; classtype:trojan-activity;sid:84679832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.230.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816731/; classtype:trojan-activity;sid:84679831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-pipe.travemox.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816730/; classtype:trojan-activity;sid:84679830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.46.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816729/; classtype:trojan-activity;sid:84679829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816728/; classtype:trojan-activity;sid:84679828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-scan.travemox.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816727/; classtype:trojan-activity;sid:84679827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.123.190.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816726/; classtype:trojan-activity;sid:84679826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.165.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816725/; classtype:trojan-activity;sid:84679825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816724/; classtype:trojan-activity;sid:84679824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"db4-cache.travemox.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816723/; classtype:trojan-activity;sid:84679823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.227.10.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816722/; classtype:trojan-activity;sid:84679822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.157.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816721/; classtype:trojan-activity;sid:84679821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-link.travemox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816720/; classtype:trojan-activity;sid:84679820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.233.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816719/; classtype:trojan-activity;sid:84679819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-port.travemox.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816718/; classtype:trojan-activity;sid:84679818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816717/; classtype:trojan-activity;sid:84679817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.31.132"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816716/; classtype:trojan-activity;sid:84679816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file1-swap.travemox.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816715/; classtype:trojan-activity;sid:84679815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.46.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816714/; classtype:trojan-activity;sid:84679814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-link.sox9liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816713/; 
classtype:trojan-activity;sid:84679813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.165.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816712/; classtype:trojan-activity;sid:84679812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-edge.sox9liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816711/; classtype:trojan-activity;sid:84679811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.157.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816710/; classtype:trojan-activity;sid:84679810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.157.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816709/; classtype:trojan-activity;sid:84679809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816707)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"blob4-data.sox9liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816707/; classtype:trojan-activity;sid:84679807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.190.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816708/; classtype:trojan-activity;sid:84679808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-pack.sox9liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816706/; classtype:trojan-activity;sid:84679806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-cert.sox9liven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816705/; classtype:trojan-activity;sid:84679805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.36.27.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816704/; classtype:trojan-activity;sid:84679804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"auth1-user.sox9liven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816703/; classtype:trojan-activity;sid:84679803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.211.117.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816702/; classtype:trojan-activity;sid:84679802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816701/; classtype:trojan-activity;sid:84679801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.121.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816700/; classtype:trojan-activity;sid:84679800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-main.krynexor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816699/; classtype:trojan-activity;sid:84679799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-rule.krynexor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816698/; classtype:trojan-activity;sid:84679798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.132.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816697/; classtype:trojan-activity;sid:84679797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.56.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816696/; classtype:trojan-activity;sid:84679796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816695)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api4-sync.krynexor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816695/; classtype:trojan-activity;sid:84679795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-core.krynexor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816694/; classtype:trojan-activity;sid:84679794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816693/; classtype:trojan-activity;sid:84679793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"list2-load.krynexor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816692/; classtype:trojan-activity;sid:84679792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"125.38.134.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816691/; classtype:trojan-activity;sid:84679791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.121.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816690/; classtype:trojan-activity;sid:84679790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.24.188.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816689/; classtype:trojan-activity;sid:84679789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step1-item.krynexor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816688/; classtype:trojan-activity;sid:84679788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.63.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816687/; classtype:trojan-activity;sid:84679787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.166.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816686/; classtype:trojan-activity;sid:84679786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.132.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816685/; classtype:trojan-activity;sid:84679785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"way6-gate.veq4tralis.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816684/; classtype:trojan-activity;sid:84679784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-task.veq4tralis.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816683/; classtype:trojan-activity;sid:84679783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816682)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"call4-back.veq4tralis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816682/; classtype:trojan-activity;sid:84679782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-view.veq4tralis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816681/; classtype:trojan-activity;sid:84679781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.204.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816680/; classtype:trojan-activity;sid:84679780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-stage.veq4tralis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816679/; classtype:trojan-activity;sid:84679779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816678)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work1-area.veq4tralis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816678/; classtype:trojan-activity;sid:84679778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-root.draxolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816677/; classtype:trojan-activity;sid:84679777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816676/; classtype:trojan-activity;sid:84679776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit5-mesh.draxolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816675/; classtype:trojan-activity;sid:84679775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.61.118.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816674/; classtype:trojan-activity;sid:84679774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main4-path.draxolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816673/; classtype:trojan-activity;sid:84679773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"srv3-ready.draxolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816672/; classtype:trojan-activity;sid:84679772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.252.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816671/; classtype:trojan-activity;sid:84679771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"peer2-join.draxolin.in.net"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816670/; classtype:trojan-activity;sid:84679770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.252.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816669/; classtype:trojan-activity;sid:84679769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.252.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816668/; classtype:trojan-activity;sid:84679768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816667/; classtype:trojan-activity;sid:84679767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link1-host.draxolin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816666/; classtype:trojan-activity;sid:84679766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816664)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.118.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816664/; classtype:trojan-activity;sid:84679764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.48.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816665/; classtype:trojan-activity;sid:84679765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"port6-send.plu8moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816663/; classtype:trojan-activity;sid:84679763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.204.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816662/; classtype:trojan-activity;sid:84679762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub5-local.plu8moran.in.net"; 
depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816661/; classtype:trojan-activity;sid:84679761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft4-base.plu8moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816660/; classtype:trojan-activity;sid:84679760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.252.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816659/; classtype:trojan-activity;sid:84679759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"app3-frame.plu8moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816658/; classtype:trojan-activity;sid:84679758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.9.139.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816657/; classtype:trojan-activity;sid:84679757; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data2-fast.plu8moran.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816656/; classtype:trojan-activity;sid:84679756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.140.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816655/; classtype:trojan-activity;sid:84679755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7862638382/4zdyedx.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816654/; classtype:trojan-activity;sid:84679754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site1-proxy.plu8moran.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816653/; classtype:trojan-activity;sid:84679753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816652)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.150.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816652/; classtype:trojan-activity;sid:84679752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-post.zorvelixan.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816651/; classtype:trojan-activity;sid:84679751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.48.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816650/; classtype:trojan-activity;sid:84679750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.36.133.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816649/; classtype:trojan-activity;sid:84679749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web5-relay.zorvelixan.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816648/; classtype:trojan-activity;sid:84679748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.150.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816647/; classtype:trojan-activity;sid:84679747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sync4-meta.zorvelixan.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816646/; classtype:trojan-activity;sid:84679746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.186.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816645/; classtype:trojan-activity;sid:84679745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-alpha.zorvelixan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816644/; classtype:trojan-activity;sid:84679744; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-delta.zorvelixan.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816643/; classtype:trojan-activity;sid:84679743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.203.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816642/; classtype:trojan-activity;sid:84679742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.36.133.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816641/; classtype:trojan-activity;sid:84679741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.29.205"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816640/; classtype:trojan-activity;sid:84679740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816639)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow1-point.zorvelixan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816639/; classtype:trojan-activity;sid:84679739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bash6-cmd.qul7vexar.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816638/; classtype:trojan-activity;sid:84679738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816637/; classtype:trojan-activity;sid:84679737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stat5-info.qul7vexar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816636/; classtype:trojan-activity;sid:84679736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"219.156.186.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816635/; classtype:trojan-activity;sid:84679735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.203.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816634/; classtype:trojan-activity;sid:84679734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top4-load.qul7vexar.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816633/; classtype:trojan-activity;sid:84679733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.113.60"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816632/; classtype:trojan-activity;sid:84679732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pid3-check.qul7vexar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816631/; 
classtype:trojan-activity;sid:84679731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"job2-run.qul7vexar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816630/; classtype:trojan-activity;sid:84679730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cron1-task.qul7vexar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816629/; classtype:trojan-activity;sid:84679729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.189.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816628/; classtype:trojan-activity;sid:84679728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.80.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816627/; classtype:trojan-activity;sid:84679727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816626)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"font6-face.norxelium.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816626/; classtype:trojan-activity;sid:84679726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.63.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816625/; classtype:trojan-activity;sid:84679725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.13.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816624/; classtype:trojan-activity;sid:84679724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"img5-asset.norxelium.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816623/; classtype:trojan-activity;sid:84679723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.113.60"; depth:11; 
isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816622/; classtype:trojan-activity;sid:84679722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816621/; classtype:trojan-activity;sid:84679721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"js4-script.norxelium.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816620/; classtype:trojan-activity;sid:84679720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tag3-attr.norxelium.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816619/; classtype:trojan-activity;sid:84679719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"css2-rule.norxelium.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3816618/; classtype:trojan-activity;sid:84679718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.101.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816617/; classtype:trojan-activity;sid:84679717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dom1-tree.norxelium.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816616/; classtype:trojan-activity;sid:84679716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.80.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816615/; classtype:trojan-activity;sid:84679715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.63.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816614/; classtype:trojan-activity;sid:84679714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816613)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lib6-share.bryo2maxil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816613/; classtype:trojan-activity;sid:84679713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.13.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816612/; classtype:trojan-activity;sid:84679712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816611/; classtype:trojan-activity;sid:84679711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bin5-exec.bryo2maxil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816610/; classtype:trojan-activity;sid:84679710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.213.15"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_12; reference:url, urlhaus.abuse.ch/url/3816609/; classtype:trojan-activity;sid:84679709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tmp4-path.bryo2maxil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816608/; classtype:trojan-activity;sid:84679708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.253.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816607/; classtype:trojan-activity;sid:84679707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dir3-index.bryo2maxil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816606/; classtype:trojan-activity;sid:84679706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.164.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816605/; classtype:trojan-activity;sid:84679705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3816604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file2-obj.bryo2maxil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816604/; classtype:trojan-activity;sid:84679704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.55.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816603/; classtype:trojan-activity;sid:84679703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"raw1-blob.bryo2maxil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816602/; classtype:trojan-activity;sid:84679702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.65.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816601/; classtype:trojan-activity;sid:84679701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816600)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"txt6-info.travexon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816600/; classtype:trojan-activity;sid:84679700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ptr5-rev.travexon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816599/; classtype:trojan-activity;sid:84679699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.253.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816598/; classtype:trojan-activity;sid:84679698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soa4-start.travexon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816597/; classtype:trojan-activity;sid:84679697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816596/; classtype:trojan-activity;sid:84679696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ttl3-limit.travexon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816595/; classtype:trojan-activity;sid:84679695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.194.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816594/; classtype:trojan-activity;sid:84679694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.164.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816593/; classtype:trojan-activity;sid:84679693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rec2-record.travexon.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816592/; 
classtype:trojan-activity;sid:84679692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zone1-dns.travexon.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816591/; classtype:trojan-activity;sid:84679691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hop6-route.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816590/; classtype:trojan-activity;sid:84679690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ping5-test.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816589/; classtype:trojan-activity;sid:84679689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"salt4-byte.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3816588/; classtype:trojan-activity;sid:84679688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hash3-list.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816587/; classtype:trojan-activity;sid:84679687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"seed2-node.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816586/; classtype:trojan-activity;sid:84679686; rev:1;)
# NOTE(review): sid 84679685 -- the http.uri content below decodes to 38 bytes
# ("/?=check|26||26|actmn=..."), but depth:53 is the length of the escaped rule
# text. In the neighbouring rules depth equals the content length, so depth plus
# endswith forces the whole URI to equal the string; here the URI only has to end
# with the pattern, and up to 15 leading bytes are tolerated.
# "|7c|26|7c|" is a literal "|26|", which looks like "&" hex-escaped and then
# escaped a second time by the generator -- TODO confirm against the URLhaus
# entry. If the reported URI contains "&" at these positions, this rule cannot
# match it and the download would pass without an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=igmcfyhhkngpwhkn"; depth:53; endswith; nocase; http.host; content:"f13hwmuq.amb1ing-farm.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816585/; classtype:trojan-activity;sid:84679685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"peer1-link.zeq9lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, 
urlhaus.abuse.ch/url/3816584/; classtype:trojan-activity;sid:84679684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mac6-bind.krinoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816583/; classtype:trojan-activity;sid:84679683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.66.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816582/; classtype:trojan-activity;sid:84679682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"udp5-recv.krinoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816581/; classtype:trojan-activity;sid:84679681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.150.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816580/; classtype:trojan-activity;sid:84679680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3816579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.6.148"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816579/; classtype:trojan-activity;sid:84679679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8042875554/rvsameb.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816578/; classtype:trojan-activity;sid:84679678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tcp4-send.krinoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816577/; classtype:trojan-activity;sid:84679677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"json3-io.krinoxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816576/; classtype:trojan-activity;sid:84679676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"105.224.66.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816575/; classtype:trojan-activity;sid:84679675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xml2-data.krinoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816574/; classtype:trojan-activity;sid:84679674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.6.148"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816573/; classtype:trojan-activity;sid:84679673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bit1-flow.krinoxel.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816572/; classtype:trojan-activity;sid:84679672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ssh6-port.voxi3tral.in.net"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816571/; classtype:trojan-activity;sid:84679671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.150.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816570/; classtype:trojan-activity;sid:84679670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"git5-pull.voxi3tral.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816569/; classtype:trojan-activity;sid:84679669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.206.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816568/; classtype:trojan-activity;sid:84679668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ops4-cache.voxi3tral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816567/; classtype:trojan-activity;sid:84679667; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dev3-track.voxi3tral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816566/; classtype:trojan-activity;sid:84679666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-patch.voxi3tral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816565/; classtype:trojan-activity;sid:84679665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"key1-store.voxi3tral.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816564/; classtype:trojan-activity;sid:84679664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wan6-pipe.drumekal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816563/; classtype:trojan-activity;sid:84679663; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.92.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816562/; classtype:trojan-activity;sid:84679662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.216.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816561/; classtype:trojan-activity;sid:84679661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vpn5-line.drumekal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816560/; classtype:trojan-activity;sid:84679660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lan4-tunnel.drumekal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816559/; classtype:trojan-activity;sid:84679659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816558)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.195.50.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816558/; classtype:trojan-activity;sid:84679658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"db3-storage.drumekal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816557/; classtype:trojan-activity;sid:84679657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.75.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816556/; classtype:trojan-activity;sid:84679656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"load2-bal.drumekal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816555/; classtype:trojan-activity;sid:84679655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.200.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; 
reference:url, urlhaus.abuse.ch/url/3816554/; classtype:trojan-activity;sid:84679654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"part1-state.drumekal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816553/; classtype:trojan-activity;sid:84679653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"app6-router.praxo6lin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816552/; classtype:trojan-activity;sid:84679652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"log5-stream.praxo6lin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816551/; classtype:trojan-activity;sid:84679651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web4-proxy.praxo6lin.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816550/; classtype:trojan-activity;sid:84679650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dns3-check.praxo6lin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816549/; classtype:trojan-activity;sid:84679649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.200.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816548/; classtype:trojan-activity;sid:84679648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.92.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816547/; classtype:trojan-activity;sid:84679647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.216.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816546/; classtype:trojan-activity;sid:84679646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816545)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cdn2-fetch.praxo6lin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816545/; classtype:trojan-activity;sid:84679645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beam1-point.praxo6lin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816544/; classtype:trojan-activity;sid:84679644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"net6-access.xelvorinax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816543/; classtype:trojan-activity;sid:84679643; rev:1;)
# NOTE(review): sid 84679642 -- the http.uri content below decodes to 38 bytes
# ("/?=check|26||26|actmn=..."), but depth:53 is the length of the escaped rule
# text. In the neighbouring rules depth equals the content length, so depth plus
# endswith forces the whole URI to equal the string; here the URI only has to end
# with the pattern, and up to 15 leading bytes are tolerated.
# "|7c|26|7c|" is a literal "|26|", which looks like "&" hex-escaped and then
# escaped a second time by the generator -- TODO confirm against the URLhaus
# entry. If the reported URI contains "&" at these positions, this rule cannot
# match it and the download would pass without an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=ffulbgyorjufgjjz"; depth:53; endswith; nocase; http.host; content:"o3pjh3hs.paragonbloomera.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816542/; classtype:trojan-activity;sid:84679642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3816541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site5-core.xelvorinax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816541/; classtype:trojan-activity;sid:84679641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.195.50.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816540/; classtype:trojan-activity;sid:84679640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"back4-unit.xelvorinax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816539/; classtype:trojan-activity;sid:84679639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.114.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816538/; classtype:trojan-activity;sid:84679638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816537)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"srv3-bridge.xelvorinax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816537/; classtype:trojan-activity;sid:84679637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.59.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816536/; classtype:trojan-activity;sid:84679636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.186.208.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816535/; classtype:trojan-activity;sid:84679635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"host2-entry.xelvorinax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816534/; classtype:trojan-activity;sid:84679634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.11.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816533/; classtype:trojan-activity;sid:84679633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"edge1-layer.xelvorinax.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816532/; classtype:trojan-activity;sid:84679632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velcreston.norva2xel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816531/; classtype:trojan-activity;sid:84679631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"oew4ln.norva2xel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816530/; classtype:trojan-activity;sid:84679630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.186.208.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816529/; 
classtype:trojan-activity;sid:84679629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816528/; classtype:trojan-activity;sid:84679628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"obse1-cache.norva2xel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816527/; classtype:trojan-activity;sid:84679627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rp7gpk.norva2xel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816526/; classtype:trojan-activity;sid:84679626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.176.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816525/; classtype:trojan-activity;sid:84679625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816524)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"89gwwu.norva2xel.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816524/; classtype:trojan-activity;sid:84679624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"part1c2-flow.norva2xel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816523/; classtype:trojan-activity;sid:84679623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"uwz7.veltraxis.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816522/; classtype:trojan-activity;sid:84679622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cdecj.veltraxis.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816521/; classtype:trojan-activity;sid:84679621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3816520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.165.118.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816520/; classtype:trojan-activity;sid:84679620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4sh-gate.veltraxis.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816519/; classtype:trojan-activity;sid:84679619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valueink.veltraxis.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816518/; classtype:trojan-activity;sid:84679618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d1rec-panel.veltraxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816517/; classtype:trojan-activity;sid:84679617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816516)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.183.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816516/; classtype:trojan-activity;sid:84679616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.80.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816515/; classtype:trojan-activity;sid:84679615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"45hd.veltraxis.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816514/; classtype:trojan-activity;sid:84679614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816513/; classtype:trojan-activity;sid:84679613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.32.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816512/; classtype:trojan-activity;sid:84679612; rev:1;) 
# URLhaus per-URL rules: each one fires on a single reported URL, seen as a cleartext HTTP GET
# sent by a $HOME_NET client on an established flow (alert http; flow:established,from_client).
#   http.uri  - content + depth (equal to the content length) + endswith pins the whole
#               normalised URI; nocase applies to this content only. The same path with a
#               query string appended is a different URI and is not covered.
#   http.host - content + depth + isdataat:!1,relative pins the whole Host value; there is no
#               nocase here because Suricata already lowercases this buffer.
# Coverage notes for deployment:
#   - These are "alert http" rules, so an HTTPS fetch of the same URL is not inspected; pair the
#     feed with DNS, TLS-SNI or proxy-log matching on the same hosts where that matters.
#   - Three rules on this line reuse one 82-byte path across different zexo4mira.in.net hosts,
#     so another host serving that path is missed until URLhaus lists it. A local rule on the
#     path alone may be worth testing (NOTE(review): measure false positives before enabling).
#   - A rule keyed on an IP literal plus a generic path such as /bin.sh goes stale once the
#     address is reassigned; metadata:created_at is the date to age such rules out by.
#   - reference:url points at the URLhaus entry for each alert, which is the place to start triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tshrx.zexo4mira.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816511/; classtype:trojan-activity;sid:84679611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serlineex9.zexo4mira.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816510/; classtype:trojan-activity;sid:84679610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816509/; classtype:trojan-activity;sid:84679609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quarryaud.zexo4mira.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816508/; classtype:trojan-activity;sid:84679608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thorn2-mark.zexo4mira.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816507/; classtype:trojan-activity;sid:84679607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"onp3.zexo4mira.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816506/; classtype:trojan-activity;sid:84679606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"77.239.112.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816505/; classtype:trojan-activity;sid:84679605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.227.219.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816504/; classtype:trojan-activity;sid:84679604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816503)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"misua.zexo4mira.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816503/; classtype:trojan-activity;sid:84679603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.144.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816502/; classtype:trojan-activity;sid:84679602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.80.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816501/; classtype:trojan-activity;sid:84679601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cl3a-leaf.kryntalor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816500/; classtype:trojan-activity;sid:84679600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.146.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816499/; classtype:trojan-activity;sid:84679599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sercoreis.kryntalor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816498/; classtype:trojan-activity;sid:84679598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"24.88.242.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816497/; classtype:trojan-activity;sid:84679597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.178.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816496/; classtype:trojan-activity;sid:84679596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c4nvas9-spool.kryntalor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816495/; classtype:trojan-activity;sid:84679595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3816494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wildsoc.kryntalor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816494/; classtype:trojan-activity;sid:84679594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-vi5ua.kryntalor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816493/; classtype:trojan-activity;sid:84679593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ancientrelay.kryntalor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816492/; classtype:trojan-activity;sid:84679592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.146.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816491/; classtype:trojan-activity;sid:84679591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816490)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tcf5.plor9vexi.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816490/; classtype:trojan-activity;sid:84679590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816489/; classtype:trojan-activity;sid:84679589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"g3norn-stream.plor9vexi.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816488/; classtype:trojan-activity;sid:84679588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6817977673/taa2ovs.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816487/; classtype:trojan-activity;sid:84679587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"networkmatrix.plor9vexi.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816486/; classtype:trojan-activity;sid:84679586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z"; depth:2; endswith; nocase; http.host; content:"103.232.213.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816485/; classtype:trojan-activity;sid:84679585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumvalear.plor9vexi.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816484/; classtype:trojan-activity;sid:84679584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"suddentermin.plor9vexi.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816483/; classtype:trojan-activity;sid:84679583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.244.9.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816482/; classtype:trojan-activity;sid:84679582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trivenos.plor9vexi.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816481/; classtype:trojan-activity;sid:84679581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.157.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816480/; classtype:trojan-activity;sid:84679580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kajsn.dravonix.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816479/; classtype:trojan-activity;sid:84679579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.160.188.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816478/; classtype:trojan-activity;sid:84679578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3816477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.19.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816477/; classtype:trojan-activity;sid:84679577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"assay-hyp.dravonix.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816476/; classtype:trojan-activity;sid:84679576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.19.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816472/; classtype:trojan-activity;sid:84679572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"wzjc.ipwz.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816471/; classtype:trojan-activity;sid:84679571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"cliorgan.dravonix.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816470/; classtype:trojan-activity;sid:84679570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel"; depth:13; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816469/; classtype:trojan-activity;sid:84679569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816466/; classtype:trojan-activity;sid:84679566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816467/; classtype:trojan-activity;sid:84679567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816468/; classtype:trojan-activity;sid:84679568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816464)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client"; depth:7; endswith; nocase; http.host; content:"wzjc.ipwz.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816464/; classtype:trojan-activity;sid:84679564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816465/; classtype:trojan-activity;sid:84679565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816463/; classtype:trojan-activity;sid:84679563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816459/; classtype:trojan-activity;sid:84679559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips"; depth:11; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816460/; classtype:trojan-activity;sid:84679560; 
rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the URLhaus rules that follow (all carry created_at 2026_04_11).
#
# Shape shared by every rule here:
#   - "alert http $HOME_NET -> $EXTERNAL_NET" with flow:established,from_client
#     and http.method "GET": fires on an outbound GET that Suricata parses as
#     HTTP. The action is alert, so a match is logged rather than dropped, and
#     the same URL fetched inside TLS is not inspected by these rules unless
#     the traffic is decrypted before it reaches the sensor.
#   - http.uri: depth equals the content length and endswith anchors the end,
#     so the whole URI buffer must equal the listed path (nocase makes the
#     comparison case-insensitive). The same path with a query string appended
#     does not match.
#   - http.host: depth equals the content length and isdataat:!1,relative
#     forbids trailing bytes, so the host must equal the listed name or address
#     exactly. Sibling subdomains are covered only if they have their own rule.
#   - sid is the URLhaus entry id from msg/reference plus 80863100 in each rule
#     visible here; reference:url leads to that entry for triage context.
#
# Triage:
#   - Only request-side buffers are inspected, so an alert shows that a client
#     asked for the URL, not that a payload was served or run. Confirm with the
#     HTTP response, file extraction or endpoint telemetry before escalating.
#   - Short or generic paths ("/i", "/s", "/bin.sh") are specific only in
#     combination with the paired host.
#   - Many rules below repeat one long URI path across subdomains of several
#     .in.net parent domains. Because host matching is exact, searching proxy
#     or DNS logs for that path or those parent domains can surface hosts this
#     list does not name.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816461/; classtype:trojan-activity;sid:84679561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"s3.mgirbvre.top"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816462/; classtype:trojan-activity;sid:84679562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.sh"; depth:12; endswith; nocase; http.host; content:"176.65.149.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816457/; classtype:trojan-activity;sid:84679557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816458/; classtype:trojan-activity;sid:84679558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"64.89.163.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816456/; classtype:trojan-activity;sid:84679556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816455/; classtype:trojan-activity;sid:84679555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816454/; classtype:trojan-activity;sid:84679554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"176.65.149.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816453/; classtype:trojan-activity;sid:84679553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"176.65.149.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816452/; classtype:trojan-activity;sid:84679552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.244.9.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816451/; classtype:trojan-activity;sid:84679551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"canvoya.dravonix.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816450/; classtype:trojan-activity;sid:84679550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.160.188.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816449/; classtype:trojan-activity;sid:84679549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neural-mem.dravonix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816448/; classtype:trojan-activity;sid:84679548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yz16m.dravonix.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816447/; classtype:trojan-activity;sid:84679547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"y26me.vexu3larn.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816446/; classtype:trojan-activity;sid:84679546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zencore2en.vexu3larn.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816445/; classtype:trojan-activity;sid:84679545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brandquo.vexu3larn.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816444/; classtype:trojan-activity;sid:84679544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rnacro-layer.vexu3larn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816443/; classtype:trojan-activity;sid:84679543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stolively.vexu3larn.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816442/; classtype:trojan-activity;sid:84679542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-coreum.vexu3larn.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816441/; classtype:trojan-activity;sid:84679541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"va1ue-hinge.brinoxal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816440/; classtype:trojan-activity;sid:84679540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"7mpydp.brinoxal.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816439/; classtype:trojan-activity;sid:84679539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.112.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816438/; classtype:trojan-activity;sid:84679538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velv0-sync.brinoxal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816437/; classtype:trojan-activity;sid:84679537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solcoreal9.brinoxal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816436/; classtype:trojan-activity;sid:84679536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816435/; classtype:trojan-activity;sid:84679535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorspireal.brinoxal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816434/; classtype:trojan-activity;sid:84679534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cjree.brinoxal.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816433/; classtype:trojan-activity;sid:84679533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.132.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816432/; classtype:trojan-activity;sid:84679532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"binaryrapid.qelto5rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816431/; classtype:trojan-activity;sid:84679531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.69.157.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816430/; classtype:trojan-activity;sid:84679530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.69.157.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816429/; classtype:trojan-activity;sid:84679529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"comp1le-mesh.qelto5rin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816428/; classtype:trojan-activity;sid:84679528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ppb9.qelto5rin.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816427/; classtype:trojan-activity;sid:84679527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816426/; classtype:trojan-activity;sid:84679526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5876083921/rvqcm8c.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816425/; classtype:trojan-activity;sid:84679525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"portalproxy.qelto5rin.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816424/; classtype:trojan-activity;sid:84679524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.132.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816423/; classtype:trojan-activity;sid:84679523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"apcsw.qelto5rin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816422/; classtype:trojan-activity;sid:84679522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.255.251.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816421/; classtype:trojan-activity;sid:84679521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ewgbx.qelto5rin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816420/; classtype:trojan-activity;sid:84679520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kelforgeum8.tremvaxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816419/; classtype:trojan-activity;sid:84679519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.22.233.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816418/; classtype:trojan-activity;sid:84679518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"l3tte-chain.tremvaxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816417/; classtype:trojan-activity;sid:84679517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vrtnte.tremvaxis.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816416/; classtype:trojan-activity;sid:84679516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-wag0n.tremvaxis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816415/; classtype:trojan-activity;sid:84679515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.98.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816414/; classtype:trojan-activity;sid:84679514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"l1gh-scope.tremvaxis.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816413/; classtype:trojan-activity;sid:84679513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.228.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816412/; classtype:trojan-activity;sid:84679512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"piloroo.tremvaxis.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816411/; classtype:trojan-activity;sid:84679511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.22.233.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816410/; classtype:trojan-activity;sid:84679510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stri3-hold.histo-ricthe.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816409/; classtype:trojan-activity;sid:84679509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/889380751/9cfsjpu.exe"; depth:28; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816408/; classtype:trojan-activity;sid:84679508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.65.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816407/; classtype:trojan-activity;sid:84679507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.103.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816406/; classtype:trojan-activity;sid:84679506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mskho2rr.histo-ricthe.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816405/; classtype:trojan-activity;sid:84679505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.177.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816404/; classtype:trojan-activity;sid:84679504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.29.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816403/; classtype:trojan-activity;sid:84679503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qu4rry0-track.histo-ricthe.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816402/; classtype:trojan-activity;sid:84679502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.98.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816401/; classtype:trojan-activity;sid:84679501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.228.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816400/; classtype:trojan-activity;sid:84679500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"q16zhmu.histo-ricthe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816399/; classtype:trojan-activity;sid:84679499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyn-markal.histo-ricthe.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816398/; classtype:trojan-activity;sid:84679498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.23.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816397/; classtype:trojan-activity;sid:84679497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fexbfw.histo-ricthe.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816396/; classtype:trojan-activity;sid:84679496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.177.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816395/; classtype:trojan-activity;sid:84679495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.65.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816394/; classtype:trojan-activity;sid:84679494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fs1zh.nab2lamstibles.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816393/; classtype:trojan-activity;sid:84679493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sapcave.nab2lamstibles.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816392/; classtype:trojan-activity;sid:84679492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.86.234.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816391/; classtype:trojan-activity;sid:84679491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.93.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816390/; classtype:trojan-activity;sid:84679490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lexckh.nab2lamstibles.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816389/; classtype:trojan-activity;sid:84679489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.49.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816388/; classtype:trojan-activity;sid:84679488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"banne-plate.nab2lamstibles.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816387/; classtype:trojan-activity;sid:84679487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/net_launcher.exe"; depth:26; endswith; nocase; http.host; content:"furystaff.tech"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816386/; classtype:trojan-activity;sid:84679486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/woofer.rar"; depth:20; endswith; nocase; http.host; content:"setupproducts.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816385/; classtype:trojan-activity;sid:84679485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/explorer.bat"; depth:22; endswith; nocase; http.host; content:"setupproducts.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816384/; classtype:trojan-activity;sid:84679484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p1xel7-cast.nab2lamstibles.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816383/; classtype:trojan-activity;sid:84679483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.23.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816382/; classtype:trojan-activity;sid:84679482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"1una-glow.nab2lamstibles.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816380/; classtype:trojan-activity;sid:84679480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.247.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816377/; classtype:trojan-activity;sid:84679477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.225.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816378/; classtype:trojan-activity;sid:84679478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.225.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816379/; classtype:trojan-activity;sid:84679479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.37.0.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816376/; classtype:trojan-activity;sid:84679476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"2hvdt1.inven-tornon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816375/; classtype:trojan-activity;sid:84679475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.126.86.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816374/; classtype:trojan-activity;sid:84679474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.86.234.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816373/; classtype:trojan-activity;sid:84679473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.93.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816372/; classtype:trojan-activity;sid:84679472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-th1cket.inven-tornon.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816371/; classtype:trojan-activity;sid:84679471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.25.132.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816370/; classtype:trojan-activity;sid:84679470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-runcd"; depth:18; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816365/; classtype:trojan-activity;sid:84679465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816366)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cloud/redis-swarmd"; depth:19; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816366/; classtype:trojan-activity;sid:84679466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.225.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816367/; classtype:trojan-activity;sid:84679467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"convoynoble.inven-tornon.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816356/; classtype:trojan-activity;sid:84679456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-sbomd"; depth:18; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816348/; classtype:trojan-activity;sid:84679448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-scoutd"; depth:19; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816338/; classtype:trojan-activity;sid:84679438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-scand"; depth:18; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816339/; classtype:trojan-activity;sid:84679439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-conteinerd"; depth:23; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816340/; classtype:trojan-activity;sid:84679440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-conteinerd-shim"; depth:28; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816341/; classtype:trojan-activity;sid:84679441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-initd"; depth:18; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816342/; classtype:trojan-activity;sid:84679442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816343)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/redis-proxyd"; depth:19; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816343/; classtype:trojan-activity;sid:84679443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-buildxd"; depth:20; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816344/; classtype:trojan-activity;sid:84679444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-credentiald"; depth:24; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816345/; classtype:trojan-activity;sid:84679445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-daemon"; depth:19; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816346/; classtype:trojan-activity;sid:84679446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-composd"; depth:20; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816347/; classtype:trojan-activity;sid:84679447; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/redis-machined"; depth:21; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816337/; classtype:trojan-activity;sid:84679437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.kok/temp.tar"; depth:14; endswith; nocase; http.host; content:"167.172.154.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816336/; classtype:trojan-activity;sid:84679436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816335/; classtype:trojan-activity;sid:84679435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z"; depth:2; endswith; nocase; http.host; content:"77.221.157.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816333/; classtype:trojan-activity;sid:84679433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/bash"; depth:15; endswith; nocase; http.host; content:"77.221.157.206"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_11; reference:url, urlhaus.abuse.ch/url/3816334/; classtype:trojan-activity;sid:84679434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start.sh"; depth:9; endswith; nocase; http.host; content:"176.65.148.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816332/; classtype:trojan-activity;sid:84679432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"linric.inven-tornon.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816331/; classtype:trojan-activity;sid:84679431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"142.248.80.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816330/; classtype:trojan-activity;sid:84679430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816329/; classtype:trojan-activity;sid:84679429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816327)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86"; depth:8; endswith; nocase; http.host; content:"31.56.229.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816327/; classtype:trojan-activity;sid:84679427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a"; depth:2; endswith; nocase; http.host; content:"176.65.150.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816328/; classtype:trojan-activity;sid:84679428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.87.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816326/; classtype:trojan-activity;sid:84679426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816321/; classtype:trojan-activity;sid:84679421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816322/; classtype:trojan-activity;sid:84679422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3816323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816323/; classtype:trojan-activity;sid:84679423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816324/; classtype:trojan-activity;sid:84679424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"2.26.98.67"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816325/; classtype:trojan-activity;sid:84679425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ciphersha.inven-tornon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816320/; classtype:trojan-activity;sid:84679420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.247.18"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816319/; classtype:trojan-activity;sid:84679419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.225.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816318/; classtype:trojan-activity;sid:84679418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.37.0.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816317/; classtype:trojan-activity;sid:84679417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gatewaybalance.inven-tornon.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816316/; classtype:trojan-activity;sid:84679416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.37.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816315/; classtype:trojan-activity;sid:84679415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816314)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ctlxx5r.cerbe7usout.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816314/; classtype:trojan-activity;sid:84679414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.84.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816313/; classtype:trojan-activity;sid:84679413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vvest0-path.cerbe7usout.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816312/; classtype:trojan-activity;sid:84679412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.99.61.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816311/; classtype:trojan-activity;sid:84679411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.87.158"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816310/; classtype:trojan-activity;sid:84679410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"30qmgzf.cerbe7usout.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816309/; classtype:trojan-activity;sid:84679409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.99.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816308/; classtype:trojan-activity;sid:84679408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"asse9-point.cerbe7usout.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816307/; classtype:trojan-activity;sid:84679407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.143.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816306/; classtype:trojan-activity;sid:84679406; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nornexix2.cerbe7usout.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816305/; classtype:trojan-activity;sid:84679405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.106.18.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816304/; classtype:trojan-activity;sid:84679404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.211.79.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816303/; classtype:trojan-activity;sid:84679403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"181.99.61.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816302/; classtype:trojan-activity;sid:84679402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"61.53.84.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816301/; classtype:trojan-activity;sid:84679401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-5ecure.cerbe7usout.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816300/; classtype:trojan-activity;sid:84679400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.19.217.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816299/; classtype:trojan-activity;sid:84679399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.37.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816298/; classtype:trojan-activity;sid:84679398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tri-mesha.awry-pause.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816297/; 
classtype:trojan-activity;sid:84679397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.65.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816296/; classtype:trojan-activity;sid:84679396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.135.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816295/; classtype:trojan-activity;sid:84679395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ntcecfct.awry-pause.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816294/; classtype:trojan-activity;sid:84679394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1401316133/vsefvug.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816293/; classtype:trojan-activity;sid:84679393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816292)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.98.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816292/; classtype:trojan-activity;sid:84679392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816291/; classtype:trojan-activity;sid:84679391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"harvestfern.awry-pause.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816290/; classtype:trojan-activity;sid:84679390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qyfx7uy.awry-pause.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816289/; classtype:trojan-activity;sid:84679389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816288/; classtype:trojan-activity;sid:84679388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.27.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816287/; classtype:trojan-activity;sid:84679387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.253.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816286/; classtype:trojan-activity;sid:84679386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"majofres.awry-pause.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816285/; classtype:trojan-activity;sid:84679385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.19.217.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816284/; classtype:trojan-activity;sid:84679384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816283)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.157.162.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816283/; classtype:trojan-activity;sid:84679383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fixthicket.awry-pause.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816282/; classtype:trojan-activity;sid:84679382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.78.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816281/; classtype:trojan-activity;sid:84679381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816280/; classtype:trojan-activity;sid:84679380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.88.186.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816279/; 
classtype:trojan-activity;sid:84679379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.94.31.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816278/; classtype:trojan-activity;sid:84679378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0blj.di5honorman.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816277/; classtype:trojan-activity;sid:84679377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.88.186.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816276/; classtype:trojan-activity;sid:84679376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.135.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816274/; classtype:trojan-activity;sid:84679374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816275)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.98.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816275/; classtype:trojan-activity;sid:84679375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.31.215"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816273/; classtype:trojan-activity;sid:84679373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816271/; classtype:trojan-activity;sid:84679371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816272/; classtype:trojan-activity;sid:84679372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.138.16.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816269/; classtype:trojan-activity;sid:84679369; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.28.4"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816270/; classtype:trojan-activity;sid:84679370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.141.215.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816268/; classtype:trojan-activity;sid:84679368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816266/; classtype:trojan-activity;sid:84679366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816267/; classtype:trojan-activity;sid:84679367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"vvi1d-line.di5honorman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816265/; classtype:trojan-activity;sid:84679365; rev:1;)
# Reviewer note: the four complete rules below share host 169.40.135.126 and the
# URI prefix /bins/sora.; only the suffix differs (arm, arm7, x86, m68k). Rules for
# further suffixes on the same host sit on the neighbouring lines. Each rule is an
# exact-URL indicator, so a file name on this host that the feed has not listed is
# not covered. When triaging a hit on any one of these sids, check HTTP logs for
# other requests from the same client to the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816263/; classtype:trojan-activity;sid:84679363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816264/; classtype:trojan-activity;sid:84679364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816258/; classtype:trojan-activity;sid:84679358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816259/; classtype:trojan-activity;sid:84679359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3816260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816260/; classtype:trojan-activity;sid:84679360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816261/; classtype:trojan-activity;sid:84679361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"169.40.135.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816262/; classtype:trojan-activity;sid:84679362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816257/; classtype:trojan-activity;sid:84679357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816256/; classtype:trojan-activity;sid:84679356; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816254/; classtype:trojan-activity;sid:84679354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"194.26.192.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816255/; classtype:trojan-activity;sid:84679355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816252/; classtype:trojan-activity;sid:84679352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.26.115.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816253/; classtype:trojan-activity;sid:84679353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"bundleser.di5honorman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816251/; classtype:trojan-activity;sid:84679351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.91.58.255"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816250/; classtype:trojan-activity;sid:84679350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psbcrnbaqk"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816249/; classtype:trojan-activity;sid:84679349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i4z51e1kds"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816248/; classtype:trojan-activity;sid:84679348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tztuz83uk4"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816244/; classtype:trojan-activity;sid:84679344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3816245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5gx9u07gi"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816245/; classtype:trojan-activity;sid:84679345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ln3lues0p"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816246/; classtype:trojan-activity;sid:84679346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.233.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816247/; classtype:trojan-activity;sid:84679347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl1e67obm3"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816238/; classtype:trojan-activity;sid:84679338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo7un5no4d"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816239/; classtype:trojan-activity;sid:84679339; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u7455i1vg3"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816240/; classtype:trojan-activity;sid:84679340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9sf2t3505q"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816241/; classtype:trojan-activity;sid:84679341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jc4z4ut4mb"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816242/; classtype:trojan-activity;sid:84679342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.27.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816243/; classtype:trojan-activity;sid:84679343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yl27ps.sh"; depth:10; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_11; reference:url, urlhaus.abuse.ch/url/3816237/; classtype:trojan-activity;sid:84679337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crateeast.di5honorman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816236/; classtype:trojan-activity;sid:84679336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arklith4os.di5honorman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816235/; classtype:trojan-activity;sid:84679335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/putty.exe"; depth:10; endswith; nocase; http.host; content:"2.58.56.51"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816234/; classtype:trojan-activity;sid:84679334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.251.51.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816233/; classtype:trojan-activity;sid:84679333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3816232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816232/; classtype:trojan-activity;sid:84679332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.158.40.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816231/; classtype:trojan-activity;sid:84679331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bwglxvk.di5honorman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816230/; classtype:trojan-activity;sid:84679330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.91.58.255"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816229/; classtype:trojan-activity;sid:84679329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"d3ns-sheet.identify-celebrate.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816228/; classtype:trojan-activity;sid:84679328; rev:1;)
# Reviewer note: the rule ending on the line above and two of the complete rules
# below (3816227, 3816225) carry one identical 82-byte URI and differ only in the
# subdomain under identify-celebrate.in.net. The same URI appears elsewhere in this
# section under awry-pause.in.net, di5honorman.in.net and halturitmel7ed.in.net.
# Because http.host is matched exactly, a subdomain the feed has not yet listed
# does not alert. For retro-hunting in HTTP logs the shared URI is the more stable
# pivot than any single hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"03wc5c.identify-celebrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816227/; classtype:trojan-activity;sid:84679327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.233.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816226/; classtype:trojan-activity;sid:84679326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"narr-que.identify-celebrate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816225/; classtype:trojan-activity;sid:84679325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816224/; classtype:trojan-activity;sid:84679324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.24.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816223/; classtype:trojan-activity;sid:84679323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"npcmrc.identify-celebrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816222/; classtype:trojan-activity;sid:84679322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.251.51.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816221/; classtype:trojan-activity;sid:84679321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qbknlas.identify-celebrate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816220/; classtype:trojan-activity;sid:84679320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3816219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.252.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816219/; classtype:trojan-activity;sid:84679319; rev:1;)
# Rule template shared by every entry in this stretch of the feed:
#   * Action is alert (not drop) on client-to-server traffic of an established
#     flow, $HOME_NET -> $EXTERNAL_NET. A hit means an internal host requested
#     the URL; on its own it does not show that a payload was delivered or run.
#   * http.method must contain "GET".
#   * http.uri: depth equals the content length and endswith is set, so the
#     whole URI buffer must equal the string (case-insensitively, via nocase).
#     Each rule therefore covers one exact URL; any other URI on the same
#     host does not match it.
#   * http.host: depth equals the content length and isdataat:!1,relative
#     requires that no byte follows the match, so the host buffer must equal
#     the string exactly.
#     NOTE(review): confirm how your Suricata version fills http.host when
#     the Host header carries a port.
#   * The protocol is http only; TLS sessions to the same hosts are outside
#     the scope of these rules.
#   * sid = URLhaus id (shown in msg and reference) + 80863100 for every rule
#     here, so an alert can be traced back to its URLhaus entry.
#   * The long "/05fe317c-..." URI recurs with different subdomains of in.net
#     parents (identify-celebrate, halturitmel7ed, accentol-federat in this
#     stretch); only http.host changes between those rules.
#   * Every entry carries created_at 2026_04_11 and many hosts are IP literals.
#     NOTE(review): IP-based indicators can age quickly; confirm the ruleset
#     is refreshed on a schedule so retired entries drop out.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cdr35.identify-celebrate.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816218/; classtype:trojan-activity;sid:84679318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vvorke-core.halturitmel7ed.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816217/; classtype:trojan-activity;sid:84679317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.109.218.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816216/; classtype:trojan-activity;sid:84679316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.245.101.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816215/; classtype:trojan-activity;sid:84679315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"211.158.40.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816214/; classtype:trojan-activity;sid:84679314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geyseropen.halturitmel7ed.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816213/; classtype:trojan-activity;sid:84679313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816212/; classtype:trojan-activity;sid:84679312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.84.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816211/; classtype:trojan-activity;sid:84679311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.185.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816210/; classtype:trojan-activity;sid:84679310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fjordvine.halturitmel7ed.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816209/; classtype:trojan-activity;sid:84679309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"reportmeadow.halturitmel7ed.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816208/; classtype:trojan-activity;sid:84679308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.84.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816207/; classtype:trojan-activity;sid:84679307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wb9g.halturitmel7ed.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816206/; classtype:trojan-activity;sid:84679306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.24.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816205/; classtype:trojan-activity;sid:84679305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.213.163.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816204/; classtype:trojan-activity;sid:84679304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.24.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816203/; classtype:trojan-activity;sid:84679303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.185.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816202/; classtype:trojan-activity;sid:84679302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-5hip.accentol-federat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816201/; classtype:trojan-activity;sid:84679301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.245.101.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816200/; classtype:trojan-activity;sid:84679300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"epgl608r.accentol-federat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816199/; classtype:trojan-activity;sid:84679299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.156.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816198/; classtype:trojan-activity;sid:84679298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tokencouri.accentol-federat.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816197/; classtype:trojan-activity;sid:84679297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.221.224.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816196/; classtype:trojan-activity;sid:84679296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lqwstnf.accentol-federat.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816195/; classtype:trojan-activity;sid:84679295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816194/; classtype:trojan-activity;sid:84679294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.213.163.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816193/; classtype:trojan-activity;sid:84679293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"51tcb.accentol-federat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816192/; classtype:trojan-activity;sid:84679292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.246.40.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816191/; classtype:trojan-activity;sid:84679291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.113.129.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816190/; classtype:trojan-activity;sid:84679290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fjor-dis.accentol-federat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816189/; classtype:trojan-activity;sid:84679289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.234.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816188/; classtype:trojan-activity;sid:84679288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.221.224.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816186/; classtype:trojan-activity;sid:84679286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.156.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816187/; classtype:trojan-activity;sid:84679287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.208.242.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816185/; classtype:trojan-activity;sid:84679285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.234.207.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816184/; classtype:trojan-activity;sid:84679284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rive-wag.particu1silomer.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816183/; classtype:trojan-activity;sid:84679283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tawg.particu1silomer.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816182/; classtype:trojan-activity;sid:84679282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.131.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816180/; classtype:trojan-activity;sid:84679280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.131.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816181/; classtype:trojan-activity;sid:84679281; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splppc"; depth:7; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816173/; classtype:trojan-activity;sid:84679273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splspc"; depth:7; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816174/; classtype:trojan-activity;sid:84679274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmips"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816175/; classtype:trojan-activity;sid:84679275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm7"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816176/; classtype:trojan-activity;sid:84679276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splx86"; depth:7; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3816177/; classtype:trojan-activity;sid:84679277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm5"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816178/; classtype:trojan-activity;sid:84679278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splsh4"; depth:7; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816179/; classtype:trojan-activity;sid:84679279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm"; depth:7; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816172/; classtype:trojan-activity;sid:84679272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmpsl"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816170/; classtype:trojan-activity;sid:84679270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f"; depth:2; endswith; nocase; http.host; content:"141.98.10.64"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816171/; classtype:trojan-activity;sid:84679271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splm68k"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816168/; classtype:trojan-activity;sid:84679268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm6"; depth:8; endswith; nocase; http.host; content:"141.98.10.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816169/; classtype:trojan-activity;sid:84679269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.59.118.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816167/; classtype:trojan-activity;sid:84679267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c34pp.particu1silomer.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816166/; classtype:trojan-activity;sid:84679266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3816165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"f3rn-dock.particu1silomer.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816165/; classtype:trojan-activity;sid:84679265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.246.40.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816164/; classtype:trojan-activity;sid:84679264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.75.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816163/; classtype:trojan-activity;sid:84679263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.69.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816162/; classtype:trojan-activity;sid:84679262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"processthor.particu1silomer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816161/; classtype:trojan-activity;sid:84679261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.234.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816160/; classtype:trojan-activity;sid:84679260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.122.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816159/; classtype:trojan-activity;sid:84679259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.29.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816158/; classtype:trojan-activity;sid:84679258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.234.207.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816157/; classtype:trojan-activity;sid:84679257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816156)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"agentsca.particu1silomer.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816156/; classtype:trojan-activity;sid:84679256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6723359323/b3otisk.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816155/; classtype:trojan-activity;sid:84679255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.112.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816154/; classtype:trojan-activity;sid:84679254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5y.prime-media-gate.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816153/; classtype:trojan-activity;sid:84679253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips"; depth:19; endswith; nocase; http.host; 
content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816152/; classtype:trojan-activity;sid:84679252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i486"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816151/; classtype:trojan-activity;sid:84679251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_x86"; depth:18; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816147/; classtype:trojan-activity;sid:84679247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"relay.urban-growth-data.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816148/; classtype:trojan-activity;sid:84679248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm5"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816149/; classtype:trojan-activity;sid:84679249; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i686"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816150/; classtype:trojan-activity;sid:84679250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_i586"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816145/; classtype:trojan-activity;sid:84679245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm"; depth:18; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816146/; classtype:trojan-activity;sid:84679246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_aarch64"; depth:22; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816137/; classtype:trojan-activity;sid:84679237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm7"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816138/; classtype:trojan-activity;sid:84679238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mpsl"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816139/; classtype:trojan-activity;sid:84679239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_m68k"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816140/; classtype:trojan-activity;sid:84679240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_sh4"; depth:18; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816141/; classtype:trojan-activity;sid:84679241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_arm6"; depth:19; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816142/; classtype:trojan-activity;sid:84679242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816143)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_mips64"; depth:21; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816143/; classtype:trojan-activity;sid:84679243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_ppc"; depth:18; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816144/; classtype:trojan-activity;sid:84679244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/ciubuc_spc"; depth:18; endswith; nocase; http.host; content:"43.228.157.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816136/; classtype:trojan-activity;sid:84679236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.7.235.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816135/; classtype:trojan-activity;sid:84679235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.69.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816134/; 
classtype:trojan-activity;sid:84679234; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins on the previous physical line.
#
# Mixed entries, all created 2026_04_11. Two things stand out in this run:
#   - "/i", "/bin.sh", "/sh" and "/cat.sh" on bare IPv4 hosts; each rule needs both the exact path and the
#     exact host value, so the short path alone never fires.
#   - One 82-byte path ending in ".google" that recurs unchanged across several *.in.net hostnames
#     (api.global-health-check, file.prime-media-gate, active./gate7.solid-build-trace). The feed emits
#     one rule per URL, so a hostname not yet listed is not covered; when triaging a hit, searching
#     proxy/HTTP logs for that path regardless of host is a reasonable follow-up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816133/; classtype:trojan-activity;sid:84679233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api.global-health-check.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816132/; classtype:trojan-activity;sid:84679232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.7.235.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816131/; classtype:trojan-activity;sid:84679231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.78.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816130/; classtype:trojan-activity;sid:84679230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.29.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816129/; classtype:trojan-activity;sid:84679229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.254.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816128/; classtype:trojan-activity;sid:84679228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file.prime-media-gate.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816127/; classtype:trojan-activity;sid:84679227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.6.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816126/; classtype:trojan-activity;sid:84679226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.105.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816125/; classtype:trojan-activity;sid:84679225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.202.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816124/; classtype:trojan-activity;sid:84679224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816122/; classtype:trojan-activity;sid:84679222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"active.solid-build-trace.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816123/; classtype:trojan-activity;sid:84679223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8788678720/nqgweq6.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816121/; classtype:trojan-activity;sid:84679221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate7.solid-build-trace.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816120/; classtype:trojan-activity;sid:84679220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816119/; classtype:trojan-activity;sid:84679219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816117/; classtype:trojan-activity;sid:84679217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.6.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816118/; classtype:trojan-activity;sid:84679218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.6.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816116/; classtype:trojan-activity;sid:84679216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3816115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.202.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816115/; classtype:trojan-activity;sid:84679215; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins on the previous physical line.
#
# Hosts linchens.com and outel.linchens.com: the same set of short paths is listed once per hostname
# (/sex.sh, /mipsel, /mips, /ppc, /m68k, /sh4, /arm61, /x86, /i686, /586, /dss, /dc, /co).
# Most names look like CPU architecture labels, presumably per-architecture builds fetched by a script;
# confirm against the referenced URLhaus entries.
# The host match is exact per rule, so any other label under linchens.com would need its own entry.
# One unrelated "/i" rule (125.41.224.148) and one "/dc" rule for 45.156.87.140 are interleaved below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816114/; classtype:trojan-activity;sid:84679214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816112/; classtype:trojan-activity;sid:84679212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816113/; classtype:trojan-activity;sid:84679213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.224.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816111/; classtype:trojan-activity;sid:84679211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816110/; classtype:trojan-activity;sid:84679210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816100/; classtype:trojan-activity;sid:84679200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816101/; classtype:trojan-activity;sid:84679201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816102/; classtype:trojan-activity;sid:84679202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dss"; depth:4; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816103/; classtype:trojan-activity;sid:84679203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816104/; classtype:trojan-activity;sid:84679204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816105/; classtype:trojan-activity;sid:84679205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816106/; classtype:trojan-activity;sid:84679206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816107/; classtype:trojan-activity;sid:84679207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co"; depth:3; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816108/; classtype:trojan-activity;sid:84679208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816109/; classtype:trojan-activity;sid:84679209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co"; depth:3; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816098/; classtype:trojan-activity;sid:84679198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/586"; depth:4; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816099/; classtype:trojan-activity;sid:84679199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816093/; classtype:trojan-activity;sid:84679193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816094/; classtype:trojan-activity;sid:84679194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816095/; classtype:trojan-activity;sid:84679195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/586"; depth:4; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816096/; classtype:trojan-activity;sid:84679196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816097/; classtype:trojan-activity;sid:84679197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816091/; classtype:trojan-activity;sid:84679191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816092/; classtype:trojan-activity;sid:84679192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816090/; classtype:trojan-activity;sid:84679190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dss"; depth:4; endswith; nocase; http.host; content:"outel.linchens.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816088/; classtype:trojan-activity;sid:84679188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; endswith; nocase; http.host; content:"linchens.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816089/; classtype:trojan-activity;sid:84679189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816087/; classtype:trojan-activity;sid:84679187; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816086/; classtype:trojan-activity;sid:84679186; rev:1;)
# NOTE(review): the line above lacks its leading "alert" keyword, which sits at the end of the previous
# physical line; rejoin wrapped rules before loading.
#
# Host 85.11.167.182, /iran.<suffix>: sixteen suffixes plus /cat.sh. The suffixes read as architecture
# labels (armv4l-armv7l, aarch64, mips, mipsel, mipsrouter, x86_64, i486, powerpc, sparc, m68k, sh4, arc),
# presumably one payload built per architecture with /cat.sh as the fetch script; confirm on URLhaus.
# All rules share one host value, so repeated alerts from a single internal source across several of
# these SIDs within a short window are worth correlating as one event during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816084/; classtype:trojan-activity;sid:84679184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816085/; classtype:trojan-activity;sid:84679185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816083/; classtype:trojan-activity;sid:84679183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816070/; classtype:trojan-activity;sid:84679170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816071/; classtype:trojan-activity;sid:84679171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816072/; classtype:trojan-activity;sid:84679172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816073/; classtype:trojan-activity;sid:84679173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816074/; classtype:trojan-activity;sid:84679174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816075/; classtype:trojan-activity;sid:84679175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816076/; classtype:trojan-activity;sid:84679176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816077/; classtype:trojan-activity;sid:84679177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816078/; classtype:trojan-activity;sid:84679178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816079/; classtype:trojan-activity;sid:84679179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816080/; classtype:trojan-activity;sid:84679180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816081/; classtype:trojan-activity;sid:84679181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"85.11.167.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816082/; classtype:trojan-activity;sid:84679182; rev:1;)
# Host 45.156.87.140: short paths, continued in the rules that follow this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co"; depth:3; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816068/; classtype:trojan-activity;sid:84679168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816069/; classtype:trojan-activity;sid:84679169; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816059/; classtype:trojan-activity;sid:84679159; rev:1;)
# NOTE(review): the line above lacks its leading "alert" keyword, which sits at the end of the previous
# physical line; rejoin wrapped rules before loading.
#
# Host 45.156.87.140: short paths /x86, /586, /sh4, /m68k, /ppc, /dss, /arm61, /mips, /mipsel.
# The same path names also appear in this file for linchens.com and outel.linchens.com; whether the
# three hosts belong to one distribution setup is not stated here. Check the URLhaus references.
# Paths this short are meaningful only together with the exact host match that each rule carries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/586"; depth:4; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816060/; classtype:trojan-activity;sid:84679160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816061/; classtype:trojan-activity;sid:84679161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816062/; classtype:trojan-activity;sid:84679162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816063/; classtype:trojan-activity;sid:84679163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dss"; depth:4; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816064/; classtype:trojan-activity;sid:84679164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816065/; classtype:trojan-activity;sid:84679165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816066/; classtype:trojan-activity;sid:84679166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.156.87.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816067/; classtype:trojan-activity;sid:84679167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lk/mhiodh1.bin"; depth:15; endswith; nocase; http.host;
content:"38.49.217.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816058/; classtype:trojan-activity;sid:84679158; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins on the previous physical line.
#
# Two patterns in this run:
#   - "/i" and "/bin.sh" on bare IPv4 hosts, with exact path and exact host match.
#   - The 82-byte path ending in ".google" on seven subdomains of solid-build-trace.in.net
#     (gate6-way, svc5-relay, vault4-root, api3-arch, node2-draw, plan1-data). The path is identical in
#     every rule and only the host label changes, so coverage depends on each subdomain being listed.
#     Alerts on any of these SIDs justify a log search for the path and for the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.118.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816057/; classtype:trojan-activity;sid:84679157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.113.206.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816056/; classtype:trojan-activity;sid:84679156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816055/; classtype:trojan-activity;sid:84679155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.solid-build-trace.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816054/; classtype:trojan-activity;sid:84679154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.solid-build-trace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816053/; classtype:trojan-activity;sid:84679153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.164.179.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816052/; classtype:trojan-activity;sid:84679152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-root.solid-build-trace.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816051/; classtype:trojan-activity;sid:84679151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-arch.solid-build-trace.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816050/; classtype:trojan-activity;sid:84679150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-draw.solid-build-trace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816049/; classtype:trojan-activity;sid:84679149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"plan1-data.solid-build-trace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816048/; classtype:trojan-activity;sid:84679148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.213.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816047/; classtype:trojan-activity;sid:84679147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.40.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816046/; classtype:trojan-activity;sid:84679146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816045)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-main.prime-media-gate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816045/; classtype:trojan-activity;sid:84679145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.prime-media-gate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816044/; classtype:trojan-activity;sid:84679144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-file.prime-media-gate.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816043/; classtype:trojan-activity;sid:84679143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-gate.prime-media-gate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816042/; classtype:trojan-activity;sid:84679142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816041)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.213.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816041/; classtype:trojan-activity;sid:84679141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-sync.prime-media-gate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816040/; classtype:trojan-activity;sid:84679140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kharon_https_443.x64.svc.exe"; depth:29; endswith; nocase; http.host; content:"139.99.75.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816037/; classtype:trojan-activity;sid:84679137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kharon_https_443.x64.exe"; depth:25; endswith; nocase; http.host; content:"139.99.75.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816038/; classtype:trojan-activity;sid:84679138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kharon_https_443.x64.dll"; depth:25; endswith; nocase; http.host; content:"139.99.75.86"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816039/; classtype:trojan-activity;sid:84679139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web1-media.prime-media-gate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816036/; classtype:trojan-activity;sid:84679136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-gate.global-health-check.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816034/; classtype:trojan-activity;sid:84679134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.184.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816035/; classtype:trojan-activity;sid:84679135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.150.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816033/; classtype:trojan-activity;sid:84679133; rev:1;) 
# The rules below are restored to one rule per physical line. Suricata reads
# one rule per line (a trailing backslash is the only continuation), so a rule
# wrapped in the middle of an option, as in this copy, would not load.
#
# Template shared by every rule in this span:
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       outbound HTTP request; the result depends on how HOME_NET and
#       EXTERNAL_NET are defined in the sensor configuration.
#   flow:established,from_client
#       client-to-server side of an established flow.
#   http.method; content:"GET"
#       GET requests only.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the content length and endswith pins the end of the
#       buffer, so the whole URI must equal <path> (case-insensitive).
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       the match starts within <len> bytes and no byte may follow it, so the
#       whole host must equal <host>. http.host is Suricata's normalized
#       (lower-cased) host buffer, hence no nocase here.
#   reference:url, urlhaus.abuse.ch/url/<id>/
#       URLhaus entry for the indicator; <id> is also the number in msg.
#   sid
#       for every rule in this span sid = URLhaus id + 80863100.
#
# Triage notes:
#   - These are exact-URL indicators: a hit means a HOME_NET host requested a
#     URL that URLhaus recorded as serving malware. Confirm whether a payload
#     was actually returned (HTTP status, file/flow records) before escalating.
#   - Only HTTP that the sensor parses in cleartext is inspected.
#   - Hosts given as IP literals can be reassigned; check the URLhaus
#     reference before acting on a hit against an aged entry.
#   - Paths are matched as published by the feed (for example
#     "/atomic/main.i468" below); because the match is exact, do not
#     "correct" a path locally.
#   - Many rules below share the URI path
#     /05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google
#     and differ only in http.host (subdomains of global-health-check.in.net,
#     urban-growth-data.in.net, office-task-sync.in.net). The shared path is a
#     useful pivot when searching proxy or HTTP logs.
#
# Host 176.65.139.81: one path per CPU architecture under /atomic/.
# NOTE(review): architecture-suffixed file names suggest the requesting host
# is an embedded or Linux device -- confirm against the asset inventory.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.x86_64"; depth:19; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816029/; classtype:trojan-activity;sid:84679129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.arm6"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816030/; classtype:trojan-activity;sid:84679130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.sh4"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816031/; classtype:trojan-activity;sid:84679131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.mips"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816032/; classtype:trojan-activity;sid:84679132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.arm"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816022/; classtype:trojan-activity;sid:84679122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.arm5"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816023/; classtype:trojan-activity;sid:84679123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.arm7"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816024/; classtype:trojan-activity;sid:84679124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.i686"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816025/; classtype:trojan-activity;sid:84679125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.arc"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816026/; classtype:trojan-activity;sid:84679126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.spc"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816027/; classtype:trojan-activity;sid:84679127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.i468"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816028/; classtype:trojan-activity;sid:84679128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.x86"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816018/; classtype:trojan-activity;sid:84679118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.ppc"; depth:16; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816019/; classtype:trojan-activity;sid:84679119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.mpsl"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816020/; classtype:trojan-activity;sid:84679120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main.m68k"; depth:17; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816021/; classtype:trojan-activity;sid:84679121; rev:1;)
# Host 45.83.207.105: architecture-named paths at the web root; more entries
# for the same host follow further down in this span.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips64"; depth:7; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816016/; classtype:trojan-activity;sid:84679116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816017/; classtype:trojan-activity;sid:84679117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.global-health-check.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816015/; classtype:trojan-activity;sid:84679115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zh/letsvpn-latestx64.zip"; depth:25; endswith; nocase; http.host; content:"dows.1v5s.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816011/; classtype:trojan-activity;sid:84679111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/htgghrehtherthreth/1234.exe"; depth:28; endswith; nocase; http.host; content:"178.16.52.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816006/; classtype:trojan-activity;sid:84679106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-safe.global-health-check.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816005/; classtype:trojan-activity;sid:84679105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816004/; classtype:trojan-activity;sid:84679104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-audit.global-health-check.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816003/; classtype:trojan-activity;sid:84679103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.224.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816002/; classtype:trojan-activity;sid:84679102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-info.global-health-check.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816001/; classtype:trojan-activity;sid:84679101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.184.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816000/; classtype:trojan-activity;sid:84679100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test1-api.global-health-check.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815999/; classtype:trojan-activity;sid:84679099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.150.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815998/; classtype:trojan-activity;sid:84679098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815997/; classtype:trojan-activity;sid:84679097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.urban-growth-data.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815996/; classtype:trojan-activity;sid:84679096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.202.178.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815995/; classtype:trojan-activity;sid:84679095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.123.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815994/; classtype:trojan-activity;sid:84679094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-sync.urban-growth-data.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815992/; classtype:trojan-activity;sid:84679092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815993/; classtype:trojan-activity;sid:84679093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/run.sh"; depth:12; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815991/; classtype:trojan-activity;sid:84679091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.178.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815990/; classtype:trojan-activity;sid:84679090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815989/; classtype:trojan-activity;sid:84679089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815988/; classtype:trojan-activity;sid:84679088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-chart.urban-growth-data.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815987/; classtype:trojan-activity;sid:84679087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-area.urban-growth-data.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815986/; classtype:trojan-activity;sid:84679086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.29.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815985/; classtype:trojan-activity;sid:84679085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.153.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815984/; classtype:trojan-activity;sid:84679084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-gate.office-task-sync.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815983/; classtype:trojan-activity;sid:84679083; rev:1;)
# Host 45.83.207.105 again: remaining architecture-named paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815977/; classtype:trojan-activity;sid:84679077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815978/; classtype:trojan-activity;sid:84679078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815979/; classtype:trojan-activity;sid:84679079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815980/; classtype:trojan-activity;sid:84679080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815981/; classtype:trojan-activity;sid:84679081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815982/; classtype:trojan-activity;sid:84679082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815972/; classtype:trojan-activity;sid:84679072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815973/; classtype:trojan-activity;sid:84679073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815974/; classtype:trojan-activity;sid:84679074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815975/; classtype:trojan-activity;sid:84679075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"45.83.207.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815976/; classtype:trojan-activity;sid:84679076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.209.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815971/; classtype:trojan-activity;sid:84679071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.office-task-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815970/; classtype:trojan-activity;sid:84679070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.123.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815969/; classtype:trojan-activity;sid:84679069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-file.office-task-sync.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815968/; classtype:trojan-activity;sid:84679068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.69.90.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815967/; classtype:trojan-activity;sid:84679067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.39.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815966/; classtype:trojan-activity;sid:84679066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-work.office-task-sync.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815965/; classtype:trojan-activity;sid:84679065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-task.office-task-sync.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815964/; classtype:trojan-activity;sid:84679064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.29.31.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815961/; classtype:trojan-activity;sid:84679061; rev:1;)
# NOTE(review): the line below is the head of a rule that continues on the
# following physical line; it is left exactly as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815962)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"job1-sync.office-task-sync.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815962/; classtype:trojan-activity;sid:84679062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.209.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815963/; classtype:trojan-activity;sid:84679063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.172.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815960/; classtype:trojan-activity;sid:84679060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.travel-point-trace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815959/; classtype:trojan-activity;sid:84679059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.191"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815958/; classtype:trojan-activity;sid:84679058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.128.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815957/; classtype:trojan-activity;sid:84679057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.travel-point-trace.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815956/; classtype:trojan-activity;sid:84679056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.47.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815955/; classtype:trojan-activity;sid:84679055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-sync.travel-point-trace.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815954/; classtype:trojan-activity;sid:84679054; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-trace.travel-point-trace.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815953/; classtype:trojan-activity;sid:84679053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.56.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815952/; classtype:trojan-activity;sid:84679052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-map.travel-point-trace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815951/; classtype:trojan-activity;sid:84679051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.11.175.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815950/; classtype:trojan-activity;sid:84679050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815949)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.172.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815949/; classtype:trojan-activity;sid:84679049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trip1-point.travel-point-trace.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815948/; classtype:trojan-activity;sid:84679048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-gate.local-market-hub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815947/; classtype:trojan-activity;sid:84679047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.176.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815946/; classtype:trojan-activity;sid:84679046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.48.189"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815945/; classtype:trojan-activity;sid:84679045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.local-market-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815944/; classtype:trojan-activity;sid:84679044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.106.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815943/; classtype:trojan-activity;sid:84679043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-root.local-market-hub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815942/; classtype:trojan-activity;sid:84679042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.139.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815941/; classtype:trojan-activity;sid:84679041; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-trade.local-market-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815940/; classtype:trojan-activity;sid:84679040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-list.local-market-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815939/; classtype:trojan-activity;sid:84679039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shop1-data.local-market-hub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815938/; classtype:trojan-activity;sid:84679038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.249.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815937/; classtype:trojan-activity;sid:84679037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3815936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.smart-home-verify.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815936/; classtype:trojan-activity;sid:84679036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.139.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815935/; classtype:trojan-activity;sid:84679035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.smart-home-verify.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815934/; classtype:trojan-activity;sid:84679034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-info.smart-home-verify.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815933/; classtype:trojan-activity;sid:84679033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3815932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-safe.smart-home-verify.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815932/; classtype:trojan-activity;sid:84679032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.192.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815931/; classtype:trojan-activity;sid:84679031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-check.smart-home-verify.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815930/; classtype:trojan-activity;sid:84679030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"home1-verify.smart-home-verify.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815929/; classtype:trojan-activity;sid:84679029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815928)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.249.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815928/; classtype:trojan-activity;sid:84679028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815927/; classtype:trojan-activity;sid:84679027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.29.31.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815926/; classtype:trojan-activity;sid:84679026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-relay.green-energy-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815925/; classtype:trojan-activity;sid:84679025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.100.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3815924/; classtype:trojan-activity;sid:84679024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.32.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815923/; classtype:trojan-activity;sid:84679023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.249.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815922/; classtype:trojan-activity;sid:84679022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-solar.green-energy-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815921/; classtype:trojan-activity;sid:84679021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.249.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815920/; classtype:trojan-activity;sid:84679020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815919)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-data.green-energy-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815919/; classtype:trojan-activity;sid:84679019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-grid.green-energy-flow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815918/; classtype:trojan-activity;sid:84679018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.134.56.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815917/; classtype:trojan-activity;sid:84679017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-power.green-energy-flow.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815916/; classtype:trojan-activity;sid:84679016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"27.220.89.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815915/; classtype:trojan-activity;sid:84679015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.159.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815914/; classtype:trojan-activity;sid:84679014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"eco1-trace.green-energy-flow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815913/; classtype:trojan-activity;sid:84679013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.32.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815912/; classtype:trojan-activity;sid:84679012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815911/; classtype:trojan-activity;sid:84679011; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-main.quick-support-portal.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815910/; classtype:trojan-activity;sid:84679010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.137.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815909/; classtype:trojan-activity;sid:84679009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.quick-support-portal.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815908/; classtype:trojan-activity;sid:84679008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-file.quick-support-portal.in.net"; depth:39; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815907/; classtype:trojan-activity;sid:84679007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3815906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.50.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815906/; classtype:trojan-activity;sid:84679006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api3-auth.quick-support-portal.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815905/; classtype:trojan-activity;sid:84679005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.159.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815904/; classtype:trojan-activity;sid:84679004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.165.118.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815903/; classtype:trojan-activity;sid:84679003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815902/; classtype:trojan-activity;sid:84679002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-desk.quick-support-portal.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815901/; classtype:trojan-activity;sid:84679001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"help1-sync.quick-support-portal.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815900/; classtype:trojan-activity;sid:84679000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.89.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815899/; classtype:trojan-activity;sid:84678999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.69.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815898/; classtype:trojan-activity;sid:84678998; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.130.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815897/; classtype:trojan-activity;sid:84678997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.don2tdouching.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815896/; classtype:trojan-activity;sid:84678996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.9.69.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815895/; classtype:trojan-activity;sid:84678995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815894/; classtype:trojan-activity;sid:84678994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.50.197"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815893/; classtype:trojan-activity;sid:84678993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub5-base.don2tdouching.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815892/; classtype:trojan-activity;sid:84678992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc4-relay.don2tdouching.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815891/; classtype:trojan-activity;sid:84678991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault3-info.don2tdouching.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815890/; classtype:trojan-activity;sid:84678990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"node2-soft.don2tdouching.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815889/; classtype:trojan-activity;sid:84678989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.9.69.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815888/; classtype:trojan-activity;sid:84678988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.130.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815887/; classtype:trojan-activity;sid:84678987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean1-api.don2tdouching.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815886/; classtype:trojan-activity;sid:84678986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-hub.creep-score.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, 
urlhaus.abuse.ch/url/3815885/; classtype:trojan-activity;sid:84678985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.254.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815884/; classtype:trojan-activity;sid:84678984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-match.creep-score.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815883/; classtype:trojan-activity;sid:84678983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.220.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815882/; classtype:trojan-activity;sid:84678982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-data.creep-score.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815881/; classtype:trojan-activity;sid:84678981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3815880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-play.creep-score.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815880/; classtype:trojan-activity;sid:84678980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815879/; classtype:trojan-activity;sid:84678979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.32.41.127"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815878/; classtype:trojan-activity;sid:84678978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-score.creep-score.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815877/; classtype:trojan-activity;sid:84678977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815876)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"game1-log.creep-score.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815876/; classtype:trojan-activity;sid:84678976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.235.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815875/; classtype:trojan-activity;sid:84678975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.220.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815874/; classtype:trojan-activity;sid:84678974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"point6-svc.pestte1ex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815873/; classtype:trojan-activity;sid:84678973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"hub5-gate.pestte1ex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815872/; classtype:trojan-activity;sid:84678972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc4-relay.pestte1ex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815871/; classtype:trojan-activity;sid:84678971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.102.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815870/; classtype:trojan-activity;sid:84678970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault3-io.pestte1ex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815869/; classtype:trojan-activity;sid:84678969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node2-info.pestte1ex.in.net"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815868/; classtype:trojan-activity;sid:84678968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.125.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815867/; classtype:trojan-activity;sid:84678967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test1-api.pestte1ex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815866/; classtype:trojan-activity;sid:84678966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.236.65.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815864/; classtype:trojan-activity;sid:84678964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815865/; classtype:trojan-activity;sid:84678965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815863)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-hub.consiliumundu-lat.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815863/; classtype:trojan-activity;sid:84678963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815862/; classtype:trojan-activity;sid:84678962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-base.consiliumundu-lat.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815861/; classtype:trojan-activity;sid:84678961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.102.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815860/; classtype:trojan-activity;sid:84678960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815859)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-root.consiliumundu-lat.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815859/; classtype:trojan-activity;sid:84678959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7900572318/dh9skih.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815858/; classtype:trojan-activity;sid:84678958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-link.consiliumundu-lat.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815857/; classtype:trojan-activity;sid:84678957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-unit.consiliumundu-lat.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815856/; classtype:trojan-activity;sid:84678956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815855)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team1-work.consiliumundu-lat.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815855/; classtype:trojan-activity;sid:84678955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-secure.exhib1torknot.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815854/; classtype:trojan-activity;sid:84678954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-mark.exhib1torknot.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815853/; classtype:trojan-activity;sid:84678953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815852/; classtype:trojan-activity;sid:84678952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815851)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-file.exhib1torknot.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815851/; classtype:trojan-activity;sid:84678951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.252.119.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815850/; classtype:trojan-activity;sid:84678950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-view.exhib1torknot.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815849/; classtype:trojan-activity;sid:84678949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-knot.exhib1torknot.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815848/; classtype:trojan-activity;sid:84678948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815847)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"show1-data.exhib1torknot.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815847/; classtype:trojan-activity;sid:84678947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-point.semiunder-lear.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815846/; classtype:trojan-activity;sid:84678946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-hub.semiunder-lear.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815845/; classtype:trojan-activity;sid:84678945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.20.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815844/; classtype:trojan-activity;sid:84678944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815843)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault4-sync.semiunder-lear.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815843/; classtype:trojan-activity;sid:84678943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.231.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815842/; classtype:trojan-activity;sid:84678942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-base.semiunder-lear.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815841/; classtype:trojan-activity;sid:84678941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/irrossm.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815840/; classtype:trojan-activity;sid:84678940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"study2-api.semiunder-lear.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815839/; classtype:trojan-activity;sid:84678939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.15.123.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815838/; classtype:trojan-activity;sid:84678938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/dt0jmhc.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815837/; classtype:trojan-activity;sid:84678937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"learn1-app.semiunder-lear.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815836/; classtype:trojan-activity;sid:84678936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.37.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815835/; classtype:trojan-activity;sid:84678935; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.20.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815834/; classtype:trojan-activity;sid:84678934; rev:1;)
#
# Reading guide for the rules in this section (one URLhaus entry per rule, one rule per line).
#
# Every complete rule below follows the same template:
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       Alert only (no drop action), for requests leaving $HOME_NET; coverage
#       therefore depends on $HOME_NET/$EXTERNAL_NET being set correctly.
#   flow:established,from_client
#       Client-to-server direction of an established flow.
#   http.method; content:"GET"
#       Only GET requests are matched.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the length of <path> and endswith pins the end of the
#       buffer, so the URI must equal <path> as a whole (case-insensitively).
#       A request with a different path or an appended query string is not matched.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       depth equals the length of <host> and isdataat:!1,relative requires that
#       nothing follows it, so the host must equal <host> as a whole.
#
# Scope and limits a deployer should keep in mind:
#   - These are exact-indicator rules. They confirm contact with a listed URL;
#     they do not generalise to new hosts, new subdomains or renamed files.
#   - The http protocol keyword covers HTTP that the sensor can parse in
#     cleartext. The same URL fetched over TLS is not visible to these rules
#     unless the traffic is decrypted before it reaches the sensor.
#   - NOTE(review): each rule carries created_at 2026_04_10 but no expiry;
#     presumably stale entries disappear when the feed is regenerated, so
#     refresh the file rather than editing entries by hand.
#
# Recurring patterns visible in this section:
#   - "/bin.sh" and "/i" requested from bare IPv4 hosts.
#   - One long URI path ending in ".google", repeated across many subdomains of
#     8rivastyinfamy.in.net, cesura-wate7y.in.net, l2vashs-calpel.in.net,
#     p1aster-voice.in.net, clin8company.in.net and particulscoop.in.net.
#     Each subdomain has its own rule because the host match is exact.
#   - "/files/<digits>/<name>.exe" and ".msi" on host 85.239.147.6.
#
# Identifiers: the number in msg is the URLhaus entry id also used in the
# reference URL. In the rules shown here sid = entry id + 80863100
# (NOTE(review): observed pattern only, confirm before relying on it).
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main6-gate.8rivastyinfamy.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815833/; classtype:trojan-activity;sid:84678933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.65.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815832/; classtype:trojan-activity;sid:84678932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub5-relay.8rivastyinfamy.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815831/; classtype:trojan-activity;sid:84678931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.55.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815830/; classtype:trojan-activity;sid:84678930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.55.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815829/; classtype:trojan-activity;sid:84678929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file4-svc.8rivastyinfamy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815828/; classtype:trojan-activity;sid:84678928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-vault.8rivastyinfamy.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815827/; classtype:trojan-activity;sid:84678927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.15.123.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815826/; classtype:trojan-activity;sid:84678926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.43.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815825/; classtype:trojan-activity;sid:84678925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.37.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815824/; classtype:trojan-activity;sid:84678924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"api2-cloud.8rivastyinfamy.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815823/; classtype:trojan-activity;sid:84678923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.169.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815822/; classtype:trojan-activity;sid:84678922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"track1-io.8rivastyinfamy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815821/; classtype:trojan-activity;sid:84678921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.45.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815820/; classtype:trojan-activity;sid:84678920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-main.cesura-wate7y.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815819/; classtype:trojan-activity;sid:84678919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.81.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815818/; classtype:trojan-activity;sid:84678918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.202.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815817/; classtype:trojan-activity;sid:84678917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-secure.cesura-wate7y.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815816/; classtype:trojan-activity;sid:84678916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.73.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815815/; classtype:trojan-activity;sid:84678915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.246.81.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815814/; classtype:trojan-activity;sid:84678914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"info4-vault.cesura-wate7y.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815813/; classtype:trojan-activity;sid:84678913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.45.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815812/; classtype:trojan-activity;sid:84678912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.43.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815811/; classtype:trojan-activity;sid:84678911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.239.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815810/; classtype:trojan-activity;sid:84678910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data3-node.cesura-wate7y.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815809/; classtype:trojan-activity;sid:84678909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow2-api.cesura-wate7y.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815808/; classtype:trojan-activity;sid:84678908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.197.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815807/; classtype:trojan-activity;sid:84678907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.100.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815806/; classtype:trojan-activity;sid:84678906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8115679349/h00dkau.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815805/; classtype:trojan-activity;sid:84678905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.45.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815804/; classtype:trojan-activity;sid:84678904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.228.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815803/; classtype:trojan-activity;sid:84678903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"web1-state.cesura-wate7y.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815802/; classtype:trojan-activity;sid:84678902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub6-gate.l2vashs-calpel.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815801/; classtype:trojan-activity;sid:84678901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc5-relay.l2vashs-calpel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815800/; classtype:trojan-activity;sid:84678900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.26.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815799/; classtype:trojan-activity;sid:84678899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.134.56.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815798/; classtype:trojan-activity;sid:84678898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.93.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815797/; classtype:trojan-activity;sid:84678897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.26.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815796/; classtype:trojan-activity;sid:84678896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8115679349/h00dkau.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815795/; classtype:trojan-activity;sid:84678895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.239.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815794/; classtype:trojan-activity;sid:84678894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base4-vault.l2vashs-calpel.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815791/; classtype:trojan-activity;sid:84678891; rev:1;)
# Host 94.156.152.67 appears below with five separate exact-path rules:
# /manji.mpsl, /manji.arm, /manji.mips, /manji.arm6 and /manji.m68k
# (entries 3815788-3815793, interleaved with an unrelated /bin.sh rule).
# A file name on that host that is not listed here is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815792/; classtype:trojan-activity;sid:84678892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm"; depth:10; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815793/; classtype:trojan-activity;sid:84678893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815789/; classtype:trojan-activity;sid:84678889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815790/; classtype:trojan-activity;sid:84678890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.169.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815787/; classtype:trojan-activity;sid:84678887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815788/; classtype:trojan-activity;sid:84678888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tool3-node.l2vashs-calpel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815786/; classtype:trojan-activity;sid:84678886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.132.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815785/; classtype:trojan-activity;sid:84678885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.209.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815784/; classtype:trojan-activity;sid:84678884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.100.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815783/; classtype:trojan-activity;sid:84678883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.102.18.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815782/; classtype:trojan-activity;sid:84678882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sharp2-api.l2vashs-calpel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815781/; classtype:trojan-activity;sid:84678881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.228.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815780/; classtype:trojan-activity;sid:84678880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cut1-point.l2vashs-calpel.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815778/; classtype:trojan-activity;sid:84678878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.125.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815779/; classtype:trojan-activity;sid:84678879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.240.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815777/; classtype:trojan-activity;sid:84678877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate6-way.p1aster-voice.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815776/; classtype:trojan-activity;sid:84678876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.228.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815775/; classtype:trojan-activity;sid:84678875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.89.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815774/; classtype:trojan-activity;sid:84678874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"audio-hub5.p1aster-voice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815773/; classtype:trojan-activity;sid:84678873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.228.191.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815772/; classtype:trojan-activity;sid:84678872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.126.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815771/; classtype:trojan-activity;sid:84678871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vault-svc4.p1aster-voice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815770/; classtype:trojan-activity;sid:84678870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"node3-call.p1aster-voice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815769/; classtype:trojan-activity;sid:84678869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8115679349/5jhrkxx.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815768/; classtype:trojan-activity;sid:84678868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talk-api2.p1aster-voice.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815767/; classtype:trojan-activity;sid:84678867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6560547276/8rtmsh6.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815766/; classtype:trojan-activity;sid:84678866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"voice1-sync.p1aster-voice.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815765/; classtype:trojan-activity;sid:84678865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stoneroad.clin8company.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815764/; classtype:trojan-activity;sid:84678864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.228.191.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815763/; classtype:trojan-activity;sid:84678863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/eventvpcardsc_pu1kqzvw_installer.msi"; depth:43; endswith; nocase; http.host; content:"sesdigitalsolutions.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815762/; classtype:trojan-activity;sid:84678862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"8cnv5b.clin8company.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815761/; classtype:trojan-activity;sid:84678861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.70.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815760/; classtype:trojan-activity;sid:84678860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"balance-ring.clin8company.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815759/; classtype:trojan-activity;sid:84678859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.70.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815758/; classtype:trojan-activity;sid:84678858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mndchnr.clin8company.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815757/; classtype:trojan-activity;sid:84678857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rpmfki.clin8company.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815756/; classtype:trojan-activity;sid:84678856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pc7il3.clin8company.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815755/; classtype:trojan-activity;sid:84678855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vjdxcj1y.particulscoop.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815754/; classtype:trojan-activity;sid:84678854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ser-marken.particulscoop.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815753/; classtype:trojan-activity;sid:84678853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1202156955/oazztcm.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815752/; classtype:trojan-activity;sid:84678852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.228.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815751/; classtype:trojan-activity;sid:84678851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-litha.particulscoop.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815750/; classtype:trojan-activity;sid:84678850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"west-reach.particulscoop.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815749/; classtype:trojan-activity;sid:84678849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.254.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815748/; classtype:trojan-activity;sid:84678848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"endpo7-port.particulscoop.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815747/; classtype:trojan-activity;sid:84678847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8366134864/z69rt8z.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815746/; classtype:trojan-activity;sid:84678846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cach-route.particulscoop.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815745/; classtype:trojan-activity;sid:84678845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.254.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815744/; classtype:trojan-activity;sid:84678844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"byte-mesh.flamesre5ent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815743/; classtype:trojan-activity;sid:84678843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vvind-frame.flamesre5ent.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815742/; classtype:trojan-activity;sid:84678842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.144.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815741/; classtype:trojan-activity;sid:84678841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rs8ize.flamesre5ent.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815740/; classtype:trojan-activity;sid:84678840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.80.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815739/; 
classtype:trojan-activity;sid:84678839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"moraltest.flamesre5ent.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815738/; classtype:trojan-activity;sid:84678838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815737/; classtype:trojan-activity;sid:84678837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/launcher.dll"; depth:22; endswith; nocase; http.host; content:"185.149.120.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815736/; classtype:trojan-activity;sid:84678836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unilink.flamesre5ent.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815734/; classtype:trojan-activity;sid:84678834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3815735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/net_launcher.exe"; depth:26; endswith; nocase; http.host; content:"setupproducts.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815735/; classtype:trojan-activity;sid:84678835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/joshua/random.exe"; depth:24; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815733/; classtype:trojan-activity;sid:84678833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tr4ce5-trail.flamesre5ent.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815732/; classtype:trojan-activity;sid:84678832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mhspcr.predestincent.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815731/; classtype:trojan-activity;sid:84678831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"123.4.144.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815730/; classtype:trojan-activity;sid:84678830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"castgrove.predestincent.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815729/; classtype:trojan-activity;sid:84678829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.80.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815728/; classtype:trojan-activity;sid:84678828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"si1ent-dock.predestincent.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815727/; classtype:trojan-activity;sid:84678827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.69.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, 
urlhaus.abuse.ch/url/3815726/; classtype:trojan-activity;sid:84678826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arklith0os.predestincent.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815725/; classtype:trojan-activity;sid:84678825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123/scan.py"; depth:12; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815719/; classtype:trojan-activity;sid:84678819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n1/q1.py"; depth:9; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815720/; classtype:trojan-activity;sid:84678820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/py.py"; depth:8; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815721/; classtype:trojan-activity;sid:84678821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815722)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/new/scanner.py"; depth:15; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815722/; classtype:trojan-activity;sid:84678822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sc/py.py"; depth:9; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815723/; classtype:trojan-activity;sid:84678823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sc/scan.py"; depth:11; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815724/; classtype:trojan-activity;sid:84678824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"finalatom.predestincent.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815718/; classtype:trojan-activity;sid:84678818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7900572318/ew8thew.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, 
urlhaus.abuse.ch/url/3815717/; classtype:trojan-activity;sid:84678817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"exposedeep.predestincent.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815716/; classtype:trojan-activity;sid:84678816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr.gz"; depth:7; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815715/; classtype:trojan-activity;sid:84678815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmm.gz"; depth:7; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815714/; classtype:trojan-activity;sid:84678814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/min1.sh"; depth:8; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815712/; classtype:trojan-activity;sid:84678812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815713)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ghost.sh"; depth:9; endswith; nocase; http.host; content:"77.110.96.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815713/; classtype:trojan-activity;sid:84678813; rev:1;)
# NOTE(review): the 18 ScreenConnect rules that follow (URLhaus ids 3815694-3815711) deviate
# from the template used by the other rules in this file.
#  - Elsewhere depth equals the decoded length of the http.uri content, so depth + endswith
#    anchors the pattern at both ends of the buffer (exact URI match). Here the content decodes
#    to 54 bytes while depth is 63, the length of the escaped text, so a URI with up to 9
#    leading bytes before the pattern also matches.
#  - "|7c|26|7c|" decodes to the four literal bytes "|26|", not to "&" (0x26). If the listed
#    URLs separate the e= and y= parameters with "&" (the escaping suggests this, but the page
#    does not show the URLs), these rules cannot match the real request; the intended form
#    would presumably be "|26|" with depth:51. Confirm against the URLhaus entries before
#    counting these sids as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815711/; classtype:trojan-activity;sid:84678811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815707/; classtype:trojan-activity;sid:84678807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"104.249.10.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815708/; classtype:trojan-activity;sid:84678808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815709/; classtype:trojan-activity;sid:84678809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815710/; classtype:trojan-activity;sid:84678810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815703/; classtype:trojan-activity;sid:84678803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815704/; classtype:trojan-activity;sid:84678804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815705/; classtype:trojan-activity;sid:84678805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815706/; classtype:trojan-activity;sid:84678806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815701/; classtype:trojan-activity;sid:84678801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815702/; classtype:trojan-activity;sid:84678802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815697/; classtype:trojan-activity;sid:84678797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"104.249.10.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815698/; classtype:trojan-activity;sid:84678798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"195.177.94.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815699/; classtype:trojan-activity;sid:84678799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815700/; classtype:trojan-activity;sid:84678800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815696/; classtype:trojan-activity;sid:84678796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815694/; classtype:trojan-activity;sid:84678794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"94.154.32.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815695/; classtype:trojan-activity;sid:84678795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.131.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815693/; classtype:trojan-activity;sid:84678793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815692/; classtype:trojan-activity;sid:84678792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"60moi.canone7node.in.net"; depth:24; isdataat:!1,relative; 
metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815691/; classtype:trojan-activity;sid:84678791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.68.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815690/; classtype:trojan-activity;sid:84678790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"asset5-track.canone7node.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815689/; classtype:trojan-activity;sid:84678789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815688/; classtype:trojan-activity;sid:84678788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.27.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815687/; classtype:trojan-activity;sid:84678787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815686)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.200.80.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815686/; classtype:trojan-activity;sid:84678786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.98.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815685/; classtype:trojan-activity;sid:84678785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solcoreal5.canone7node.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815684/; classtype:trojan-activity;sid:84678784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soundencode.canone7node.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815683/; classtype:trojan-activity;sid:84678783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.160.182"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815682/; classtype:trojan-activity;sid:84678782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.227.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815680/; classtype:trojan-activity;sid:84678780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.12.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815681/; classtype:trojan-activity;sid:84678781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ubped.canone7node.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815679/; classtype:trojan-activity;sid:84678779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.178.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815678/; classtype:trojan-activity;sid:84678778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3815677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meta-5udd.canone7node.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815677/; classtype:trojan-activity;sid:84678777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7742504508/3nuj75t.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815676/; classtype:trojan-activity;sid:84678776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"reef-drive.airportbude.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815675/; classtype:trojan-activity;sid:84678775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815674/; classtype:trojan-activity;sid:84678774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815673)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-gr4nit.airportbude.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815673/; classtype:trojan-activity;sid:84678773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clpr.exe"; depth:9; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815672/; classtype:trojan-activity;sid:84678772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zpubeynbswoznhk172.bin"; depth:23; endswith; nocase; http.host; content:"104.249.10.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815669/; classtype:trojan-activity;sid:84678769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kxxysbztqp98.bin"; depth:17; endswith; nocase; http.host; content:"104.249.10.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815670/; classtype:trojan-activity;sid:84678770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwshexisrsnrlvjgydtuuuuakqr204.bin"; depth:35; endswith; nocase; http.host; content:"104.249.10.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, 
urlhaus.abuse.ch/url/3815671/; classtype:trojan-activity;sid:84678771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.241.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815668/; classtype:trojan-activity;sid:84678768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrrdnxofrvemzg85.bin"; depth:21; endswith; nocase; http.host; content:"104.249.10.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815667/; classtype:trojan-activity;sid:84678767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.166.231.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815666/; classtype:trojan-activity;sid:84678766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.158.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815664/; classtype:trojan-activity;sid:84678764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.12.227.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815665/; classtype:trojan-activity;sid:84678765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yssym17.airportbude.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815663/; classtype:trojan-activity;sid:84678763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.49.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815662/; classtype:trojan-activity;sid:84678762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loosematrix.airportbude.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815661/; classtype:trojan-activity;sid:84678761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.178.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815660/; 
classtype:trojan-activity;sid:84678760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"formatmeas.airportbude.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815659/; classtype:trojan-activity;sid:84678759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"impo-casc.airportbude.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815658/; classtype:trojan-activity;sid:84678758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5csau02h.faultmincin8.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815657/; classtype:trojan-activity;sid:84678757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"suyjbrc.faultmincin8.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, 
urlhaus.abuse.ch/url/3815656/; classtype:trojan-activity;sid:84678756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.66.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815655/; classtype:trojan-activity;sid:84678755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0hyb.faultmincin8.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815654/; classtype:trojan-activity;sid:84678754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.87.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815653/; classtype:trojan-activity;sid:84678753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"b4rk-craft.faultmincin8.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815652/; classtype:trojan-activity;sid:84678752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3815651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"passivedusk.faultmincin8.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815651/; classtype:trojan-activity;sid:84678751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815650/; classtype:trojan-activity;sid:84678750; rev:1;)
# NOTE(review): the next rule (sid 84678749) departs from its siblings in this feed.
# Its http.uri content decodes to 38 bytes ("/?=check|26||26|actmn=..."), yet depth is
# 53, which equals the length of the escaped rule text. The neighbouring rules set
# depth to the decoded content length, so depth plus endswith pins the whole URI;
# here a URI of up to 53 bytes that merely ends with the pattern also matches.
# The |7c|26|7c| runs look like a hex escape for "&" (|26|) whose pipes were escaped
# a second time. If so, the rule expects a literal "|26|" in the request and would
# not fire on the real URL. This is an assumption: confirm against the URLhaus entry
# named in reference:, and report it upstream rather than patching the generated
# feed locally, since a local change is lost on the next ruleset update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=hlfcaddszirfxdrk"; depth:53; endswith; nocase; http.host; content:"j84f4g0p.quantumharbinger.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815649/; classtype:trojan-activity;sid:84678749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.241.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815648/; classtype:trojan-activity;sid:84678748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815647)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freightdynam.faultmincin8.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815647/; classtype:trojan-activity;sid:84678747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.68.168.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815646/; classtype:trojan-activity;sid:84678746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.236.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815645/; classtype:trojan-activity;sid:84678745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-hinge.fineon1y.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815644/; classtype:trojan-activity;sid:84678744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.205.163.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; 
reference:url, urlhaus.abuse.ch/url/3815643/; classtype:trojan-activity;sid:84678743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sercrestos9.fineon1y.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815642/; classtype:trojan-activity;sid:84678742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.119.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815641/; classtype:trojan-activity;sid:84678741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.66.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815640/; classtype:trojan-activity;sid:84678740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.236.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815639/; classtype:trojan-activity;sid:84678739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815638)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-5i1ver.fineon1y.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815638/; classtype:trojan-activity;sid:84678738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.119.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815637/; classtype:trojan-activity;sid:84678737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"primpartn.fineon1y.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815636/; classtype:trojan-activity;sid:84678736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lab3l-node.fineon1y.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815635/; classtype:trojan-activity;sid:84678735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815634)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rh0zttub.erectreset.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815634/; classtype:trojan-activity;sid:84678734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serven0ix.erectreset.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815633/; classtype:trojan-activity;sid:84678733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"importsnow.erectreset.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815632/; classtype:trojan-activity;sid:84678732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815631/; classtype:trojan-activity;sid:84678731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815630)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenvaleex.erectreset.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815630/; classtype:trojan-activity;sid:84678730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"updv1.erectreset.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815629/; classtype:trojan-activity;sid:84678729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"851xsk.erectreset.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815628/; classtype:trojan-activity;sid:84678728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.27.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815627/; classtype:trojan-activity;sid:84678727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"125.41.228.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815626/; classtype:trojan-activity;sid:84678726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.114.12.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815624/; classtype:trojan-activity;sid:84678724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ligfleet.bravo1nixu.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815625/; classtype:trojan-activity;sid:84678725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"valley-con.bravo1nixu.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815623/; classtype:trojan-activity;sid:84678723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fleestrict.bravo1nixu.in.net"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815622/; classtype:trojan-activity;sid:84678722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815621/; classtype:trojan-activity;sid:84678721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815620/; classtype:trojan-activity;sid:84678720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815616/; classtype:trojan-activity;sid:84678716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815617/; classtype:trojan-activity;sid:84678717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815618)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/rebirth.mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815618/; classtype:trojan-activity;sid:84678718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815619/; classtype:trojan-activity;sid:84678719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.254.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815615/; classtype:trojan-activity;sid:84678715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.126.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815614/; classtype:trojan-activity;sid:84678714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.230.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815611/; classtype:trojan-activity;sid:84678711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3815612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.164.29.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815612/; classtype:trojan-activity;sid:84678712; rev:1;)
# How to read the entries below (one URLhaus URL per rule):
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with `flow:established,from_client`
#     inspects client requests leaving the protected network on established flows.
#     The action is `alert`, so a match is logged, not blocked.
#   - http.method must contain GET.
#   - http.uri: `depth` equals the length of the path and `endswith` pins the end of the
#     buffer, so the URI has to equal the listed path (case-insensitively, via `nocase`).
#     A request for the same path with anything appended, such as a query string, is
#     therefore not expected to match.
#   - http.host: `depth` equals the length of the host and `isdataat:!1,relative` requires
#     that nothing follows it, so only that exact host value matches.
#   - In the visible rules the sid is the URLhaus ID plus 80863100; the msg and
#     reference fields carry the URLhaus ID for pivoting to the source entry.
# NOTE(review): these are `alert http` rules, so they only see requests the sensor can
# parse as cleartext HTTP. A hit means a host in $HOME_NET requested a listed payload
# URL; whether the download completed is not established by the rule itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.27.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815613/; classtype:trojan-activity;sid:84678713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.230.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815610/; classtype:trojan-activity;sid:84678710; rev:1;)
# The 82-byte URI path in the next rule recurs in many rules below, each paired with a
# different *.in.net hostname. Coverage is per hostname: a hostname that is not listed
# has no rule here, even if it serves the same path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vi5u4l-branch.bravo1nixu.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815609/; classtype:trojan-activity;sid:84678709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.252.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815608/; classtype:trojan-activity;sid:84678708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.126.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815607/; classtype:trojan-activity;sid:84678707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dynvenor.bravo1nixu.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815606/; classtype:trojan-activity;sid:84678706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"porter.bravo1nixu.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815605/; classtype:trojan-activity;sid:84678705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.23.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815604/; classtype:trojan-activity;sid:84678704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.254.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815603/; classtype:trojan-activity;sid:84678703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.104.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815602/; classtype:trojan-activity;sid:84678702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"iktol.zeltorinax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815601/; classtype:trojan-activity;sid:84678701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hsp96wn.zeltorinax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815600/; classtype:trojan-activity;sid:84678700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.164.29.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815599/; classtype:trojan-activity;sid:84678699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"decodebran.zeltorinax.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815598/; classtype:trojan-activity;sid:84678698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.103.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815597/; classtype:trojan-activity;sid:84678697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"289rabl.zeltorinax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815596/; classtype:trojan-activity;sid:84678696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p4rtn0-forge.zeltorinax.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815595/; classtype:trojan-activity;sid:84678695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.23.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815594/; classtype:trojan-activity;sid:84678694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7640890992/dhiku6l.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815593/; classtype:trojan-activity;sid:84678693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"composerefine.zeltorinax.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815592/; classtype:trojan-activity;sid:84678692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.166.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815590/; classtype:trojan-activity;sid:84678690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.7.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815591/; classtype:trojan-activity;sid:84678691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.104.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815589/; classtype:trojan-activity;sid:84678689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"metri-oak.kyno4rexil.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815588/; classtype:trojan-activity;sid:84678688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"d1sc4-wave.kyno4rexil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815587/; classtype:trojan-activity;sid:84678687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"st4bi-spool.kyno4rexil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815586/; classtype:trojan-activity;sid:84678686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.103.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815585/; classtype:trojan-activity;sid:84678685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.178.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815584/; classtype:trojan-activity;sid:84678684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumvalea.kyno4rexil.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815583/; classtype:trojan-activity;sid:84678683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.128.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815582/; classtype:trojan-activity;sid:84678682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"equity-colum.kyno4rexil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815581/; classtype:trojan-activity;sid:84678681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ngwq.kyno4rexil.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815580/; classtype:trojan-activity;sid:84678680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultglyp.vortaqen.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815579/; classtype:trojan-activity;sid:84678679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1401316133/jog1sdt.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815578/; classtype:trojan-activity;sid:84678678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815577/; classtype:trojan-activity;sid:84678677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.178.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815576/; classtype:trojan-activity;sid:84678676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geysermars.vortaqen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815575/; classtype:trojan-activity;sid:84678675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.79.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815574/; classtype:trojan-activity;sid:84678674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"norforge2ar.vortaqen.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815573/; classtype:trojan-activity;sid:84678673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"80ycuu.vortaqen.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815572/; classtype:trojan-activity;sid:84678672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"q6ivtu.vortaqen.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815571/; classtype:trojan-activity;sid:84678671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.134.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815570/; classtype:trojan-activity;sid:84678670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velvale7on.vortaqen.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815569/; classtype:trojan-activity;sid:84678669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kk.exe"; depth:7; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815568/; classtype:trojan-activity;sid:84678668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815567/; classtype:trojan-activity;sid:84678667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tradesyn.plix9anor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815566/; classtype:trojan-activity;sid:84678666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.98.237"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815565/; classtype:trojan-activity;sid:84678665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neuralvau.plix9anor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815564/; classtype:trojan-activity;sid:84678664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4zure-hold.plix9anor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815563/; classtype:trojan-activity;sid:84678663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815562/; classtype:trojan-activity;sid:84678662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.228.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815561/; classtype:trojan-activity;sid:84678661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"v31vet0-sheet.plix9anor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815560/; classtype:trojan-activity;sid:84678660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.168.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815559/; classtype:trojan-activity;sid:84678659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.134.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815558/; classtype:trojan-activity;sid:84678658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lum-tidear.plix9anor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815557/; classtype:trojan-activity;sid:84678657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trans-vocal.plix9anor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815556/; classtype:trojan-activity;sid:84678656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xpprcq.drimoxel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815555/; classtype:trojan-activity;sid:84678655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xgi87u.drimoxel.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815554/; classtype:trojan-activity;sid:84678654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815553/; classtype:trojan-activity;sid:84678653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"equitytorre.drimoxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815552/; classtype:trojan-activity;sid:84678652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slatedraft.drimoxel.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815551/; classtype:trojan-activity;sid:84678651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyncresten9.drimoxel.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815550/; classtype:trojan-activity;sid:84678650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sub-ch3c.drimoxel.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815549/; classtype:trojan-activity;sid:84678649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.98.237"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815548/; classtype:trojan-activity;sid:84678648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkfluxal.qorvy3nal.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815547/; classtype:trojan-activity;sid:84678647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.165.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815546/; classtype:trojan-activity;sid:84678646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vaultwagon.qorvy3nal.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815545/; classtype:trojan-activity;sid:84678645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trai0-plate.qorvy3nal.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815544/; classtype:trojan-activity;sid:84678644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.32.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815543/; classtype:trojan-activity;sid:84678643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"videovit.qorvy3nal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815542/; classtype:trojan-activity;sid:84678642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"7mic.qorvy3nal.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815541/; classtype:trojan-activity;sid:84678641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.165.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815540/; classtype:trojan-activity;sid:84678640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"xmkzarzz.qorvy3nal.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815539/; classtype:trojan-activity;sid:84678639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.174.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815538/; classtype:trojan-activity;sid:84678638; rev:1;)
# Nine consecutive entries for host 85.11.167.129, differing only in the file name under
# /bins/. The name suffixes (mpsl, arm, m68k, x86, sh4, spc, arm5, arm7, arm6) look like
# CPU-architecture tags — TODO confirm against the URLhaus entries. Because each rule is
# an exact-URI match, other file names on the same host are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815529/; classtype:trojan-activity;sid:84678629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815530/; classtype:trojan-activity;sid:84678630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815531/; classtype:trojan-activity;sid:84678631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815532/; classtype:trojan-activity;sid:84678632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815533/; classtype:trojan-activity;sid:84678633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815534/; classtype:trojan-activity;sid:84678634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815535/; classtype:trojan-activity;sid:84678635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815536/; classtype:trojan-activity;sid:84678636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"85.11.167.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815537/; classtype:trojan-activity;sid:84678637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jxoov.stravexi.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815528/; classtype:trojan-activity;sid:84678628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.206.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815526/; classtype:trojan-activity;sid:84678626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.32.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815527/; classtype:trojan-activity;sid:84678627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wtnbx.stravexi.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815525/; classtype:trojan-activity;sid:84678625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.224.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815524/; classtype:trojan-activity;sid:84678624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cleanbind.stravexi.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815523/; classtype:trojan-activity;sid:84678623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-hyp3r.stravexi.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815522/; 
classtype:trojan-activity;sid:84678622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"869n.stravexi.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815521/; classtype:trojan-activity;sid:84678621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talvenos2.stravexi.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815520/; classtype:trojan-activity;sid:84678620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"celllaunch.velqo7rin.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815519/; classtype:trojan-activity;sid:84678619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.224.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815518/; classtype:trojan-activity;sid:84678618; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/376289280/zzdnqak.exe"; depth:28; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815517/; classtype:trojan-activity;sid:84678617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.88.7.48"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815516/; classtype:trojan-activity;sid:84678616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"0izjx27i.velqo7rin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815515/; classtype:trojan-activity;sid:84678615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"daevia.velqo7rin.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815514/; classtype:trojan-activity;sid:84678614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815513)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"01bdp.velqo7rin.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815513/; classtype:trojan-activity;sid:84678613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neo-3xpo.velqo7rin.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815512/; classtype:trojan-activity;sid:84678612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sync6-signal.velqo7rin.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815511/; classtype:trojan-activity;sid:84678611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.88.7.48"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815510/; classtype:trojan-activity;sid:84678610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815509)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alignsort.xynotrax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815509/; classtype:trojan-activity;sid:84678609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815508/; classtype:trojan-activity;sid:84678608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm"; depth:13; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815499/; classtype:trojan-activity;sid:84678599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm5"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815500/; classtype:trojan-activity;sid:84678600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815501/; 
classtype:trojan-activity;sid:84678601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815502/; classtype:trojan-activity;sid:84678602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.spc"; depth:13; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815503/; classtype:trojan-activity;sid:84678603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm7"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815504/; classtype:trojan-activity;sid:84678604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815505/; classtype:trojan-activity;sid:84678605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; 
content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815506/; classtype:trojan-activity;sid:84678606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815507/; classtype:trojan-activity;sid:84678607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guardfierce.xynotrax.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815498/; classtype:trojan-activity;sid:84678598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.174.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815497/; classtype:trojan-activity;sid:84678597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"autu-grid.xynotrax.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815496/; 
classtype:trojan-activity;sid:84678596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.6.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815495/; classtype:trojan-activity;sid:84678595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark-roo.xynotrax.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815494/; classtype:trojan-activity;sid:84678594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sudden-lab.xynotrax.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815493/; classtype:trojan-activity;sid:84678593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815492/; classtype:trojan-activity;sid:84678592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815491)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.215.173.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815491/; classtype:trojan-activity;sid:84678591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ouya691.xynotrax.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815490/; classtype:trojan-activity;sid:84678590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.151.156.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815489/; classtype:trojan-activity;sid:84678589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"qy55tnaq.aurasamodians.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815488/; classtype:trojan-activity;sid:84678588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815487)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nordraa8.aurasamodians.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815487/; classtype:trojan-activity;sid:84678587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.75.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815486/; classtype:trojan-activity;sid:84678586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pbpx.aurasamodians.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815485/; classtype:trojan-activity;sid:84678585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.218.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815484/; classtype:trojan-activity;sid:84678584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"dense3-trail.honeupwar.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815483/; classtype:trojan-activity;sid:84678583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.151.156.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815482/; classtype:trojan-activity;sid:84678582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scenevivid.honeupwar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815481/; classtype:trojan-activity;sid:84678581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.126.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815480/; classtype:trojan-activity;sid:84678580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.241.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815479/; classtype:trojan-activity;sid:84678579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3815478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rapivelv.honeupwar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815478/; classtype:trojan-activity;sid:84678578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jv0nel9.pampushkatimp.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815477/; classtype:trojan-activity;sid:84678577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"meadow-bro.pampushkatimp.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815476/; classtype:trojan-activity;sid:84678576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rhexjd.pampushkatimp.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815475/; classtype:trojan-activity;sid:84678575; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr1m2-vault.againstvisitor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815474/; classtype:trojan-activity;sid:84678574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.241.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815473/; classtype:trojan-activity;sid:84678573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.231.183.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815472/; classtype:trojan-activity;sid:84678572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"extendplain.againstvisitor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815471/; classtype:trojan-activity;sid:84678571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815470)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.67.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815470/; classtype:trojan-activity;sid:84678570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"expor-sor.againstvisitor.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815469/; classtype:trojan-activity;sid:84678569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.30.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815468/; classtype:trojan-activity;sid:84678568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"factoryserver.obsessivescum.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815467/; classtype:trojan-activity;sid:84678567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.187.43"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_10; reference:url, urlhaus.abuse.ch/url/3815466/; classtype:trojan-activity;sid:84678566; rev:1;)
#
# Reading the rules in this section (all are instances of one generated template):
#
#   alert http $HOME_NET any -> $EXTERNAL_NET any + flow:established,from_client
#       Only client requests leaving $HOME_NET over cleartext HTTP are inspected.
#       The same URL fetched over TLS is not visible to these rules unless the
#       traffic is decrypted before it reaches the sensor.
#
#   http.method; content:"GET"
#       The request method must contain GET.
#
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth is the length of the path string and endswith pins the match to
#       the end of the buffer, so the request URI must equal the listed path
#       (case-insensitively). A request for the same path with a query string
#       appended, or any other path on the same host, does not alert.
#
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       depth plus "no byte follows the match" makes this an exact host match.
#       Suricata lower-cases the http.host buffer, which is why the host
#       content carries no nocase.
#
#   msg "(<id>)" and reference:url, urlhaus.abuse.ch/url/<id>/
#       Both carry the URLhaus entry id; in the rules visible here the sid is
#       that id plus 80863100. Use the reference to check the entry's current
#       status during triage.
#
# Triage notes:
#   - Each rule is an exact host + path indicator added on the created_at date.
#     Entries whose host is an IP literal with a generic path ("/i", "/bin.sh")
#     age quickly; confirm against the URLhaus entry before treating a hit as
#     an active infection, since the address may have been reassigned.
#   - The same long path recurs under many *.in.net hostnames in this section.
#     NOTE(review): this suggests one distribution setup rotating hostnames,
#     inferred only from the repetition. Searching proxy/HTTP logs for the path
#     itself can surface hostnames that are not yet listed.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sparkecho.obsessivescum.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815465/; classtype:trojan-activity;sid:84678565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.136.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815464/; classtype:trojan-activity;sid:84678564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-so11d.obsessivescum.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815463/; classtype:trojan-activity;sid:84678563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fressolar.choreograpshrew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815462/; classtype:trojan-activity;sid:84678562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"campaigndecode.choreograpshrew.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815461/; classtype:trojan-activity;sid:84678561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.116.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815460/; classtype:trojan-activity;sid:84678560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.67.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815459/; classtype:trojan-activity;sid:84678559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vorvale7um.choreograpshrew.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815458/; classtype:trojan-activity;sid:84678558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.187.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815457/; classtype:trojan-activity;sid:84678557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815455/; classtype:trojan-activity;sid:84678555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815456/; classtype:trojan-activity;sid:84678556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hubsyntax.symposiumwash.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815454/; classtype:trojan-activity;sid:84678554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.136.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815453/; classtype:trojan-activity;sid:84678553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"msez.symposiumwash.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815452/; classtype:trojan-activity;sid:84678552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.30.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815451/; classtype:trojan-activity;sid:84678551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mixech.symposiumwash.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815450/; classtype:trojan-activity;sid:84678550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6nyoswt3ky"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815449/; classtype:trojan-activity;sid:84678549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dzgcdhze.athleticscrew.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815448/; classtype:trojan-activity;sid:84678548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.113.247.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815447/; classtype:trojan-activity;sid:84678547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"falc0n0-phase.athleticscrew.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815446/; classtype:trojan-activity;sid:84678546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.109.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815444/; classtype:trojan-activity;sid:84678544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.109.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815445/; classtype:trojan-activity;sid:84678545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.89.252.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815443/; classtype:trojan-activity;sid:84678543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815442/; classtype:trojan-activity;sid:84678542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"securesocket.athleticscrew.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815441/; classtype:trojan-activity;sid:84678541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.203.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815440/; classtype:trojan-activity;sid:84678540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"150.255.251.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815439/; classtype:trojan-activity;sid:84678539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"p4cket-stack.hisslytori.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815438/; classtype:trojan-activity;sid:84678538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.218.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815437/; classtype:trojan-activity;sid:84678537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lunopen.hisslytori.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815436/; classtype:trojan-activity;sid:84678536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velcoreal.hisslytori.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815435/; classtype:trojan-activity;sid:84678535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.28.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815434/; classtype:trojan-activity;sid:84678534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sdkpasture.firstbeasts.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815433/; classtype:trojan-activity;sid:84678533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.192.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815432/; classtype:trojan-activity;sid:84678532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lichensparrow.firstbeasts.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815431/; classtype:trojan-activity;sid:84678531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.0.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815430/; classtype:trojan-activity;sid:84678530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sgqh.firstbeasts.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815429/; classtype:trojan-activity;sid:84678529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-gate.aurasamodians.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815428/; classtype:trojan-activity;sid:84678528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.230.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815427/; classtype:trojan-activity;sid:84678527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.158.212.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815426/; classtype:trojan-activity;sid:84678526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.39.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815425/; classtype:trojan-activity;sid:84678525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.28.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815424/; classtype:trojan-activity;sid:84678524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sky-hub.aurasamodians.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815423/; classtype:trojan-activity;sid:84678523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.226.225.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815422/; classtype:trojan-activity;sid:84678522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"star-svc.aurasamodians.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815421/; classtype:trojan-activity;sid:84678521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.160.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815420/; classtype:trojan-activity;sid:84678520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"light-vault.aurasamodians.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815419/; classtype:trojan-activity;sid:84678519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.242.0.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815418/; classtype:trojan-activity;sid:84678518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.39.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815417/; classtype:trojan-activity;sid:84678517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sam-node.aurasamodians.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815416/; classtype:trojan-activity;sid:84678516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.230.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815415/; classtype:trojan-activity;sid:84678515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.66.32.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815414/; classtype:trojan-activity;sid:84678514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"aura-api.aurasamodians.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815413/; classtype:trojan-activity;sid:84678513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.118.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815412/; classtype:trojan-activity;sid:84678512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.244.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815411/; classtype:trojan-activity;sid:84678511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.248.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815410/; classtype:trojan-activity;sid:84678510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-check.honeupwar.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815409/; classtype:trojan-activity;sid:84678509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub-relay.honeupwar.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815408/; classtype:trojan-activity;sid:84678508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hone-svc.honeupwar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815407/; classtype:trojan-activity;sid:84678507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.191.182.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815406/; classtype:trojan-activity;sid:84678506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"up-vault.honeupwar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815405/; classtype:trojan-activity;sid:84678505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"war-node.honeupwar.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815404/; classtype:trojan-activity;sid:84678504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.255.209.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815403/; classtype:trojan-activity;sid:84678503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"set-api.honeupwar.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815402/; classtype:trojan-activity;sid:84678502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.179.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815401/; classtype:trojan-activity;sid:84678501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-node.pampushkatimp.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815400/; classtype:trojan-activity;sid:84678500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"menu-hub.pampushkatimp.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815399/; classtype:trojan-activity;sid:84678499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pamp-svc.pampushkatimp.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815398/; classtype:trojan-activity;sid:84678498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.229.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815397/; classtype:trojan-activity;sid:84678497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.191.182.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815396/; classtype:trojan-activity;sid:84678496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.221.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815395/; classtype:trojan-activity;sid:84678495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"timp-vault.pampushkatimp.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815394/; classtype:trojan-activity;sid:84678494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cook-node.pampushkatimp.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815393/; classtype:trojan-activity;sid:84678493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.179.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815392/; classtype:trojan-activity;sid:84678492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"food-api.pampushkatimp.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815391/; classtype:trojan-activity;sid:84678491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.160.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815390/; classtype:trojan-activity;sid:84678490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-api.againstvisitor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815389/; classtype:trojan-activity;sid:84678489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.255.209.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815388/; classtype:trojan-activity;sid:84678488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"host-hub.againstvisitor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815387/; classtype:trojan-activity;sid:84678487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.53.111.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815386/; classtype:trojan-activity;sid:84678486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.189.213.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815385/; classtype:trojan-activity;sid:84678485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-svc.againstvisitor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815384/; classtype:trojan-activity;sid:84678484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"visit-vault.againstvisitor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815383/; classtype:trojan-activity;sid:84678483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guest-node.againstvisitor.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815382/; classtype:trojan-activity;sid:84678482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.166.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815381/; classtype:trojan-activity;sid:84678481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stay-api.againstvisitor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815380/; classtype:trojan-activity;sid:84678480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.151.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815379/; classtype:trojan-activity;sid:84678479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.91.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815378/; classtype:trojan-activity;sid:84678478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815377/; classtype:trojan-activity;sid:84678477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-gate.obsessivescum.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815376/; classtype:trojan-activity;sid:84678476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.170.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815375/; classtype:trojan-activity;sid:84678475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3815374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.53.111.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815374/; classtype:trojan-activity;sid:84678474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-hub.obsessivescum.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815373/; classtype:trojan-activity;sid:84678473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.221.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815372/; classtype:trojan-activity;sid:84678472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"task-svc.obsessivescum.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815371/; classtype:trojan-activity;sid:84678471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"125.43.2.167"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815370/; classtype:trojan-activity;sid:84678470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.3.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815369/; classtype:trojan-activity;sid:84678469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scum-vault.obsessivescum.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815368/; classtype:trojan-activity;sid:84678468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815367/; classtype:trojan-activity;sid:84678467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"focus-node.obsessivescum.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815366/; 
classtype:trojan-activity;sid:84678466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815365/; classtype:trojan-activity;sid:84678465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.170.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815364/; classtype:trojan-activity;sid:84678464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-api.obsessivescum.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815363/; classtype:trojan-activity;sid:84678463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.115.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815362/; classtype:trojan-activity;sid:84678462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"182.127.179.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815361/; classtype:trojan-activity;sid:84678461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-svc.choreograpshrew.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815360/; classtype:trojan-activity;sid:84678460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-hub.choreograpshrew.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815359/; classtype:trojan-activity;sid:84678459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shrew-svc.choreograpshrew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815358/; classtype:trojan-activity;sid:84678458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"39.90.151.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815357/; classtype:trojan-activity;sid:84678457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dance-vault.choreograpshrew.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815356/; classtype:trojan-activity;sid:84678456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.57.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815355/; classtype:trojan-activity;sid:84678455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-node.choreograpshrew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815354/; classtype:trojan-activity;sid:84678454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815353/; 
classtype:trojan-activity;sid:84678453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.202.183.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815352/; classtype:trojan-activity;sid:84678452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.234.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815351/; classtype:trojan-activity;sid:84678451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"art-api.choreograpshrew.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815350/; classtype:trojan-activity;sid:84678450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.156.90.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815349/; classtype:trojan-activity;sid:84678449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815348)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link-gate.symposiumwash.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815348/; classtype:trojan-activity;sid:84678448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.222.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815347/; classtype:trojan-activity;sid:84678447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-hub.symposiumwash.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815346/; classtype:trojan-activity;sid:84678446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clean-svc.symposiumwash.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815345/; classtype:trojan-activity;sid:84678445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"83.209.254.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815344/; classtype:trojan-activity;sid:84678444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wash-vault.symposiumwash.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815343/; classtype:trojan-activity;sid:84678443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.114.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815342/; classtype:trojan-activity;sid:84678442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.68.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815341/; classtype:trojan-activity;sid:84678441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.5.94"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815340/; classtype:trojan-activity;sid:84678440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3815339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"event-node.symposiumwash.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815339/; classtype:trojan-activity;sid:84678439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815337/; classtype:trojan-activity;sid:84678437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815338/; classtype:trojan-activity;sid:84678438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.arm5"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815336/; classtype:trojan-activity;sid:84678436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.spc"; depth:10; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815321/; classtype:trojan-activity;sid:84678421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.mpsl"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815322/; classtype:trojan-activity;sid:84678422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.arc"; depth:10; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815323/; classtype:trojan-activity;sid:84678423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.arm7"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815324/; classtype:trojan-activity;sid:84678424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.x86"; depth:10; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815325/; classtype:trojan-activity;sid:84678425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815326)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/clipz.ppc-440fp"; depth:16; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815326/; classtype:trojan-activity;sid:84678426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.m68k"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815327/; classtype:trojan-activity;sid:84678427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.arm6"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815328/; classtype:trojan-activity;sid:84678428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.ppc"; depth:10; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815329/; classtype:trojan-activity;sid:84678429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.arm4"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815330/; classtype:trojan-activity;sid:84678430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3815331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.mips"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815331/; classtype:trojan-activity;sid:84678431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.i486"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815332/; classtype:trojan-activity;sid:84678432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.i686"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815333/; classtype:trojan-activity;sid:84678433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.i586"; depth:11; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815334/; classtype:trojan-activity;sid:84678434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipz.sh4"; depth:10; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815335/; 
classtype:trojan-activity;sid:84678435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talk-api.symposiumwash.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815320/; classtype:trojan-activity;sid:84678420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-gate.athleticscrew.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815319/; classtype:trojan-activity;sid:84678419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815318/; classtype:trojan-activity;sid:84678418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.107.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815317/; classtype:trojan-activity;sid:84678417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815316)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"club-hub.athleticscrew.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815316/; classtype:trojan-activity;sid:84678416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.127.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815315/; classtype:trojan-activity;sid:84678415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.209.254.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815314/; classtype:trojan-activity;sid:84678414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"run-svc.athleticscrew.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815313/; classtype:trojan-activity;sid:84678413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.48.204"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815312/; classtype:trojan-activity;sid:84678412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.5.94"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815311/; classtype:trojan-activity;sid:84678411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sport-vault.athleticscrew.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815310/; classtype:trojan-activity;sid:84678410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.107.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815309/; classtype:trojan-activity;sid:84678409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crew-node.athleticscrew.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815308/; classtype:trojan-activity;sid:84678408; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (sids 84678325-84678407, one rule per line).
#
# Every rule in this run follows the same template:
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client
#     Fires on client requests leaving the protected network, so coverage
#     depends on $HOME_NET / $EXTERNAL_NET being set correctly on the sensor.
#   * http.method must contain "GET".
#   * http.uri: content + depth:<len> + endswith pins the whole URI buffer to
#     the listed string; nocase makes that comparison case-insensitive.
#     The same path with a query string or any other suffix does not match.
#   * http.host: content + depth:<len> + isdataat:!1,relative pins the host
#     buffer to exactly the listed name or IPv4 literal.
#
# What that means for coverage and triage:
#   * These are exact-URL indicators, not behavioural signatures. A different
#     path on the same host, or the same path on a host not listed, is missed.
#   * Only parsed cleartext HTTP is inspected. The same download over TLS is
#     invisible to these rules unless the sensor sees decrypted traffic.
#   * The number in msg equals the id in the reference URL, and in every rule
#     shown sid = that id + 80863100, so an alert maps directly to its
#     URLhaus entry.
#   * metadata:created_at is presumably the date the URL entered the feed
#     (2026_04_09 / 2026_04_10 here). Many hosts are bare IPv4 addresses.
#     NOTE(review): whether offline URLs are dropped from this ruleset is not
#     visible here; re-pull the feed on a schedule instead of pinning a copy.
#   * One 82-byte URI recurs in this run across many subdomains of several
#     *.in.net parent domains. A local hunting rule on that URI without the
#     http.host condition would also flag subdomains not yet in the feed.
#     Validate it for false positives before alerting on it.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.54.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815307/; classtype:trojan-activity;sid:84678407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"team-api.athleticscrew.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815306/; classtype:trojan-activity;sid:84678406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"read-gate.hisslytori.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815305/; classtype:trojan-activity;sid:84678405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.127.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815304/; classtype:trojan-activity;sid:84678404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-hub.hisslytori.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815303/; classtype:trojan-activity;sid:84678403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.sh"; depth:5; endswith; nocase; http.host; content:"62.164.130.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815302/; classtype:trojan-activity;sid:84678402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"text-svc.hisslytori.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815301/; classtype:trojan-activity;sid:84678401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gold.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815300/; classtype:trojan-activity;sid:84678400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-vault.hisslytori.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815299/; classtype:trojan-activity;sid:84678399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.251.127.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815298/; classtype:trojan-activity;sid:84678398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tale-node.hisslytori.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815297/; classtype:trojan-activity;sid:84678397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"story-api.hisslytori.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815296/; classtype:trojan-activity;sid:84678396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.191.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815295/; classtype:trojan-activity;sid:84678395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-node.firstbeasts.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815294/; classtype:trojan-activity;sid:84678394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pack-hub.firstbeasts.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815293/; classtype:trojan-activity;sid:84678393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.251.127.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815292/; classtype:trojan-activity;sid:84678392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alpha-svc.firstbeasts.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815291/; classtype:trojan-activity;sid:84678391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"beast-vault.firstbeasts.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815290/; classtype:trojan-activity;sid:84678390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"track-node.firstbeasts.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815289/; classtype:trojan-activity;sid:84678389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wild-api.firstbeasts.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815288/; classtype:trojan-activity;sid:84678388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.191.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815287/; classtype:trojan-activity;sid:84678387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tencreek.buildingstab.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815286/; classtype:trojan-activity;sid:84678386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ancientpipeline.buildingstab.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815285/; classtype:trojan-activity;sid:84678385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trispire1ar.buildingstab.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815284/; classtype:trojan-activity;sid:84678384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/makefile"; depth:9; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815283/; classtype:trojan-activity;sid:84678383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.183.165.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815282/; classtype:trojan-activity;sid:84678382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sol-lithum.buildingstab.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815281/; classtype:trojan-activity;sid:84678381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.15.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815280/; classtype:trojan-activity;sid:84678380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kb0xbi23.buildingstab.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815279/; classtype:trojan-activity;sid:84678379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ambe8-trace.buildingstab.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815278/; classtype:trojan-activity;sid:84678378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.211.8.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815277/; classtype:trojan-activity;sid:84678377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"inkcoo.selflessrowdy.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815276/; classtype:trojan-activity;sid:84678376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"genomedeco.selflessrowdy.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815275/; classtype:trojan-activity;sid:84678375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.183.165.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815274/; classtype:trojan-activity;sid:84678374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.253.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815273/; classtype:trojan-activity;sid:84678373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"price-basic.selflessrowdy.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815272/; classtype:trojan-activity;sid:84678372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.253.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815271/; classtype:trojan-activity;sid:84678371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ew59tugm.selflessrowdy.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815270/; classtype:trojan-activity;sid:84678370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.135.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815269/; classtype:trojan-activity;sid:84678369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"serforgea.selflessrowdy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815268/; classtype:trojan-activity;sid:84678368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.124.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815267/; classtype:trojan-activity;sid:84678367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pqxyg.selflessrowdy.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815266/; classtype:trojan-activity;sid:84678366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.211.8.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815265/; classtype:trojan-activity;sid:84678365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.135.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815264/; classtype:trojan-activity;sid:84678364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zigstdj.largechildren.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815263/; classtype:trojan-activity;sid:84678363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"patternreed.largechildren.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815262/; classtype:trojan-activity;sid:84678362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.138.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815261/; classtype:trojan-activity;sid:84678361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"m4r5-scope.largechildren.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815260/; classtype:trojan-activity;sid:84678360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.186.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815259/; classtype:trojan-activity;sid:84678359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.193.111.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815258/; classtype:trojan-activity;sid:84678358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.48.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815257/; classtype:trojan-activity;sid:84678357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"freshclinic.largechildren.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815256/; classtype:trojan-activity;sid:84678356; rev:1;)
# The next ten rules all name one host (145.223.68.170) and one directory
# (/bins/); the file names differ only in the suffix after "sora.". The
# suffixes look like CPU-architecture tags (TODO confirm against the URLhaus
# entries). The feed lists these ten out of id order. A hit on any one of
# them is a reason to review the same client's other requests to that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815255/; classtype:trojan-activity;sid:84678355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815254/; classtype:trojan-activity;sid:84678354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815246/; classtype:trojan-activity;sid:84678346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815247/; classtype:trojan-activity;sid:84678347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815248/; classtype:trojan-activity;sid:84678348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815249/; classtype:trojan-activity;sid:84678349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815250/; classtype:trojan-activity;sid:84678350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815251/; classtype:trojan-activity;sid:84678351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815252/; classtype:trojan-activity;sid:84678352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"145.223.68.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815253/; classtype:trojan-activity;sid:84678353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.114.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815245/; classtype:trojan-activity;sid:84678345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"primesun.largechildren.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815244/; classtype:trojan-activity;sid:84678344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.236.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815243/; classtype:trojan-activity;sid:84678343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.41.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815242/; classtype:trojan-activity;sid:84678342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.79.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815241/; classtype:trojan-activity;sid:84678341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.41.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815240/; classtype:trojan-activity;sid:84678340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.113.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815239/; classtype:trojan-activity;sid:84678339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.236.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815238/; classtype:trojan-activity;sid:84678338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"z55hx.largechildren.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815237/; classtype:trojan-activity;sid:84678337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.79.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815236/; classtype:trojan-activity;sid:84678336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.113.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815235/; classtype:trojan-activity;sid:84678335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zenlithex.backeddown.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815234/; classtype:trojan-activity;sid:84678334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"42ck8.backeddown.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815233/; classtype:trojan-activity;sid:84678333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.114.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815232/; classtype:trojan-activity;sid:84678332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.124.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815231/; classtype:trojan-activity;sid:84678331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/runer.exe"; depth:10; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815230/; classtype:trojan-activity;sid:84678330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ni9n3sio.exe"; depth:13; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815229/; classtype:trojan-activity;sid:84678329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"c1ip-signal.backeddown.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815228/; classtype:trojan-activity;sid:84678328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matri-node.backeddown.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815227/; classtype:trojan-activity;sid:84678327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.153.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815226/; classtype:trojan-activity;sid:84678326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.65.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815225/; classtype:trojan-activity;sid:84678325; rev:1;)
# URLhaus download-URL rules, one listed URL per rule. Every rule in this stretch
# has the same shape:
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       cleartext HTTP from an internal client to an external server, any port;
#       the same URL fetched over TLS is not inspected by these rules unless the
#       traffic is decrypted before the sensor.
#   flow:established,from_client; http.method; content:"GET"
#       GET requests on an established flow, client-to-server direction.
#   http.uri; content:"<path>"; depth:N; endswith; nocase
#       N is the length of <path>, so the match is pinned to offset 0 and to the
#       end of the buffer: the whole URI must equal <path>, case-insensitively.
#       A request that appends a query string or another segment does not match.
#   http.host; content:"<host>"; depth:M; isdataat:!1,relative
#       M is the length of <host> and no byte may follow the match: the whole Host
#       must equal <host>. No nocase here; http.host is Suricata's lower-cased
#       host buffer.
#   metadata / reference / msg
#       the number in msg and in reference:url is the URLhaus entry for the URL.
#       In the rules here the sid is that number plus 80863100
#       (3815224 -> 84678324), which helps when pivoting from an alert to the entry.
#
# Triage notes grounded in the entries below:
#   - The 82-byte "/05fe317c-...google" path recurs unchanged across many rules;
#     only the Host changes (subdomains of backeddown, technocsnatch, gablewagon,
#     learnstingray, citizenconjunct and makemicrophone under .in.net). Each rule
#     covers exactly one hostname, so a new subdomain serving the same path is
#     not matched until the feed lists it.
#   - Several bare-IPv4 hosts are listed twice, once for "/i" and once for
#     "/bin.sh" (for example 125.42.75.71 and 182.123.191.32).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"3af4dq.backeddown.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815224/; classtype:trojan-activity;sid:84678324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vortide5ix.backeddown.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815223/; classtype:trojan-activity;sid:84678323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.79.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815222/; classtype:trojan-activity;sid:84678322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ivorysta.technocsnatch.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815221/; classtype:trojan-activity;sid:84678321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.32.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815220/; classtype:trojan-activity;sid:84678320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"portastora.technocsnatch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815219/; classtype:trojan-activity;sid:84678319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.75.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815218/; classtype:trojan-activity;sid:84678318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.65.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815217/; classtype:trojan-activity;sid:84678317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.237.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815215/; classtype:trojan-activity;sid:84678315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.153.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815216/; classtype:trojan-activity;sid:84678316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.32.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815214/; classtype:trojan-activity;sid:84678314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"biomeharvest.technocsnatch.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815213/; classtype:trojan-activity;sid:84678313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.191.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815212/; classtype:trojan-activity;sid:84678312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"61cyrs.technocsnatch.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815211/; classtype:trojan-activity;sid:84678311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.26.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815210/; classtype:trojan-activity;sid:84678310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"uefvnscr.technocsnatch.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815209/; classtype:trojan-activity;sid:84678309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6tyjqgjx.technocsnatch.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815208/; classtype:trojan-activity;sid:84678308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"agentunite.gablewagon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815207/; classtype:trojan-activity;sid:84678307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.145.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815205/; classtype:trojan-activity;sid:84678305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.75.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815206/; classtype:trojan-activity;sid:84678306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"uigjpx.gablewagon.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815204/; classtype:trojan-activity;sid:84678304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815203/; classtype:trojan-activity;sid:84678303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.87.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815202/; classtype:trojan-activity;sid:84678302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.191.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815201/; classtype:trojan-activity;sid:84678301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bl0om-dock.gablewagon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815200/; classtype:trojan-activity;sid:84678300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ip085.gablewagon.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815199/; classtype:trojan-activity;sid:84678299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5ynt4x2-logic.gablewagon.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815198/; classtype:trojan-activity;sid:84678298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815197/; classtype:trojan-activity;sid:84678297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nor-forgeor.gablewagon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815196/; classtype:trojan-activity;sid:84678296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.208.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815195/; classtype:trojan-activity;sid:84678295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-cort3.learnstingray.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815194/; classtype:trojan-activity;sid:84678294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.87.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815193/; classtype:trojan-activity;sid:84678293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.60.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815192/; classtype:trojan-activity;sid:84678292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"retaine2-drive.learnstingray.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815191/; classtype:trojan-activity;sid:84678291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815190/; classtype:trojan-activity;sid:84678290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quorlithon3.learnstingray.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815189/; classtype:trojan-activity;sid:84678289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.251.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815188/; classtype:trojan-activity;sid:84678288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ia22i03.learnstingray.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815187/; classtype:trojan-activity;sid:84678287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gr4n-panel.learnstingray.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815186/; classtype:trojan-activity;sid:84678286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.147.100.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815185/; classtype:trojan-activity;sid:84678285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"client-gro.learnstingray.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815184/; classtype:trojan-activity;sid:84678284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.93.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815183/; classtype:trojan-activity;sid:84678283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.116.218.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815182/; classtype:trojan-activity;sid:84678282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hyper-s0lid.citizenconjunct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815181/; classtype:trojan-activity;sid:84678281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bann3-hinge.citizenconjunct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815180/; classtype:trojan-activity;sid:84678280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.142.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815179/; classtype:trojan-activity;sid:84678279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.5.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815178/; classtype:trojan-activity;sid:84678278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shadowneural.citizenconjunct.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815177/; classtype:trojan-activity;sid:84678277; rev:1;)
# Host 85.239.147.6 is listed for three /files/<digits>/<name> paths in this
# stretch: the .msi and .exe below, and wjrzcsk.exe further down (sid 84678265).
# Each path is matched exactly, so another file under /files/ on this host is
# not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6749237131/wjrzcsk.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815176/; classtype:trojan-activity;sid:84678276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/cwyzsxe.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815175/; classtype:trojan-activity;sid:84678275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"17qaxj2h.citizenconjunct.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815174/; classtype:trojan-activity;sid:84678274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.200.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815172/; classtype:trojan-activity;sid:84678272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ultra-tr4d.citizenconjunct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815173/; classtype:trojan-activity;sid:84678273; rev:1;)
# Five consecutive rules for one host, 94.156.152.67: /manji.arm5, /manji.arm7,
# /manji.dbg, /00101010101001/o.xml and /manji.x86. The arm5/arm7/x86 suffixes
# look like per-architecture builds of one payload (inferred from the names only).
# More than one of these sids firing for the same client is worth correlating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815170/; classtype:trojan-activity;sid:84678270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815171/; classtype:trojan-activity;sid:84678271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.dbg"; depth:10; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815167/; classtype:trojan-activity;sid:84678267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/o.xml"; depth:21; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815168/; classtype:trojan-activity;sid:84678268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815169/; classtype:trojan-activity;sid:84678269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"v1de0-mark.citizenconjunct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815166/; classtype:trojan-activity;sid:84678266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6749237131/wjrzcsk.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815165/; classtype:trojan-activity;sid:84678265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.5.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815164/; classtype:trojan-activity;sid:84678264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"btvpo7.makemicrophone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815163/; classtype:trojan-activity;sid:84678263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"9tdrxs7.makemicrophone.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815162/; classtype:trojan-activity;sid:84678262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.60"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815161/; classtype:trojan-activity;sid:84678261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.186.206.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815160/; classtype:trojan-activity;sid:84678260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.183.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815159/; classtype:trojan-activity;sid:84678259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"goldgeyse.makemicrophone.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815158/; classtype:trojan-activity;sid:84678258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"etttiinm.makemicrophone.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815157/; classtype:trojan-activity;sid:84678257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"k0ejxai.makemicrophone.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815156/; classtype:trojan-activity;sid:84678256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.71.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815155/; classtype:trojan-activity;sid:84678255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.245.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815154/; classtype:trojan-activity;sid:84678254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rough9-point.makemicrophone.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815153/; classtype:trojan-activity;sid:84678253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gpon.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815152/; classtype:trojan-activity;sid:84678252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.60"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815151/; classtype:trojan-activity;sid:84678251; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bajla4.dreswaoaky.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815150/; classtype:trojan-activity;sid:84678250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.200.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815149/; classtype:trojan-activity;sid:84678249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.183.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815148/; classtype:trojan-activity;sid:84678248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"marshfiel.dreswaoaky.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815147/; classtype:trojan-activity;sid:84678247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815146)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.186.206.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815146/; classtype:trojan-activity;sid:84678246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tens-forge.dreswaoaky.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815145/; classtype:trojan-activity;sid:84678245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pipe1-trail.dreswaoaky.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815144/; classtype:trojan-activity;sid:84678244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.158.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815143/; classtype:trojan-activity;sid:84678243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, 
urlhaus.abuse.ch/url/3815142/; classtype:trojan-activity;sid:84678242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"yj6t.dreswaoaky.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815141/; classtype:trojan-activity;sid:84678241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1202156955/jagqzhe.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815140/; classtype:trojan-activity;sid:84678240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.241.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815139/; classtype:trojan-activity;sid:84678239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talvenal7.dreswaoaky.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815138/; classtype:trojan-activity;sid:84678238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3815137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.69.90.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815137/; classtype:trojan-activity;sid:84678237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7742504508/96f9qz3.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815136/; classtype:trojan-activity;sid:84678236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.10.209.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815135/; classtype:trojan-activity;sid:84678235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.139.213.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815134/; classtype:trojan-activity;sid:84678234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815133/; 
classtype:trojan-activity;sid:84678233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sparrowhones.inferlogic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815132/; classtype:trojan-activity;sid:84678232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sparrowhones.inferlogic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815131/; classtype:trojan-activity;sid:84678231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.168.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815130/; classtype:trojan-activity;sid:84678230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vor-lineet.inferlogic.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815129/; classtype:trojan-activity;sid:84678229; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid8-glow.inferlogic.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815128/; classtype:trojan-activity;sid:84678228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.25.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815127/; classtype:trojan-activity;sid:84678227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.174.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815126/; classtype:trojan-activity;sid:84678226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"t57294m.dialectraflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815125/; classtype:trojan-activity;sid:84678225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815124)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"72.194.227.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815124/; classtype:trojan-activity;sid:84678224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ruralgrove.dialectraflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815123/; classtype:trojan-activity;sid:84678223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.139.213.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815122/; classtype:trojan-activity;sid:84678222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tag3s.dialectraflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815121/; classtype:trojan-activity;sid:84678221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.1.114"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, 
urlhaus.abuse.ch/url/3815120/; classtype:trojan-activity;sid:84678220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.80.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815119/; classtype:trojan-activity;sid:84678219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"arkvale0ex.dialectraflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815118/; classtype:trojan-activity;sid:84678218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"streamerspectrum.dialectraflux.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815117/; classtype:trojan-activity;sid:84678217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.174.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815116/; classtype:trojan-activity;sid:84678216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3815115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.25.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815115/; classtype:trojan-activity;sid:84678215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"227p0.dialectraflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815114/; classtype:trojan-activity;sid:84678214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.213.177.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815113/; classtype:trojan-activity;sid:84678213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.80.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815112/; classtype:trojan-activity;sid:84678212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.213.177.46"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_09; reference:url, urlhaus.abuse.ch/url/3815111/; classtype:trojan-activity;sid:84678211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.23.135.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815110/; classtype:trojan-activity;sid:84678210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.110.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815109/; classtype:trojan-activity;sid:84678209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tren-sta.ontofabric.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815108/; classtype:trojan-activity;sid:84678208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.110.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815107/; classtype:trojan-activity;sid:84678207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815106)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mist-sub.ontofabric.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815106/; classtype:trojan-activity;sid:84678206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dyndra1is.ontofabric.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815105/; classtype:trojan-activity;sid:84678205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.89.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815104/; classtype:trojan-activity;sid:84678204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pdwex6.ontofabric.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815103/; classtype:trojan-activity;sid:84678203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"124.235.249.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815102/; classtype:trojan-activity;sid:84678202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.249.194.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815101/; classtype:trojan-activity;sid:84678201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.82.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815100/; classtype:trojan-activity;sid:84678200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sfu2.ontofabric.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815099/; classtype:trojan-activity;sid:84678199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"6ud07.ontofabric.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815098/; 
classtype:trojan-activity;sid:84678198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815097/; classtype:trojan-activity;sid:84678197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ikpxa.epistemflow.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815096/; classtype:trojan-activity;sid:84678196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6849343518/nxpvmw4.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815095/; classtype:trojan-activity;sid:84678195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.201.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815094/; classtype:trojan-activity;sid:84678194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815093)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lanepla.epistemflow.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815093/; classtype:trojan-activity;sid:84678193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.89.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815092/; classtype:trojan-activity;sid:84678192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mervale8on.epistemflow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815091/; classtype:trojan-activity;sid:84678191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6849343518/ncp6usn.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815090/; classtype:trojan-activity;sid:84678190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; 
http.host; content:"dustdefend.epistemflow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815089/; classtype:trojan-activity;sid:84678189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.82.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815088/; classtype:trojan-activity;sid:84678188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815087/; classtype:trojan-activity;sid:84678187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"capita-stack.epistemflow.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815086/; classtype:trojan-activity;sid:84678186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815085/; classtype:trojan-activity;sid:84678185; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kel-coreex.epistemflow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815084/; classtype:trojan-activity;sid:84678184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.201.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815083/; classtype:trojan-activity;sid:84678183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.110.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815082/; classtype:trojan-activity;sid:84678182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"compres0-watch.gnosistack.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815081/; classtype:trojan-activity;sid:84678181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815080)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talspireor.gnosistack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815080/; classtype:trojan-activity;sid:84678180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-n1mb.gnosistack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815079/; classtype:trojan-activity;sid:84678179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pale-beam.gnosistack.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815078/; classtype:trojan-activity;sid:84678178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.25.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815077/; classtype:trojan-activity;sid:84678177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815076)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"observernet.gnosistack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815076/; classtype:trojan-activity;sid:84678176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.100.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815075/; classtype:trojan-activity;sid:84678175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"canyondeliver.gnosistack.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815074/; classtype:trojan-activity;sid:84678174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.244.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815073/; classtype:trojan-activity;sid:84678173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"5hor-line.metaphysixhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815072/; classtype:trojan-activity;sid:84678172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ebqje.metaphysixhub.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815071/; classtype:trojan-activity;sid:84678171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hp301u.metaphysixhub.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815070/; classtype:trojan-activity;sid:84678170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.173.88.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815069/; classtype:trojan-activity;sid:84678169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.110.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815068/; 
classtype:trojan-activity;sid:84678168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quor-forgear.metaphysixhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815067/; classtype:trojan-activity;sid:84678167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.109.33"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815066/; classtype:trojan-activity;sid:84678166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rhuhgz.metaphysixhub.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815065/; classtype:trojan-activity;sid:84678165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.143.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815064/; classtype:trojan-activity;sid:84678164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815063)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cre5t-port.metaphysixhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815063/; classtype:trojan-activity;sid:84678163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lum-draar.cognifluxion.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815062/; classtype:trojan-activity;sid:84678162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.109.33"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815061/; classtype:trojan-activity;sid:84678161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"i61l.cognifluxion.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815060/; classtype:trojan-activity;sid:84678160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815059)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"majorloca.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815059/; classtype:trojan-activity;sid:84678159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.173.88.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815058/; classtype:trojan-activity;sid:84678158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.12.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815057/; classtype:trojan-activity;sid:84678157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.33.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815056/; classtype:trojan-activity;sid:84678156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5trea-crest.systemoraengine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 
2026_04_09; reference:url, urlhaus.abuse.ch/url/3815055/; classtype:trojan-activity;sid:84678155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.12.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815054/; classtype:trojan-activity;sid:84678154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rep4-signal.theorivector.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815053/; classtype:trojan-activity;sid:84678153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815052/; classtype:trojan-activity;sid:84678152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.255.173.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815051/; classtype:trojan-activity;sid:84678151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815050)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.47.188.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815050/; classtype:trojan-activity;sid:84678150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"velmarkis.theorivector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815049/; classtype:trojan-activity;sid:84678149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"zen-venen.inferentrixhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815048/; classtype:trojan-activity;sid:84678148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"713c.inferentrixhub.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815047/; classtype:trojan-activity;sid:84678147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"27.215.143.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815046/; classtype:trojan-activity;sid:84678146; rev:1;)
# Rule shape used by every entry in this feed: the http.uri content is pinned with
# depth (= content length) plus endswith, and the http.host content with depth plus
# isdataat:!1,relative, so each rule matches one exact host + path pair. nocase follows
# the http.uri content, so the path comparison is case-insensitive.
# Coverage caveat: these are "alert http" rules on flow:established,from_client with
# method GET, from $HOME_NET to $EXTERNAL_NET. The same URL fetched over TLS is not
# visible to them unless traffic is decrypted before it reaches the sensor.
#
# NOTE(review): sid 84678145 below pins http.uri to the bare root path "/", so any
# cleartext GET of this host's landing page alerts. In practice it behaves as a
# host-level indicator; triage hits accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"kerryglow.info"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815045/; classtype:trojan-activity;sid:84678145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.58.118.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815044/; classtype:trojan-activity;sid:84678144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/od1zv/gluedig.hta"; depth:18; endswith; nocase; http.host; content:"163.5.102.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815043/; classtype:trojan-activity;sid:84678143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.148.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815042/; classtype:trojan-activity;sid:84678142; rev:1;)
# NOTE(review): sid 84678141 below — the URI content "/|3f|1/_x" is 6 bytes once |3f|
# is decoded ("/?1/_x"), but depth is 9, which equals the length of the escaped string
# (it looks as if the generator counted the escape characters). With endswith the match
# is still anchored to the end of http.uri, but up to 3 arbitrary leading bytes are
# tolerated, so this rule is slightly broader than the exact-URI match the other
# entries get. depth:6 would restore the exact match; as this is a generated feed,
# report it upstream rather than patching the local copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|1/_x"; depth:9; endswith; nocase; http.host; content:"stawel.terrae.rest"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815041/; classtype:trojan-activity;sid:84678141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.234.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815040/; classtype:trojan-activity;sid:84678140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tide-dock.dialectraforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815039/; classtype:trojan-activity;sid:84678139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.138.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815038/; classtype:trojan-activity;sid:84678138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"150.255.173.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, 
urlhaus.abuse.ch/url/3815037/; classtype:trojan-activity;sid:84678137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs321rr/horrorreamer.hta"; depth:25; endswith; nocase; http.host; content:"163.5.102.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815036/; classtype:trojan-activity;sid:84678136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815035/; classtype:trojan-activity;sid:84678135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"deeppublic.dialectraforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815034/; classtype:trojan-activity;sid:84678134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.59.83.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815033/; classtype:trojan-activity;sid:84678133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815032)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"formsola.axiomatrixflow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815032/; classtype:trojan-activity;sid:84678132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lumvenor1.axiomatrixflow.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815031/; classtype:trojan-activity;sid:84678131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.94.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815030/; classtype:trojan-activity;sid:84678130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.115.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815029/; classtype:trojan-activity;sid:84678129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"rapidgold.ontocorex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815028/; classtype:trojan-activity;sid:84678128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.58.118.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815027/; classtype:trojan-activity;sid:84678127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.33.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815025/; classtype:trojan-activity;sid:84678125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.77.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815026/; classtype:trojan-activity;sid:84678126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sh13l-mount.ontocorex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815024/; classtype:trojan-activity;sid:84678124; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.94.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815023/; classtype:trojan-activity;sid:84678123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"breeze2-lab.epistemevault.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815022/; classtype:trojan-activity;sid:84678122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815021/; classtype:trojan-activity;sid:84678121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.133.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815020/; classtype:trojan-activity;sid:84678120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; 
depth:82; endswith; nocase; http.host; content:"2vw0eqz.epistemevault.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815019/; classtype:trojan-activity;sid:84678119; rev:1;)
# The line above is the tail of a rule that starts before this span, and the last line of the
# span is the head of a rule that continues after it; both are left exactly as found.
#
# Every complete rule below follows one template: an established client-to-server HTTP flow
# from $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri ends with
# the listed path inside the stated depth (nocase), and whose http.host equals the listed host
# (depth pins the start, isdataat:!1,relative requires that nothing follows the match).
# Where depth equals the content length, depth + endswith amounts to an exact URI match.
# For the short paths ("/i", "/bin.sh") the URI part carries almost no specificity on its own;
# the host match is what ties the alert to the reported URL.
# The rules are `alert http`, so they only see HTTP the sensor can parse: a fetch of the same
# URL over TLS is not inspected unless traffic is decrypted upstream.
# NOTE(review): sid looks like the URLhaus entry id plus a fixed offset (80863100); confirm
# with the feed, and check the range against locally assigned sids before loading.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sexogaycomtravesti/bkp/chrome_update_old.exe"; depth:45; endswith; nocase; http.host; content:"147.93.3.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815018/; classtype:trojan-activity;sid:84678118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sexogaycomtravesti/bkp/chrome_update.exe"; depth:41; endswith; nocase; http.host; content:"147.93.3.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815017/; classtype:trojan-activity;sid:84678117; rev:1;)
# The long "/05fe317c-.../ck-....google" path recurs below, unchanged, under many different
# *.in.net host names. Each rule is pinned to one host, so a host that has not been reported
# yet is not covered by any of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pbby.gnoseonflux.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815016/; classtype:trojan-activity;sid:84678116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sexogaycomtravesti/main.exe"; depth:28; endswith; nocase; http.host; content:"147.93.3.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815015/; classtype:trojan-activity;sid:84678115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sexogaycomtravesti/chrome_update.exe"; depth:37; endswith; nocase; http.host; content:"147.93.3.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815014/; classtype:trojan-activity;sid:84678114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gwryxarc.gnoseonflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815013/; classtype:trojan-activity;sid:84678113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.149.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815012/; classtype:trojan-activity;sid:84678112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"northdusk.noetisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815011/; classtype:trojan-activity;sid:84678111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1980571880/t6u2tbq.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815010/; classtype:trojan-activity;sid:84678110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.113.247.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815009/; classtype:trojan-activity;sid:84678109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gbfezss.noetisphere.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815008/; classtype:trojan-activity;sid:84678108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815007/; classtype:trojan-activity;sid:84678107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cascadeaudit.cdmilestone.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815006/; classtype:trojan-activity;sid:84678106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.97.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815005/; classtype:trojan-activity;sid:84678105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tal-lineis.cdmilestone.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815004/; classtype:trojan-activity;sid:84678104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.97.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815003/; classtype:trojan-activity;sid:84678103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"curiousport.bobinaslums.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815002/; classtype:trojan-activity;sid:84678102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.203.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815001/; classtype:trojan-activity;sid:84678101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"learnmed.bobinaslums.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815000/; classtype:trojan-activity;sid:84678100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.87.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814999/; classtype:trojan-activity;sid:84678099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"travelconvoy.literallukom.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814998/; classtype:trojan-activity;sid:84678098; rev:1;)
# 129.213.9.74: one host, seven paths named after CPU architectures.
# NOTE(review): presumably per-architecture builds of one payload; the rules alone do not
# show that, check the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814996/; classtype:trojan-activity;sid:84678096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814997/; classtype:trojan-activity;sid:84678097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814995/; classtype:trojan-activity;sid:84678095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riscv64"; depth:8; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814991/; classtype:trojan-activity;sid:84678091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814992/; classtype:trojan-activity;sid:84678092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814993/; classtype:trojan-activity;sid:84678093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"129.213.9.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814994/; classtype:trojan-activity;sid:84678094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"jgmwuf2l.literallukom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814990/; classtype:trojan-activity;sid:84678090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.221.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814989/; classtype:trojan-activity;sid:84678089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.225.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814988/; classtype:trojan-activity;sid:84678088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"4gzx0ikx.bankingrugnia.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814987/; classtype:trojan-activity;sid:84678087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shapefinal.bankingrugnia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814986/; classtype:trojan-activity;sid:84678086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.30.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814985/; classtype:trojan-activity;sid:84678085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kerneldiscov.crumpledzev.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814984/; classtype:trojan-activity;sid:84678084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.87.108"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814983/; classtype:trojan-activity;sid:84678083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814982/; classtype:trojan-activity;sid:84678082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"enzyrne-craft.crumpledzev.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814981/; classtype:trojan-activity;sid:84678081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.211.79.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814980/; classtype:trojan-activity;sid:84678080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.241.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814979/; classtype:trojan-activity;sid:84678079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.87.108"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814978/; classtype:trojan-activity;sid:84678078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-pay1.desertpract.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814977/; classtype:trojan-activity;sid:84678077; rev:1;)
# NOTE(review): i.postimg.cc (here and further down) and pastefy.app appear to be public
# image/paste hosting services rather than dedicated infrastructure. Each rule matches one
# object on the host, so an alert is a hit on that path, not a verdict on the whole host.
# Such hosts are normally reached over HTTPS, where an `alert http` rule only fires on
# decrypted traffic; confirm sensor placement before counting these as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l8vblxgy/image1.png"; depth:20; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814976/; classtype:trojan-activity;sid:84678076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y06d8klh/image4.png"; depth:20; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814975/; classtype:trojan-activity;sid:84678075; rev:1;)
# |3f| is the hex-escaped "?", so this content includes the query string.
# NOTE(review): depth:33 is the length of the escaped text; the decoded content is 30 bytes,
# so up to 3 bytes may precede the path and the rule still matches. depth:30 would pin the
# URI exactly. Looks like the generator counts the escape literally; confirm with the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shsuwc5f/raw|3f|part=obrmdan.txt"; depth:33; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814974/; classtype:trojan-activity;sid:84678074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stackstone.desertpract.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814973/; classtype:trojan-activity;sid:84678073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.44.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814972/; classtype:trojan-activity;sid:84678072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"5uv69r.friskynanos.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814971/; classtype:trojan-activity;sid:84678071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.160.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814970/; classtype:trojan-activity;sid:84678070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.156.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814969/; classtype:trojan-activity;sid:84678069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n0gcyfbk/image1.png"; depth:20; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814968/; classtype:trojan-activity;sid:84678068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"convertamp.friskynanos.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814967/; classtype:trojan-activity;sid:84678067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kggm.ryesears.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814966/; classtype:trojan-activity;sid:84678066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bannerfor.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814965/; classtype:trojan-activity;sid:84678065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"alt-m1x.bereathfertil.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814964/; classtype:trojan-activity;sid:84678064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.32.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814963/; classtype:trojan-activity;sid:84678063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814962/; classtype:trojan-activity;sid:84678062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cr4ft-pulse.importantserv.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814961/; classtype:trojan-activity;sid:84678061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.156.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814960/; classtype:trojan-activity;sid:84678060; rev:1;)
# 176.65.139.96: one host, a /bins/ directory of architecture-named files (the entries are
# interleaved with other hosts below).
# NOTE(review): presumably per-architecture builds of one payload; not shown by the rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814958/; classtype:trojan-activity;sid:84678058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814959/; classtype:trojan-activity;sid:84678059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814957/; classtype:trojan-activity;sid:84678057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814952/; classtype:trojan-activity;sid:84678052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814953/; classtype:trojan-activity;sid:84678053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814954/; classtype:trojan-activity;sid:84678054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814955/; classtype:trojan-activity;sid:84678055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814956/; classtype:trojan-activity;sid:84678056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.137.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814951/; classtype:trojan-activity;sid:84678051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814947/; classtype:trojan-activity;sid:84678047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814948/; classtype:trojan-activity;sid:84678048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814949/; classtype:trojan-activity;sid:84678049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814950/; classtype:trojan-activity;sid:84678050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"proto-1oad.importantserv.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814946/; classtype:trojan-activity;sid:84678046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814945/; classtype:trojan-activity;sid:84678045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814944/; classtype:trojan-activity;sid:84678044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.241.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814943/; classtype:trojan-activity;sid:84678043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814942/; classtype:trojan-activity;sid:84678042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fdode.ontocorex.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814941/; classtype:trojan-activity;sid:84678041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"road-gate.cdmilestone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814940/; classtype:trojan-activity;sid:84678040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"next-svc.cdmilestone.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814939/; classtype:trojan-activity;sid:84678039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.220.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814938/; classtype:trojan-activity;sid:84678038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"task-vault.cdmilestone.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814937/; classtype:trojan-activity;sid:84678037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814936/; classtype:trojan-activity;sid:84678036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814935/; classtype:trojan-activity;sid:84678035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814934/; classtype:trojan-activity;sid:84678034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark-node.cdmilestone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814933/; classtype:trojan-activity;sid:84678033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814932/; classtype:trojan-activity;sid:84678032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"plan-api.cdmilestone.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814931/; classtype:trojan-activity;sid:84678031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.215.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814930/; classtype:trojan-activity;sid:84678030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.35.78.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814929/; classtype:trojan-activity;sid:84678029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"time-step.cdmilestone.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814928/; classtype:trojan-activity;sid:84678028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trace-gate.bobinaslums.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814927/; classtype:trojan-activity;sid:84678027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814926)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"street-svc.bobinaslums.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814926/; classtype:trojan-activity;sid:84678026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"map-vault.bobinaslums.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814925/; classtype:trojan-activity;sid:84678025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.11.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814924/; classtype:trojan-activity;sid:84678024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g2hvszd8/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814923/; classtype:trojan-activity;sid:84678023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.34.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; 
reference:url, urlhaus.abuse.ch/url/3814922/; classtype:trojan-activity;sid:84678022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tgpg7gvd/image1.png"; depth:20; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814921/; classtype:trojan-activity;sid:84678021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-node.bobinaslums.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814920/; classtype:trojan-activity;sid:84678020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/44j9qkxj/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814919/; classtype:trojan-activity;sid:84678019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newoworkable/newoworkable.txt"; depth:30; endswith; nocase; http.host; content:"crowe-avvens.site"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814918/; classtype:trojan-activity;sid:84678018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3814917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sta/mint.txt"; depth:13; endswith; nocase; http.host; content:"www.hna-ksa.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814917/; classtype:trojan-activity;sid:84678017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sta/ikp.txt"; depth:12; endswith; nocase; http.host; content:"www.hna-ksa.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814915/; classtype:trojan-activity;sid:84678015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elementos/mhdcbdc.txt"; depth:22; endswith; nocase; http.host; content:"grupomcperu.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814916/; classtype:trojan-activity;sid:84678016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.233.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814914/; classtype:trojan-activity;sid:84678014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/mtvfode0nzg0otff/adn.txt"; depth:27; endswith; nocase; http.host; content:"od.lk"; depth:5; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814913/; 
classtype:trojan-activity;sid:84678013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swt3d/dips.ps1"; depth:15; endswith; nocase; http.host; content:"selyoptik.ro"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814912/; classtype:trojan-activity;sid:84678012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"city-api.bobinaslums.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814911/; classtype:trojan-activity;sid:84678011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.13.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814910/; classtype:trojan-activity;sid:84678010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.165.92.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814909/; classtype:trojan-activity;sid:84678009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814908)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"area-check.bobinaslums.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814908/; classtype:trojan-activity;sid:84678008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.66.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814907/; classtype:trojan-activity;sid:84678007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.233.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814906/; classtype:trojan-activity;sid:84678006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-gate.literallukom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814905/; classtype:trojan-activity;sid:84678005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.128.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; 
reference:url, urlhaus.abuse.ch/url/3814904/; classtype:trojan-activity;sid:84678004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"info-svc.literallukom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814903/; classtype:trojan-activity;sid:84678003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"page-vault.literallukom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814902/; classtype:trojan-activity;sid:84678002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.13.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814901/; classtype:trojan-activity;sid:84678001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"word-node.literallukom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814900/; 
classtype:trojan-activity;sid:84678000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.13.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814899/; classtype:trojan-activity;sid:84677999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814897/; classtype:trojan-activity;sid:84677997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.220.145.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814898/; classtype:trojan-activity;sid:84677998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"book-api.literallukom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814896/; classtype:trojan-activity;sid:84677996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814895/; classtype:trojan-activity;sid:84677995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"text-read.literallukom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814894/; classtype:trojan-activity;sid:84677994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trust-gate.bankingrugnia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814893/; classtype:trojan-activity;sid:84677993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.144.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814891/; classtype:trojan-activity;sid:84677991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.144.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, 
urlhaus.abuse.ch/url/3814892/; classtype:trojan-activity;sid:84677992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pay-svc.bankingrugnia.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814890/; classtype:trojan-activity;sid:84677990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.220.145.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814889/; classtype:trojan-activity;sid:84677989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-vault.bankingrugnia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814888/; classtype:trojan-activity;sid:84677988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.214.87.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814887/; classtype:trojan-activity;sid:84677987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3814886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"bank-node.bankingrugnia.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814886/; classtype:trojan-activity;sid:84677986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"loan-api.bankingrugnia.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814885/; classtype:trojan-activity;sid:84677985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.227.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814884/; classtype:trojan-activity;sid:84677984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cash-flow.bankingrugnia.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814883/; classtype:trojan-activity;sid:84677983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814882)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark-gate.crumpledzev.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814882/; classtype:trojan-activity;sid:84677982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file-svc.crumpledzev.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814881/; classtype:trojan-activity;sid:84677981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.227.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814880/; classtype:trojan-activity;sid:84677980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pack-vault.crumpledzev.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814879/; classtype:trojan-activity;sid:84677979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814878)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.215.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814878/; classtype:trojan-activity;sid:84677978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.106.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814877/; classtype:trojan-activity;sid:84677977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-node.crumpledzev.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814876/; classtype:trojan-activity;sid:84677976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgakmfi.txt"; depth:12; endswith; nocase; http.host; content:"aona.s3.cubbit.eu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814875/; classtype:trojan-activity;sid:84677975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_105759.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814874/; 
classtype:trojan-activity;sid:84677974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_085027.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814873/; classtype:trojan-activity;sid:84677973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_174236.png"; depth:15; endswith; nocase; http.host; content:"nrmlogistics.ro"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814872/; classtype:trojan-activity;sid:84677972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.8.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814871/; classtype:trojan-activity;sid:84677971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"nrmlogistics.ro"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814870/; classtype:trojan-activity;sid:84677970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.28.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814869/; classtype:trojan-activity;sid:84677969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/igkjakc.txt"; depth:12; endswith; nocase; http.host; content:"aona.s3.cubbit.eu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814868/; classtype:trojan-activity;sid:84677968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newoworkable/aegbfib.txt"; depth:25; endswith; nocase; http.host; content:"crowe-avvens.site"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814867/; classtype:trojan-activity;sid:84677967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x12dc3zt/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814866/; classtype:trojan-activity;sid:84677966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1314242/dips.ps1"; depth:17; endswith; nocase; http.host; content:"innovspora.co.zw"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814865/; classtype:trojan-activity;sid:84677965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3814864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wrap-api.crumpledzev.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814864/; classtype:trojan-activity;sid:84677964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mp/rbgrdcf.txt"; depth:15; endswith; nocase; http.host; content:"178.16.53.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814863/; classtype:trojan-activity;sid:84677963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ii5pfcz83atcdgk"; depth:16; endswith; nocase; http.host; content:"hasteb.in"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814862/; classtype:trojan-activity;sid:84677962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fold-sync.crumpledzev.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814861/; classtype:trojan-activity;sid:84677961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
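content:"222.138.150.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814860/; classtype:trojan-activity;sid:84677960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r0b3tqyb/image-1.png"; depth:21; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814859/; classtype:trojan-activity;sid:84677959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7esw3p.dat"; depth:11; endswith; nocase; http.host; content:"files.catbox.moe"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814858/; classtype:trojan-activity;sid:84677958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"path-hub.desertpract.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814857/; classtype:trojan-activity;sid:84677957; rev:1;)
# NOTE(review): the query separator was double-escaped as |7c|26|7c|, which Suricata decodes to the
# literal bytes "|26|" rather than "&" (presumably what the listed URL contains), so the rule as
# published would not fire on that request. Corrected to |26| below, with depth set to the decoded
# pattern length (87 bytes) so depth + endswith is an exact-URI match. This is a local correction:
# it is overwritten on the next feed refresh, so the escaping problem should also be reported upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/qmvzggstgzebycqnvndss3fdwp8dixo4uax1exjgmsasvn|3f|download=true|26|filename=7777778.txt"; depth:87; endswith; nocase; http.host; content:"accessible-peach-termite.myfilebase.com"; depth:39; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814856/; classtype:trojan-activity;sid:84677956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.215.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814854/; classtype:trojan-activity;sid:84677954; rev:1;)
# NOTE(review): depth was 56, the length of the pattern text with the |3f| escape counted as four
# characters; the decoded pattern is 53 bytes. Tightened to 53 so the URI must match exactly, as in
# the rules without hex escapes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/qmvzggstgzebycqnvndss3fdwp8dixo4uax1exjgmsasvn|3f|"; depth:53; endswith; nocase; http.host; content:"accessible-peach-termite.myfilebase.com"; depth:39; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814855/; classtype:trojan-activity;sid:84677955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.215.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814853/; classtype:trojan-activity;sid:84677953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.66.32.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814852/; classtype:trojan-activity;sid:84677952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814851)"; flow:established,from_client; http.method; content:"GET"; 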
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-svc.desertpract.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814851/; classtype:trojan-activity;sid:84677951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.13.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814850/; classtype:trojan-activity;sid:84677950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.150.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814849/; classtype:trojan-activity;sid:84677949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dry-vault.desertpract.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814848/; classtype:trojan-activity;sid:84677948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"map-node.desertpract.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814847/; classtype:trojan-activity;sid:84677947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.215.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814846/; classtype:trojan-activity;sid:84677946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.244.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814845/; classtype:trojan-activity;sid:84677945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"area-api.desertpract.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814844/; classtype:trojan-activity;sid:84677944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.8.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814843/; classtype:trojan-activity;sid:84677943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sand-logic.desertpract.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814842/; classtype:trojan-activity;sid:84677942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.148.204.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814841/; classtype:trojan-activity;sid:84677941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid-gate.friskynanos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814840/; classtype:trojan-activity;sid:84677940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.13.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814839/; classtype:trojan-activity;sid:84677939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
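depth:2; endswith; nocase; http.host; content:"182.121.228.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814838/; classtype:trojan-activity;sid:84677938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"micro-svc.friskynanos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814837/; classtype:trojan-activity;sid:84677937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dkylpyldt/image/upload/v1775485198/rump_clyv7g.jpg"; depth:51; endswith; nocase; http.host; content:"res.cloudinary.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814836/; classtype:trojan-activity;sid:84677936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dkylpyldt/image/upload/v1775485483/origin_kaqiyp.jpg"; depth:53; endswith; nocase; http.host; content:"res.cloudinary.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814835/; classtype:trojan-activity;sid:84677935; rev:1;)
# NOTE(review): the "&" between the alt= and token= parameters was double-escaped as |7c|26|7c|,
# which Suricata decodes to the literal bytes "|26|", so the rule as published would not fire on a
# request using "&". Corrected to |26| below, with depth set to the decoded pattern length
# (104 bytes) so depth + endswith is an exact-URI match. Local correction only; report upstream.
# As an `alert http` rule it inspects cleartext or decrypted HTTP only, so requests to this host
# made over TLS are outside its coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/spenglercomics.firebasestorage.app/o/task.txt|3f|alt=media|26|token=f162f5ce-52f7-4407-8cc4-dd96cedd9b0e"; depth:104; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814834/; classtype:trojan-activity;sid:84677934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/qmvcz1lehhbv5v72fzqhkicrafkg9j1erveshxls2qmqcp"; depth:52; endswith; nocase; http.host; content:"accessible-peach-termite.myfilebase.com"; depth:39; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814833/; classtype:trojan-activity;sid:84677933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/qmwhgwhriz1fp5tmv32nuncnkozwxetxqac38xn7duvyxr"; depth:52; endswith; nocase; http.host; content:"accessible-peach-termite.myfilebase.com"; depth:39; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814832/; classtype:trojan-activity;sid:84677932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skifteda.deploy"; depth:16; endswith; nocase; http.host; content:"107.175.246.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814831/; classtype:trojan-activity;sid:84677931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idfwchwvxiwe19.bin"; depth:19; endswith; nocase; http.host; content:"107.175.246.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814830/; 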
classtype:trojan-activity;sid:84677930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.19.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814829/; classtype:trojan-activity;sid:84677929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cell-vault.friskynanos.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814828/; classtype:trojan-activity;sid:84677928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-node.friskynanos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814827/; classtype:trojan-activity;sid:84677927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"small-api.friskynanos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814826/; classtype:trojan-activity;sid:84677926; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.244.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814825/; classtype:trojan-activity;sid:84677925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"nano-tech.friskynanos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814824/; classtype:trojan-activity;sid:84677924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.192.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814823/; classtype:trojan-activity;sid:84677923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.163.183.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814822/; classtype:trojan-activity;sid:84677922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814821)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-gate.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814821/; classtype:trojan-activity;sid:84677921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/festusfile.png"; depth:15; endswith; nocase; http.host; content:"172.245.95.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814820/; classtype:trojan-activity;sid:84677920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rump.png"; depth:9; endswith; nocase; http.host; content:"172.245.95.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814819/; classtype:trojan-activity;sid:84677919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trade-svc.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814818/; classtype:trojan-activity;sid:84677918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.19.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; 
reference:url, urlhaus.abuse.ch/url/3814816/; classtype:trojan-activity;sid:84677916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.155.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814817/; classtype:trojan-activity;sid:84677917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"store-vault.ryesears.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814815/; classtype:trojan-activity;sid:84677915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.227.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814814/; classtype:trojan-activity;sid:84677914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"farm-api.ryesears.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814813/; classtype:trojan-activity;sid:84677913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3814812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grain-log.ryesears.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814812/; classtype:trojan-activity;sid:84677912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.155.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814811/; classtype:trojan-activity;sid:84677911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.228.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814810/; classtype:trojan-activity;sid:84677910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.163.183.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814809/; classtype:trojan-activity;sid:84677909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"soil-hub.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814808/; classtype:trojan-activity;sid:84677908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm5"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814807/; classtype:trojan-activity;sid:84677907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.mpsl"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814803/; classtype:trojan-activity;sid:84677903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz.sh"; depth:9; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814804/; classtype:trojan-activity;sid:84677904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm7"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814805/; classtype:trojan-activity;sid:84677905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3814806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.mips"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814806/; classtype:trojan-activity;sid:84677906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm6"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814801/; classtype:trojan-activity;sid:84677901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.x86"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814802/; classtype:trojan-activity;sid:84677902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.ppc"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814793/; classtype:trojan-activity;sid:84677893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arm"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814794/; 
classtype:trojan-activity;sid:84677894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.x86_64"; depth:19; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814795/; classtype:trojan-activity;sid:84677895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.arc"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814796/; classtype:trojan-activity;sid:84677896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.i686"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814797/; classtype:trojan-activity;sid:84677897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.sh4"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814798/; classtype:trojan-activity;sid:84677898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.m68k"; depth:17; endswith; nocase; http.host; 
content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814799/; classtype:trojan-activity;sid:84677899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.spc"; depth:16; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814800/; classtype:trojan-activity;sid:84677900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-svc.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814792/; classtype:trojan-activity;sid:84677892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scamily.msi"; depth:12; endswith; nocase; http.host; content:"pub-2ac530845a0b40f68c46df8146d4315a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814791/; classtype:trojan-activity;sid:84677891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.226.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814790/; classtype:trojan-activity;sid:84677890; rev:1;) alert http 
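$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grow-vault.bereathfertil.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814789/; classtype:trojan-activity;sid:84677889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hammz/hammz.i468"; depth:17; endswith; nocase; http.host; content:"206.189.93.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814788/; classtype:trojan-activity;sid:84677888; rev:1;)
# NOTE(review): the "&" between the e= and y= parameters was double-escaped as |7c|26|7c|, which
# Suricata decodes to the literal bytes "|26|", so the rule as published would not fire on a request
# using "&". Corrected to |26| below, with depth set to the decoded pattern length (51 bytes) so
# depth + endswith is an exact-URI match. This is a local correction: it is overwritten on the next
# feed refresh, so the escaping problem should also be reported upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|26|y=guest"; depth:51; endswith; nocase; http.host; content:"38.240.58.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814787/; classtype:trojan-activity;sid:84677887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.221.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814786/; classtype:trojan-activity;sid:84677886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814785)"; flow:established,from_client; http.method; content:"GET"; http.uri; 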
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"land-node.bereathfertil.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814785/; classtype:trojan-activity;sid:84677885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crop-api.bereathfertil.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814784/; classtype:trojan-activity;sid:84677884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rlfoxszxho57.bin"; depth:17; endswith; nocase; http.host; content:"107.175.246.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814782/; classtype:trojan-activity;sid:84677882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hist.deploy"; depth:12; endswith; nocase; http.host; content:"107.175.246.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814783/; classtype:trojan-activity;sid:84677883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.145"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_09; reference:url, urlhaus.abuse.ch/url/3814781/; classtype:trojan-activity;sid:84677881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sync-hub.importantserv.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814780/; classtype:trojan-activity;sid:84677880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.237.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814779/; classtype:trojan-activity;sid:84677879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.32.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814778/; classtype:trojan-activity;sid:84677878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"svc-relay.importantserv.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814777/; classtype:trojan-activity;sid:84677877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.97.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814776/; classtype:trojan-activity;sid:84677876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.178.147.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814775/; classtype:trojan-activity;sid:84677875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.55.14.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814773/; classtype:trojan-activity;sid:84677873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.81.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814774/; classtype:trojan-activity;sid:84677874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.9.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814770/; 
classtype:trojan-activity;sid:84677870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.39.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814771/; classtype:trojan-activity;sid:84677871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.97.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814772/; classtype:trojan-activity;sid:84677872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.32.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814762/; classtype:trojan-activity;sid:84677862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.136.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814763/; classtype:trojan-activity;sid:84677863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.32.25"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814764/; classtype:trojan-activity;sid:84677864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"121.167.209.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814765/; classtype:trojan-activity;sid:84677865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.6.10.120"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814766/; classtype:trojan-activity;sid:84677866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.96.165.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814767/; classtype:trojan-activity;sid:84677867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.96.165.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814768/; classtype:trojan-activity;sid:84677868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"61.52.39.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814769/; classtype:trojan-activity;sid:84677869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.165.125.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814761/; classtype:trojan-activity;sid:84677861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.77.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814760/; classtype:trojan-activity;sid:84677860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-vault.importantserv.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814759/; classtype:trojan-activity;sid:84677859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.227.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814758/; classtype:trojan-activity;sid:84677858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8329928896/7otv2gj.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814757/; classtype:trojan-activity;sid:84677857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"host-node.importantserv.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814756/; classtype:trojan-activity;sid:84677856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-api.importantserv.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814755/; classtype:trojan-activity;sid:84677855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.77.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814754/; classtype:trojan-activity;sid:84677854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814753)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.32.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814753/; classtype:trojan-activity;sid:84677853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-gate.importantserv.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814752/; classtype:trojan-activity;sid:84677852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-gate.cognifluxion.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814751/; classtype:trojan-activity;sid:84677851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.237.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814750/; classtype:trojan-activity;sid:84677850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/encrypted.hta"; depth:77; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814749/; classtype:trojan-activity;sid:84677849; rev:1;)
# The next three signatures pin http.host to raw.githubusercontent.com or github.com
# and http.uri to one exact repository path (depth equal to the pattern length plus
# endswith). Because the host is shared, the path is the only discriminating part.
# NOTE(review): these hosts are normally served over TLS. An `alert http` rule only
# inspects HTTP the sensor can parse in cleartext, so expect no hits unless traffic
# is decrypted ahead of the sensor (TODO confirm for this deployment). Otherwise
# cover these entries from proxy or endpoint logs that record the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/windowslogonservice.bat"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814747/; classtype:trojan-activity;sid:84677847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/raw/refs/heads/main/pulsar-client.exe"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814748/; classtype:trojan-activity;sid:84677848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/maybeworking.hta"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814746/; classtype:trojan-activity;sid:84677846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.226.161.86"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814745/; classtype:trojan-activity;sid:84677845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/raw/refs/heads/main/test/123123.exe"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814744/; classtype:trojan-activity;sid:84677844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/rickowens/refs/heads/main/encrypted.hta"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814742/; classtype:trojan-activity;sid:84677842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/detectionratetesting.hta"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814743/; classtype:trojan-activity;sid:84677843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/rickowens/raw/refs/heads/main/pulsar-client.exe"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_04_09; reference:url, urlhaus.abuse.ch/url/3814741/; classtype:trojan-activity;sid:84677841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/test/encrypted.hta"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814740/; classtype:trojan-activity;sid:84677840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"think-hub.cognifluxion.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814739/; classtype:trojan-activity;sid:84677839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brain-svc.cognifluxion.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814738/; classtype:trojan-activity;sid:84677838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sense-vault.cognifluxion.in.net"; depth:31; 
isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814737/; classtype:trojan-activity;sid:84677837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"75.1.240.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814736/; classtype:trojan-activity;sid:84677836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neural-node.cognifluxion.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814735/; classtype:trojan-activity;sid:84677835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.207.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814734/; classtype:trojan-activity;sid:84677834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flux-api.cognifluxion.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814733/; classtype:trojan-activity;sid:84677833; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814732/; classtype:trojan-activity;sid:84677832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814731/; classtype:trojan-activity;sid:84677831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-gate.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814730/; classtype:trojan-activity;sid:84677830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-hub.systemoraengine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814729/; classtype:trojan-activity;sid:84677829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814728)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-svc.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814728/; classtype:trojan-activity;sid:84677828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"75.1.240.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814727/; classtype:trojan-activity;sid:84677827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.52.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814725/; classtype:trojan-activity;sid:84677825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-vault.systemoraengine.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814726/; classtype:trojan-activity;sid:84677826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ak/zpubeynbswoznhk172.bin"; depth:26; endswith; nocase; http.host; content:"104.249.10.200"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814724/; classtype:trojan-activity;sid:84677824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rule-node.systemoraengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814723/; classtype:trojan-activity;sid:84677823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"boost.newrock.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814722/; classtype:trojan-activity;sid:84677822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"quickly.newrock.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814721/; classtype:trojan-activity;sid:84677821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"fast.newrock.life"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814720/; classtype:trojan-activity;sid:84677820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3814719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"stone.newrock.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814719/; classtype:trojan-activity;sid:84677819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index"; depth:6; endswith; nocase; http.host; content:"79.124.59.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814716/; classtype:trojan-activity;sid:84677816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.96.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814717/; classtype:trojan-activity;sid:84677817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mass"; depth:5; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814718/; classtype:trojan-activity;sid:84677818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.php"; depth:8; endswith; nocase; http.host; content:"go6.my"; depth:6; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814715/; classtype:trojan-activity;sid:84677815; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.233.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814714/; classtype:trojan-activity;sid:84677814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.php"; depth:9; endswith; nocase; http.host; content:"go5z.my"; depth:7; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814713/; classtype:trojan-activity;sid:84677813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_050138.png"; depth:15; endswith; nocase; http.host; content:"ojemoneyyy.free.nf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814712/; classtype:trojan-activity;sid:84677812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task"; depth:5; endswith; nocase; http.host; content:"79.124.59.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814710/; classtype:trojan-activity;sid:84677810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; 
reference:url, urlhaus.abuse.ch/url/3814709/; classtype:trojan-activity;sid:84677809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"engine-api.systemoraengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814708/; classtype:trojan-activity;sid:84677808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oa.wsh"; depth:7; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814704/; classtype:trojan-activity;sid:84677804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/go.bat"; depth:7; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814705/; classtype:trojan-activity;sid:84677805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pol.bat"; depth:8; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814706/; classtype:trojan-activity;sid:84677806; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vwo.zip"; depth:8; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814707/; classtype:trojan-activity;sid:84677807; rev:1;)
# Rule shape used throughout this feed: an outbound GET from $HOME_NET whose http.uri
# matches one exact string (depth = pattern length, plus endswith; nocase applies to the
# URI pattern) and whose http.host matches one exact value (depth = host length, and
# isdataat:!1,relative requires that nothing follows the match).
# "alert http" only fires on requests Suricata parses as HTTP, so a fetch of the same
# URL over TLS is not seen by these rules unless the traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/toll_group_co%201200.pdf.lnk"; depth:38; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814703/; classtype:trojan-activity;sid:84677803; rev:1;)
# NOTE(review): in a content string |7c| is the hex escape for a literal "|", so
# "|7c|26|7c|" decodes to the four bytes |26| and not to "&" (0x26). As written the rule
# looks for "...|26|st=...|26|dl=1" in the URI. Either the submitted URL really contained
# "|26|", or "&" was escaped twice when the rule was generated - verify against the
# URLhaus entry before relying on this sid.
# depth:125 equals the length of the escaped text; the decoded pattern is shorter
# (110 bytes by manual count - TODO confirm), so here depth does not pin the match to
# offset 0 the way it does in the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/tkrvswcf5jo4s5oosdc4n/bell-inv-4521-ca-.pdf.zip|3f|rlkey=6bne1aom7tnf7me6j88b85bng|7c|26|7c|st=h396xfm6|7c|26|7c|dl=1"; depth:125; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814702/; classtype:trojan-activity;sid:84677802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccv.js"; depth:7; endswith; nocase; http.host; content:"especially-acrobat-rouge-dominant.trycloudflare.com"; depth:51; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814701/; classtype:trojan-activity;sid:84677801; rev:1;)
# NOTE(review): this rule and the next carry an identical http.uri pattern and differ
# only in http.host (both hosts are under theorivector.in.net). Each rule pins a single
# hostname, so a new sibling hostname serving the same path is not covered until the
# feed adds a rule for it. A local host-independent rule on this path is an option;
# TODO assess false-positive risk before enabling one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-gate.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814700/; classtype:trojan-activity;sid:84677800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"point-hub.theorivector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814699/; classtype:trojan-activity;sid:84677799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.52.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814698/; classtype:trojan-activity;sid:84677798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.94.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814697/; classtype:trojan-activity;sid:84677797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814696)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"theory-svc.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814696/; classtype:trojan-activity;sid:84677796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-vault.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814695/; classtype:trojan-activity;sid:84677795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.104.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814694/; classtype:trojan-activity;sid:84677794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"model-node.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814693/; classtype:trojan-activity;sid:84677793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.57.233.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814692/; classtype:trojan-activity;sid:84677792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.6.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814691/; classtype:trojan-activity;sid:84677791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.6.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814690/; classtype:trojan-activity;sid:84677790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-api.theorivector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814689/; classtype:trojan-activity;sid:84677789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.47.188.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814688/; classtype:trojan-activity;sid:84677788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3814687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"gate-secure.inferentrixhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814687/; classtype:trojan-activity;sid:84677787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.181.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814686/; classtype:trojan-activity;sid:84677786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link-hub.inferentrixhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814685/; classtype:trojan-activity;sid:84677785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814684/; classtype:trojan-activity;sid:84677784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"196.191.104.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814683/; classtype:trojan-activity;sid:84677783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rank-svc.inferentrixhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814682/; classtype:trojan-activity;sid:84677782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.102.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814681/; classtype:trojan-activity;sid:84677781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.125.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814679/; classtype:trojan-activity;sid:84677779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.203.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814680/; classtype:trojan-activity;sid:84677780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.60.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814678/; classtype:trojan-activity;sid:84677778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub-secure.inferentrixhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814677/; classtype:trojan-activity;sid:84677777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trace-node.inferentrixhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814676/; classtype:trojan-activity;sid:84677776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"infer-api.inferentrixhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814675/; classtype:trojan-activity;sid:84677775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3814674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-gate.dialectraforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814674/; classtype:trojan-activity;sid:84677774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"debate-hub.dialectraforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814673/; classtype:trojan-activity;sid:84677773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.204.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814672/; classtype:trojan-activity;sid:84677772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-svc.dialectraforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814671/; classtype:trojan-activity;sid:84677771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814670)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thesis-vault.dialectraforge.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814670/; classtype:trojan-activity;sid:84677770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.124.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814669/; classtype:trojan-activity;sid:84677769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"synth-node.dialectraforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814668/; classtype:trojan-activity;sid:84677768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.82.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814667/; classtype:trojan-activity;sid:84677767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"forge-api.dialectraforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814666/; classtype:trojan-activity;sid:84677766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.90.54.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814665/; classtype:trojan-activity;sid:84677765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.156.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814664/; classtype:trojan-activity;sid:84677764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"point-gate.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814663/; classtype:trojan-activity;sid:84677763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-hub.axiomatrixflow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, 
urlhaus.abuse.ch/url/3814662/; classtype:trojan-activity;sid:84677762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.152.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814661/; classtype:trojan-activity;sid:84677761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stream-svc.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814660/; classtype:trojan-activity;sid:84677760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-node.axiomatrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814659/; classtype:trojan-activity;sid:84677759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.60.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814658/; classtype:trojan-activity;sid:84677758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3814657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.208.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814657/; classtype:trojan-activity;sid:84677757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-api.axiomatrixflow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814656/; classtype:trojan-activity;sid:84677756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.148.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814655/; classtype:trojan-activity;sid:84677755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-flow.axiomatrixflow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814654/; classtype:trojan-activity;sid:84677754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"117.90.54.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814653/; classtype:trojan-activity;sid:84677753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.246.230.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814652/; classtype:trojan-activity;sid:84677752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link-gate.ontocorex.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814651/; classtype:trojan-activity;sid:84677751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.152.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814650/; classtype:trojan-activity;sid:84677750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-hub.ontocorex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814649/; 
classtype:trojan-activity;sid:84677749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.195.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814648/; classtype:trojan-activity;sid:84677748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814647/; classtype:trojan-activity;sid:84677747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-svc.ontocorex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814646/; classtype:trojan-activity;sid:84677746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cell-vault.ontocorex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814645/; classtype:trojan-activity;sid:84677745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814644)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.181.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814644/; classtype:trojan-activity;sid:84677744; rev:1;)
# NOTE(review): the line above is the tail of a rule that begins before this excerpt; it is left as found.
# The rules below are restored to one rule per line. Each one alerts on an HTTP request from $HOME_NET
# to $EXTERNAL_NET on an established flow, client side, when all three buffers match:
#   http.method contains "GET";
#   http.uri equals the listed string (content + depth of the same length + endswith), compared
#     case-insensitively because of nocase;
#   http.host equals the listed host (content + depth of the same length + isdataat:!1,relative).
# NOTE(review): since http.uri must end with the listed string, a request for the same resource with a
# query string or extra path appended does not match. These are http rules, so requests carried over TLS
# are presumably not seen unless traffic is decrypted upstream -- confirm for your sensor placement.
# NOTE(review): every rule pins exactly one host/path pair. In this range one 82-byte path recurs under
# many *.in.net hostnames, and /i and /bin.sh recur on bare IPv4 hosts (125.47.34.217 appears with both),
# so a host not yet listed is covered only after the next feed update. The reference URL on each rule
# should show the entry's current URLhaus status; check it when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.148.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814643/; classtype:trojan-activity;sid:84677743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"entity-node.ontocorex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814642/; classtype:trojan-activity;sid:84677742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.13.63.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814641/; classtype:trojan-activity;sid:84677741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"96.246.230.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814640/; classtype:trojan-activity;sid:84677740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-api.ontocorex.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814639/; classtype:trojan-activity;sid:84677739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.156.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814638/; classtype:trojan-activity;sid:84677738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814637/; classtype:trojan-activity;sid:84677737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"path-gate.epistemevault.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814636/; classtype:trojan-activity;sid:84677736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.195.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814635/; classtype:trojan-activity;sid:84677735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"audit-hub.epistemevault.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814634/; classtype:trojan-activity;sid:84677734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-svc.epistemevault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814633/; classtype:trojan-activity;sid:84677733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814632/; classtype:trojan-activity;sid:84677732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"secure-node.epistemevault.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814631/; classtype:trojan-activity;sid:84677731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.107.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814630/; classtype:trojan-activity;sid:84677730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"info-api.epistemevault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814629/; classtype:trojan-activity;sid:84677729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-vault.epistemevault.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814628/; classtype:trojan-activity;sid:84677728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-gate.gnoseonflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814627/; classtype:trojan-activity;sid:84677727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.55.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814626/; classtype:trojan-activity;sid:84677726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flux-svc.gnoseonflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814625/; classtype:trojan-activity;sid:84677725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"drift-vault.gnoseonflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814624/; classtype:trojan-activity;sid:84677724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814623/; classtype:trojan-activity;sid:84677723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-node.gnoseonflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814622/; classtype:trojan-activity;sid:84677722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"know-api.gnoseonflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814621/; classtype:trojan-activity;sid:84677721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.234.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814620/; classtype:trojan-activity;sid:84677720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow-data.gnoseonflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814619/; classtype:trojan-activity;sid:84677719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-gate.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814618/; classtype:trojan-activity;sid:84677718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814617/; classtype:trojan-activity;sid:84677717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-svc.noetisphere.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814616/; classtype:trojan-activity;sid:84677716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-vault.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814615/; classtype:trojan-activity;sid:84677715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sphere-node.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814614/; classtype:trojan-activity;sid:84677714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thought-api.noetisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814613/; classtype:trojan-activity;sid:84677713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-sync.noetisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814612/; classtype:trojan-activity;sid:84677712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.51.149"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814611/; classtype:trojan-activity;sid:84677711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brain-gate.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814610/; classtype:trojan-activity;sid:84677710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-svc.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814609/; classtype:trojan-activity;sid:84677709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.232.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814608/; classtype:trojan-activity;sid:84677708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"think-node.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814607/; classtype:trojan-activity;sid:84677707; rev:1;)
# Rules restored to one rule per line. Each one alerts on an HTTP request from $HOME_NET to
# $EXTERNAL_NET on an established flow, client side, when all three buffers match:
#   http.method contains "GET";
#   http.uri equals the listed string (content + depth of the same length + endswith), compared
#     case-insensitively because of nocase;
#   http.host equals the listed host (content + depth of the same length + isdataat:!1,relative).
# NOTE(review): since http.uri must end with the listed string, a request for the same resource with a
# query string or extra path appended does not match. These are http rules, so requests carried over TLS
# are presumably not seen unless traffic is decrypted upstream -- confirm for your sensor placement.
# NOTE(review): every rule pins exactly one host/path pair. In this range one 82-byte path recurs under
# many *.in.net hostnames, and /i and /bin.sh recur on bare IPv4 hosts (115.58.173.66 appears with both),
# so a host not yet listed is covered only after the next feed update. The reference URL on each rule
# should show the entry's current URLhaus status; check it when triaging an alert.
# created_at changes from 2026_04_09 to 2026_04_08 at entry 3814595.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.173.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814606/; classtype:trojan-activity;sid:84677706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sense-log.cogniversehub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814605/; classtype:trojan-activity;sid:84677705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.237.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814604/; classtype:trojan-activity;sid:84677704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.152.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814603/; classtype:trojan-activity;sid:84677703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.173.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814602/; classtype:trojan-activity;sid:84677702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.236.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814601/; classtype:trojan-activity;sid:84677701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neural-api.cogniversehub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814600/; classtype:trojan-activity;sid:84677700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-hub.cogniversehub.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814599/; classtype:trojan-activity;sid:84677699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"path-gate.systematrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814598/; classtype:trojan-activity;sid:84677698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.238.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814597/; classtype:trojan-activity;sid:84677697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file-hub.systematrixflow.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814596/; classtype:trojan-activity;sid:84677696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.232.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814595/; classtype:trojan-activity;sid:84677695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.51.149"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814594/; classtype:trojan-activity;sid:84677694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.119.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814593/; classtype:trojan-activity;sid:84677693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stream-svc.systematrixflow.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814592/; classtype:trojan-activity;sid:84677692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.236.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814591/; classtype:trojan-activity;sid:84677691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.155.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814590/; classtype:trojan-activity;sid:84677690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rank-node.systematrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814589/; classtype:trojan-activity;sid:84677689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.121.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814588/; classtype:trojan-activity;sid:84677688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-api.systematrixflow.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814587/; classtype:trojan-activity;sid:84677687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.238.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814586/; classtype:trojan-activity;sid:84677686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-flow.systematrixflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814585/; classtype:trojan-activity;sid:84677685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.219.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814584/; classtype:trojan-activity;sid:84677684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.18.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814583/; classtype:trojan-activity;sid:84677683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub-gate.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814582/; classtype:trojan-activity;sid:84677682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.101.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814581/; classtype:trojan-activity;sid:84677681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.121.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814580/; classtype:trojan-activity;sid:84677680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-svc.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814579/; classtype:trojan-activity;sid:84677679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-node.theorexuslayer.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814578/; classtype:trojan-activity;sid:84677678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.101.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814577/; classtype:trojan-activity;sid:84677677; rev:1;)
# The next eleven rules share one host (45.145.225.160) and one directory (/ab4g5/); only the file
# suffix differs: mpsl, ppc, arm6, sh4, spc, m68k, mips, arm7, arm5, x86, arm. Entry 3814576 is listed
# first and 3814566-3814575 follow in ascending order, unlike the descending order around them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mpsl"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814576/; classtype:trojan-activity;sid:84677676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.ppc"; depth:16; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814566/; classtype:trojan-activity;sid:84677666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm6"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814567/; classtype:trojan-activity;sid:84677667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.sh4"; depth:16; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814568/; classtype:trojan-activity;sid:84677668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.spc"; depth:16; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814569/; classtype:trojan-activity;sid:84677669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.m68k"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814570/; classtype:trojan-activity;sid:84677670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mips"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814571/; classtype:trojan-activity;sid:84677671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm7"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814572/; classtype:trojan-activity;sid:84677672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm5"; depth:17; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814573/; classtype:trojan-activity;sid:84677673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.x86"; depth:16; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814574/; classtype:trojan-activity;sid:84677674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm"; depth:16; endswith; nocase; http.host; content:"45.145.225.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814575/; classtype:trojan-activity;sid:84677675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abstract-log.theorexuslayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814565/; classtype:trojan-activity;sid:84677665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.219.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814564/; classtype:trojan-activity;sid:84677664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"model-api.theorexuslayer.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814563/; classtype:trojan-activity;sid:84677663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.18.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814562/; classtype:trojan-activity;sid:84677662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"layer-io.theorexuslayer.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814561/; classtype:trojan-activity;sid:84677661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"point-gate.inferentialisflux.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814560/; classtype:trojan-activity;sid:84677660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-svc.inferentialisflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814559/; classtype:trojan-activity;sid:84677659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flux-node.inferentialisflux.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814558/; classtype:trojan-activity;sid:84677658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trace-log.inferentialisflux.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814557/; classtype:trojan-activity;sid:84677657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.12.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814556/; classtype:trojan-activity;sid:84677656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-api.inferentialisflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814555/; classtype:trojan-activity;sid:84677655; rev:1;)
# NOTE(review): the line below is the start of a rule that continues past this excerpt; it is left as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814554)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"infer-unit.inferentialisflux.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814554/; classtype:trojan-activity;sid:84677654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.251.18.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814553/; classtype:trojan-activity;sid:84677653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.115.234.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814552/; classtype:trojan-activity;sid:84677652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-gate.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814551/; classtype:trojan-activity;sid:84677651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"debate-hub.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814550/; classtype:trojan-activity;sid:84677650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.147.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814549/; classtype:trojan-activity;sid:84677649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"state-svc.dialectosphere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814548/; classtype:trojan-activity;sid:84677648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thesis-log.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814547/; classtype:trojan-activity;sid:84677647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.211.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814546/; classtype:trojan-activity;sid:84677646; rev:1;)
# Analyst note: many entries in this part of the ruleset are "/i" or "/bin.sh" served from a
# bare IPv4 address, and some addresses are listed with both paths (117.209.20.49 and
# 175.147.243.47 appear below with "/i" and again nearby with "/bin.sh").
# Scope of these signatures, as written:
#   - "alert http" inspects only traffic Suricata parses as HTTP; the same URL fetched over TLS
#     is not matched unless decrypted traffic is fed to the sensor.
#   - "$HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client means only outbound
#     client requests alert, so detection depends on HOME_NET being configured correctly.
#   - The match is on the request; a hit shows a fetch was attempted, not that a payload arrived.
#   - IP-literal indicators age quickly; metadata:created_at records when each entry was added.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.20.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814545/; classtype:trojan-activity;sid:84677645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.115.234.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814544/; classtype:trojan-activity;sid:84677644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talk-node.dialectosphere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814543/; classtype:trojan-activity;sid:84677643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.243.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814542/; classtype:trojan-activity;sid:84677642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814541)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sphere-api.dialectosphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814541/; classtype:trojan-activity;sid:84677641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.255.10.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814540/; classtype:trojan-activity;sid:84677640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-hub.axiomorphengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814539/; classtype:trojan-activity;sid:84677639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.243.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814538/; classtype:trojan-activity;sid:84677638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"rule-svc.axiomorphengine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814537/; classtype:trojan-activity;sid:84677637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.20.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814536/; classtype:trojan-activity;sid:84677636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.114.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814535/; classtype:trojan-activity;sid:84677635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.12.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814534/; classtype:trojan-activity;sid:84677634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-vault.axiomorphengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814533/; classtype:trojan-activity;sid:84677633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/js/scc.msi"; depth:20; endswith; nocase; http.host; content:"mhatuminerals.africa"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814532/; classtype:trojan-activity;sid:84677632; rev:1;)
# Analyst note on sid 84677632 (the rule ending on the line above): the path sits under a
# WordPress admin directory on a named domain, which may mean a compromised legitimate site
# rather than dedicated hosting. That is not confirmed here; check the referenced URLhaus entry.
# The rule fires on the GET request alone. Before treating the client as infected, confirm from
# the HTTP response (status code, file metadata) that the .msi was actually delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814531/; classtype:trojan-activity;sid:84677631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fixed-node.axiomorphengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814530/; classtype:trojan-activity;sid:84677630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.58.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814529/; classtype:trojan-activity;sid:84677629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.15.172"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814528/; classtype:trojan-activity;sid:84677628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"law-check.axiomorphengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814527/; classtype:trojan-activity;sid:84677627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"engine-io.axiomorphengine.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814526/; classtype:trojan-activity;sid:84677626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.255.10.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814525/; classtype:trojan-activity;sid:84677625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.15.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814523/; classtype:trojan-activity;sid:84677623; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.35.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814524/; classtype:trojan-activity;sid:84677624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-gate.ontoversegrid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814522/; classtype:trojan-activity;sid:84677622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.35.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814521/; classtype:trojan-activity;sid:84677621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"verse-svc.ontoversegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814520/; classtype:trojan-activity;sid:84677620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814519)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.114.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814519/; classtype:trojan-activity;sid:84677619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"entity-node.ontoversegrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814518/; classtype:trojan-activity;sid:84677618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814517/; classtype:trojan-activity;sid:84677617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"map-log.ontoversegrid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814516/; classtype:trojan-activity;sid:84677616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.88.242.17"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814515/; classtype:trojan-activity;sid:84677615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.132.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814513/; classtype:trojan-activity;sid:84677613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.101.213.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814514/; classtype:trojan-activity;sid:84677614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"world-api.ontoversegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814512/; classtype:trojan-activity;sid:84677612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.124.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814511/; classtype:trojan-activity;sid:84677611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814510)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.101.213.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814510/; classtype:trojan-activity;sid:84677610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid-core.ontoversegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814509/; classtype:trojan-activity;sid:84677609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.123.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814508/; classtype:trojan-activity;sid:84677608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"drift-gate.epistemiconflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814507/; classtype:trojan-activity;sid:84677607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814506)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-svc.epistemiconflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814506/; classtype:trojan-activity;sid:84677606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"truth-node.epistemiconflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814505/; classtype:trojan-activity;sid:84677605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.56.88.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814504/; classtype:trojan-activity;sid:84677604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.201.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814502/; classtype:trojan-activity;sid:84677602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.25.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; 
reference:url, urlhaus.abuse.ch/url/3814503/; classtype:trojan-activity;sid:84677603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sync-vault.epistemiconflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814501/; classtype:trojan-activity;sid:84677601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8550280707/zchuqwg.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814500/; classtype:trojan-activity;sid:84677600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mesh-api.epistemiconflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814499/; classtype:trojan-activity;sid:84677599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.58.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814498/; classtype:trojan-activity;sid:84677598; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.3.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814497/; classtype:trojan-activity;sid:84677597; rev:1;)
#
# Reviewer notes for the rules in this section (one rule per line; the option
# text of every rule is unchanged).
#
# All rules here share one template:
#   - alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client: only the client side of an established
#     HTTP flow leaving $HOME_NET is inspected, so coverage depends on
#     $HOME_NET / $EXTERNAL_NET being set correctly on the sensor.
#   - http.method; content:"GET": the request method must contain GET.
#   - http.uri; content:"<path>"; depth:<len>; endswith; nocase: depth equals
#     the length of the path and endswith pins the match to the end of the
#     buffer, so the URI buffer must equal the path (case-insensitively).
#     A request for the same path with a query string appended does not match.
#   - http.host; content:"<host>"; depth:<len>; isdataat:!1,relative: depth
#     equals the length of the host and isdataat:!1,relative requires that no
#     byte follows the match, so the host buffer must equal the listed IP
#     address or hostname.
#   - The URLhaus entry id appears in msg and in reference:url; use it to
#     look up the entry when triaging an alert.
#
# Caveats for whoever deploys these:
#   - These are `alert http` signatures; the same URL fetched over TLS is
#     not covered unless the traffic is decrypted upstream of the sensor.
#   - Many hosts below are bare IPv4 addresses, all with created_at
#     2026_04_08 and rev:1. Address-based indicators can go stale, so check
#     the referenced URLhaus entry before acting on an alert.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.11.175.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814496/; classtype:trojan-activity;sid:84677596; rev:1;)
# The 82-byte path in the next rule recurs throughout this section with many
# different *.in.net hostnames; between those rules only http.host (and the
# ids) differ. In HTTP logs the shared path is a useful search key alongside
# the individual hostnames.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow-data.epistemiconflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814495/; classtype:trojan-activity;sid:84677595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-gate.gnosticvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814494/; classtype:trojan-activity;sid:84677594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.201.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814493/; classtype:trojan-activity;sid:84677593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"path-svc.gnosticvector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814492/; classtype:trojan-activity;sid:84677592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"know-node.gnosticvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814491/; classtype:trojan-activity;sid:84677591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.71.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814490/; classtype:trojan-activity;sid:84677590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-hub.gnosticvector.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814489/; classtype:trojan-activity;sid:84677589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.255.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814488/; classtype:trojan-activity;sid:84677588; rev:1;)
# Several IP hosts in this section appear twice, once with /i and once with
# /bin.sh (the host in the next rule is one of them); each URL has its own
# rule and sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.38.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814487/; classtype:trojan-activity;sid:84677587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-api.gnosticvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814486/; classtype:trojan-activity;sid:84677586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.38.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814485/; classtype:trojan-activity;sid:84677585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trace-point.gnosticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814484/; classtype:trojan-activity;sid:84677584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814483/; classtype:trojan-activity;sid:84677583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shell-svc.noospherecore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814482/; classtype:trojan-activity;sid:84677582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-node.noospherecore.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814481/; classtype:trojan-activity;sid:84677581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.135.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814480/; classtype:trojan-activity;sid:84677580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.193.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814479/; classtype:trojan-activity;sid:84677579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.125.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814478/; classtype:trojan-activity;sid:84677578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-vault.noospherecore.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814477/; classtype:trojan-activity;sid:84677577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thought-api.noospherecore.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814476/; classtype:trojan-activity;sid:84677576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.232.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814475/; classtype:trojan-activity;sid:84677575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814474/; classtype:trojan-activity;sid:84677574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"global-io.noospherecore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814473/; classtype:trojan-activity;sid:84677573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-sync.noospherecore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814472/; classtype:trojan-activity;sid:84677572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.193.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814471/; classtype:trojan-activity;sid:84677571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"magic-hub.assyrfantasy.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814470/; classtype:trojan-activity;sid:84677570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.241.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814469/; classtype:trojan-activity;sid:84677569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.163.34.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814468/; classtype:trojan-activity;sid:84677568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"story-gate.assyrfantasy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814467/; classtype:trojan-activity;sid:84677567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.125.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814466/; classtype:trojan-activity;sid:84677566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tale-svc.assyrfantasy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814465/; classtype:trojan-activity;sid:84677565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.77.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814464/; classtype:trojan-activity;sid:84677564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fair-node.assyrfantasy.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814463/; classtype:trojan-activity;sid:84677563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dream-api.assyrfantasy.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814462/; classtype:trojan-activity;sid:84677562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"myth-logic.assyrfantasy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814461/; classtype:trojan-activity;sid:84677561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.87.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814460/; classtype:trojan-activity;sid:84677560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.189.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814458/; classtype:trojan-activity;sid:84677558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-hub.excellsadarma.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814459/; classtype:trojan-activity;sid:84677559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.73.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814457/; classtype:trojan-activity;sid:84677557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark-gate.excellsadarma.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814456/; classtype:trojan-activity;sid:84677556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.186.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814455/; classtype:trojan-activity;sid:84677555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test-svc.excellsadarma.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814454/; classtype:trojan-activity;sid:84677554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.56.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814453/; classtype:trojan-activity;sid:84677553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-node.excellsadarma.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814452/; classtype:trojan-activity;sid:84677552; rev:1;)
# The next two rules name the same host with two different paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work200"; depth:8; endswith; nocase; http.host; content:"158.94.210.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814451/; classtype:trojan-activity;sid:84677551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ficiyolov"; depth:10; endswith; nocase; http.host; content:"158.94.210.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814450/; classtype:trojan-activity;sid:84677550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-api.excellsadarma.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814449/; classtype:trojan-activity;sid:84677549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"win-point.excellsadarma.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814448/; classtype:trojan-activity;sid:84677548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"load-hub.apotheosbring.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814447/; classtype:trojan-activity;sid:84677547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814446/; classtype:trojan-activity;sid:84677546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-gate.apotheosbring.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814445/; classtype:trojan-activity;sid:84677545; rev:1;)
# NOTE(review): the path below is a common legitimate tool filename; the rule
# fires only for this exact path on this exact host, so the host match is what
# carries the signal here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromedriver.exe"; depth:17; endswith; nocase; http.host; content:"178.16.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814444/; classtype:trojan-activity;sid:84677544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33333.vbs"; depth:10; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814442/; classtype:trojan-activity;sid:84677542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.225.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814443/; classtype:trojan-activity;sid:84677543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814441/; classtype:trojan-activity;sid:84677541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"peak-svc.apotheosbring.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814440/; classtype:trojan-activity;sid:84677540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814439/; classtype:trojan-activity;sid:84677539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.239.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814438/; classtype:trojan-activity;sid:84677538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-node.apotheosbring.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814437/; classtype:trojan-activity;sid:84677537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.31.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814436/; classtype:trojan-activity;sid:84677536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.13.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814435/; classtype:trojan-activity;sid:84677535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"take-api.apotheosbring.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814434/; classtype:trojan-activity;sid:84677534; rev:1;)
# The next four rules name the same host, one .vbs path each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tasksvc.vbs"; depth:12; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814430/; classtype:trojan-activity;sid:84677530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/procesos.vbs"; depth:13; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814431/; classtype:trojan-activity;sid:84677531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task.vbs"; depth:9; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814432/; classtype:trojan-activity;sid:84677532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systask.vbs"; depth:12; endswith; nocase; http.host; content:"178.16.55.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814433/; classtype:trojan-activity;sid:84677533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.123.44.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814429/; classtype:trojan-activity;sid:84677529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.116.177.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814428/; classtype:trojan-activity;sid:84677528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"top-logic.apotheosbring.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814427/; classtype:trojan-activity;sid:84677527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link-hub.goodtwain.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814426/; classtype:trojan-activity;sid:84677526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.155.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814425/; classtype:trojan-activity;sid:84677525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.239.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814424/; classtype:trojan-activity;sid:84677524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.145.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814423/; classtype:trojan-activity;sid:84677523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.225.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814422/; classtype:trojan-activity;sid:84677522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"match-gate.goodtwain.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814421/; classtype:trojan-activity;sid:84677521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.116.177.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814420/; classtype:trojan-activity;sid:84677520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"item-svc.goodtwain.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814419/; classtype:trojan-activity;sid:84677519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.85.113"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814418/; classtype:trojan-activity;sid:84677518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-node.goodtwain.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814417/; classtype:trojan-activity;sid:84677517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.85.113"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814416/; classtype:trojan-activity;sid:84677516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dual-api.goodtwain.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814415/; classtype:trojan-activity;sid:84677515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"best-pair.goodtwain.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814414/; classtype:trojan-activity;sid:84677514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-vault.monarchold.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814413/; classtype:trojan-activity;sid:84677513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hist-svc.monarchold.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814412/; classtype:trojan-activity;sid:84677512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crown-node.monarchold.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814411/; classtype:trojan-activity;sid:84677511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.218.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814410/; classtype:trojan-activity;sid:84677510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rule-check.monarchold.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814409/; classtype:trojan-activity;sid:84677509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.29.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814408/; classtype:trojan-activity;sid:84677508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"past-api.monarchold.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814407/; classtype:trojan-activity;sid:84677507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3814406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"king-logic.monarchold.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814406/; classtype:trojan-activity;sid:84677506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"message-hub.emissarysooth.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814405/; classtype:trojan-activity;sid:84677505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-gate.emissarysooth.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814404/; classtype:trojan-activity;sid:84677504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.29.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814403/; classtype:trojan-activity;sid:84677503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814402)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"soft-svc.emissarysooth.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814402/; classtype:trojan-activity;sid:84677502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.218.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814401/; classtype:trojan-activity;sid:84677501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"truth-node.emissarysooth.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814400/; classtype:trojan-activity;sid:84677500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.165.125.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814399/; classtype:trojan-activity;sid:84677499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; 
nocase; http.host; content:"link-api.emissarysooth.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814398/; classtype:trojan-activity;sid:84677498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"send-relay.emissarysooth.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814397/; classtype:trojan-activity;sid:84677497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_145003.png"; depth:15; endswith; nocase; http.host; content:"ftpemails.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814396/; classtype:trojan-activity;sid:84677496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_091731.png"; depth:15; endswith; nocase; http.host; content:"magina.online"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814395/; classtype:trojan-activity;sid:84677495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_095306.png"; depth:15; endswith; nocase; http.host; content:"vagner.site"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814394/; classtype:trojan-activity;sid:84677494; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"port-hub.covercotehour.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814393/; classtype:trojan-activity;sid:84677493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install"; depth:8; endswith; nocase; http.host; content:"iridiacheats.dev"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814392/; classtype:trojan-activity;sid:84677492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.102.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814391/; classtype:trojan-activity;sid:84677491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coat-svc.covercotehour.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814390/; classtype:trojan-activity;sid:84677490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814389)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.133.209.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814389/; classtype:trojan-activity;sid:84677489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"safe-node.covercotehour.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814388/; classtype:trojan-activity;sid:84677488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"slot-api.covercotehour.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814387/; classtype:trojan-activity;sid:84677487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/base.zip"; depth:9; endswith; nocase; http.host; content:"google-services.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814386/; classtype:trojan-activity;sid:84677486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.102.241"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814385/; classtype:trojan-activity;sid:84677485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"time-check.covercotehour.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814384/; classtype:trojan-activity;sid:84677484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wrap-logic.covercotehour.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814383/; classtype:trojan-activity;sid:84677483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.8.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814382/; classtype:trojan-activity;sid:84677482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rest-gate.dialectdozing.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; 
reference:url, urlhaus.abuse.ch/url/3814381/; classtype:trojan-activity;sid:84677481; rev:1;)
# Reading the rules in this feed (every rule follows the same template):
#   alert http ... flow:established,from_client
#       Only client-side requests on established flows that Suricata has
#       identified as HTTP are inspected.
#   http.method; content:"GET"
#       The request method buffer must contain GET.
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the length of <path> and endswith anchors the end, so the
#       whole URI buffer has to equal <path>, compared case-insensitively.
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       Same exact-match idea for the host buffer: nothing may follow <host>.
# Consequence for triage: an alert means this exact host and path were
# requested. The same host with a different path or an added query string does
# not match, and requests carried inside TLS are not seen by these rules unless
# traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"speech-svc.dialectdozing.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814380/; classtype:trojan-activity;sid:84677480; rev:1;)
# NOTE(review): the URI content in the next rule (sid 84677479) starts with two
# slashes. http.uri is Suricata's normalized URI buffer; if the sensor's libhtp
# settings compress repeated path separators, the buffer would hold "/pnpm" and
# this exact-length match (depth:6 plus endswith) would not fire. Confirm
# against the sensor configuration, and consider checking the raw URI
# (http.uri.raw) for this host when hunting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//pnpm"; depth:6; endswith; nocase; http.host; content:"prennixo.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814379/; classtype:trojan-activity;sid:84677479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/react"; depth:6; endswith; nocase; http.host; content:"prennixo.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814378/; classtype:trojan-activity;sid:84677478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.133.209.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814377/; classtype:trojan-activity;sid:84677477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814376)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.226.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814376/; classtype:trojan-activity;sid:84677476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quiet-node.dialectdozing.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814375/; classtype:trojan-activity;sid:84677475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.134.59.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814374/; classtype:trojan-activity;sid:84677474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"term-log.dialectdozing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814373/; classtype:trojan-activity;sid:84677473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.158.152"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814372/; classtype:trojan-activity;sid:84677472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"word-api.dialectdozing.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814371/; classtype:trojan-activity;sid:84677471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"talk-sync.dialectdozing.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814370/; classtype:trojan-activity;sid:84677470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.11.64.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814369/; classtype:trojan-activity;sid:84677469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"frame-hub.shapeprimrose.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814368/; classtype:trojan-activity;sid:84677468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.226.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814367/; classtype:trojan-activity;sid:84677467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"solid-svc.shapeprimrose.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814366/; classtype:trojan-activity;sid:84677466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.1.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814365/; classtype:trojan-activity;sid:84677465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mesh-node.shapeprimrose.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814364/; classtype:trojan-activity;sid:84677464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3814363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"geo-api.shapeprimrose.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814363/; classtype:trojan-activity;sid:84677463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-point.shapeprimrose.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814362/; classtype:trojan-activity;sid:84677462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.164.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814361/; classtype:trojan-activity;sid:84677461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.80.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814359/; classtype:trojan-activity;sid:84677459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.138.64.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814360/; classtype:trojan-activity;sid:84677460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"form-check.shapeprimrose.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814358/; classtype:trojan-activity;sid:84677458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sign-gate.iconoguroque.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814357/; classtype:trojan-activity;sid:84677457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.165.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814356/; classtype:trojan-activity;sid:84677456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7655527200/uuumylr.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814355/; classtype:trojan-activity;sid:84677455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"art-svc.iconoguroque.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814354/; classtype:trojan-activity;sid:84677454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.22.235.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814353/; classtype:trojan-activity;sid:84677453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.1.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814352/; classtype:trojan-activity;sid:84677452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"draw-node.iconoguroque.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814351/; classtype:trojan-activity;sid:84677451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3814350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.86.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814350/; classtype:trojan-activity;sid:84677450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-hub.iconoguroque.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814349/; classtype:trojan-activity;sid:84677449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.80.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814348/; classtype:trojan-activity;sid:84677448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"image-api.iconoguroque.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814347/; classtype:trojan-activity;sid:84677447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"171.127.139.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814346/; classtype:trojan-activity;sid:84677446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.92.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814345/; classtype:trojan-activity;sid:84677445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.64.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814344/; classtype:trojan-activity;sid:84677444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.127.139.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814343/; classtype:trojan-activity;sid:84677443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pixel-trace.iconoguroque.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814342/; classtype:trojan-activity;sid:84677442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.251.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814341/; classtype:trojan-activity;sid:84677441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.22.235.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814340/; classtype:trojan-activity;sid:84677440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.0.149"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814339/; classtype:trojan-activity;sid:84677439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.0.149"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814338/; classtype:trojan-activity;sid:84677438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.92.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814337/; 
classtype:trojan-activity;sid:84677437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.119.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814336/; classtype:trojan-activity;sid:84677436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.82.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814335/; classtype:trojan-activity;sid:84677435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.251.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814334/; classtype:trojan-activity;sid:84677434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814330/; classtype:trojan-activity;sid:84677430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.237.251"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_08; reference:url, urlhaus.abuse.ch/url/3814329/; classtype:trojan-activity;sid:84677429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.116.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814328/; classtype:trojan-activity;sid:84677428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.189.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814327/; classtype:trojan-activity;sid:84677427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.191.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814325/; classtype:trojan-activity;sid:84677425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.237.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814326/; classtype:trojan-activity;sid:84677426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.137.82.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814324/; classtype:trojan-activity;sid:84677424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.81.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814323/; classtype:trojan-activity;sid:84677423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.116.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814322/; classtype:trojan-activity;sid:84677422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.47.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814321/; classtype:trojan-activity;sid:84677421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.189.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814320/; classtype:trojan-activity;sid:84677420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814319)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.43.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814319/; classtype:trojan-activity;sid:84677419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.45.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814318/; classtype:trojan-activity;sid:84677418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814317/; classtype:trojan-activity;sid:84677417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"vvind-point.embassyotolaryn.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814312/; classtype:trojan-activity;sid:84677412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"ktnceg.intellectnail.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814313/; classtype:trojan-activity;sid:84677413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"cleaaudit.embassyotolaryn.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814314/; classtype:trojan-activity;sid:84677414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"ser-fluxex.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814315/; classtype:trojan-activity;sid:84677415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"hyper-tru5.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814316/; classtype:trojan-activity;sid:84677416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"top-team.saklatwenty.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814311/; 
classtype:trojan-activity;sid:84677411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"rest-log.goingsick.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814310/; classtype:trojan-activity;sid:84677410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"round-svc.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814304/; classtype:trojan-activity;sid:84677404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"cargo-hub.basaltloading.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814305/; classtype:trojan-activity;sid:84677405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"game-api.saklatwenty.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814306/; classtype:trojan-activity;sid:84677406; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"score-board.saklatwenty.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814307/; classtype:trojan-activity;sid:84677407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"point-scan.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814308/; classtype:trojan-activity;sid:84677408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"point-api.drillobjection.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814309/; classtype:trojan-activity;sid:84677409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"main-route.leavedistribut.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814296/; classtype:trojan-activity;sid:84677396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3814297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"count-log.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814297/; classtype:trojan-activity;sid:84677397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"heavy-weight.basaltloading.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814298/; classtype:trojan-activity;sid:84677398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"trimeshet.intellectnail.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814299/; classtype:trojan-activity;sid:84677399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"stat-render.analyticaengine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814300/; classtype:trojan-activity;sid:84677400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814301)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"break-down.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814301/; classtype:trojan-activity;sid:84677401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"dock-svc.basaltloading.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814302/; classtype:trojan-activity;sid:84677402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"truck-line.basaltloading.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814303/; classtype:trojan-activity;sid:84677403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"match-hub.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814295/; classtype:trojan-activity;sid:84677395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814294)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"bread-wine.eucharistshrink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814294/; classtype:trojan-activity;sid:84677394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/signup-worker.js"; depth:23; endswith; nocase; http.host; content:"ravoqqux.top"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814291/; classtype:trojan-activity;sid:84677391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/032.txt"; depth:8; endswith; nocase; http.host; content:"hsgeowvi.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814292/; classtype:trojan-activity;sid:84677392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"hint-api.inferencestream.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814293/; classtype:trojan-activity;sid:84677393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"motion-svc.dialecticalgrid.in.net"; depth:33; 
isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814289/; classtype:trojan-activity;sid:84677389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"data-split.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814290/; classtype:trojan-activity;sid:84677390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"outer-reach.exaltedinfinate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814287/; classtype:trojan-activity;sid:84677387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"lab-access.bactergreat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814288/; classtype:trojan-activity;sid:84677388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"ideal-node.theoristack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; 
reference:url, urlhaus.abuse.ch/url/3814272/; classtype:trojan-activity;sid:84677372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"step-wise.inferencestream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814273/; classtype:trojan-activity;sid:84677373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"word-map.semanticvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814274/; classtype:trojan-activity;sid:84677374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"waste-node.kokotkasquand.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814275/; classtype:trojan-activity;sid:84677375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"sense-data.cognisphere.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814276/; 
classtype:trojan-activity;sid:84677376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"wave-point.beckonuncert.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814277/; classtype:trojan-activity;sid:84677377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"surface-api.enameledtack.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814278/; classtype:trojan-activity;sid:84677378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"model-check.theoristack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814279/; classtype:trojan-activity;sid:84677379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"load-sync.leavedistribut.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814280/; classtype:trojan-activity;sid:84677380; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"floor-node.downpredict.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814281/; classtype:trojan-activity;sid:84677381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"trend-api.downpredict.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814282/; classtype:trojan-activity;sid:84677382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"core-logic.axiomatrix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814283/; classtype:trojan-activity;sid:84677383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fal.php"; depth:8; endswith; nocase; http.host; content:"iridiacheats.dev"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814284/; classtype:trojan-activity;sid:84677384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814285)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"mega-vault.exaltedinfinate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814285/; classtype:trojan-activity;sid:84677385; rev:1;)
# URLhaus entries created 2026_04_08, restored to one rule per line; rule text is unchanged.
# Matching is exact: every rule needs an established client-to-server HTTP flow leaving
# $HOME_NET, "GET" in http.method, and http.uri / http.host equal to the listed strings
# (depth is the content length, so it pins the start; endswith and isdataat:!1,relative
# pin the end; nocase is set on the URI content only).
# Coverage caveats: these are "alert http" rules, so only traffic parsed as HTTP is
# inspected (the same URL fetched over TLS is seen only if it is decrypted before the
# sensor), and a request whose URI differs at all, e.g. carries a query string, is not
# covered. $HOME_NET must be set correctly for the direction check to be meaningful.
# In the rules shown, sid equals the URLhaus id in msg/reference plus 80863100.
# All but two rules below share the path
# "/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/" across different *.in.net
# hosts; hunting HTTP/proxy logs for that path by itself may turn up hosts that the feed
# has not listed yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"line-secure.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814286/; classtype:trojan-activity;sid:84677386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"water-log.midgetplunge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814269/; classtype:trojan-activity;sid:84677369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"hero-svc.boyishglorified.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814270/; classtype:trojan-activity;sid:84677370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"fall-check.downpredict.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814271/; classtype:trojan-activity;sid:84677371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"pure-node.bactergreat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814268/; classtype:trojan-activity;sid:84677368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"order-logic.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814267/; classtype:trojan-activity;sid:84677367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"base-audit.drillobjection.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814260/; classtype:trojan-activity;sid:84677360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"lead-trace.inferencestream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814261/; classtype:trojan-activity;sid:84677361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"debate-log.dialecticalgrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814262/; classtype:trojan-activity;sid:84677362; rev:1;)
# The next two rules are the exceptions: two different paths on one host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install"; depth:8; endswith; nocase; http.host; content:"iridiacheats.dev"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814263/; classtype:trojan-activity;sid:84677363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gggs.7z"; depth:8; endswith; nocase; http.host; content:"iridiacheats.dev"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814264/; classtype:trojan-activity;sid:84677364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"low-io.downpredict.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814265/; classtype:trojan-activity;sid:84677365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"micro-svc.bactergreat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814266/; classtype:trojan-activity;sid:84677366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"perception-svc.cognisphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814255/; classtype:trojan-activity;sid:84677355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"map-route.fariseietogo.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814256/; classtype:trojan-activity;sid:84677356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"small-step.midgetplunge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814257/; classtype:trojan-activity;sid:84677357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"blast-zone.explosionjunip.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814258/; classtype:trojan-activity;sid:84677358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"frame-api.theoristack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814259/; classtype:trojan-activity;sid:84677359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"rule-set.axiomatrix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814251/; classtype:trojan-activity;sid:84677351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"stat-portal.downpredict.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814253/; classtype:trojan-activity;sid:84677353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"space-time.theoristack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814254/; classtype:trojan-activity;sid:84677354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"flow-object.ontologicalflux.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814247/; classtype:trojan-activity;sid:84677347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"infer-unit.inferencestream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814248/; classtype:trojan-activity;sid:84677348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"archive-hub.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814249/; classtype:trojan-activity;sid:84677349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google/"; depth:58; endswith; nocase; http.host; content:"logic-vault.inferencestream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814250/; classtype:trojan-activity;sid:84677350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.117.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814246/; classtype:trojan-activity;sid:84677346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.45.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814245/; classtype:trojan-activity;sid:84677345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"style-log.selzovestments.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814244/; classtype:trojan-activity;sid:84677344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814243)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"item-svc.selzovestments.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814243/; classtype:trojan-activity;sid:84677343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stock-node.selzovestments.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814242/; classtype:trojan-activity;sid:84677342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shop-hub.selzovestments.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814241/; classtype:trojan-activity;sid:84677341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"wear-api.selzovestments.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814240/; classtype:trojan-activity;sid:84677340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814239)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.131.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814239/; classtype:trojan-activity;sid:84677339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"coat-check.selzovestments.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814238/; classtype:trojan-activity;sid:84677338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.189.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814237/; classtype:trojan-activity;sid:84677337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814236/; classtype:trojan-activity;sid:84677336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7942715918/rbzabpf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; 
reference:url, urlhaus.abuse.ch/url/3814235/; classtype:trojan-activity;sid:84677335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.81.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814233/; classtype:trojan-activity;sid:84677333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-svc.fastidmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814234/; classtype:trojan-activity;sid:84677334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.53.98.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814232/; classtype:trojan-activity;sid:84677332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.117.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814231/; classtype:trojan-activity;sid:84677331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814230)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"quick-io.fastidmatrix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814230/; classtype:trojan-activity;sid:84677330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.32.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814228/; classtype:trojan-activity;sid:84677328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.166.191.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814229/; classtype:trojan-activity;sid:84677329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-node.fastidmatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814227/; classtype:trojan-activity;sid:84677327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"core-api.fastidmatrix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814226/; classtype:trojan-activity;sid:84677326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.131.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814225/; classtype:trojan-activity;sid:84677325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.165.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814224/; classtype:trojan-activity;sid:84677324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.189.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814223/; classtype:trojan-activity;sid:84677323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-point.fastidmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814222/; classtype:trojan-activity;sid:84677322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3814221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mesh-static.fastidmatrix.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814221/; classtype:trojan-activity;sid:84677321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.149.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814220/; classtype:trojan-activity;sid:84677320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"line-vault.dictatessullen.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814219/; classtype:trojan-activity;sid:84677319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.51.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814218/; classtype:trojan-activity;sid:84677318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814217)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/7900572318/kaaa3h0.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814217/; classtype:trojan-activity;sid:84677317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.53.98.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814216/; classtype:trojan-activity;sid:84677316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hard-svc.dictatessullen.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814215/; classtype:trojan-activity;sid:84677315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.51.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814214/; classtype:trojan-activity;sid:84677314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mood-log.dictatessullen.in.net"; depth:30; isdataat:!1,relative; 
metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814213/; classtype:trojan-activity;sid:84677313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"dark-node.dictatessullen.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814212/; classtype:trojan-activity;sid:84677312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"text-api.dictatessullen.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814211/; classtype:trojan-activity;sid:84677311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.149.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814210/; classtype:trojan-activity;sid:84677310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.139.33.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814209/; classtype:trojan-activity;sid:84677309; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"word-check.dictatessullen.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814208/; classtype:trojan-activity;sid:84677308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"live-svc.ranchitro.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814207/; classtype:trojan-activity;sid:84677307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massload"; depth:9; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814206/; classtype:trojan-activity;sid:84677306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814205/; classtype:trojan-activity;sid:84677305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814204)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"ranch-hub.ranchitro.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814204/; classtype:trojan-activity;sid:84677304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814203/; classtype:trojan-activity;sid:84677303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"land-vault.ranchitro.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814202/; classtype:trojan-activity;sid:84677302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.15.119.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814201/; classtype:trojan-activity;sid:84677301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.32.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814200/; classtype:trojan-activity;sid:84677300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"field-node.ranchitro.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814199/; classtype:trojan-activity;sid:84677299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"crop-api.ranchitro.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814198/; classtype:trojan-activity;sid:84677298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814197/; classtype:trojan-activity;sid:84677297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814188/; classtype:trojan-activity;sid:84677288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3814189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.spc"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814189/; classtype:trojan-activity;sid:84677289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.arc"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814190/; classtype:trojan-activity;sid:84677290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.arm"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814191/; classtype:trojan-activity;sid:84677291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814192/; classtype:trojan-activity;sid:84677292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3814193/; classtype:trojan-activity;sid:84677293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814194/; classtype:trojan-activity;sid:84677294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814195/; classtype:trojan-activity;sid:84677295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814196/; classtype:trojan-activity;sid:84677296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"farm-logic.ranchitro.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814187/; classtype:trojan-activity;sid:84677287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814186)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814186/; classtype:trojan-activity;sid:84677286; rev:1;)
# Host 176.65.139.52: one rule per /bins/xnxnxnxnxnxnxnxn<arch>xnxn file name
# (or1k, riscv32, sh2, microblaze on this line).
# Every rule alerts on the outbound GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client). A hit therefore shows that an internal client
# requested the URL, not that the file was delivered; confirm with the HTTP
# response or file records of the same flow before treating the host as infected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814182/; classtype:trojan-activity;sid:84677282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814183/; classtype:trojan-activity;sid:84677283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814184/; classtype:trojan-activity;sid:84677284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814185/; 
classtype:trojan-activity;sid:84677285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-svc.sciencestupids.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814181/; classtype:trojan-activity;sid:84677281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814180/; classtype:trojan-activity;sid:84677280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814173/; classtype:trojan-activity;sid:84677273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814174/; classtype:trojan-activity;sid:84677274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814175)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814175/; classtype:trojan-activity;sid:84677275; rev:1;)
# Two hosts are interleaved on this line: 176.65.139.41 (/main_x86_64) and
# 176.65.139.52 (/bins/...<arch>xnxn and /run.sh). Triage by the http.host value in
# the alert, not by rule order.
# On every rule visible here the sid equals the URLhaus entry id plus 80863100
# (3814176 -> 84677276), so an alert maps straight back to the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814176/; classtype:trojan-activity;sid:84677276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814177/; classtype:trojan-activity;sid:84677277; rev:1;)
# /run.sh sits on the same host as the /bins/ files above; presumably a fetch
# script, verify on the URLhaus entry. The path itself is generic, so the exact
# http.host match is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814178/; classtype:trojan-activity;sid:84677278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814179/; 
classtype:trojan-activity;sid:84677279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814170/; classtype:trojan-activity;sid:84677270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814171/; classtype:trojan-activity;sid:84677271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814172/; classtype:trojan-activity;sid:84677272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814168/; classtype:trojan-activity;sid:84677268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814169)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.32.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814169/; classtype:trojan-activity;sid:84677269; rev:1;)
# /i (rule above) and /main_<arch> (rules below, host 176.65.139.41) are short,
# generic paths. These rules stay specific only because http.host must equal the
# listed IP exactly; the same file served from a new address is not covered until
# the feed publishes a rule for it.
# metadata:created_at is the rule creation date, not proof the URL is still live;
# the reference URL on each rule leads to the URLhaus entry for that id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814166/; classtype:trojan-activity;sid:84677266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814167/; classtype:trojan-activity;sid:84677267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814160/; classtype:trojan-activity;sid:84677260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814161/; classtype:trojan-activity;sid:84677261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3814162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814162/; classtype:trojan-activity;sid:84677262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814163/; classtype:trojan-activity;sid:84677263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814164/; classtype:trojan-activity;sid:84677264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814165/; classtype:trojan-activity;sid:84677265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814159/; 
classtype:trojan-activity;sid:84677259; rev:1;)
# The *.sciencestupids.in.net rules on this line share one 82-byte URI (the path
# ending in ".google") and differ only in the subdomain label (smart-io, fact-vault,
# study-node). Because http.host is matched exactly, a subdomain that is not listed
# is not detected; when hunting, search HTTP or proxy logs for the URI path
# regardless of host to cover that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-io.sciencestupids.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814158/; classtype:trojan-activity;sid:84677258; rev:1;)
# Batch-file download from a bare IP address. nocase makes the URI comparison
# case-insensitive, so a differently-cased request for the same path still alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8756257131/zcfwbdd.bat"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814157/; classtype:trojan-activity;sid:84677257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fact-vault.sciencestupids.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814156/; classtype:trojan-activity;sid:84677256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"study-node.sciencestupids.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814155/; 
classtype:trojan-activity;sid:84677255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.169.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814154/; classtype:trojan-activity;sid:84677254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"test-api.sciencestupids.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814153/; classtype:trojan-activity;sid:84677253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"lab-check.sciencestupids.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814152/; classtype:trojan-activity;sid:84677252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.182.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814151/; classtype:trojan-activity;sid:84677251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3814150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"open-log.boredistascan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814150/; classtype:trojan-activity;sid:84677250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.193.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814149/; classtype:trojan-activity;sid:84677249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"trace-svc.boredistascan.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814148/; classtype:trojan-activity;sid:84677248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8756257131/zcfwbdd.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814147/; classtype:trojan-activity;sid:84677247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"39.88.7.211"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814146/; classtype:trojan-activity;sid:84677246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.169.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814145/; classtype:trojan-activity;sid:84677245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.36.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814144/; classtype:trojan-activity;sid:84677244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file-node.boredistascan.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814143/; classtype:trojan-activity;sid:84677243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.112.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814142/; classtype:trojan-activity;sid:84677242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3814141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-hub.boredistascan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814141/; classtype:trojan-activity;sid:84677241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.193.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814140/; classtype:trojan-activity;sid:84677240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.21.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814139/; classtype:trojan-activity;sid:84677239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.95.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814138/; classtype:trojan-activity;sid:84677238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"read-api.boredistascan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814137/; classtype:trojan-activity;sid:84677237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.32.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814136/; classtype:trojan-activity;sid:84677236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.99.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814135/; classtype:trojan-activity;sid:84677235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.112.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814134/; classtype:trojan-activity;sid:84677234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scan-gate.boredistascan.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814133/; classtype:trojan-activity;sid:84677233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.99.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814132/; classtype:trojan-activity;sid:84677232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814131/; classtype:trojan-activity;sid:84677231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fast-log.dynamismjuply.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814130/; classtype:trojan-activity;sid:84677230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.7.211"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814128/; classtype:trojan-activity;sid:84677228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.21.145"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814129/; classtype:trojan-activity;sid:84677229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"kinetic-io.dynamismjuply.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814127/; classtype:trojan-activity;sid:84677227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.108.38.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814126/; classtype:trojan-activity;sid:84677226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.201.24.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814125/; classtype:trojan-activity;sid:84677225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"drive-node.dynamismjuply.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814124/; classtype:trojan-activity;sid:84677224; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.112.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814123/; classtype:trojan-activity;sid:84677223; rev:1;)
# NOTE(review): the rules in this span all follow one generated template.
#   - alert http, $HOME_NET -> $EXTERNAL_NET, client side of an established
#     flow, method GET.
#   - http.uri: content + depth:<content length> + endswith means the whole URI
#     buffer must equal the string (nocase makes it case-insensitive). A request
#     that appends a query string or an extra path segment does not match.
#   - http.host: content + depth:<content length> + isdataat:!1,relative means
#     the whole host buffer must equal the string.
#   - Only parsed cleartext HTTP is inspected. The same download fetched over
#     TLS is not seen by these rules unless traffic is decrypted upstream.
#   - In the rules shown here sid = URLhaus id + 80863100, and reference:url
#     names the URLhaus entry to consult when triaging a hit.
#   - Many hosts are literal IPv4 addresses, and several addresses appear twice,
#     once with /i and once with /bin.sh; expect paired alerts per source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.95.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814122/; classtype:trojan-activity;sid:84677222; rev:1;)
# NOTE(review): the URI in the next rule recurs unchanged across many subdomains
# of several *.in.net domains in this span (dynamismjuply, naminkaprocess,
# pairingreptile, ministobelisk, cognitrixvector, systemicitylayer,
# theoriconhub). Each rule pins one exact host, so a subdomain that is not
# listed is not covered; a local hunting query on the shared path is a
# reasonable complement to these per-host rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-svc.dynamismjuply.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814121/; classtype:trojan-activity;sid:84677221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"power-api.dynamismjuply.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814120/; classtype:trojan-activity;sid:84677220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"force-point.dynamismjuply.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814119/; classtype:trojan-activity;sid:84677219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.235.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814118/; classtype:trojan-activity;sid:84677218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814117/; classtype:trojan-activity;sid:84677217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.16.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814116/; classtype:trojan-activity;sid:84677216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.167.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814114/; classtype:trojan-activity;sid:84677214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814115/; classtype:trojan-activity;sid:84677215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-svc.naminkaprocess.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814113/; classtype:trojan-activity;sid:84677213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"109.108.38.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814112/; classtype:trojan-activity;sid:84677212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.201.24.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814111/; classtype:trojan-activity;sid:84677211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"user-hub.naminkaprocess.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814110/; classtype:trojan-activity;sid:84677210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"task-api.naminkaprocess.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814109/; classtype:trojan-activity;sid:84677209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"run-log.naminkaprocess.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814108/; classtype:trojan-activity;sid:84677208; rev:1;)
# NOTE(review): host is github.com and the rule inspects cleartext HTTP only, so
# it presumably fires only on an initial http:// request made before any
# redirect to HTTPS - confirm coverage with TLS-aware telemetry (proxy or
# endpoint logs). The same applies to the randll32.exe rule further down, which
# uses the same host and repository path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftpedro62-debug/_s/raw/refs/heads/master/sass/utilities/conhost.exe"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814107/; classtype:trojan-activity;sid:84677207; rev:1;)
# NOTE(review): host and path look like an online-banking start page rather
# than a payload file. Check the referenced URLhaus entry before acting on hits;
# this may be a compromised legitimate site or a feed false positive - verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15online/inicio.jsf"; depth:20; endswith; nocase; http.host; content:"wbanking.coop15abril.fin.ec"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814105/; classtype:trojan-activity;sid:84677205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_142506.png"; depth:15; endswith; nocase; http.host; content:"winstonchurchill.rf.gd"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814106/; classtype:trojan-activity;sid:84677206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6u4qx637/pgwxeibp.msi"; depth:22; endswith; nocase; http.host; content:"94.26.90.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814102/; classtype:trojan-activity;sid:84677202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"goynetfiles.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814103/; classtype:trojan-activity;sid:84677203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftpedro62-debug/_s/raw/refs/heads/master/sass/utilities/randll32.exe"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814104/; classtype:trojan-activity;sid:84677204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_175626.png"; depth:15; endswith; nocase; http.host; content:"winstonchurchill.rf.gd"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814101/; classtype:trojan-activity;sid:84677201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh"; depth:7; endswith; nocase; http.host; content:"ampgg.bossjy.cc.cd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814100/; classtype:trojan-activity;sid:84677200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"work-flow.naminkaprocess.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814098/; classtype:trojan-activity;sid:84677198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814099/; classtype:trojan-activity;sid:84677199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.167.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814097/; classtype:trojan-activity;sid:84677197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814096/; classtype:trojan-activity;sid:84677196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-io.naminkaprocess.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814095/; classtype:trojan-activity;sid:84677195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"track-hub.pairingreptile.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814094/; classtype:trojan-activity;sid:84677194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"scale-svc.pairingreptile.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814093/; classtype:trojan-activity;sid:84677193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.144.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814091/; classtype:trojan-activity;sid:84677191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.73.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814092/; classtype:trojan-activity;sid:84677192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814090/; classtype:trojan-activity;sid:84677190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"egg-vault.pairingreptile.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814089/; classtype:trojan-activity;sid:84677189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cold-api.pairingreptile.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814088/; classtype:trojan-activity;sid:84677188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.235.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814087/; classtype:trojan-activity;sid:84677187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"green-node.pairingreptile.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814086/; classtype:trojan-activity;sid:84677186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.73.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814085/; classtype:trojan-activity;sid:84677185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.70.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814084/; classtype:trojan-activity;sid:84677184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"skin-check.pairingreptile.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814083/; classtype:trojan-activity;sid:84677183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mark-svc.ministobelisk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814082/; classtype:trojan-activity;sid:84677182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.144.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814081/; classtype:trojan-activity;sid:84677181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.103.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814080/; classtype:trojan-activity;sid:84677180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.80.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814079/; classtype:trojan-activity;sid:84677179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"site-vault.ministobelisk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814078/; classtype:trojan-activity;sid:84677178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.111.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814077/; classtype:trojan-activity;sid:84677177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.18.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814076/; classtype:trojan-activity;sid:84677176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.18.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814075/; classtype:trojan-activity;sid:84677175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.56.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814074/; classtype:trojan-activity;sid:84677174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pillar-node.ministobelisk.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814073/; classtype:trojan-activity;sid:84677173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stone-api.ministobelisk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814072/; classtype:trojan-activity;sid:84677172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.0.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814071/; classtype:trojan-activity;sid:84677171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.235.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814070/; classtype:trojan-activity;sid:84677170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.60.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814068/; classtype:trojan-activity;sid:84677168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.52.205.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814069/; classtype:trojan-activity;sid:84677169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"tower-sync.ministobelisk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814067/; classtype:trojan-activity;sid:84677167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.204.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814066/; classtype:trojan-activity;sid:84677166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-point.ministobelisk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814065/; classtype:trojan-activity;sid:84677165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.111.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814064/; classtype:trojan-activity;sid:84677164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814063/; classtype:trojan-activity;sid:84677163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814062/; classtype:trojan-activity;sid:84677162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brain-log.cognitrixvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814061/; classtype:trojan-activity;sid:84677161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.245.60.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814060/; classtype:trojan-activity;sid:84677160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.36.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814059/; classtype:trojan-activity;sid:84677159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-svc.cognitrixvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814058/; classtype:trojan-activity;sid:84677158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sense-api.cognitrixvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814057/; classtype:trojan-activity;sid:84677157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neural-io.cognitrixvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814056/; classtype:trojan-activity;sid:84677156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.193.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814055/; classtype:trojan-activity;sid:84677155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"think-node.cognitrixvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814054/; classtype:trojan-activity;sid:84677154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814053/; classtype:trojan-activity;sid:84677153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.252.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814052/; classtype:trojan-activity;sid:84677152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.2.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814050/; classtype:trojan-activity;sid:84677150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.42.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814051/; classtype:trojan-activity;sid:84677151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814049/; classtype:trojan-activity;sid:84677149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-point.cognitrixvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814048/; classtype:trojan-activity;sid:84677148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-route.systemicitylayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814047/; classtype:trojan-activity;sid:84677147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.94.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814046/; classtype:trojan-activity;sid:84677146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-svc.systemicitylayer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814045/; classtype:trojan-activity;sid:84677145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rank-index.systemicitylayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814044/; classtype:trojan-activity;sid:84677144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.243.177.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814043/; classtype:trojan-activity;sid:84677143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.2.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814042/; classtype:trojan-activity;sid:84677142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"archive-hub.systemicitylayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814041/; classtype:trojan-activity;sid:84677141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.193.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814040/; classtype:trojan-activity;sid:84677140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"file-stack.systemicitylayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814039/; classtype:trojan-activity;sid:84677139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.39.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814038/; classtype:trojan-activity;sid:84677138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"layer-check.systemicitylayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814037/; classtype:trojan-activity;sid:84677137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814036/; classtype:trojan-activity;sid:84677136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.163.34.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814035/; classtype:trojan-activity;sid:84677135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.42.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814034/; classtype:trojan-activity;sid:84677134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"theory-log.theoriconhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814033/; classtype:trojan-activity;sid:84677133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.243.177.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814032/; classtype:trojan-activity;sid:84677132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814031)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-unit.theoriconhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814031/; classtype:trojan-activity;sid:84677131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-port.theoriconhub.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814030/; classtype:trojan-activity;sid:84677130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abstract-io.theoriconhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814029/; classtype:trojan-activity;sid:84677129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814027/; classtype:trojan-activity;sid:84677127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814028)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814028/; classtype:trojan-activity;sid:84677128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814026/; classtype:trojan-activity;sid:84677126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"model-check.theoriconhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814025/; classtype:trojan-activity;sid:84677125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm"; depth:13; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814023/; classtype:trojan-activity;sid:84677123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm5"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814024/; 
classtype:trojan-activity;sid:84677124; rev:1;)
# Host 163.61.39.140: the rules below differ only in the file name under
# /bins/ (suffixes .m68k, .mips, .ppc, .spc, .x86). The suffixes look like
# CPU-architecture tags, presumably one payload built per architecture;
# confirm against the referenced URLhaus entries before relying on that.
# Matching is strict: depth equal to the content length plus endswith pins the
# whole normalized http.uri (case-insensitively), and depth plus
# isdataat:!1,relative pins the whole http.host value. Only client GET
# requests from $HOME_NET to $EXTERNAL_NET that Suricata parses as HTTP are
# inspected, so any other file name on this host produces no alert from these
# rules. Triage note: created_at records when the entry was added, not whether
# the URL is still live; check the reference URL for current status.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814020/; classtype:trojan-activity;sid:84677120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814021/; classtype:trojan-activity;sid:84677121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814022/; classtype:trojan-activity;sid:84677122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.spc"; depth:13; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814017/; classtype:trojan-activity;sid:84677117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; 
content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814018/; classtype:trojan-activity;sid:84677118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm7"; depth:14; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814019/; classtype:trojan-activity;sid:84677119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814016/; classtype:trojan-activity;sid:84677116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.252.198.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814015/; classtype:trojan-activity;sid:84677115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub-secure.theoriconhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814014/; classtype:trojan-activity;sid:84677114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3814013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.206.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814013/; classtype:trojan-activity;sid:84677113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-vault.inferenciumgrid.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814012/; classtype:trojan-activity;sid:84677112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814011/; classtype:trojan-activity;sid:84677111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-wise.inferenciumgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814010/; classtype:trojan-activity;sid:84677110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814009)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid-api.inferenciumgrid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814009/; classtype:trojan-activity;sid:84677109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.101.252.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814008/; classtype:trojan-activity;sid:84677108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-mesh.inferenciumgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814007/; classtype:trojan-activity;sid:84677107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814006/; classtype:trojan-activity;sid:84677106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; 
content:"trace-node.inferenciumgrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814005/; classtype:trojan-activity;sid:84677105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.108.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814004/; classtype:trojan-activity;sid:84677104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"infer-unit.inferenciumgrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814003/; classtype:trojan-activity;sid:84677103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.49.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814002/; classtype:trojan-activity;sid:84677102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814001/; classtype:trojan-activity;sid:84677101; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814000/; classtype:trojan-activity;sid:84677100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-gate.dialectonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813999/; classtype:trojan-activity;sid:84677099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.108.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813998/; classtype:trojan-activity;sid:84677098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"thesis-log.dialectonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813997/; classtype:trojan-activity;sid:84677097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813996)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.26.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813996/; classtype:trojan-activity;sid:84677096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"debate-hub.dialectonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813995/; classtype:trojan-activity;sid:84677095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-check.dialectonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813994/; classtype:trojan-activity;sid:84677094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"synth-io.dialectonforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813993/; classtype:trojan-activity;sid:84677093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813992)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"forge-svc.dialectonforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813992/; classtype:trojan-activity;sid:84677092; rev:1;)
# The rules below carry the same 82-byte http.uri content and differ only in
# the http.host value, here three subdomains of axiomaticsphere.in.net.
# Host is matched exactly (depth equal to the content length, then
# isdataat:!1,relative), so each rule covers one reported subdomain and a
# sibling subdomain serving the same path is not covered by this set.
# NOTE(review): if the shared path proves specific enough in local traffic, a
# locally maintained rule on the path alone could complement these. Measure
# false positives before enabling it.
# These are "alert http" rules: they only see requests Suricata parses as
# HTTP, so the same URL fetched over TLS is outside their view unless the
# sensor receives decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-node.axiomaticsphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813991/; classtype:trojan-activity;sid:84677091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"unit-vault.axiomaticsphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813990/; classtype:trojan-activity;sid:84677090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-logic.axiomaticsphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813989/; classtype:trojan-activity;sid:84677089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813988)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.130.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813988/; classtype:trojan-activity;sid:84677088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fixed-point.axiomaticsphere.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813986/; classtype:trojan-activity;sid:84677086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.88.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813987/; classtype:trojan-activity;sid:84677087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.21.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813985/; classtype:trojan-activity;sid:84677085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.178.109.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3813983/; classtype:trojan-activity;sid:84677083; rev:1;)
# The rules below pair a very short URI ("/i", 2 bytes, or "/bin.sh", 7 bytes)
# with an IPv4 literal in http.host. The URI content alone would be far too
# generic to alert on. The exact Host match (depth equal to the address
# length, then isdataat:!1,relative) is what makes each rule specific, so do
# not relax the host condition when tuning.
# Scope of a hit: an established client-to-server GET from $HOME_NET to
# $EXTERNAL_NET whose Host value equals the listed address. An alert shows the
# request was made, not that a payload was delivered or executed; check the
# response and the endpoint during triage.
# NOTE(review): these indicators are bare IP addresses dated 2026_04_08 and
# addresses can change hands; check the reference URL for current status
# before treating an old hit as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"14.178.109.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813984/; classtype:trojan-activity;sid:84677084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.69.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813981/; classtype:trojan-activity;sid:84677081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.24.141.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813982/; classtype:trojan-activity;sid:84677082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.56.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813977/; classtype:trojan-activity;sid:84677077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.70.44"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813978/; classtype:trojan-activity;sid:84677078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.205.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813979/; classtype:trojan-activity;sid:84677079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.69.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813980/; classtype:trojan-activity;sid:84677080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.120.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813975/; classtype:trojan-activity;sid:84677075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.215.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813976/; classtype:trojan-activity;sid:84677076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"175.146.247.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813974/; classtype:trojan-activity;sid:84677074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"law-check.axiomaticsphere.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813973/; classtype:trojan-activity;sid:84677073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sphere-api.axiomaticsphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813972/; classtype:trojan-activity;sid:84677072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.235.130.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813971/; classtype:trojan-activity;sid:84677071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrld"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, 
urlhaus.abuse.ch/url/3813970/; classtype:trojan-activity;sid:84677070; rev:1;)
# Host 202.155.8.56: the rules below differ only in a four-letter path
# (/xvsd, /nkoq, /wdrn, /skya, /nsye), one rule and one sid per reported URL.
# Each path is pinned exactly (depth:5 plus endswith on http.uri,
# case-insensitive), so this set only covers the names already reported to
# URLhaus. A further path on the same host raises no alert from these rules.
# NOTE(review): with this many entries on one host, a locally maintained
# host-level detection or block for this address may be a useful complement.
# Confirm the host's current status via the reference URLs first.
# Every sid shares msg and classtype and differs only by the URLhaus id, so
# group by http.host when correlating alerts, to see one host's activity as a
# single incident rather than many unrelated hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xvsd"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813956/; classtype:trojan-activity;sid:84677056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkoq"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813957/; classtype:trojan-activity;sid:84677057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdrn"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813958/; classtype:trojan-activity;sid:84677058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skya"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813959/; classtype:trojan-activity;sid:84677059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsye"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813960/; classtype:trojan-activity;sid:84677060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kall"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813961/; classtype:trojan-activity;sid:84677061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whkh"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813962/; classtype:trojan-activity;sid:84677062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gzrn"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813963/; classtype:trojan-activity;sid:84677063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsfj"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813964/; classtype:trojan-activity;sid:84677064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reiu"; 
depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813965/; classtype:trojan-activity;sid:84677065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbah"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813966/; classtype:trojan-activity;sid:84677066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keww"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813967/; classtype:trojan-activity;sid:84677067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qszx"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813968/; classtype:trojan-activity;sid:84677068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gwvg"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813969/; classtype:trojan-activity;sid:84677069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813955)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cjxi"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813955/; classtype:trojan-activity;sid:84677055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"entity-hub.ontofluxion.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813954/; classtype:trojan-activity;sid:84677054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.21.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813953/; classtype:trojan-activity;sid:84677053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"drift-svc.ontofluxion.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813952/; classtype:trojan-activity;sid:84677052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.60.109"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813951/; classtype:trojan-activity;sid:84677051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"shift-node.ontofluxion.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813950/; classtype:trojan-activity;sid:84677050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813949/; classtype:trojan-activity;sid:84677049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"being-log.ontofluxion.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813948/; classtype:trojan-activity;sid:84677048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsw0"; depth:5; endswith; nocase; http.host; content:"202.155.8.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813947/; classtype:trojan-activity;sid:84677047; rev:1;) 
# ---------------------------------------------------------------------------
# Deployment notes for the entries below (all follow one generated template):
# - A rule fires only when the HTTP host buffer and the whole URI buffer both equal
#   the listed values (depth equals the content length, combined with endswith on the
#   URI and isdataat:!1,relative on the host), on a request whose method buffer
#   contains GET, sent from $HOME_NET to $EXTERNAL_NET. What counts as home or
#   external depends on the sensor's address-group configuration.
# - These are HTTP request-field matches, so a fetch over TLS is visible only where
#   the sensor sees decrypted traffic.
# - The number in msg, the reference URL and the sid identify the same URLhaus entry
#   (sid = entry ID + 80863100 in every rule shown here), which gives a direct pivot
#   from an alert to the entry.
# - metadata:created_at is presumably the date the entry was added; weigh hits on
#   older entries accordingly, since the listed address may have changed hands.
# - Several IPs in this section are listed twice, once for /i and once for /bin.sh
#   (for example 42.235.103.117 and 222.138.180.83); correlate alerts by destination
#   during triage rather than treating each sid in isolation.
# - Every rule with the long ".google" URI below targets a *.in.net hostname; the host
#   match is exact, so a hostname that is not listed raises no alert from this set.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"real-io.ontofluxion.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813946/; classtype:trojan-activity;sid:84677046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flux-gate.ontofluxion.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813945/; classtype:trojan-activity;sid:84677045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.76.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813944/; classtype:trojan-activity;sid:84677044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mercy.exe"; depth:10; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813943/; classtype:trojan-activity;sid:84677043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.60.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813942/; classtype:trojan-activity;sid:84677042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"grid-portal.epistematrix.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813941/; classtype:trojan-activity;sid:84677041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.38.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813940/; classtype:trojan-activity;sid:84677040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"data-vault.epistematrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813939/; classtype:trojan-activity;sid:84677039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813938/; classtype:trojan-activity;sid:84677038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.130.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813937/; classtype:trojan-activity;sid:84677037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sync-node.epistematrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813936/; classtype:trojan-activity;sid:84677036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-api.epistematrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813935/; classtype:trojan-activity;sid:84677035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.180.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813934/; classtype:trojan-activity;sid:84677034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.103.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813933/; classtype:trojan-activity;sid:84677033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"cell-logic.epistematrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813932/; classtype:trojan-activity;sid:84677032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.45.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813931/; classtype:trojan-activity;sid:84677031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mesh-point.epistematrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813930/; classtype:trojan-activity;sid:84677030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"truth-svc.gnoseologiccore.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813929/; classtype:trojan-activity;sid:84677029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.170.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813928/; classtype:trojan-activity;sid:84677028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.211.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813927/; classtype:trojan-activity;sid:84677027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"source-hub.gnoseologiccore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813926/; classtype:trojan-activity;sid:84677026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.103.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813925/; classtype:trojan-activity;sid:84677025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.180.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813924/; classtype:trojan-activity;sid:84677024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"core-secure.gnoseologiccore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813923/; classtype:trojan-activity;sid:84677023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.130.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813922/; classtype:trojan-activity;sid:84677022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.170.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813921/; classtype:trojan-activity;sid:84677021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.45.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813920/; classtype:trojan-activity;sid:84677020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"know-logic.gnoseologiccore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813919/; classtype:trojan-activity;sid:84677019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"base-audit.gnoseologiccore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813918/; classtype:trojan-activity;sid:84677018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.145.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813917/; classtype:trojan-activity;sid:84677017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813914/; classtype:trojan-activity;sid:84677014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813915/; classtype:trojan-activity;sid:84677015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"root-vault.gnoseologiccore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813916/; classtype:trojan-activity;sid:84677016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.43.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813913/; classtype:trojan-activity;sid:84677013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.10.209.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813912/; classtype:trojan-activity;sid:84677012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813911/; classtype:trojan-activity;sid:84677011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stream-gate.noeticstream.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813910/; classtype:trojan-activity;sid:84677010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-api.noeticstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813909/; classtype:trojan-activity;sid:84677009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/script.sh"; depth:10; endswith; nocase; http.host; content:"thickentributary.digital"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813908/; classtype:trojan-activity;sid:84677008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sense-node.noeticstream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813907/; classtype:trojan-activity;sid:84677007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"pure-io.noeticstream.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813906/; classtype:trojan-activity;sid:84677006; rev:1;)
# 216.107.139.197: the next sixteen entries (IDs 3813890-3813905) differ only in a
# four-letter path, and created_at changes from 2026_04_08 to 2026_04_07 partway through.
# Coverage is per URL, so an unlisted path on this host raises no alert from this set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vcpg"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813904/; classtype:trojan-activity;sid:84677004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yijf"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3813905/; classtype:trojan-activity;sid:84677005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxqj"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813893/; classtype:trojan-activity;sid:84676993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsx"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813894/; classtype:trojan-activity;sid:84676994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvah"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813895/; classtype:trojan-activity;sid:84676995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qjsf"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813896/; classtype:trojan-activity;sid:84676996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/csbu"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813897/; classtype:trojan-activity;sid:84676997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vkzf"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813898/; classtype:trojan-activity;sid:84676998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgzj"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813899/; classtype:trojan-activity;sid:84676999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjpa"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813900/; classtype:trojan-activity;sid:84677000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ukrp"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813901/; classtype:trojan-activity;sid:84677001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eutp"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813902/; classtype:trojan-activity;sid:84677002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awmj"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813903/; classtype:trojan-activity;sid:84677003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsdx"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813890/; classtype:trojan-activity;sid:84676990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juix"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813891/; classtype:trojan-activity;sid:84676991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wzqu"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813892/; classtype:trojan-activity;sid:84676992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-data.noeticstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813889/; classtype:trojan-activity;sid:84676989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.145.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813888/; classtype:trojan-activity;sid:84676988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"flow-sync.noeticstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813887/; classtype:trojan-activity;sid:84676987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"map-node.theorematicsphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813886/; classtype:trojan-activity;sid:84676986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.209.65.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813885/; classtype:trojan-activity;sid:84676985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"view-gate.theorematicsphere.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813884/; classtype:trojan-activity;sid:84676984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"abstract-io.theorematicsphere.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813883/; classtype:trojan-activity;sid:84676983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"model-svc.theorematicsphere.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813882/; classtype:trojan-activity;sid:84676982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sphere-api.theorematicsphere.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813881/; classtype:trojan-activity;sid:84676981; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"space-unit.theorematicsphere.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813880/; classtype:trojan-activity;sid:84676980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"clear-log.rationalisvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813879/; classtype:trojan-activity;sid:84676979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.205.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813878/; classtype:trojan-activity;sid:84676978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"stat-hub.rationalisvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813877/; classtype:trojan-activity;sid:84676977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3813876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"calc-api.rationalisvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813876/; classtype:trojan-activity;sid:84676976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"vector-svc.rationalisvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813875/; classtype:trojan-activity;sid:84676975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"think-node.rationalisvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813874/; classtype:trojan-activity;sid:84676974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.22.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813873/; classtype:trojan-activity;sid:84676973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813872)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"smart-point.rationalisvector.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813872/; classtype:trojan-activity;sid:84676972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"brain-api.cognifabric.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813871/; classtype:trojan-activity;sid:84676971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"layer-check.cognifabric.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813870/; classtype:trojan-activity;sid:84676970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"fabric-svc.cognifabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813869/; classtype:trojan-activity;sid:84676969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3813868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"sense-data.cognifabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813868/; classtype:trojan-activity;sid:84676968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.22.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813867/; classtype:trojan-activity;sid:84676967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"neural-io.cognifabric.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813866/; classtype:trojan-activity;sid:84676966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"mind-weave.cognifabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813865/; classtype:trojan-activity;sid:84676965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813864)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.59.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813864/; classtype:trojan-activity;sid:84676964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"link-node.systematrixhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813863/; classtype:trojan-activity;sid:84676963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hub-secure.systematrixhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813862/; classtype:trojan-activity;sid:84676962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.166.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813861/; classtype:trojan-activity;sid:84676961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813860)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"rank-log.systematrixhub.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813860/; classtype:trojan-activity;sid:84676960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"matrix-api.systematrixhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813859/; classtype:trojan-activity;sid:84676959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"order-svc.systematrixhub.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813858/; classtype:trojan-activity;sid:84676958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"main-frame.systematrixhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813857/; classtype:trojan-activity;sid:84676957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813856)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"logic-vault.inferentiaforge.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813856/; classtype:trojan-activity;sid:84676956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.81.100.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813855/; classtype:trojan-activity;sid:84676955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813854/; classtype:trojan-activity;sid:84676954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"hint-gate.inferentiaforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813853/; classtype:trojan-activity;sid:84676953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.78.107"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813852/; classtype:trojan-activity;sid:84676952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"step-wise.inferentiaforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813851/; classtype:trojan-activity;sid:84676951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"forge-svc.inferentiaforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813850/; classtype:trojan-activity;sid:84676950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"; depth:82; endswith; nocase; http.host; content:"guess-node.inferentiaforge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813849/; classtype:trojan-activity;sid:84676949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo.aqg.sh|3f|=6a64bdd8"; depth:26; endswith; nocase; http.host; content:"45.92.1.50"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813848/; classtype:trojan-activity;sid:84676948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.81.100.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813847/; classtype:trojan-activity;sid:84676947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo.aqg.sh|3f|=``6a64bd80"; depth:28; endswith; nocase; http.host; content:"45.92.1.50"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813846/; classtype:trojan-activity;sid:84676946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7655527200/pocbton.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813845/; classtype:trojan-activity;sid:84676945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"lead-trace.inferentiaforge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813844/; classtype:trojan-activity;sid:84676944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3813843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=egkqhhvkjkjrjzxr"; depth:53; endswith; nocase; http.host; content:"vh47kmg3.nexuspatronage.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813843/; classtype:trojan-activity;sid:84676943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"engine-hub.dialectrixengine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813842/; classtype:trojan-activity;sid:84676942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"process-io.dialectrixengine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813841/; classtype:trojan-activity;sid:84676941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7024015129/0keedmr.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813840/; classtype:trojan-activity;sid:84676940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813839)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"state-api.dialectrixengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813839/; classtype:trojan-activity;sid:84676939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"opp-check.dialectrixengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813838/; classtype:trojan-activity;sid:84676938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.248.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813837/; classtype:trojan-activity;sid:84676937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.33.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813836/; classtype:trojan-activity;sid:84676936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logic-unit.dialectrixengine.in.net"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813835/; classtype:trojan-activity;sid:84676935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"synth-logic.dialectrixengine.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813834/; classtype:trojan-activity;sid:84676934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"norm-node.axiologyflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813833/; classtype:trojan-activity;sid:84676933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"flux-gate.axiologyflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813832/; classtype:trojan-activity;sid:84676932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fish4.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813831/; classtype:trojan-activity;sid:84676931; rev:1;) 
# Rule pattern used by the URLhaus entries in this section: each rule covers one
# URLhaus entry (its id appears in msg and in the reference URL) and alerts on a
# client-side HTTP GET over an established flow from $HOME_NET to $EXTERNAL_NET where
#   - http.uri holds the listed path, compared case-insensitively (nocase) and
#     anchored with depth + endswith, and
#   - http.host holds the listed host (patterns are lowercase), anchored with
#     depth + isdataat:!1,relative.
# Where depth equals the pattern length, the two anchors leave no room before or
# after the pattern, so the buffer must equal the pattern rather than contain it.
# NOTE(review): in the rules above whose URI pattern contains |xx| hex escapes
# (sid:84676948, sid:84676946, sid:84676943) depth equals the escaped text length,
# not the decoded byte count (26 vs 23, 28 vs 25, 53 vs 38), so those URI matches
# appear to tolerate a few bytes in front of the pattern -- confirm against the
# generator if an exact match is intended.
# These are `alert http` rules: they fire only on requests that Suricata parses as
# HTTP, so the same hosts reached over a protocol it does not parse as HTTP are
# not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trend-svc.axiologyflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813830/; classtype:trojan-activity;sid:84676930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.23.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813829/; classtype:trojan-activity;sid:84676929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"drift-log.axiologyflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813827/; classtype:trojan-activity;sid:84676927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.47.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813828/; classtype:trojan-activity;sid:84676928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"110.139.33.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813826/; classtype:trojan-activity;sid:84676926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"shift-ctrl.axiologyflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813825/; classtype:trojan-activity;sid:84676925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.91.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813824/; classtype:trojan-activity;sid:84676924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"value-point.axiologyflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813823/; classtype:trojan-activity;sid:84676923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.122.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813822/; classtype:trojan-activity;sid:84676922; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813821/; classtype:trojan-activity;sid:84676921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.64.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813820/; classtype:trojan-activity;sid:84676920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bio-node.ontogenesiscore.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813819/; classtype:trojan-activity;sid:84676919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsw0"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813818/; classtype:trojan-activity;sid:84676918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.195"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813817/; classtype:trojan-activity;sid:84676917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"origin-svc.ontogenesiscore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813816/; classtype:trojan-activity;sid:84676916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.217.47.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813815/; classtype:trojan-activity;sid:84676915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.177.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813814/; classtype:trojan-activity;sid:84676914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rbw0"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813813/; classtype:trojan-activity;sid:84676913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813812)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rsw0"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813812/; classtype:trojan-activity;sid:84676912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"growth-hub.ontogenesiscore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813811/; classtype:trojan-activity;sid:84676911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"cell-logic.ontogenesiscore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813810/; classtype:trojan-activity;sid:84676910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.122.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813809/; classtype:trojan-activity;sid:84676909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"life-cycle.ontogenesiscore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813808/; classtype:trojan-activity;sid:84676908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813807/; classtype:trojan-activity;sid:84676907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813806/; classtype:trojan-activity;sid:84676906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"root-source.ontogenesiscore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813805/; classtype:trojan-activity;sid:84676905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.177.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813804/; classtype:trojan-activity;sid:84676904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.116.150.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813803/; classtype:trojan-activity;sid:84676903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"proof-api.epistemegrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813802/; classtype:trojan-activity;sid:84676902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.132.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813800/; classtype:trojan-activity;sid:84676900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813801/; classtype:trojan-activity;sid:84676901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; 
reference:url, urlhaus.abuse.ch/url/3813799/; classtype:trojan-activity;sid:84676899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"grid-core.epistemegrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813798/; classtype:trojan-activity;sid:84676898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sync-gate.epistemegrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813797/; classtype:trojan-activity;sid:84676897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-vault.epistemegrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813796/; classtype:trojan-activity;sid:84676896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"info-mesh.epistemegrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813795/; 
classtype:trojan-activity;sid:84676895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.132.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813794/; classtype:trojan-activity;sid:84676894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"truth-map.epistemegrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813793/; classtype:trojan-activity;sid:84676893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.132.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813792/; classtype:trojan-activity;sid:84676892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.117.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813791/; classtype:trojan-activity;sid:84676891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813790)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"audit-node.metalogicstream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813790/; classtype:trojan-activity;sid:84676890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stream-io.metalogicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813789/; classtype:trojan-activity;sid:84676889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.245.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813788/; classtype:trojan-activity;sid:84676888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rule-engine.metalogicstream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813787/; classtype:trojan-activity;sid:84676887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"logic-trace.metalogicstream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813786/; classtype:trojan-activity;sid:84676886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.117.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813784/; classtype:trojan-activity;sid:84676884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.245.239"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813785/; classtype:trojan-activity;sid:84676885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-path.metalogicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813783/; classtype:trojan-activity;sid:84676883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meta-flow.metalogicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813782/; classtype:trojan-activity;sid:84676882; rev:1;) 
# URLhaus per-URL signatures: each rule alerts on one reported download URL.
# The URLhaus entry id is repeated in msg and in the reference URL, so an
# alert can be traced back to its URLhaus record.
# Conditions shared by the rules below:
#   - `alert http`, flow:established,from_client, $HOME_NET -> $EXTERNAL_NET,
#     method GET: only outbound client requests parsed as HTTP are inspected.
#     NOTE(review): the same URL fetched over TLS is presumably invisible to
#     these rules unless traffic is decrypted before the sensor; confirm
#     sensor placement.
#   - http.uri: the content is N bytes long and carries depth:N plus endswith,
#     so the whole URI buffer must equal the string (nocase makes the
#     comparison case-insensitive). A request for the same path with anything
#     appended, such as a query string, does not match.
#   - http.host: the content is N bytes long and carries depth:N plus
#     isdataat:!1,relative, so the host buffer must equal the value exactly.
#     Each host name or IP address has its own rule; a sibling subdomain not
#     listed in the feed is not covered.
# These are exact-indicator matches: an alert means an internal client
# requested a URL reported to URLhaus, not that a payload was delivered or run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"6qhzzl.estonianscree.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813781/; classtype:trojan-activity;sid:84676881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"livelybridge.estonianscree.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813780/; classtype:trojan-activity;sid:84676880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.153.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813779/; classtype:trojan-activity;sid:84676879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fresh9-sheet.estonianscree.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813778/; classtype:trojan-activity;sid:84676878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813777)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"curr3n-drive.estonianscree.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813777/; classtype:trojan-activity;sid:84676877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.153.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813776/; classtype:trojan-activity;sid:84676876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"zentide3ar.estonianscree.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813775/; classtype:trojan-activity;sid:84676875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"arktideos4.estonianscree.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813774/; classtype:trojan-activity;sid:84676874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813773)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"eetvfoqv.abyssrevue.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813773/; classtype:trojan-activity;sid:84676873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.215.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813772/; classtype:trojan-activity;sid:84676872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"imageextend.abyssrevue.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813771/; classtype:trojan-activity;sid:84676871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"kel-markis.abyssrevue.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813770/; classtype:trojan-activity;sid:84676870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"danwd.abyssrevue.in.net"; 
depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813769/; classtype:trojan-activity;sid:84676869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.158.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813768/; classtype:trojan-activity;sid:84676868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"airw5-field.abyssrevue.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813767/; classtype:trojan-activity;sid:84676867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rnl2.abyssrevue.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813766/; classtype:trojan-activity;sid:84676866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.57.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813765/; classtype:trojan-activity;sid:84676865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813764/; classtype:trojan-activity;sid:84676864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dense-graph.aeromechsadn.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813763/; classtype:trojan-activity;sid:84676863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.215.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813762/; classtype:trojan-activity;sid:84676862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"z3vrw7.aeromechsadn.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813761/; classtype:trojan-activity;sid:84676861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; 
depth:57; endswith; nocase; http.host; content:"dyntideor8.aeromechsadn.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813760/; classtype:trojan-activity;sid:84676860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"velcoreet8.aeromechsadn.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813759/; classtype:trojan-activity;sid:84676859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ancientmoss.aeromechsadn.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813758/; classtype:trojan-activity;sid:84676858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.57.39"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813757/; classtype:trojan-activity;sid:84676857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.208.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813756/; 
classtype:trojan-activity;sid:84676856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"outletstead.aeromechsadn.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813755/; classtype:trojan-activity;sid:84676855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"zen-spireor.beacostolid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813754/; classtype:trojan-activity;sid:84676854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.246.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813752/; classtype:trojan-activity;sid:84676852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"observetoken.beacostolid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813753/; classtype:trojan-activity;sid:84676853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hlr407.beacostolid.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813751/; classtype:trojan-activity;sid:84676851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813750/; classtype:trojan-activity;sid:84676850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.57.39"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813749/; classtype:trojan-activity;sid:84676849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813748/; classtype:trojan-activity;sid:84676848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.246.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813747/; classtype:trojan-activity;sid:84676847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"nor-nexar.beacostolid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813746/; classtype:trojan-activity;sid:84676846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813745/; classtype:trojan-activity;sid:84676845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.50.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813744/; classtype:trojan-activity;sid:84676844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"geo-4sset.beacostolid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813743/; classtype:trojan-activity;sid:84676843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813742)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logisttheor.beacostolid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813742/; classtype:trojan-activity;sid:84676842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"gloss-branch.bolettreatise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813741/; classtype:trojan-activity;sid:84676841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"7fsjtcf.bolettreatise.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813740/; classtype:trojan-activity;sid:84676840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"merfluxal.bolettreatise.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813739/; classtype:trojan-activity;sid:84676839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813738)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.50.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813738/; classtype:trojan-activity;sid:84676838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"xubon.bolettreatise.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813737/; classtype:trojan-activity;sid:84676837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.120.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813736/; classtype:trojan-activity;sid:84676836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.241.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813735/; classtype:trojan-activity;sid:84676835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"part1c-spool.bolettreatise.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813734/; 
classtype:trojan-activity;sid:84676834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813733/; classtype:trojan-activity;sid:84676833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"circuitrans.bolettreatise.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813732/; classtype:trojan-activity;sid:84676832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dark7-dock.exceptionpong.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813731/; classtype:trojan-activity;sid:84676831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"peakship.exceptionpong.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813730/; classtype:trojan-activity;sid:84676830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3813729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813729/; classtype:trojan-activity;sid:84676829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"tok3-array.exceptionpong.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813728/; classtype:trojan-activity;sid:84676828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"3cfjxj.exceptionpong.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813727/; classtype:trojan-activity;sid:84676827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813726/; classtype:trojan-activity;sid:84676826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.112.124"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813725/; classtype:trojan-activity;sid:84676825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sernexa6.exceptionpong.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813724/; classtype:trojan-activity;sid:84676824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"forestcraft.exceptionpong.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813723/; classtype:trojan-activity;sid:84676823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813722/; classtype:trojan-activity;sid:84676822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"norlithex2.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813721/; 
classtype:trojan-activity;sid:84676821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"zuzho.armeniansgrate.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813720/; classtype:trojan-activity;sid:84676820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hyper-tru5.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813719/; classtype:trojan-activity;sid:84676819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ser-fluxex.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813718/; classtype:trojan-activity;sid:84676818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.149.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813717/; classtype:trojan-activity;sid:84676817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"vel-tideen.armeniansgrate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813716/; classtype:trojan-activity;sid:84676816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"jaido.armeniansgrate.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813715/; classtype:trojan-activity;sid:84676815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.51.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813714/; classtype:trojan-activity;sid:84676814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fl7qf.intellectnail.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813713/; classtype:trojan-activity;sid:84676813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.226.91.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813712/; classtype:trojan-activity;sid:84676812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"51ojrcjj.intellectnail.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813711/; classtype:trojan-activity;sid:84676811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.223.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813710/; classtype:trojan-activity;sid:84676810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.145.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813709/; classtype:trojan-activity;sid:84676809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/77546367/agcd2pp.exe"; depth:27; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813708/; classtype:trojan-activity;sid:84676808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ktnceg.intellectnail.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813707/; classtype:trojan-activity;sid:84676807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.160.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813706/; classtype:trojan-activity;sid:84676806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.250.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813705/; classtype:trojan-activity;sid:84676805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"jfsiqmo.intellectnail.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813704/; classtype:trojan-activity;sid:84676804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; 
endswith; nocase; http.host; content:"trimeshet.intellectnail.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813703/; classtype:trojan-activity;sid:84676803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"layerpine.intellectnail.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813702/; classtype:trojan-activity;sid:84676802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.160.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813701/; classtype:trojan-activity;sid:84676801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"cleaaudit.embassyotolaryn.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813700/; classtype:trojan-activity;sid:84676800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"vvind-point.embassyotolaryn.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 
2026_04_07; reference:url, urlhaus.abuse.ch/url/3813699/; classtype:trojan-activity;sid:84676799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rainfreig.embassyotolaryn.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813698/; classtype:trojan-activity;sid:84676798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.236.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813697/; classtype:trojan-activity;sid:84676797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rmvofu.embassyotolaryn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813696/; classtype:trojan-activity;sid:84676796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"public-line.embassyotolaryn.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813695/; classtype:trojan-activity;sid:84676795; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"assashap.embassyotolaryn.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813694/; classtype:trojan-activity;sid:84676794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"zkfw.eskimotsutsik.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813693/; classtype:trojan-activity;sid:84676793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.205.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813692/; classtype:trojan-activity;sid:84676792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"theorysandbox.eskimotsutsik.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813691/; classtype:trojan-activity;sid:84676791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813690)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.236.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813690/; classtype:trojan-activity;sid:84676790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.47.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813689/; classtype:trojan-activity;sid:84676789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sheree.eskimotsutsik.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813688/; classtype:trojan-activity;sid:84676788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.51.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813687/; classtype:trojan-activity;sid:84676787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rail-glaci.eskimotsutsik.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813686/; classtype:trojan-activity;sid:84676786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"illurn-plate.eskimotsutsik.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813685/; classtype:trojan-activity;sid:84676785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"jzus3j.eskimotsutsik.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813684/; classtype:trojan-activity;sid:84676784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"zone-static.nicequiet.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813683/; classtype:trojan-activity;sid:84676783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.47.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813682/; classtype:trojan-activity;sid:84676782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
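(msg:"URLhaus Known malware download URL detected (3813681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"soft-hub.nicequiet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813681/; classtype:trojan-activity;sid:84676781; rev:1;)
# NOTE(review): the two cdn.discordapp.com rules below (sid 84676780 and 84676779) were
# published with every query separator written as |7c|26|7c|. In Suricata content syntax
# |7c| is the single byte "|", so that sequence matches the four literal characters |26|
# and never the "&" byte (0x26) that separates the ex/is/hm parameters in a request.
# The separators are written as |26| here. depth is lowered from 186 (the length of the
# escaped rule text) to 156 (the decoded content length), so depth + endswith is an exact
# match on the URI again, as in the other rules of this file.
# sid and rev are left as published. This file is generated upstream, so a refresh will
# presumably restore the original text; carry the correction as a local rule as well.
# These are "alert http" rules: they only fire where the sensor sees cleartext or decrypted
# HTTP. TODO confirm that traffic to this host is decrypted before relying on them.
# The ex/is/hm values look like expiring signature parameters; if so, a re-issued link to
# the same attachment path would not match. Consider an additional path-only match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1488149515692150997/1491005258346795148/factura.js|3f|ex=69d61e5b|26|is=69d4ccdb|26|hm=7dec44f6517f5de4372dce0831626cd9e6a97158aa944368b01d24808dd99e63|26|"; depth:156; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813680/; classtype:trojan-activity;sid:84676780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1488149515692150997/1491033581819138350/factura.js|3f|ex=69d638bb|26|is=69d4e73b|26|hm=e2ab3959d654d785e20f205d06bb87981464b75be361e1167a1905db5742f0fa|26|"; depth:156; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813679/; classtype:trojan-activity;sid:84676779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mute-gate.nicequiet.in.net"; depth:26; isdataat:!1,relative; 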
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813678/; classtype:trojan-activity;sid:84676778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.44.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813677/; classtype:trojan-activity;sid:84676777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"calm-svc.nicequiet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813676/; classtype:trojan-activity;sid:84676776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.42.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813675/; classtype:trojan-activity;sid:84676775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"peace-api.nicequiet.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813674/; classtype:trojan-activity;sid:84676774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.42.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813673/; classtype:trojan-activity;sid:84676773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"silent-node.nicequiet.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813672/; classtype:trojan-activity;sid:84676772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.112.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813671/; classtype:trojan-activity;sid:84676771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813670/; classtype:trojan-activity;sid:84676770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rest-log.goingsick.in.net"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813669/; classtype:trojan-activity;sid:84676769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.240.38.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813668/; classtype:trojan-activity;sid:84676768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"lab-svc.goingsick.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813667/; classtype:trojan-activity;sid:84676767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"med-node.goingsick.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813666/; classtype:trojan-activity;sid:84676766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nx686"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813663/; classtype:trojan-activity;sid:84676763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nppc440"; depth:13; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813664/; classtype:trojan-activity;sid:84676764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nx486"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813665/; classtype:trojan-activity;sid:84676765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.58.117"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813662/; classtype:trojan-activity;sid:84676762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"doc-portal.goingsick.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813661/; classtype:trojan-activity;sid:84676761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813660/; classtype:trojan-activity;sid:84676760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.58.117"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813659/; classtype:trojan-activity;sid:84676759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.44.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813658/; classtype:trojan-activity;sid:84676758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"care-api.goingsick.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813657/; classtype:trojan-activity;sid:84676757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.176.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813656/; classtype:trojan-activity;sid:84676756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813655)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"health-check.goingsick.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813655/; classtype:trojan-activity;sid:84676755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.240.38.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813654/; classtype:trojan-activity;sid:84676754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"45.95.147.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813653/; classtype:trojan-activity;sid:84676753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.112.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813652/; classtype:trojan-activity;sid:84676752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nsh4"; depth:10; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813651/; classtype:trojan-activity;sid:84676751; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meta-hub.ashstatistic.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813650/; classtype:trojan-activity;sid:84676750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813649/; classtype:trojan-activity;sid:84676749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i486"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813648/; classtype:trojan-activity;sid:84676748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813647/; classtype:trojan-activity;sid:84676747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/narm7"; depth:11; endswith; nocase; http.host; 
content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813632/; classtype:trojan-activity;sid:84676732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nx86_64"; depth:13; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813633/; classtype:trojan-activity;sid:84676733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813634/; classtype:trojan-activity;sid:84676734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/narm"; depth:10; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813635/; classtype:trojan-activity;sid:84676735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813636/; classtype:trojan-activity;sid:84676736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3813637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813637/; classtype:trojan-activity;sid:84676737; rev:1;)
# Per-architecture payload set: the same host is listed once per /hiddenbin/boatnet.<arch> file (x86, sh4, arm5,
# arm6, ...), and each rule matches one exact filename.
# NOTE(review): a file set named by CPU architecture is typical of IoT/embedded botnet loaders - confirm against
# the URLhaus entry given in each rule's reference before labelling the family.
# The source of a hit is the internal device that made the request; include routers, cameras and other embedded
# hosts in triage, since they often have no endpoint telemetry to corroborate the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813638/; classtype:trojan-activity;sid:84676738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813639/; classtype:trojan-activity;sid:84676739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813640/; classtype:trojan-activity;sid:84676740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/narm6"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url,
urlhaus.abuse.ch/url/3813641/; classtype:trojan-activity;sid:84676741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813642/; classtype:trojan-activity;sid:84676742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nmpsl"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813643/; classtype:trojan-activity;sid:84676743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nx86"; depth:10; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813644/; classtype:trojan-activity;sid:84676744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813645/; classtype:trojan-activity;sid:84676745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813646)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813646/; classtype:trojan-activity;sid:84676746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813626/; classtype:trojan-activity;sid:84676726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nm68k"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813627/; classtype:trojan-activity;sid:84676727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813628/; classtype:trojan-activity;sid:84676728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nmips"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813629/; classtype:trojan-activity;sid:84676729; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/narm5"; depth:11; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813630/; classtype:trojan-activity;sid:84676730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nppc"; depth:10; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813631/; classtype:trojan-activity;sid:84676731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x64"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813622/; classtype:trojan-activity;sid:84676722; rev:1;)
# The filename in the next rule is spelled "i468", not "i486". depth:23 + endswith make the URI match exact, so
# the rule fires only on this spelling; leave it as published.
# NOTE(review): presumably this mirrors the filename as hosted - confirm via the rule's reference URL before
# treating it as a feed typo or adding a local "i486" variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813623/; classtype:trojan-activity;sid:84676723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at
2026_04_07; reference:url, urlhaus.abuse.ch/url/3813624/; classtype:trojan-activity;sid:84676724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.x86"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813625/; classtype:trojan-activity;sid:84676725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.m68k"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813611/; classtype:trojan-activity;sid:84676711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm7"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813612/; classtype:trojan-activity;sid:84676712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm5"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813613/; classtype:trojan-activity;sid:84676713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.i686"; depth:10; 
endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813614/; classtype:trojan-activity;sid:84676714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mpsl"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813615/; classtype:trojan-activity;sid:84676715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nspc"; depth:10; endswith; nocase; http.host; content:"94.156.152.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813616/; classtype:trojan-activity;sid:84676716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm4"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813617/; classtype:trojan-activity;sid:84676717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.mips"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813618/; classtype:trojan-activity;sid:84676718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3813619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.spc"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813619/; classtype:trojan-activity;sid:84676719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i468"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813620/; classtype:trojan-activity;sid:84676720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.arm6"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813621/; classtype:trojan-activity;sid:84676721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.sh4"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813610/; classtype:trojan-activity;sid:84676710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.dbg"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813608/; 
classtype:trojan-activity;sid:84676708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyre.apk"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813609/; classtype:trojan-activity;sid:84676709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.149.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813607/; classtype:trojan-activity;sid:84676707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sum-svc.ashstatistic.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813606/; classtype:trojan-activity;sid:84676706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.176.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813605/; classtype:trojan-activity;sid:84676705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813604)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"plot-node.ashstatistic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813604/; classtype:trojan-activity;sid:84676704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.228.61.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813603/; classtype:trojan-activity;sid:84676703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k.php"; depth:6; endswith; nocase; http.host; content:"45.95.147.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813602/; classtype:trojan-activity;sid:84676702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/who.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813601/; classtype:trojan-activity;sid:84676701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.44.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813600/; classtype:trojan-activity;sid:84676700; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trend-log.ashstatistic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813599/; classtype:trojan-activity;sid:84676699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-view.ashstatistic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813598/; classtype:trojan-activity;sid:84676698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"chart-api.ashstatistic.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813597/; classtype:trojan-activity;sid:84676697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"160.119.69.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813596/; classtype:trojan-activity;sid:84676696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813595)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.180.160.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813595/; classtype:trojan-activity;sid:84676695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.149.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813594/; classtype:trojan-activity;sid:84676694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dream-hub.blindersyawn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813593/; classtype:trojan-activity;sid:84676693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.32.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813592/; classtype:trojan-activity;sid:84676692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sleep-node.blindersyawn.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813591/; 
classtype:trojan-activity;sid:84676691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"silent-svc.blindersyawn.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813590/; classtype:trojan-activity;sid:84676690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rest-api.blindersyawn.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813589/; classtype:trojan-activity;sid:84676689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dark-mode.blindersyawn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813588/; classtype:trojan-activity;sid:84676688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.177.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813587/; classtype:trojan-activity;sid:84676687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3813586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"eye-cover.blindersyawn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813586/; classtype:trojan-activity;sid:84676686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_111454.png"; depth:15; endswith; nocase; http.host; content:"magina.online"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813583/; classtype:trojan-activity;sid:84676683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_092557.png"; depth:15; endswith; nocase; http.host; content:"estirarsobrelivro.online"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813584/; classtype:trojan-activity;sid:84676684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_093921.png"; depth:15; endswith; nocase; http.host; content:"estirarsobrelivro.online"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813585/; classtype:trojan-activity;sid:84676685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_102519.png"; depth:15; endswith; nocase; http.host; content:"voltamos.site"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813579/; classtype:trojan-activity;sid:84676679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_084028.png"; depth:15; endswith; nocase; http.host; content:"voltamos.site"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813580/; classtype:trojan-activity;sid:84676680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_095306.png"; depth:15; endswith; nocase; http.host; content:"vagner.site"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813581/; classtype:trojan-activity;sid:84676681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_105610.png"; depth:15; endswith; nocase; http.host; content:"voltamos.site"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813582/; classtype:trojan-activity;sid:84676682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phukli.docx"; depth:12; endswith; nocase; http.host; content:"marchcap28.blogspot.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813576/; classtype:trojan-activity;sid:84676676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813577)"; flow:established,from_client; http.method; content:"GET"; 
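http.uri; content:"/ugd/09c1d5_067d5a752c594e7184b856b08dc34069.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813577/; classtype:trojan-activity;sid:84676677; rev:1;)
# URLhaus 3813578: exact-URL match on a cleartext HTTP GET (method, full http.uri, full http.host).
# The |3f| escape is a single byte ("?"), so the URI pattern is 49 bytes long, not 52.
# depth is set to the pattern length, as on the rules without escapes, so that depth + endswith
# anchor both ends of http.uri; with depth:52 a URI carrying up to three extra leading bytes
# would also match. NOTE(review): the feed generator apparently counts the escaped text - confirm upstream.
# The host is a shared publishing platform: triage an alert on the full path, not on the host alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feeds/4350113143311731351/posts/default|3f|alt=atom"; depth:49; endswith; nocase; http.host; content:"www.blogger.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813578/; classtype:trojan-activity;sid:84676678; rev:1;)
# URLhaus 3813573: same escape miscount; "/atom.xml" + "?" + "m=1" is 13 bytes, so depth is 13 rather than 16.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml|3f|m=1"; depth:13; endswith; nocase; http.host; content:"marchcap28.blogspot.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813573/; classtype:trojan-activity;sid:84676673; rev:1;)
# URLhaus 3813574: no escapes in the pattern, depth already equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_40213e6629914369be3e0bff1ca5bc6d.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813574/; classtype:trojan-activity;sid:84676674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lipawaka.otd"; depth:13; endswith; nocase; http.host; 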
content:"17marchdoomerg.blogspot.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813575/; classtype:trojan-activity;sid:84676675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_111308.png"; depth:15; endswith; nocase; http.host; content:"gadomamada.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813569/; classtype:trojan-activity;sid:84676669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_220302.png"; depth:15; endswith; nocase; http.host; content:"gadomamada.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813570/; classtype:trojan-activity;sid:84676670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_067d5a752c594e7184b856b08dc34069.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813571/; classtype:trojan-activity;sid:84676671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_40213e6629914369be3e0bff1ca5bc6d.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813572/; 
classtype:trojan-activity;sid:84676672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"144.225.93.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813567/; classtype:trojan-activity;sid:84676667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh"; depth:12; endswith; nocase; http.host; content:"163.61.39.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813568/; classtype:trojan-activity;sid:84676668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"marchcap28.blogspot.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813566/; classtype:trojan-activity;sid:84676666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_110303.png"; depth:15; endswith; nocase; http.host; content:"documents.lat"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813563/; classtype:trojan-activity;sid:84676663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_124340.png"; depth:15; endswith; nocase; http.host; 
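content:"estudarebomai.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813564/; classtype:trojan-activity;sid:84676664; rev:1;)
# URLhaus 3813565: exact-URL match on a cleartext HTTP GET (method, full http.uri, full http.host).
# The |3f| escape is a single byte ("?"), so "/phukli.docx" + "?" + "m=1" is 16 bytes, not 19.
# depth is set to the pattern length, as on the rules without escapes, so that depth + endswith
# anchor both ends of http.uri; with depth:19 a URI carrying up to three extra leading bytes
# would also match. NOTE(review): the feed generator apparently counts the escaped text - confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phukli.docx|3f|m=1"; depth:16; endswith; nocase; http.host; content:"marchcap28.blogspot.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813565/; classtype:trojan-activity;sid:84676665; rev:1;)
# The three rules below carry no escapes; their depth values already equal the pattern lengths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.177.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813562/; classtype:trojan-activity;sid:84676662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"port-gate.basaltloading.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813561/; classtype:trojan-activity;sid:84676661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/debug"; depth:19; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813560/; classtype:trojan-activity;sid:84676660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 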
any (msg:"URLhaus Known malware download URL detected (3813559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mass-logic.basaltloading.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813559/; classtype:trojan-activity;sid:84676659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.158.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813558/; classtype:trojan-activity;sid:84676658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dock-svc.basaltloading.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813557/; classtype:trojan-activity;sid:84676657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.202.8.1"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813556/; classtype:trojan-activity;sid:84676656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"171.36.117.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813555/; classtype:trojan-activity;sid:84676655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.59.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813554/; classtype:trojan-activity;sid:84676654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"cargo-hub.basaltloading.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813553/; classtype:trojan-activity;sid:84676653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.88.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813552/; classtype:trojan-activity;sid:84676652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.59.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813551/; classtype:trojan-activity;sid:84676651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3813550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"truck-line.basaltloading.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813550/; classtype:trojan-activity;sid:84676650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.226.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813549/; classtype:trojan-activity;sid:84676649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.33.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813548/; classtype:trojan-activity;sid:84676648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"heavy-weight.basaltloading.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813547/; classtype:trojan-activity;sid:84676647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm6"; depth:13; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813546/; classtype:trojan-activity;sid:84676646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm7"; depth:13; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813542/; classtype:trojan-activity;sid:84676642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mips"; depth:13; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813543/; classtype:trojan-activity;sid:84676643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm"; depth:12; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813544/; classtype:trojan-activity;sid:84676644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mpsl"; depth:13; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813545/; classtype:trojan-activity;sid:84676645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813541)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/rebirth.arm5"; depth:13; endswith; nocase; http.host; content:"93.123.109.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813541/; classtype:trojan-activity;sid:84676641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"match-hub.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813540/; classtype:trojan-activity;sid:84676640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"14.202.8.1"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813539/; classtype:trojan-activity;sid:84676639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cat.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813538/; classtype:trojan-activity;sid:84676638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813526/; 
classtype:trojan-activity;sid:84676626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813527/; classtype:trojan-activity;sid:84676627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813528/; classtype:trojan-activity;sid:84676628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813529/; classtype:trojan-activity;sid:84676629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813530/; classtype:trojan-activity;sid:84676630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813531/; classtype:trojan-activity;sid:84676631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813532/; classtype:trojan-activity;sid:84676632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813533/; classtype:trojan-activity;sid:84676633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813534/; classtype:trojan-activity;sid:84676634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813535/; classtype:trojan-activity;sid:84676635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813536)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813536/; classtype:trojan-activity;sid:84676636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813537/; classtype:trojan-activity;sid:84676637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"top-team.saklatwenty.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813525/; classtype:trojan-activity;sid:84676625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.195.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813524/; classtype:trojan-activity;sid:84676624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.245.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813523/; classtype:trojan-activity;sid:84676623; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"round-svc.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813522/; classtype:trojan-activity;sid:84676622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.33.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813521/; classtype:trojan-activity;sid:84676621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813519/; classtype:trojan-activity;sid:84676619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813520/; classtype:trojan-activity;sid:84676620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; 
http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813508/; classtype:trojan-activity;sid:84676608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813509/; classtype:trojan-activity;sid:84676609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813510/; classtype:trojan-activity;sid:84676610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813511/; classtype:trojan-activity;sid:84676611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813512/; classtype:trojan-activity;sid:84676612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3813513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813513/; classtype:trojan-activity;sid:84676613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813514/; classtype:trojan-activity;sid:84676614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813515/; classtype:trojan-activity;sid:84676615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813516/; classtype:trojan-activity;sid:84676616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; 
reference:url, urlhaus.abuse.ch/url/3813517/; classtype:trojan-activity;sid:84676617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813518/; classtype:trojan-activity;sid:84676618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813507/; classtype:trojan-activity;sid:84676607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"game-api.saklatwenty.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813506/; classtype:trojan-activity;sid:84676606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.21.1.170"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813505/; classtype:trojan-activity;sid:84676605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813504)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"count-log.saklatwenty.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813504/; classtype:trojan-activity;sid:84676604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.167.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813503/; classtype:trojan-activity;sid:84676603; rev:1;)
# The URI /05fe317c-0981-4de2-bc8a-930d369db441/verification.google recurs in many rules in this part of
# the file; between those rules only the http.host value (a subdomain of an *.in.net name), the entry id
# and the sid change. Each host has its own rule, so one URI shows up under many sids: when triaging,
# grouping alerts by the shared URI as well as by sid keeps related hits together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"score-board.saklatwenty.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813502/; classtype:trojan-activity;sid:84676602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.195.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813501/; classtype:trojan-activity;sid:84676601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"main-route.leavedistribut.in.net"; depth:32; 
isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813500/; classtype:trojan-activity;sid:84676600; rev:1;)
# The /bins/p* rules that follow (entry ids 3813489-3813499) all pin http.host 176.65.139.35; each one
# covers a single file name under /bins/. The URI is matched in full (`depth` equal to the string length
# plus `endswith`), so a file name that is not listed has no rule of its own. Host-level coverage for
# this address, if wanted, has to come from a separate rule or feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813497/; classtype:trojan-activity;sid:84676597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813498/; classtype:trojan-activity;sid:84676598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813499/; classtype:trojan-activity;sid:84676599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813489/; classtype:trojan-activity;sid:84676589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813490)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813490/; classtype:trojan-activity;sid:84676590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813491/; classtype:trojan-activity;sid:84676591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813492/; classtype:trojan-activity;sid:84676592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813493/; classtype:trojan-activity;sid:84676593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813494/; classtype:trojan-activity;sid:84676594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3813495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813495/; classtype:trojan-activity;sid:84676595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813496/; classtype:trojan-activity;sid:84676596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"branch-node.leavedistribut.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813488/; classtype:trojan-activity;sid:84676588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.145.125.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813487/; classtype:trojan-activity;sid:84676587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.21.1.170"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_07; reference:url, urlhaus.abuse.ch/url/3813486/; classtype:trojan-activity;sid:84676586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"send-relay.leavedistribut.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813485/; classtype:trojan-activity;sid:84676585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.226.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813484/; classtype:trojan-activity;sid:84676584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pack-svc.leavedistribut.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813483/; classtype:trojan-activity;sid:84676583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"load-sync.leavedistribut.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813482/; classtype:trojan-activity;sid:84676582; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.54.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813481/; classtype:trojan-activity;sid:84676581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"share-point.leavedistribut.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813480/; classtype:trojan-activity;sid:84676580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.55.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813479/; classtype:trojan-activity;sid:84676579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"broad-cast.exaltedinfinate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813478/; classtype:trojan-activity;sid:84676578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813477)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"alpha-hub.exaltedinfinate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813477/; classtype:trojan-activity;sid:84676577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.64.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813476/; classtype:trojan-activity;sid:84676576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.54.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813475/; classtype:trojan-activity;sid:84676575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"end-point.exaltedinfinate.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813474/; classtype:trojan-activity;sid:84676574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mega-vault.exaltedinfinate.in.net"; depth:33; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813473/; classtype:trojan-activity;sid:84676573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"outer-reach.exaltedinfinate.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813472/; classtype:trojan-activity;sid:84676572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.55.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813471/; classtype:trojan-activity;sid:84676571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.168.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813470/; classtype:trojan-activity;sid:84676570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"limit-less.exaltedinfinate.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813469/; classtype:trojan-activity;sid:84676569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3813468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.70.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813468/; classtype:trojan-activity;sid:84676568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"prime-logic.boyishglorified.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813467/; classtype:trojan-activity;sid:84676567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.32.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813466/; classtype:trojan-activity;sid:84676566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hero-svc.boyishglorified.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813465/; classtype:trojan-activity;sid:84676565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; 
endswith; nocase; http.host; content:"star-track.boyishglorified.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813464/; classtype:trojan-activity;sid:84676564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.44.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813463/; classtype:trojan-activity;sid:84676563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.72.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813462/; classtype:trojan-activity;sid:84676562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bright-node.boyishglorified.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813461/; classtype:trojan-activity;sid:84676561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.221.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813460/; classtype:trojan-activity;sid:84676560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.37.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813459/; classtype:trojan-activity;sid:84676559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.166.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813458/; classtype:trojan-activity;sid:84676558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fame-api.boyishglorified.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813457/; classtype:trojan-activity;sid:84676557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"young-style.boyishglorified.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813456/; classtype:trojan-activity;sid:84676556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"222.140.135.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813455/; classtype:trojan-activity;sid:84676555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.119.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813454/; classtype:trojan-activity;sid:84676554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"core-point.midgetplunge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813453/; classtype:trojan-activity;sid:84676553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.235.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813452/; classtype:trojan-activity;sid:84676552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.131.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813451/; classtype:trojan-activity;sid:84676551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3813450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.70.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813450/; classtype:trojan-activity;sid:84676550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.214.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813449/; classtype:trojan-activity;sid:84676549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"water-log.midgetplunge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813448/; classtype:trojan-activity;sid:84676548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.4.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813447/; classtype:trojan-activity;sid:84676547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.72.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813446/; 
classtype:trojan-activity;sid:84676546; rev:1;)
# URLhaus feed entries (metadata created_at 2026_04_07), laid out one rule per line.
# Every rule here has the same shape: an established, client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose URI and Host both equal one reported URL.
#   http.uri  content + depth:<len> + endswith            -> the whole URI buffer must equal the
#       string (case-insensitive via nocase); the same path with a query string does not match.
#   http.host content + depth:<len> + isdataat:!1,relative -> the whole Host buffer must equal the
#       string; a sibling subdomain or another host serving the same path does not match.
# These are "alert http" signatures, so they only fire on requests the HTTP parser sees in clear
# text; the same URL fetched over TLS is not covered unless traffic is decrypted upstream.
# NOTE(review): the indicators are point-in-time. Confirm an alert against the urlhaus.abuse.ch
# reference in the rule before acting; the bare-IP hosts in particular may have changed hands.
# In this span 123.5.178.48 (sid 84676543 "/i", sid 84676531 "/bin.sh") and 66.212.185.81
# (sid 84676533 "/i", sid 84676529 "/bin.sh") each appear in two rules, so triage is easier
# when alerts are correlated by destination host rather than by sid.
# The "/05fe317c-…/verification.google" path is pinned to individual subdomains of
# midgetplunge.in.net and ratiocore.in.net; a subdomain not listed here is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.37.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813445/; classtype:trojan-activity;sid:84676545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pool-access.midgetplunge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813444/; classtype:trojan-activity;sid:84676544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.178.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813443/; classtype:trojan-activity;sid:84676543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.105.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813442/; classtype:trojan-activity;sid:84676542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7655527200/yy6jfaz.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813441/; classtype:trojan-activity;sid:84676541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"jump-gate.midgetplunge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813440/; classtype:trojan-activity;sid:84676540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.229.166.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813439/; classtype:trojan-activity;sid:84676539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.221.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813438/; classtype:trojan-activity;sid:84676538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"deep-dive.midgetplunge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813437/; classtype:trojan-activity;sid:84676537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.214.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813436/; classtype:trojan-activity;sid:84676536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"small-step.midgetplunge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813435/; classtype:trojan-activity;sid:84676535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.131.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813434/; classtype:trojan-activity;sid:84676534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813433/; classtype:trojan-activity;sid:84676533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"decision-svc.ratiocore.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813432/; classtype:trojan-activity;sid:84676532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.178.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813431/; classtype:trojan-activity;sid:84676531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"calc-logic.ratiocore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813430/; classtype:trojan-activity;sid:84676530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813429/; classtype:trojan-activity;sid:84676529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"cloth-net.technofabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813428/; classtype:trojan-activity;sid:84676528; rev:1;)
# URLhaus feed entries (metadata created_at 2026_04_07), laid out one rule per line.
# Each rule matches an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET.
# depth:<len> + endswith on http.uri and depth:<len> + isdataat:!1,relative on http.host make
# both comparisons exact: the URI buffer must equal the string (nocase) and the Host buffer
# must equal the listed name. A query string on the URI or an unlisted subdomain does not match.
# Most rules in this span share the URI "/verification.google/" and differ only in the
# *.in.net host, so coverage is exactly the set of hostnames enumerated here.
# Only clear-text HTTP is inspected by "alert http"; TLS fetches of the same URL are not seen.
# The sids are not in numeric order in the feed; do not rely on ordering when diffing updates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"cgnnhw.catalystventure.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813414/; classtype:trojan-activity;sid:84676514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"hash-store.cryptolayer.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813415/; classtype:trojan-activity;sid:84676515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"bit-stream.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813416/; classtype:trojan-activity;sid:84676516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"code-gate.logicstream.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813417/; classtype:trojan-activity;sid:84676517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"main-frame.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813418/; classtype:trojan-activity;sid:84676518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"weave-sync.technofabric.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813419/; classtype:trojan-activity;sid:84676519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"c0lo-scope.vectorharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813420/; classtype:trojan-activity;sid:84676520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"trivenen2.catalystventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813421/; classtype:trojan-activity;sid:84676521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"packet-flow.logicstream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813422/; classtype:trojan-activity;sid:84676522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"rule-engine.logicstream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813423/; classtype:trojan-activity;sid:84676523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"step-check.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813424/; classtype:trojan-activity;sid:84676524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"ultra-r0ug.vectorharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813425/; classtype:trojan-activity;sid:84676525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"anon-auth.cryptolayer.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813426/; classtype:trojan-activity;sid:84676526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"secure-key.cryptolayer.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813427/; classtype:trojan-activity;sid:84676527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deploy_mirai.sh"; depth:16; endswith; nocase; http.host; content:"fdsafa.best"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813413/; classtype:trojan-activity;sid:84676513; rev:1;)
# sid 84676512 (here) and sid 84676510 (two rules below) carry identical match conditions:
# same URI "/file/rateconfirmation.exe", same host "onlinetenderconfirmation.vip". One request
# therefore raises two alerts. Presumably the feed lists the URL twice with a difference these
# keywords do not inspect (e.g. scheme or port) — confirm against the two URLhaus references
# and de-duplicate in alert handling rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/rateconfirmation.exe"; depth:26; endswith; nocase; http.host; content:"onlinetenderconfirmation.vip"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813412/; classtype:trojan-activity;sid:84676512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"velflux0or.tockentrue.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813409/; classtype:trojan-activity;sid:84676509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/rateconfirmation.exe"; depth:26; endswith; nocase; http.host; content:"onlinetenderconfirmation.vip"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813410/; classtype:trojan-activity;sid:84676510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"optic5-dock.paragonbloomera.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813411/; classtype:trojan-activity;sid:84676511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"cfp1laq8.productter.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813408/; classtype:trojan-activity;sid:84676508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813398/; classtype:trojan-activity;sid:84676498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813399/; classtype:trojan-activity;sid:84676499; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813400/; classtype:trojan-activity;sid:84676500; rev:1;)
# URLhaus feed entries (metadata created_at 2026_04_07), laid out one rule per line.
# Each rule matches an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET.
# depth:<len> + endswith on http.uri and depth:<len> + isdataat:!1,relative on http.host make
# both comparisons exact: the URI buffer must equal the string (nocase) and the Host buffer
# must equal the listed name or address. Anything appended to the URI defeats the match.
# Only clear-text HTTP is inspected by "alert http"; TLS fetches of the same URL are not seen.
# Many rules in this span point at one host, 154.53.37.227, with one rule per file under
# "/windyloveyou/" (the names differ only in an architecture-style suffix) plus "/1.sh"
# (sid 84676487). A single client that triggers several of these sids in a short window is one
# incident; group by source and destination before counting.
# NOTE(review): the direction is $HOME_NET -> $EXTERNAL_NET, so these fire on an internal client
# fetching the file. They are evidence of a download attempt, not of successful execution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813401/; classtype:trojan-activity;sid:84676501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813402/; classtype:trojan-activity;sid:84676502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"dockswitch.matchexact.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813403/; classtype:trojan-activity;sid:84676503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcicapi.bin"; depth:12; endswith; nocase; http.host; content:"spirit.ashgrove.icu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813404/; classtype:trojan-activity;sid:84676504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813405/; classtype:trojan-activity;sid:84676505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"clear-head.ratiocore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813406/; classtype:trojan-activity;sid:84676506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"arkline9ar.quantumharbinger.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813407/; classtype:trojan-activity;sid:84676507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"2woz.quantumharbinger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813389/; classtype:trojan-activity;sid:84676489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813390/; classtype:trojan-activity;sid:84676490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813391/; classtype:trojan-activity;sid:84676491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813392/; classtype:trojan-activity;sid:84676492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813393/; classtype:trojan-activity;sid:84676493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"duskgrand.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813394/; classtype:trojan-activity;sid:84676494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"daemondeli.chromeflack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813395/; classtype:trojan-activity;sid:84676495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813396/; classtype:trojan-activity;sid:84676496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"pol43-plate.nexuspatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813397/; classtype:trojan-activity;sid:84676497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813387/; classtype:trojan-activity;sid:84676487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813388/; classtype:trojan-activity;sid:84676488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"sun-line.cloudfloot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813384/; classtype:trojan-activity;sid:84676484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"oi52ewc.dockhype.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813385/; classtype:trojan-activity;sid:84676485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/rateconfirmation.exe"; depth:26; endswith; nocase; http.host; content:"193.111.117.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813386/; classtype:trojan-activity;sid:84676486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"c0upon1-sheet.latticepatronage.in.net"; depth:37; isdataat:!1,relative; 
metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813382/; classtype:trojan-activity;sid:84676482; rev:1;)
# URLhaus feed entries (metadata created_at 2026_04_07), laid out one rule per line.
# Each rule matches an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET.
# depth:<len> + endswith on http.uri and depth:<len> + isdataat:!1,relative on http.host make
# both comparisons exact: the URI buffer must equal the string (nocase) and the Host buffer
# must equal the listed name or address. A different file on the same host is not matched.
# Only clear-text HTTP is inspected by "alert http"; TLS fetches of the same URL are not seen.
# fdsafa.best appears twice in this span ("/bots/mirai.mips", "/bots/mirai.x86"), as does
# 154.53.37.227 ("/windyloveyou/windy.x86_64", "/windyloveyou/windy.spc"): one rule per file,
# so several sids from the same client to the same host belong to one incident.
# NOTE(review): the "/i" rules are distinguished only by the destination address. Treat them as
# host indicators with a date attached (created_at) and re-check the URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google/"; depth:21; endswith; nocase; http.host; content:"dyn-coreal.hostyard.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813383/; classtype:trojan-activity;sid:84676483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/mirai.mips"; depth:16; endswith; nocase; http.host; content:"fdsafa.best"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813380/; classtype:trojan-activity;sid:84676480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/mirai.x86"; depth:15; endswith; nocase; http.host; content:"fdsafa.best"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813381/; classtype:trojan-activity;sid:84676481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"tree.immortalday.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813378/; classtype:trojan-activity;sid:84676478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813376/; classtype:trojan-activity;sid:84676476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"154.53.37.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813377/; classtype:trojan-activity;sid:84676477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mao_http.sh"; depth:12; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813375/; classtype:trojan-activity;sid:84676475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"think-tank.ratiocore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813374/; classtype:trojan-activity;sid:84676474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"smart-node.ratiocore.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813372/; classtype:trojan-activity;sid:84676472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.83.183"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813373/; classtype:trojan-activity;sid:84676473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.59.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813371/; classtype:trojan-activity;sid:84676471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ratio-point.ratiocore.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813370/; classtype:trojan-activity;sid:84676470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.4.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813369/; classtype:trojan-activity;sid:84676469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813368)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.82.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813368/; classtype:trojan-activity;sid:84676468; rev:1;)
# URLhaus feed entries (metadata created_at 2026_04_07), laid out one rule per line.
# Each rule matches an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET.
# depth:<len> + endswith on http.uri and depth:<len> + isdataat:!1,relative on http.host make
# both comparisons exact: the URI buffer must equal the string (nocase) and the Host buffer
# must equal the listed name or address.
# Only clear-text HTTP is inspected by "alert http"; TLS fetches of the same URL are not seen.
# The "/05fe317c-…/verification.google" rules here enumerate six subdomains of
# analyticaengine.in.net one by one; a subdomain that is not listed is not matched.
# NOTE(review): the "/i" and "/bin.sh" rules are distinguished only by the destination address.
# Treat them as dated host indicators (created_at) and re-check the URLhaus reference in the
# rule before escalating an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trace-result.analyticaengine.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813367/; classtype:trojan-activity;sid:84676467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meta-track.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813366/; classtype:trojan-activity;sid:84676466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.89.121.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813365/; classtype:trojan-activity;sid:84676465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-split.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813364/; classtype:trojan-activity;sid:84676464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"point-scan.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813363/; classtype:trojan-activity;sid:84676463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stat-render.analyticaengine.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813362/; classtype:trojan-activity;sid:84676462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.113.129.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813361/; classtype:trojan-activity;sid:84676461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.39.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813360/; classtype:trojan-activity;sid:84676460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.59.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813359/; classtype:trojan-activity;sid:84676459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.133.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813358/; classtype:trojan-activity;sid:84676458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.178.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813356/; classtype:trojan-activity;sid:84676456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.7.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813357/; classtype:trojan-activity;sid:84676457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.183.196.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813354/; classtype:trojan-activity;sid:84676454; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.183.196.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813355/; classtype:trojan-activity;sid:84676455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.145.125.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813352/; classtype:trojan-activity;sid:84676452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.54.35.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813353/; classtype:trojan-activity;sid:84676453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.38.224"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813350/; classtype:trojan-activity;sid:84676450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"158.255.83.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813351/; classtype:trojan-activity;sid:84676451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.17.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813349/; classtype:trojan-activity;sid:84676449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"break-down.analyticaengine.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813348/; classtype:trojan-activity;sid:84676448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813347/; classtype:trojan-activity;sid:84676447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"perception-svc.cognisphere.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813346/; classtype:trojan-activity;sid:84676446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813345)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.23.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813345/; classtype:trojan-activity;sid:84676445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.119.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813344/; classtype:trojan-activity;sid:84676444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.124.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813343/; classtype:trojan-activity;sid:84676443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sense-data.cognisphere.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813342/; classtype:trojan-activity;sid:84676442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-web.cognisphere.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; 
reference:url, urlhaus.abuse.ch/url/3813341/; classtype:trojan-activity;sid:84676441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813340/; classtype:trojan-activity;sid:84676440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.17.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813338/; classtype:trojan-activity;sid:84676438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"neural-link.cognisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813339/; classtype:trojan-activity;sid:84676439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813337/; classtype:trojan-activity;sid:84676437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813336)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thought-api.cognisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813336/; classtype:trojan-activity;sid:84676436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.169.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813335/; classtype:trojan-activity;sid:84676435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"brain-weave.cognisphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813334/; classtype:trojan-activity;sid:84676434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"86.249.132.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813333/; classtype:trojan-activity;sid:84676433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.191.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813332/; 
classtype:trojan-activity;sid:84676432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.119.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813331/; classtype:trojan-activity;sid:84676431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"line-secure.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813330/; classtype:trojan-activity;sid:84676430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"archive-hub.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813329/; classtype:trojan-activity;sid:84676429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813328/; classtype:trojan-activity;sid:84676428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813327)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"file-stack.systemologyhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813327/; classtype:trojan-activity;sid:84676427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rank-index.systemologyhub.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813326/; classtype:trojan-activity;sid:84676426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"step-monitor.systemologyhub.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813325/; classtype:trojan-activity;sid:84676425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.132.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813324/; classtype:trojan-activity;sid:84676424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; 
nocase; http.host; content:"order-logic.systemologyhub.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813323/; classtype:trojan-activity;sid:84676423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"frame-api.theoristack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813322/; classtype:trojan-activity;sid:84676422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.50.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813321/; classtype:trojan-activity;sid:84676421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.178.190.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813320/; classtype:trojan-activity;sid:84676420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"space-time.theoristack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813319/; 
classtype:trojan-activity;sid:84676419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.132.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813318/; classtype:trojan-activity;sid:84676418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ideal-node.theoristack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813317/; classtype:trojan-activity;sid:84676417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"map-project.theoristack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813316/; classtype:trojan-activity;sid:84676416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.50.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813315/; classtype:trojan-activity;sid:84676415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813314)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.23.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813314/; classtype:trojan-activity;sid:84676414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"model-check.theoristack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813313/; classtype:trojan-activity;sid:84676413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.178.190.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813312/; classtype:trojan-activity;sid:84676412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"abstract-io.theoristack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813311/; classtype:trojan-activity;sid:84676411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.192.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813310/; classtype:trojan-activity;sid:84676410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"step-wise.inferencestream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813309/; classtype:trojan-activity;sid:84676409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"guess-node.inferencestream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813308/; classtype:trojan-activity;sid:84676408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hint-api.inferencestream.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813307/; classtype:trojan-activity;sid:84676407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.254.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813306/; classtype:trojan-activity;sid:84676406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logic-vault.inferencestream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813305/; classtype:trojan-activity;sid:84676405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.28.230.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813304/; classtype:trojan-activity;sid:84676404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"lead-trace.inferencestream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813303/; classtype:trojan-activity;sid:84676403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.59.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813302/; classtype:trojan-activity;sid:84676402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; 
depth:57; endswith; nocase; http.host; content:"infer-unit.inferencestream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813301/; classtype:trojan-activity;sid:84676401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.247.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813300/; classtype:trojan-activity;sid:84676400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"motion-svc.dialecticalgrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813299/; classtype:trojan-activity;sid:84676399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.119.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813297/; classtype:trojan-activity;sid:84676397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.213.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813298/; classtype:trojan-activity;sid:84676398; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"shift-point.dialecticalgrid.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813296/; classtype:trojan-activity;sid:84676396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5714214406/asomvya.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813295/; classtype:trojan-activity;sid:84676395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.28.230.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813294/; classtype:trojan-activity;sid:84676394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.254.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813291/; classtype:trojan-activity;sid:84676391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813292/; classtype:trojan-activity;sid:84676392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.187.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813293/; classtype:trojan-activity;sid:84676393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"debate-log.dialecticalgrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813290/; classtype:trojan-activity;sid:84676390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.166.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813289/; classtype:trojan-activity;sid:84676389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"synth-portal.dialecticalgrid.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813288/; classtype:trojan-activity;sid:84676388; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"anti-node.dialecticalgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813287/; classtype:trojan-activity;sid:84676387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.119.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813286/; classtype:trojan-activity;sid:84676386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thesis-sync.dialecticalgrid.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813285/; classtype:trojan-activity;sid:84676385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"law-check.axiomatrix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813284/; classtype:trojan-activity;sid:84676384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813283)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-matrix.axiomatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813283/; classtype:trojan-activity;sid:84676383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fixed-point.axiomatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813282/; classtype:trojan-activity;sid:84676382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mesh-static.axiomatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813281/; classtype:trojan-activity;sid:84676381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"core-logic.axiomatrix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813280/; classtype:trojan-activity;sid:84676380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"117.254.96.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813279/; classtype:trojan-activity;sid:84676379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813278/; classtype:trojan-activity;sid:84676378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rule-set.axiomatrix.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813277/; classtype:trojan-activity;sid:84676377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.156.176.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813276/; classtype:trojan-activity;sid:84676376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"exist-api.ontologicalflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813275/; classtype:trojan-activity;sid:84676375; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.152.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813274/; classtype:trojan-activity;sid:84676374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.139.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813273/; classtype:trojan-activity;sid:84676373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"source-data.ontologicalflux.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813272/; classtype:trojan-activity;sid:84676372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"real-time-io.ontologicalflux.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813271/; classtype:trojan-activity;sid:84676371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"115.48.152.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813270/; classtype:trojan-activity;sid:84676370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"being-node.ontologicalflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813269/; classtype:trojan-activity;sid:84676369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813268/; classtype:trojan-activity;sid:84676368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"flow-object.ontologicalflux.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813267/; classtype:trojan-activity;sid:84676367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.156.176.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813266/; 
classtype:trojan-activity;sid:84676366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"entity-map.ontologicalflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813265/; classtype:trojan-activity;sid:84676365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"study-sync.epistemologycore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813264/; classtype:trojan-activity;sid:84676364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-vault.epistemologycore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813263/; classtype:trojan-activity;sid:84676363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.88.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813262/; classtype:trojan-activity;sid:84676362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3813261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.140.191.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813261/; classtype:trojan-activity;sid:84676361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.81.38.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813260/; classtype:trojan-activity;sid:84676360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.84.216"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813259/; classtype:trojan-activity;sid:84676359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"proof-engine.epistemologycore.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813258/; classtype:trojan-activity;sid:84676358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.143.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, 
urlhaus.abuse.ch/url/3813257/; classtype:trojan-activity;sid:84676357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813256/; classtype:trojan-activity;sid:84676356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.195.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813255/; classtype:trojan-activity;sid:84676355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-theory.epistemologycore.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813254/; classtype:trojan-activity;sid:84676354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logic-audit.epistemologycore.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813253/; classtype:trojan-activity;sid:84676353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813252)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"truth-verify.epistemologycore.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813252/; classtype:trojan-activity;sid:84676352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"gate-svc.fariseietogo.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813251/; classtype:trojan-activity;sid:84676351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.84.216"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813250/; classtype:trojan-activity;sid:84676350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"local-api.fariseietogo.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813249/; classtype:trojan-activity;sid:84676349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813248)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"path-logic.fariseietogo.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813248/; classtype:trojan-activity;sid:84676348; rev:1;)
# Review note: the rule ending just above (3813248) and rules 3813246 and 3813245 below
# share one URI path and differ only in http.host, and their hosts are sibling names under
# the same parent, fariseietogo.in.net. Because every host is matched exactly
# (depth + isdataat:!1,relative), a sibling name that is not listed will not alert.
# When triaging a hit on one of these sids, the shared path is the common element to
# search for in proxy or HTTP logs, alongside the parent domain in DNS logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.143.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813247/; classtype:trojan-activity;sid:84676347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"point-site.fariseietogo.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813246/; classtype:trojan-activity;sid:84676346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"travel-hub.fariseietogo.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813245/; classtype:trojan-activity;sid:84676345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.255.4"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_07; reference:url, urlhaus.abuse.ch/url/3813244/; classtype:trojan-activity;sid:84676344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"map-route.fariseietogo.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813243/; classtype:trojan-activity;sid:84676343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"future-log.downpredict.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813242/; classtype:trojan-activity;sid:84676342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.182.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813241/; classtype:trojan-activity;sid:84676341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"low-io.downpredict.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813240/; classtype:trojan-activity;sid:84676340; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.21.22.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813239/; classtype:trojan-activity;sid:84676339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"floor-node.downpredict.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813238/; classtype:trojan-activity;sid:84676338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkk.arm7"; depth:9; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813237/; classtype:trojan-activity;sid:84676337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stat-portal.downpredict.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813236/; classtype:trojan-activity;sid:84676336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"119.180.244.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813235/; classtype:trojan-activity;sid:84676335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trend-api.downpredict.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813234/; classtype:trojan-activity;sid:84676334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.255.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813233/; classtype:trojan-activity;sid:84676333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fall-check.downpredict.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813232/; classtype:trojan-activity;sid:84676332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.182.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813231/; classtype:trojan-activity;sid:84676331; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"micro-svc.bactergreat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813230/; classtype:trojan-activity;sid:84676330; rev:1;)
# Mapping an alert back to its URLhaus entry: in each rule on these lines the sid equals
# the URLhaus URL id (the number in msg and in reference:url) plus 80863100,
# e.g. id 3813229 -> sid 84676329. NOTE(review): this is an observed pattern, not a
# documented guarantee; reference:url remains the authoritative link.
# Entries are not strictly in descending id order (3813226 is listed before 3813227),
# so key on sid rather than file position when comparing feed snapshots.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"lab-access.bactergreat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813229/; classtype:trojan-activity;sid:84676329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pure-node.bactergreat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813228/; classtype:trojan-activity;sid:84676328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.84.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813226/; classtype:trojan-activity;sid:84676326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.21.22.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813227/; classtype:trojan-activity;sid:84676327; rev:1;)
# metadata:created_at changes from 2026_04_07 to 2026_04_06 from the next rule on.
# It is the only age signal carried inside a rule. Review note: hosts given as bare IP
# addresses can be reassigned over time, so weigh older entries accordingly during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.125.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813225/; classtype:trojan-activity;sid:84676325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.250.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813224/; classtype:trojan-activity;sid:84676324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.39.19.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813223/; classtype:trojan-activity;sid:84676323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"growth-hub.bactergreat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813222/; classtype:trojan-activity;sid:84676322; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.195.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813221/; classtype:trojan-activity;sid:84676321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.197.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813220/; classtype:trojan-activity;sid:84676320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"cell-logic.bactergreat.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813219/; classtype:trojan-activity;sid:84676319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bio-trace.bactergreat.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813218/; classtype:trojan-activity;sid:84676318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"219.156.125.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813217/; classtype:trojan-activity;sid:84676317; rev:1;)
# Exact-URL indicators: "depth" equal to the content length plus "endswith" pins http.uri to the
# whole request URI, and "depth" plus "isdataat:!1,relative" pins http.host to the whole host
# value. A query string or any other path on the same host does not match.
# Scope: "alert http" with $HOME_NET -> $EXTERNAL_NET inspects only cleartext GET requests leaving
# the monitored network; the same URL fetched over TLS is not seen by these rules.
# NOTE(review): "/05fe317c-0981-4de2-bc8a-930d369db441/verification.google" repeats unchanged
# across several *.drillobjection.in.net hosts below. Host-pinned rules cover only the listed
# names; for retrospective hunting, searching HTTP/proxy logs for the path alone would also
# surface sibling hosts that are not in the feed.
# NOTE(review): for the bare-IP hosts ("/bin.sh", "/i") an address can be reassigned; check the
# status of the referenced URLhaus entry before escalating a hit on an older rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"point-api.drillobjection.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813216/; classtype:trojan-activity;sid:84676316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.92.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813215/; classtype:trojan-activity;sid:84676315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stop-logic.drillobjection.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813214/; classtype:trojan-activity;sid:84676314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.250.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813213/; classtype:trojan-activity;sid:84676313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.93.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813212/; classtype:trojan-activity;sid:84676312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.39.19.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813211/; classtype:trojan-activity;sid:84676311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.180.244.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813210/; classtype:trojan-activity;sid:84676310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"test-engine.drillobjection.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813209/; classtype:trojan-activity;sid:84676309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.84.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813208/; classtype:trojan-activity;sid:84676308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813207/; classtype:trojan-activity;sid:84676307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hard-check.drillobjection.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813206/; classtype:trojan-activity;sid:84676306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.195.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813205/; classtype:trojan-activity;sid:84676305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-audit.drillobjection.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813204/; classtype:trojan-activity;sid:84676304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"URLhaus Known malware download URL detected (3813203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.92.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813203/; classtype:trojan-activity;sid:84676303; rev:1;)
# Each rule matches one exact URL: http.uri and http.host are both pinned to their full length
# (depth + endswith, depth + isdataat:!1,relative), so a query string or a different path on the
# same host does not alert. Only cleartext HTTP GETs from $HOME_NET are inspected.
# Several hosts here are listed twice, once for "/i" and once for "/bin.sh" (77.247.92.71,
# 61.53.118.240, 61.52.37.20); alerts from both rules for one internal client point at the same
# remote host, so correlate on destination rather than counting them as separate sources.
# NOTE(review): the shared ".../verification.google" path now appears under
# *.beckonuncert.in.net as well as *.drillobjection.in.net; a log search on the path alone
# would cover hostnames the feed has not listed yet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rule-block.drillobjection.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813202/; classtype:trojan-activity;sid:84676302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"open-end.beckonuncert.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813201/; classtype:trojan-activity;sid:84676301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.37.20"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813200/; classtype:trojan-activity;sid:84676300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"guess-api.beckonuncert.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813199/; classtype:trojan-activity;sid:84676299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hint-node.beckonuncert.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813198/; classtype:trojan-activity;sid:84676298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.225.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813197/; classtype:trojan-activity;sid:84676297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"call-sign.beckonuncert.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813196/; classtype:trojan-activity;sid:84676296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.118.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813195/; classtype:trojan-activity;sid:84676295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.92.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813194/; classtype:trojan-activity;sid:84676294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"risk-check.beckonuncert.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813193/; classtype:trojan-activity;sid:84676293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.118.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813192/; classtype:trojan-activity;sid:84676292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"wave-point.beckonuncert.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813191/; classtype:trojan-activity;sid:84676291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813190)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.37.20"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813190/; classtype:trojan-activity;sid:84676290; rev:1;)
# One rule per URLhaus entry; the "reference:url" option carries the entry to open when triaging
# a hit. The match is the full URL only: http.uri is pinned by depth + endswith and http.host by
# depth + isdataat:!1,relative, and "alert http" means downloads over TLS are not covered.
# NOTE(review): in this stretch the ".../verification.google" path is served from
# *.kokotkasquand.in.net and *.explosionjunip.in.net, with a different subdomain per entry.
# Because every rule pins the full host, a subdomain missing from the feed will not alert;
# pair this ruleset with DNS or proxy-log searches on the parent domains and on the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"user-pool.kokotkasquand.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813189/; classtype:trojan-activity;sid:84676289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.170.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813187/; classtype:trojan-activity;sid:84676287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.225.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813188/; classtype:trojan-activity;sid:84676288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"limit-gate.kokotkasquand.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813186/; classtype:trojan-activity;sid:84676286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"track-hub.kokotkasquand.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813185/; classtype:trojan-activity;sid:84676285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.118.245.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813183/; classtype:trojan-activity;sid:84676283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.8.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813184/; classtype:trojan-activity;sid:84676284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"spend-api.kokotkasquand.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813182/; classtype:trojan-activity;sid:84676282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"loss-monitor.kokotkasquand.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813181/; classtype:trojan-activity;sid:84676281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"waste-node.kokotkasquand.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813180/; classtype:trojan-activity;sid:84676280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"boom-logic.explosionjunip.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813179/; classtype:trojan-activity;sid:84676279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"plant-api.explosionjunip.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813178/; classtype:trojan-activity;sid:84676278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813177)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.148.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813177/; classtype:trojan-activity;sid:84676277; rev:1;)
# Exact-URL indicators: a rule fires only when the GET request's URI and Host both equal the
# listed values in full (depth + endswith on http.uri, depth + isdataat:!1,relative on
# http.host). Cleartext HTTP from $HOME_NET only; nothing here inspects TLS sessions.
# NOTE(review): 85.239.147.6 serves "/files/<number>/<name>.exe"; the numeric directory and file
# name differ per entry across this ruleset, so a new sample on the same host is missed until
# the feed lists it. A hit on any of these is a reason to review all HTTP to that host.
# NOTE(review): the ".../verification.google" path continues under *.explosionjunip.in.net and
# *.howaskfor.in.net; hunting on the path alone generalises better than the per-host rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"green-core.explosionjunip.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813176/; classtype:trojan-activity;sid:84676276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.151.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813174/; classtype:trojan-activity;sid:84676274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.151.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813175/; classtype:trojan-activity;sid:84676275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"wood-trace.explosionjunip.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813173/; classtype:trojan-activity;sid:84676273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fire-wall.explosionjunip.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813172/; classtype:trojan-activity;sid:84676272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.49.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813171/; classtype:trojan-activity;sid:84676271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.74.18"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813170/; classtype:trojan-activity;sid:84676270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"blast-zone.explosionjunip.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813169/; classtype:trojan-activity;sid:84676269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.148.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813168/; classtype:trojan-activity;sid:84676268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-form.howaskfor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813167/; classtype:trojan-activity;sid:84676267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.30.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813166/; classtype:trojan-activity;sid:84676266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.104.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813165/; classtype:trojan-activity;sid:84676265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"client-gate.howaskfor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813164/; classtype:trojan-activity;sid:84676264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"search-svc.howaskfor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813163/; classtype:trojan-activity;sid:84676263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8301037712/oddofh9.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813162/; classtype:trojan-activity;sid:84676262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.247.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813161/; classtype:trojan-activity;sid:84676261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"help-desk.howaskfor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813160/; classtype:trojan-activity;sid:84676260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.49.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813159/; classtype:trojan-activity;sid:84676259; rev:1;)
# Every rule here matches a single full URL over cleartext HTTP: "depth" equal to the content
# length with "endswith" fixes http.uri, and "depth" with "isdataat:!1,relative" fixes
# http.host. A request with a query string appended, or one made over TLS, does not alert.
# "metadata:created_at" records when the feed added the rule; URLhaus entries go offline over
# time, so weigh a hit against the current status on the referenced entry page.
# NOTE(review): the ".../verification.google" path is listed for *.howaskfor.in.net and
# *.enameledtack.in.net in this stretch. Host-pinned rules miss unlisted subdomains; a log
# search on the path or the parent domains covers that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"request-io.howaskfor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813158/; classtype:trojan-activity;sid:84676258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"query-hub.howaskfor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813157/; classtype:trojan-activity;sid:84676257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fix-node.enameledtack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813156/; classtype:trojan-activity;sid:84676256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"coat-logic.enameledtack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813155/; classtype:trojan-activity;sid:84676255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813154/; classtype:trojan-activity;sid:84676254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.247.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813153/; classtype:trojan-activity;sid:84676253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7359455182/et5cbkq.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813152/; classtype:trojan-activity;sid:84676252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"surface-api.enameledtack.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813151/; classtype:trojan-activity;sid:84676251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pin-storage.enameledtack.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813150/; classtype:trojan-activity;sid:84676250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.224.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813149/; classtype:trojan-activity;sid:84676249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hard-point.enameledtack.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813148/; classtype:trojan-activity;sid:84676248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"gloss-check.enameledtack.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813147/; classtype:trojan-activity;sid:84676247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3813146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.142.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813146/; classtype:trojan-activity;sid:84676246; rev:1;)
# Exact-URL indicators: http.uri (depth + endswith) and http.host (depth +
# isdataat:!1,relative) must both equal the listed value in full. Only cleartext HTTP GETs
# from $HOME_NET to $EXTERNAL_NET are inspected, so $HOME_NET must be set correctly and TLS
# downloads are out of scope.
# NOTE(review): 85.239.147.6 is listed with "arefdta.msi" and "arefdta.exe" under the same
# "/files/7362035837/" directory. The rules pin the full path, so another file name in that
# directory would not alert; on a hit, review all requests from the client to that host.
# NOTE(review): the ".../verification.google" path is listed for *.exhortshelk.in.net here,
# one subdomain per entry; searching logs for the path alone covers unlisted subdomains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"relay-svc.exhortshelk.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813145/; classtype:trojan-activity;sid:84676245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7362035837/arefdta.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813144/; classtype:trojan-activity;sid:84676244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.176.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813143/; classtype:trojan-activity;sid:84676243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.255.55.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813142/; classtype:trojan-activity;sid:84676242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sync-logic.exhortshelk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813141/; classtype:trojan-activity;sid:84676241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"alert-node.exhortshelk.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813140/; classtype:trojan-activity;sid:84676240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"push-notify.exhortshelk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813139/; classtype:trojan-activity;sid:84676239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"voice-api.exhortshelk.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813138/; classtype:trojan-activity;sid:84676238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.142.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813137/; classtype:trojan-activity;sid:84676237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7362035837/arefdta.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813136/; classtype:trojan-activity;sid:84676236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"call-center.exhortshelk.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813135/; classtype:trojan-activity;sid:84676235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.176.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813134/; classtype:trojan-activity;sid:84676234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813133)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"master-index.conceptmatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813133/; classtype:trojan-activity;sid:84676233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.23.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813132/; classtype:trojan-activity;sid:84676232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sketch-node.conceptmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813131/; classtype:trojan-activity;sid:84676231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"view-port.conceptmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813130/; classtype:trojan-activity;sid:84676230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; 
http.host; content:"cloud-draft.conceptmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813129/; classtype:trojan-activity;sid:84676229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"root-source.conceptmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813128/; classtype:trojan-activity;sid:84676228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"entity-hub.conceptmatrix.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813127/; classtype:trojan-activity;sid:84676227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.22.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813126/; classtype:trojan-activity;sid:84676226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ghost-api.abstractlogic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, 
urlhaus.abuse.ch/url/3813125/; classtype:trojan-activity;sid:84676225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"theory-svc.abstractlogic.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813124/; classtype:trojan-activity;sid:84676224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pure-node.abstractlogic.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813123/; classtype:trojan-activity;sid:84676223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.50.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813122/; classtype:trojan-activity;sid:84676222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"blank-space.abstractlogic.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813121/; classtype:trojan-activity;sid:84676221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.31507mq.zip"; depth:14; endswith; nocase; http.host; content:"pub-3f298b361d774ae0a68be902f3ed9d89.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813118/; classtype:trojan-activity;sid:84676218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.117.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813112/; classtype:trojan-activity;sid:84676212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"model-check.abstractlogic.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813111/; classtype:trojan-activity;sid:84676211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813110/; classtype:trojan-activity;sid:84676210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; 
http.host; content:"idea-vault.abstractlogic.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813109/; classtype:trojan-activity;sid:84676209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813105/; classtype:trojan-activity;sid:84676205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813106/; classtype:trojan-activity;sid:84676206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813107/; classtype:trojan-activity;sid:84676207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813108/; classtype:trojan-activity;sid:84676208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813103)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813103/; classtype:trojan-activity;sid:84676203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"85.11.167.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813104/; classtype:trojan-activity;sid:84676204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"load-api.structuralcore.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813102/; classtype:trojan-activity;sid:84676202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stress-node.structuralcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813101/; classtype:trojan-activity;sid:84676201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.203.83"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813100/; classtype:trojan-activity;sid:84676200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-support.structuralcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813099/; classtype:trojan-activity;sid:84676199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"solid-store.structuralcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813098/; classtype:trojan-activity;sid:84676198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.171.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813097/; classtype:trojan-activity;sid:84676197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"beam-logic.structuralcore.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813096/; classtype:trojan-activity;sid:84676196; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"frame-build.structuralcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813095/; classtype:trojan-activity;sid:84676195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meta-point.semanticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813094/; classtype:trojan-activity;sid:84676194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.2.196.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813093/; classtype:trojan-activity;sid:84676193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.171.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813092/; classtype:trojan-activity;sid:84676192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"182.117.122.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813091/; classtype:trojan-activity;sid:84676191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"link-trace.semanticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813090/; classtype:trojan-activity;sid:84676190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"tag-portal.semanticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813089/; classtype:trojan-activity;sid:84676189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.28.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813088/; classtype:trojan-activity;sid:84676188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meaning-svc.semanticvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 
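2026_04_06; reference:url, urlhaus.abuse.ch/url/3813087/; classtype:trojan-activity;sid:84676187; rev:1;)
# Each rule below alerts on a client GET from $HOME_NET whose URI and Host both
# equal one URLhaus entry: depth equals the content length and endswith pins the
# URI to the whole buffer; depth plus isdataat:!1,relative does the same for Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"term-index.semanticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813086/; classtype:trojan-activity;sid:84676186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.91.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813085/; classtype:trojan-activity;sid:84676185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"word-map.semanticvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813084/; classtype:trojan-activity;sid:84676184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"vision-node.cognitivematrix.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813068/; classtype:trojan-activity;sid:84676168; rev:1;)
# NOTE(review): http.uri is Suricata's normalized URI buffer, in which %20 is
# decoded to a space; the undecoded request text is only in http.uri.raw (see the
# Suricata http.uri / http.uri.raw documentation). The feed's literal content
# "/get%20files/client" with depth:19 therefore would not match in http.uri.
# The rule below matches the decoded path instead (17 bytes). The sid is kept and
# rev is bumped for this local change; a feed refresh will overwrite it, so the
# gap should also be reported upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get files/client"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813069/; classtype:trojan-activity;sid:84676169; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.sh4"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813070/; classtype:trojan-activity;sid:84676170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.arm5"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813071/; classtype:trojan-activity;sid:84676171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.apk"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813072/; classtype:trojan-activity;sid:84676172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.i686"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; 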
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813073/; classtype:trojan-activity;sid:84676173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.x64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813074/; classtype:trojan-activity;sid:84676174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.arm4"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813075/; classtype:trojan-activity;sid:84676175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.x86"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813076/; classtype:trojan-activity;sid:84676176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.arm6"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813077/; classtype:trojan-activity;sid:84676177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813078)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/binss/zyre.i486"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813078/; classtype:trojan-activity;sid:84676178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.mips"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813079/; classtype:trojan-activity;sid:84676179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.spc"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813080/; classtype:trojan-activity;sid:84676180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.m68k"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813081/; classtype:trojan-activity;sid:84676181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.arm7"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813082/; classtype:trojan-activity;sid:84676182; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.dbg"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813083/; classtype:trojan-activity;sid:84676183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/zyre.mpsl"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813067/; classtype:trojan-activity;sid:84676167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813066/; classtype:trojan-activity;sid:84676166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.2.196.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813065/; classtype:trojan-activity;sid:84676165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"brain-api.cognitivematrix.in.net"; depth:32; 
isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813064/; classtype:trojan-activity;sid:84676164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sense-gate.cognitivematrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813063/; classtype:trojan-activity;sid:84676163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.36.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813062/; classtype:trojan-activity;sid:84676162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"neural-io.cognitivematrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813061/; classtype:trojan-activity;sid:84676161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813060/; classtype:trojan-activity;sid:84676160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3813059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.91.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813059/; classtype:trojan-activity;sid:84676159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thought-hub.cognitivematrix.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813058/; classtype:trojan-activity;sid:84676158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.39.122.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813057/; classtype:trojan-activity;sid:84676157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-stack.cognitivematrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813056/; classtype:trojan-activity;sid:84676156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.5.130.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813055/; classtype:trojan-activity;sid:84676155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"core-net.logicalfabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813054/; classtype:trojan-activity;sid:84676154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stitch-api.logicalfabric.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813053/; classtype:trojan-activity;sid:84676153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thread-svc.logicalfabric.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813052/; classtype:trojan-activity;sid:84676152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.36.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, 
urlhaus.abuse.ch/url/3813051/; classtype:trojan-activity;sid:84676151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.53.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813050/; classtype:trojan-activity;sid:84676150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mesh-router.logicalfabric.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813049/; classtype:trojan-activity;sid:84676149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.52.205.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813048/; classtype:trojan-activity;sid:84676148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"177.39.122.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813047/; classtype:trojan-activity;sid:84676147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813046)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"gate-secure.logicalfabric.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813046/; classtype:trojan-activity;sid:84676146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.120.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813045/; classtype:trojan-activity;sid:84676145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.164.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813044/; classtype:trojan-activity;sid:84676144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bit-weave.logicalfabric.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813043/; classtype:trojan-activity;sid:84676143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.122.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813042/; 
classtype:trojan-activity;sid:84676142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"point-drift.inductiveflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813041/; classtype:trojan-activity;sid:84676141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.44.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813040/; classtype:trojan-activity;sid:84676140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"flux-scan.inductiveflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813039/; classtype:trojan-activity;sid:84676139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"likely-hood.inductiveflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813038/; classtype:trojan-activity;sid:84676138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3813037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trend-sensor.inductiveflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813037/; classtype:trojan-activity;sid:84676137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.53.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813036/; classtype:trojan-activity;sid:84676136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.0.51"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813035/; classtype:trojan-activity;sid:84676135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.68.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813034/; classtype:trojan-activity;sid:84676134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-guess.inductiveflux.in.net"; depth:31; isdataat:!1,relative; 
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813033/; classtype:trojan-activity;sid:84676133; rev:1;)
# The line above is the tail of rule 3813033, which starts on the preceding line.
#
# 3813031, 3813032 and 3813027 all target host 179.43.182.70 under the shared prefix
# /payload/ne4769eap2uv/ and differ only in the final 10-character path segment.
# depth:32 + endswith makes each one a whole-URI match, so a request for a final segment
# that is not listed here does not alert even though host and prefix are the same.
# Triage hint: correlate alerts from this group by the host value rather than by single sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/rduiqsxg66"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813031/; classtype:trojan-activity;sid:84676131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/547e510g2m"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813032/; classtype:trojan-activity;sid:84676132; rev:1;)
# 3813030: same /verification.google URI as the other *.in.net rules in this file section;
# only the exact host (a subdomain of inductiveflux.in.net) distinguishes it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pattern-dev.inductiveflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813030/; classtype:trojan-activity;sid:84676130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/zlr01030u5"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813027/; classtype:trojan-activity;sid:84676127; rev:1;)
# The next rule's text continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3813028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/rh1ele5p8l"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813028/; classtype:trojan-activity;sid:84676128; rev:1;)
# The line above is the tail of rule 3813028, whose header is on the preceding line.
#
# Every rule on this line targets host 179.43.182.70 with a URI of the form
# /payload/ne4769eap2uv/<10-character segment>. Each is a whole-URI match
# (depth:32 + endswith) paired with an exact host match (depth:13 + isdataat:!1,relative),
# so only the enumerated final segments alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/3yahbbprg4"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813029/; classtype:trojan-activity;sid:84676129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/rt6l46cwdn"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813024/; classtype:trojan-activity;sid:84676124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/5u6pbsspr6"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813025/; classtype:trojan-activity;sid:84676125; rev:1;)
# 3813026: the rule text continues on the following line (its depth and
# isdataat modifiers for the host pattern are there).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/aygbsqq0c4"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813026/; classtype:trojan-activity;sid:84676126; rev:1;)
# The line above is the tail of rule 3813026, which starts on the preceding line.
#
# 3813021, 3813022 and 3813023 follow the same shape as that rule: host 179.43.182.70,
# URI /payload/ne4769eap2uv/<10-character segment>, whole-URI and exact-host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/ln8cw1ox1f"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813021/; classtype:trojan-activity;sid:84676121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/3vrtjbxplo"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813022/; classtype:trojan-activity;sid:84676122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/rigdtn0fpm"; depth:32; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813023/; classtype:trojan-activity;sid:84676123; rev:1;)
# 3813020: same host and path prefix, but the final segment is a ".sh" file name, hence
# depth:31 instead of 32. An alert here alongside any of the sibling sids for the same
# internal client is worth reviewing as one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/ne4769eap2uv/xurc7j.sh"; depth:31; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813020/; classtype:trojan-activity;sid:84676120; rev:1;)
# The next rule's text continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3813019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"unit-logic.deductivegrid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813019/; classtype:trojan-activity;sid:84676119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.44.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813018/; classtype:trojan-activity;sid:84676118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.231.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813017/; classtype:trojan-activity;sid:84676117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-extract.deductivegrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813016/; classtype:trojan-activity;sid:84676116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.0.51"; depth:11; 
isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813015/; classtype:trojan-activity;sid:84676115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"law-verify.deductivegrid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813014/; classtype:trojan-activity;sid:84676114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.230.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813013/; classtype:trojan-activity;sid:84676113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"proof-static.deductivegrid.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813012/; classtype:trojan-activity;sid:84676112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"result-node.deductivegrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813011/; 
classtype:trojan-activity;sid:84676111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"top-down-io.deductivegrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813010/; classtype:trojan-activity;sid:84676110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.46.83.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813008/; classtype:trojan-activity;sid:84676108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813009/; classtype:trojan-activity;sid:84676109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"axis-portal.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813007/; classtype:trojan-activity;sid:84676107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813006)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.46.83.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813006/; classtype:trojan-activity;sid:84676106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"norm-engine.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813005/; classtype:trojan-activity;sid:84676105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.230.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813004/; classtype:trojan-activity;sid:84676104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.25.95"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813003/; classtype:trojan-activity;sid:84676103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"check-point.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, 
urlhaus.abuse.ch/url/3813002/; classtype:trojan-activity;sid:84676102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"proof-vault.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813001/; classtype:trojan-activity;sid:84676101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-syntax.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3813000/; classtype:trojan-activity;sid:84676100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.92.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812999/; classtype:trojan-activity;sid:84676099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"strict-code.formalisticcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812998/; classtype:trojan-activity;sid:84676098; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.231.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812997/; classtype:trojan-activity;sid:84676097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"seq-manager.methodicstream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812996/; classtype:trojan-activity;sid:84676096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.231.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812995/; classtype:trojan-activity;sid:84676095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.76.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812994/; classtype:trojan-activity;sid:84676094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"rule-monitor.methodicstream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812993/; classtype:trojan-activity;sid:84676093; rev:1;)
# The line above is the tail of rule 3812993, which starts on the preceding line.
#
# 3812992: the URI pattern uses hex escapes. |3f| decodes to "?", and each |7c|26|7c|
# decodes to the four literal bytes "|26|" -- not to "&".
# NOTE(review): "|26|" between query parameters looks like an "&" that was already
# written in hex notation and then had its pipe characters escaped again. If the real
# download URL separates parameters with "&", this pattern cannot match it; confirm
# against the URLhaus entry before relying on this sid.
# depth:195 equals the length of the escaped pattern text, while the decoded pattern is
# 132 bytes. Unlike the neighbouring rules, depth therefore does not force the match to
# start at offset 0: with endswith, the pattern may be the suffix of a URI up to 195
# bytes long rather than having to be the entire URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|t=massspamming|7c|26|7c|c=massspamming|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:195; endswith; nocase; http.host; content:"5.101.82.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812992/; classtype:trojan-activity;sid:84676092; rev:1;)
# 3812991: whole-URI match on the shared /verification.google path plus an exact match on
# one subdomain of methodicstream.in.net.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"path-logic.methodicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812991/; classtype:trojan-activity;sid:84676091; rev:1;)
# 3812990: two-byte URI ("/i") on a bare IPv4 host; the same address is also listed with
# /bin.sh under URLhaus ID 3812976.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.17.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812990/; classtype:trojan-activity;sid:84676090; rev:1;)
# 3812989: the rule text continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffa.txt"; depth:8; endswith; nocase; http.host; content:"167.148.195.30"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812989/; classtype:trojan-activity;sid:84676089; rev:1;)
# The line above is the tail of rule 3812989, which starts on the preceding line.
#
# Each rule below alerts on an outbound GET whose URI (depth + endswith, nocase) and
# host (depth + isdataat:!1,relative) both equal the listed values exactly.
#
# 3812988: named host with a .zip path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"one.immortalday.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812988/; classtype:trojan-activity;sid:84676088; rev:1;)
# 3812986: the URI names a .txt file; classtype is trojan-activity like every other rule
# here, so the extension says nothing about what is actually served.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i88.txt"; depth:8; endswith; nocase; http.host; content:"176.65.144.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812986/; classtype:trojan-activity;sid:84676086; rev:1;)
# 3812987 and 3812985 share the host i.postimg.cc and differ only in the 8-character
# path segment before /image.png, so the path is the indicator and the host is not.
# NOTE(review): i.postimg.cc looks like a general-purpose image-hosting name -- if so,
# do not derive host-level blocking or hunting from these two rules; confirm.
# NOTE(review): nocase makes every case variant of the 8-character segment match. If the
# service treats that segment as case-sensitive, unrelated uploads could alert; verify
# a hit against the exact URL in the URLhaus reference before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pjmg3bxj/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812987/; classtype:trojan-activity;sid:84676087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydzxhtfs/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812985/; classtype:trojan-activity;sid:84676085; rev:1;)
# 3812984: the rule text continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812984)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/032.txt"; depth:8; endswith; nocase; http.host; content:"77.91.97.92"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812984/; classtype:trojan-activity;sid:84676084; rev:1;)
# --- Reading the rules in this section ---------------------------------------
# Each rule is one URLhaus entry turned into an exact-URL match on cleartext HTTP:
#   alert http $HOME_NET any -> $EXTERNAL_NET any; flow:established,from_client
#       client-side requests on established flows leaving the home network
#   http.method; content:"GET"
#       GET requests only
#   http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the pattern length and endswith anchors the end, so the
#       URI buffer must equal <path> (compared case-insensitively)
#   http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       same idea for the host buffer: match from offset 0, no data after it
# The number in msg and in reference:url is the URLhaus URL id. In the rules
# shown here sid is always that id plus 80863100, so an alert's sid maps
# straight back to its URLhaus entry.
#
# Coverage notes for whoever deploys this section:
#   - These are point-in-time indicators (see metadata:created_at). Reload the
#     ruleset from the feed regularly rather than keeping old copies.
#   - An alert means a host in $HOME_NET requested a listed URL; it does not
#     show whether the download completed or was executed. Triage the source host.
#   - Only the exact URL over HTTP is covered. The same host reached over TLS,
#     with another method, or at another path raises no alert from these rules,
#     so also search DNS/proxy/flow logs for the listed hosts.
#   - $HOME_NET and $EXTERNAL_NET must describe the monitored network, otherwise
#     the direction filter hides matches.
#   - Many entries below share one URI path (".../verification.google") across
#     numerous *.in.net subdomains, and several IP-literal hosts are listed twice,
#     once for "/i" and once for "/bin.sh". A retrospective log search on the
#     shared path, or on the host alone, can surface requests the per-URL rules
#     do not cover.
# ------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trace-audit.methodicstream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812983/; classtype:trojan-activity;sid:84676083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"flow-order.methodicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812982/; classtype:trojan-activity;sid:84676082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"step-sync.methodicstream.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812981/; classtype:trojan-activity;sid:84676081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.61.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812980/; classtype:trojan-activity;sid:84676080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.125.7.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812978/; classtype:trojan-activity;sid:84676078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"trace-result.analyticvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812979/; classtype:trojan-activity;sid:84676079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meta-track.analyticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812977/; classtype:trojan-activity;sid:84676077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.17.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812976/; classtype:trojan-activity;sid:84676076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"data-split.analyticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812975/; classtype:trojan-activity;sid:84676075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7362035837/lalmhoj.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812974/; classtype:trojan-activity;sid:84676074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"point-scan.analyticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812973/; classtype:trojan-activity;sid:84676073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.19.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812972/; classtype:trojan-activity;sid:84676072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.125.7.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812971/; classtype:trojan-activity;sid:84676071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stat-render.analyticvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812970/; classtype:trojan-activity;sid:84676070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.61.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812969/; classtype:trojan-activity;sid:84676069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"break-down.analyticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812968/; classtype:trojan-activity;sid:84676068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"67.20.225.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812967/; classtype:trojan-activity;sid:84676067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"decision-svc.rationalmatrix.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812966/; classtype:trojan-activity;sid:84676066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"calc-logic.rationalmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812965/; classtype:trojan-activity;sid:84676065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"clear-head.rationalmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812964/; classtype:trojan-activity;sid:84676064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.19.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812963/; classtype:trojan-activity;sid:84676063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"think-tank.rationalmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812962/; classtype:trojan-activity;sid:84676062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"smart-node.rationalmatrix.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812961/; classtype:trojan-activity;sid:84676061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.207.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812960/; classtype:trojan-activity;sid:84676060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.228.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812959/; classtype:trojan-activity;sid:84676059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ratio-point.rationalmatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812958/; classtype:trojan-activity;sid:84676058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.188.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812957/; classtype:trojan-activity;sid:84676057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.92.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812956/; classtype:trojan-activity;sid:84676056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"perception-svc.cognitivefabric.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812955/; classtype:trojan-activity;sid:84676055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812954/; classtype:trojan-activity;sid:84676054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.76.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812953/; classtype:trojan-activity;sid:84676053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.110.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812952/; classtype:trojan-activity;sid:84676052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sense-data.cognitivefabric.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812951/; classtype:trojan-activity;sid:84676051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-web.cognitivefabric.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812950/; classtype:trojan-activity;sid:84676050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"neural-link.cognitivefabric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812949/; classtype:trojan-activity;sid:84676049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.76.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812948/; classtype:trojan-activity;sid:84676048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thought-api.cognitivefabric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812947/; classtype:trojan-activity;sid:84676047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.172.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812946/; classtype:trojan-activity;sid:84676046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"brain-weave.cognitivefabric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812945/; classtype:trojan-activity;sid:84676045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"line-secure.systematiclayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812944/; classtype:trojan-activity;sid:84676044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.219.44.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812943/; classtype:trojan-activity;sid:84676043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"archive-hub.systematiclayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812942/; classtype:trojan-activity;sid:84676042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.231.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812941/; classtype:trojan-activity;sid:84676041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.219.44.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812940/; classtype:trojan-activity;sid:84676040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.156.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812939/; classtype:trojan-activity;sid:84676039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"file-stack.systematiclayer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812938/; classtype:trojan-activity;sid:84676038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rank-index.systematiclayer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812937/; classtype:trojan-activity;sid:84676037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8301037712/w2hgvst.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812936/; classtype:trojan-activity;sid:84676036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"step-monitor.systematiclayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812935/; classtype:trojan-activity;sid:84676035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.144.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812934/; classtype:trojan-activity;sid:84676034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.49.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812933/; classtype:trojan-activity;sid:84676033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/diagetlupdate_installer.exe"; depth:37; endswith; nocase; http.host; content:"www.globalchat.site"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812932/; classtype:trojan-activity;sid:84676032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.156.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812931/; classtype:trojan-activity;sid:84676031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"order-logic.systematiclayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812930/; classtype:trojan-activity;sid:84676030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812929/; classtype:trojan-activity;sid:84676029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812928/; classtype:trojan-activity;sid:84676028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"frame-api.theoreticvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812927/; classtype:trojan-activity;sid:84676027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812926/; classtype:trojan-activity;sid:84676026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"space-time.theoreticvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812925/; classtype:trojan-activity;sid:84676025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.144.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812924/; classtype:trojan-activity;sid:84676024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.78.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812923/; classtype:trojan-activity;sid:84676023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"ideal-node.theoreticvector.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812922/; classtype:trojan-activity;sid:84676022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"map-project.theoreticvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812921/; classtype:trojan-activity;sid:84676021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.172.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812920/; classtype:trojan-activity;sid:84676020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.135.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812919/; classtype:trojan-activity;sid:84676019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"model-check.theoreticvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812918/; classtype:trojan-activity;sid:84676018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.146.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812917/; classtype:trojan-activity;sid:84676017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.93.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812916/; classtype:trojan-activity;sid:84676016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.163.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812915/; classtype:trojan-activity;sid:84676015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.121.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812914/; classtype:trojan-activity;sid:84676014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"abstract-io.theoreticvector.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812913/; classtype:trojan-activity;sid:84676013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812912/; classtype:trojan-activity;sid:84676012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.121.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812911/; classtype:trojan-activity;sid:84676011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812910/; classtype:trojan-activity;sid:84676010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.190.185.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812909/; classtype:trojan-activity;sid:84676009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.80.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812908/; classtype:trojan-activity;sid:84676008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"step-wise.inferentialcore.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812907/; classtype:trojan-activity;sid:84676007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.163.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812906/; classtype:trojan-activity;sid:84676006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"guess-node.inferentialcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812905/; classtype:trojan-activity;sid:84676005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.127.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812904/; classtype:trojan-activity;sid:84676004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.93.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812902/; classtype:trojan-activity;sid:84676002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.180.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812903/; classtype:trojan-activity;sid:84676003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.145.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812901/; classtype:trojan-activity;sid:84676001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hint-api.inferentialcore.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812900/; classtype:trojan-activity;sid:84676000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812899/; classtype:trojan-activity;sid:84675999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logic-vault.inferentialcore.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812898/; classtype:trojan-activity;sid:84675998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.245.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812897/; classtype:trojan-activity;sid:84675997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"lead-trace.inferentialcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812896/; classtype:trojan-activity;sid:84675996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.223.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812895/; classtype:trojan-activity;sid:84675995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.0.146"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812894/; classtype:trojan-activity;sid:84675994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"infer-unit.inferentialcore.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812893/; classtype:trojan-activity;sid:84675993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.190.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812892/; classtype:trojan-activity;sid:84675992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"motion-svc.dialecticflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812891/; classtype:trojan-activity;sid:84675991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3812890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.65.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812890/; classtype:trojan-activity;sid:84675990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.119.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812889/; classtype:trojan-activity;sid:84675989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.190.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812888/; classtype:trojan-activity;sid:84675988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"shift-point.dialecticflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812887/; classtype:trojan-activity;sid:84675987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.223.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; 
reference:url, urlhaus.abuse.ch/url/3812886/; classtype:trojan-activity;sid:84675986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"debate-log.dialecticflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812885/; classtype:trojan-activity;sid:84675985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.159.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812884/; classtype:trojan-activity;sid:84675984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.24.7.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812883/; classtype:trojan-activity;sid:84675983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.190.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812882/; classtype:trojan-activity;sid:84675982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812881)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"synth-portal.dialecticflux.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812881/; classtype:trojan-activity;sid:84675981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.155.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812880/; classtype:trojan-activity;sid:84675980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"anti-node.dialecticflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812879/; classtype:trojan-activity;sid:84675979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.190.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812878/; classtype:trojan-activity;sid:84675978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.96.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812877/; 
classtype:trojan-activity;sid:84675977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.19.69"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812876/; classtype:trojan-activity;sid:84675976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.205.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812875/; classtype:trojan-activity;sid:84675975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thesis-sync.dialecticflux.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812874/; classtype:trojan-activity;sid:84675974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.159.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812873/; classtype:trojan-activity;sid:84675973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"37.52.149.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812872/; classtype:trojan-activity;sid:84675972; rev:1;)
# How these generated rules match: the http.uri content carries depth equal to
# its own length plus endswith, so the whole normalized URI must equal the
# string (a request that appends a query string will not match); nocase makes
# that URI comparison case-insensitive. The http.host content uses depth plus
# isdataat:!1,relative, so the host must equal the string exactly.
#
# The next four rules all sit under the same account path prefix
# "/l44443934-ui/" on github.com and differ only in repository and file name.
# NOTE(review): these are `alert http` rules; if clients reach github.com over
# TLS, the request line is only visible to the sensor when traffic is decrypted
# upstream. Confirm coverage, and consider hunting proxy/endpoint logs for the
# shared path prefix as a complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aa/raw/refs/heads/main/hey.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812871/; classtype:trojan-activity;sid:84675971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/99/raw/refs/heads/main/violet.exe"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812870/; classtype:trojan-activity;sid:84675970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaaa/raw/refs/heads/main/hey.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812869/; classtype:trojan-activity;sid:84675969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/violet/raw/refs/heads/main/violet.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812867/; classtype:trojan-activity;sid:84675967; rev:1;)
# Same account path prefix "/l44443934-ui/" on github.com as the neighbouring
# github.com rules in this ruleset.
# NOTE(review): `alert http` only sees this request when it is plaintext or
# decrypted upstream; confirm the sensor has visibility for github.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/app/raw/refs/heads/main/violet.exe"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812868/; classtype:trojan-activity;sid:84675968; rev:1;)
# The URI here is only "/i" (depth:2 + endswith = exact match), so the
# specificity of this rule comes entirely from the exact host IP.
# NOTE(review): an IP-bound indicator goes stale if the address is reassigned;
# metadata:created_at can be used to age such rules out. Confirm local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.125.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812866/; classtype:trojan-activity;sid:84675966; rev:1;)
# Exact URI match on a .bat file served through /down.php/ on cccimg.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down.php/4e950740bf977e9c89d48cd323c3c0b2.bat"; depth:46; endswith; nocase; http.host; content:"cccimg.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812865/; classtype:trojan-activity;sid:84675964; rev:1;)
# The path "/05fe317c-0981-4de2-bc8a-930d369db441/verification.google" is
# identical across many rules in this ruleset; only the *.in.net host label
# changes. Because each rule pins one exact host, a new subdomain serving the
# same path is not covered until the feed lists it. Searching proxy logs for
# the path alone is a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"law-check.axiomaticgrid.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812864/; classtype:trojan-activity;sid:84675964; rev:1;)
# The next two rules name the same repository file ("aaa" ... "he.exe") under
# two URL forms: raw.githubusercontent.com without "/raw/", and github.com with
# "/raw/" in the path. Presumably both resolve to the same object; verify
# against the URLhaus references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaa/refs/heads/main/he.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812862/; classtype:trojan-activity;sid:84675962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaa/raw/refs/heads/main/he.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812863/; classtype:trojan-activity;sid:84675963; rev:1;)
# Short, generic paths ("/i", "/bin.sh") bound to one exact host IP each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.67.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812861/; classtype:trojan-activity;sid:84675961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.245.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812860/; classtype:trojan-activity;sid:84675960; rev:1;)
# Exact match on an installer-style .exe name served from 62.60.226.159.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ability_3759.42.6_install.exe"; depth:30; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812858/; classtype:trojan-activity;sid:84675958; 
rev:1;)
# Exact URI "/xy.exe" on host 62.60.226.159.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xy.exe"; depth:7; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812857/; classtype:trojan-activity;sid:84675957; rev:1;)
# Two more hosts under axiomaticgrid.in.net serving the
# ".../verification.google" path that recurs throughout this ruleset. Each rule
# pins one exact host (depth + isdataat:!1,relative), so sibling subdomains
# need their own entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-matrix.axiomaticgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812856/; classtype:trojan-activity;sid:84675956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fixed-point.axiomaticgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812855/; classtype:trojan-activity;sid:84675955; rev:1;)
# The URI content is just "/" with depth:1 and endswith, so this fires on any
# GET for the root path of msgrouppolicy.vg. In practice it is a host-level
# indicator; requests for any other path on that host do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"msgrouppolicy.vg"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812854/; classtype:trojan-activity;sid:84675954; rev:1;)
# Two-byte URI "/i"; the host condition for this rule follows on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"125.45.64.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812853/; classtype:trojan-activity;sid:84675953; rev:1;)
# Exact URI "/bin.sh" on one host IP. depth equals the content length and
# endswith anchors the end, so "/bin.sh" followed by a query string would not
# match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.149.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812852/; classtype:trojan-activity;sid:84675952; rev:1;)
# Another axiomaticgrid.in.net host serving the recurring
# ".../verification.google" path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mesh-static.axiomaticgrid.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812851/; classtype:trojan-activity;sid:84675951; rev:1;)
# The rules from here on cover file names that share a stem and differ only in
# a CPU-architecture suffix (mipsel, armv4l, armv5l, x86_64, sh4): "cali.*" on
# 82.25.56.112, and "iran.*" on 83.168.110.191 and 38.60.216.39. The feed emits
# one rule per architecture and host.
# NOTE(review): the suffixes suggest payloads for embedded/Linux devices. Check
# that $HOME_NET includes IoT and appliance segments so these rules can fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.mipsel"; depth:12; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812848/; classtype:trojan-activity;sid:84675948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812849/; classtype:trojan-activity;sid:84675949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812850/; classtype:trojan-activity;sid:84675950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812843/; classtype:trojan-activity;sid:84675943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.armv4l"; depth:12; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812844/; classtype:trojan-activity;sid:84675944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.sh4"; depth:9; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812845/; classtype:trojan-activity;sid:84675945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, 
urlhaus.abuse.ch/url/3812846/; classtype:trojan-activity;sid:84675946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812847/; classtype:trojan-activity;sid:84675947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812820/; classtype:trojan-activity;sid:84675920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812821/; classtype:trojan-activity;sid:84675921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.armv7l"; depth:12; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812822/; classtype:trojan-activity;sid:84675922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; 
http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812823/; classtype:trojan-activity;sid:84675923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.mips"; depth:10; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812824/; classtype:trojan-activity;sid:84675924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.x86"; depth:9; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812825/; classtype:trojan-activity;sid:84675925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.armv6l"; depth:12; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812826/; classtype:trojan-activity;sid:84675926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812827/; classtype:trojan-activity;sid:84675927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812828)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.sparc"; depth:11; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812828/; classtype:trojan-activity;sid:84675928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.125.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812829/; classtype:trojan-activity;sid:84675929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.armv5l"; depth:12; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812830/; classtype:trojan-activity;sid:84675930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812831/; classtype:trojan-activity;sid:84675931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812832/; classtype:trojan-activity;sid:84675932; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812833/; classtype:trojan-activity;sid:84675933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812834/; classtype:trojan-activity;sid:84675934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812835/; classtype:trojan-activity;sid:84675935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812836/; classtype:trojan-activity;sid:84675936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_06; reference:url, urlhaus.abuse.ch/url/3812837/; classtype:trojan-activity;sid:84675937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812838/; classtype:trojan-activity;sid:84675938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812839/; classtype:trojan-activity;sid:84675939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.m68k"; depth:10; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812840/; classtype:trojan-activity;sid:84675940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812841/; classtype:trojan-activity;sid:84675941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; 
endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812842/; classtype:trojan-activity;sid:84675942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812814/; classtype:trojan-activity;sid:84675914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812815/; classtype:trojan-activity;sid:84675915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812816/; classtype:trojan-activity;sid:84675916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812817/; classtype:trojan-activity;sid:84675917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812818)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.powerpc-440fp"; depth:19; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812818/; classtype:trojan-activity;sid:84675918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812819/; classtype:trojan-activity;sid:84675919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.i686"; depth:10; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812810/; classtype:trojan-activity;sid:84675910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.powerpc"; depth:13; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812811/; classtype:trojan-activity;sid:84675911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812812/; classtype:trojan-activity;sid:84675912; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cali.i586"; depth:10; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812813/; classtype:trojan-activity;sid:84675913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812808/; classtype:trojan-activity;sid:84675908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812809/; classtype:trojan-activity;sid:84675909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.170.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812807/; classtype:trojan-activity;sid:84675907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"core-logic.axiomaticgrid.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812806/; classtype:trojan-activity;sid:84675906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.115.161.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812805/; classtype:trojan-activity;sid:84675905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812804/; classtype:trojan-activity;sid:84675904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.i686"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812803/; classtype:trojan-activity;sid:84675903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.mpsl"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812794/; classtype:trojan-activity;sid:84675894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812795)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.spc"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812795/; classtype:trojan-activity;sid:84675895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.m68k"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812796/; classtype:trojan-activity;sid:84675896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.x86_64"; depth:16; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812797/; classtype:trojan-activity;sid:84675897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.i486"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812798/; classtype:trojan-activity;sid:84675898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.ppc"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812799/; 
classtype:trojan-activity;sid:84675899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.sh4"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812800/; classtype:trojan-activity;sid:84675900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.arm"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812801/; classtype:trojan-activity;sid:84675901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.49.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812802/; classtype:trojan-activity;sid:84675902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rule-set.axiomaticgrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812793/; classtype:trojan-activity;sid:84675893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.mips"; depth:14; 
endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812787/; classtype:trojan-activity;sid:84675887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.arm5"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812788/; classtype:trojan-activity;sid:84675888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.arm6"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812789/; classtype:trojan-activity;sid:84675889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.x86"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812790/; classtype:trojan-activity;sid:84675890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.arm7"; depth:14; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812791/; classtype:trojan-activity;sid:84675891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3812792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mao.arc"; depth:13; endswith; nocase; http.host; content:"89.190.156.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812792/; classtype:trojan-activity;sid:84675892; rev:1;)
# NOTE(review), sid 84675886: the http.uri pattern writes every query separator as `|7c|26|7c|`.
# Suricata decodes `|7c|` to the pipe byte, so the rule matches the four literal bytes "|26|",
# not "&" (0x26). This looks like double escaping in the rule generator -- TODO confirm against
# the URLhaus entry; if so, the rule as written cannot match the recorded URL.
# depth:229 equals the length of the escaped rule text; the decoded pattern is 196 bytes, so
# depth is looser than an exact-length anchor (endswith still pins the end of the buffer).
# The `se=2026-04-06t08...` parameter appears to be a signed-URL expiry (presumably the exact
# URL stops resolving after that time -- verify). The host is normally reached over HTTPS, so an
# `alert http` rule only sees it on cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/github-production-release-asset/1201672648/2630ced6-3c20-444a-9e9c-5ea38846399c|3f|sp=r|7c|26|7c|sv=2018-11-09|7c|26|7c|sr=b|7c|26|7c|spr=https|7c|26|7c|se=2026-04-06t08%3a27%3a39z|7c|26|7c|rscd=attachment%3b+filename%3dfile.exe"; depth:229; endswith; nocase; http.host; content:"release-assets.githubusercontent.com"; depth:36; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812786/; classtype:trojan-activity;sid:84675886; rev:1;)
# NOTE(review), sid 84675885: the pattern is literal percent-escaped text (`%e7%88...`), matched
# against http.uri, which is the normalized URI buffer. The Suricata documentation describes
# percent-escapes such as %20 being decoded in that buffer and points to the raw URI buffer for
# matching the escaped form -- TODO replay a sample request to confirm this rule fires as written.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e7%88%b1%e7%bf%bb%e8%af%91-20260404.rar"; depth:41; endswith; nocase; http.host; content:"e-ifanyi.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812785/; classtype:trojan-activity;sid:84675885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"paper.recentbox.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812782/; classtype:trojan-activity;sid:84675882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812781)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/public/69adbe084cd3b016d9ae3891/7f201bfb1_donutmoneydisplay-100.jar"; depth:74; endswith; nocase; http.host; content:"media.base44.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812781/; classtype:trojan-activity;sid:84675881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/public/69adbe084cd3b016d9ae3891/733184ba4_gambling-rig-121x2.jar"; depth:71; endswith; nocase; http.host; content:"media.base44.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812780/; classtype:trojan-activity;sid:84675880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"cdnlivechatinc.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812776/; classtype:trojan-activity;sid:84675876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ws"; depth:3; endswith; nocase; http.host; content:"cdnlivechatinc.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812777/; classtype:trojan-activity;sid:84675877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/public/69adbe084cd3b016d9ae3891/37360cb4e_dupe.jar"; depth:57; endswith; nocase; http.host; 
content:"media.base44.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812778/; classtype:trojan-activity;sid:84675878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/public/69adbe084cd3b016d9ae3891/b595cccce_donutextras-131219.jar"; depth:71; endswith; nocase; http.host; content:"media.base44.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812779/; classtype:trojan-activity;sid:84675879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"bot.cdnlivechatinc.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812775/; classtype:trojan-activity;sid:84675875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minecraft.sh"; depth:13; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812773/; classtype:trojan-activity;sid:84675873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812774/; classtype:trojan-activity;sid:84675874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3812772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812772/; classtype:trojan-activity;sid:84675872; rev:1;)
# Each rule here pairs an exact http.uri match (depth + endswith) with an exact http.host match
# (depth + isdataat:!1,relative): a request with an extra query string, or to a different
# subdomain, does not alert. `/divinex.zip` is listed separately for top., paper. and
# job.recentbox.life in this file for that reason.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"top.recentbox.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812771/; classtype:trojan-activity;sid:84675871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/catlean-1.21.11.jar"; depth:30; endswith; nocase; http.host; content:"pub-429e5192f69c4021acef9add7ed1790a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812766/; classtype:trojan-activity;sid:84675866; rev:1;)
# NOTE(review), sid 84675867: depth:15 is the length of the escaped text `/|3f|download=1`; the
# decoded pattern `/?download=1` is 12 bytes. With endswith, the rule therefore also accepts a
# URI carrying up to three extra leading bytes -- a slightly wider match than the exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"ok-vsefotki.online"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812767/; classtype:trojan-activity;sid:84675867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/krypton_client-1.21.11.jar"; depth:37; endswith; nocase; http.host; content:"pub-429e5192f69c4021acef9add7ed1790a.r2.dev"; 
depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812769/; classtype:trojan-activity;sid:84675869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divinex.zip"; depth:12; endswith; nocase; http.host; content:"job.recentbox.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812770/; classtype:trojan-activity;sid:84675870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dz72gn.bat"; depth:11; endswith; nocase; http.host; content:"files.catbox.moe"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812765/; classtype:trojan-activity;sid:84675865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/radium-1.21.11.jar"; depth:29; endswith; nocase; http.host; content:"pub-429e5192f69c4021acef9add7ed1790a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812764/; classtype:trojan-activity;sid:84675864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerchrome/svc/raw/refs/heads/main/xaerominimap-fabric-1.21.5-25.3.10.jar"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812763/; classtype:trojan-activity;sid:84675863; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerchrome/az/raw/refs/heads/main/loade.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812761/; classtype:trojan-activity;sid:84675861; rev:1;)
# NOTE(review), sids 84675861 / 84675857 / 84675858 (http.host "github.com"): these are
# `alert http` rules, so they only inspect HTTP the sensor can parse. github.com is normally
# served over HTTPS; presumably these fire only behind TLS inspection -- verify in your
# deployment. The URI path is the indicator here, not the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/fabric_api-0.141.31.21.11.jar"; depth:40; endswith; nocase; http.host; content:"pub-429e5192f69c4021acef9add7ed1790a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812762/; classtype:trojan-activity;sid:84675862; rev:1;)
# NOTE(review), sid 84675857: the pattern contains the literal text `%20`. http.uri is the
# normalized URI buffer, where the Suricata documentation describes %20 being decoded to a
# space -- TODO confirm with a replayed request that the escaped form still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerchrome/svc/raw/refs/heads/main/bettertotemhighlight-1.0%20(1).jar"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812757/; classtype:trojan-activity;sid:84675857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerchrome/cvr/raw/refs/heads/main/zaza-1.2.1.jar"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812758/; classtype:trojan-activity;sid:84675858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812759)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/downloads/doomsday_client-1.21.11.jar"; depth:38; endswith; nocase; http.host; content:"pub-429e5192f69c4021acef9add7ed1790a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812759/; classtype:trojan-activity;sid:84675859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sdfggg.js"; depth:10; endswith; nocase; http.host; content:"djasdajnsdnjgjg.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812760/; classtype:trojan-activity;sid:84675860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/share.php"; depth:10; endswith; nocase; http.host; content:"filehost.sbs"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812755/; classtype:trojan-activity;sid:84675855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/californication.sh"; depth:19; endswith; nocase; http.host; content:"82.25.56.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812756/; classtype:trojan-activity;sid:84675856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.101.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812754/; 
classtype:trojan-activity;sid:84675854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.115.161.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812753/; classtype:trojan-activity;sid:84675853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"exist-api.ontologicstream.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812752/; classtype:trojan-activity;sid:84675852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.17.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812751/; classtype:trojan-activity;sid:84675851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.170.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812750/; classtype:trojan-activity;sid:84675850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812749)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"source-data.ontologicstream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812749/; classtype:trojan-activity;sid:84675849; rev:1;)
# sid 84675848: depth:2 + endswith make `/i` the entire URI, and the host match pins one IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.102.129.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812748/; classtype:trojan-activity;sid:84675848; rev:1;)
# NOTE(review), sids 84675849 / 84675847 / 84675846: the URI path
# `/05fe317c-0981-4de2-bc8a-930d369db441/verification.google` is identical in all three (and
# in sids 84675852, 84675906 and 84675893 elsewhere in this file); only the hostname differs,
# under ontologicstream.in.net and axiomaticgrid.in.net. Each rule pins one exact host, so a
# new subdomain is not covered until the feed lists it. A local rule keyed on the path alone
# would presumably be more durable -- assess false positives before enabling one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"real-time-io.ontologicstream.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812747/; classtype:trojan-activity;sid:84675847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"being-node.ontologicstream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812746/; classtype:trojan-activity;sid:84675846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.17.13"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812745/; classtype:trojan-activity;sid:84675845; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the rules below (all carry metadata:created_at 2026_04_06).
#
# Layout: the page's wrapping had split rules across physical lines. Each
# complete rule is restored to a single line here, since a rule has to sit on
# one line unless continued with a backslash. The fragment above and the last
# line of this chunk belong to rules that continue outside this chunk and are
# left as found.
#
# Matching semantics (the same template is used by every rule):
#   - alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     only the client request of traffic parsed as HTTP is inspected. An alert
#     records that the request was sent, not that a payload was delivered.
#   - http.method must contain "GET".
#   - http.uri: depth equals the content length and endswith is set, so the
#     whole URI buffer must equal the listed path (case-insensitive, nocase).
#     The same path with a query string or any extra segment does not match.
#   - http.host: depth equals the content length and isdataat:!1,relative
#     forbids trailing bytes, so the host buffer must be exactly the literal.
#   - sid equals the URLhaus id plus 80863100 in every rule visible here; the
#     reference URL carries the same id for lookup during triage.
#
# Operational caveats:
#   - Short paths such as "/i" and "/bin.sh" are specific only because of the
#     exact host literal; do not loosen the host condition when tuning.
#   - Downloads over TLS are not seen by these rules unless traffic is
#     decrypted before inspection.
#   - NOTE(review): these are point-in-time indicators; how entries are retired
#     is not visible in this file, so keep the ruleset refreshed from the feed.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812744/; classtype:trojan-activity;sid:84675844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.101.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812743/; classtype:trojan-activity;sid:84675843; rev:1;)
# Six consecutive rules share the host 62.60.226.200. The .txt and .jpg
# extensions are part of URLs the feed lists as malware downloads, so the
# extension is not evidence of benign content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/x3qow0s.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812742/; classtype:trojan-activity;sid:84675842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/cgcnzfo.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812740/; classtype:trojan-activity;sid:84675840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/pen7qdm.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812741/; classtype:trojan-activity;sid:84675841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/160066.jpg"; depth:24; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812739/; classtype:trojan-activity;sid:84675839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work/addon.exe"; depth:15; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812738/; classtype:trojan-activity;sid:84675838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work/addon2.exe"; depth:16; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812737/; classtype:trojan-activity;sid:84675837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.49.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812736/; classtype:trojan-activity;sid:84675836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.59.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812735/; classtype:trojan-activity;sid:84675835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.201.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812734/; classtype:trojan-activity;sid:84675834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.173.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812733/; classtype:trojan-activity;sid:84675833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.142.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812732/; classtype:trojan-activity;sid:84675832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.87.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812731/; classtype:trojan-activity;sid:84675831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.59.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812730/; classtype:trojan-activity;sid:84675830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.118.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812729/; classtype:trojan-activity;sid:84675829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.140.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812728/; classtype:trojan-activity;sid:84675828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.240.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812727/; classtype:trojan-activity;sid:84675827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbc"; depth:4; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812726/; classtype:trojan-activity;sid:84675826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.201.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812725/; classtype:trojan-activity;sid:84675825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.140.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812724/; classtype:trojan-activity;sid:84675824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.142.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812723/; classtype:trojan-activity;sid:84675823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.118.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812722/; classtype:trojan-activity;sid:84675822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.96.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812721/; classtype:trojan-activity;sid:84675821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.248.121.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812720/; classtype:trojan-activity;sid:84675820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.227.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812719/; classtype:trojan-activity;sid:84675819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.149.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812718/; classtype:trojan-activity;sid:84675818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.175.206.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812717/; classtype:trojan-activity;sid:84675817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.227.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812716/; classtype:trojan-activity;sid:84675816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.248.121.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812715/; classtype:trojan-activity;sid:84675815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.87.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812714/; classtype:trojan-activity;sid:84675814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.105.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812713/; classtype:trojan-activity;sid:84675813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.150.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812712/; classtype:trojan-activity;sid:84675812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.193.143.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812711/; classtype:trojan-activity;sid:84675811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.193.143.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812710/; classtype:trojan-activity;sid:84675810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.78.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812709/; classtype:trojan-activity;sid:84675809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.78.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812708/; classtype:trojan-activity;sid:84675808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.150.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812707/; classtype:trojan-activity;sid:84675807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812706/; classtype:trojan-activity;sid:84675806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.195.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812705/; classtype:trojan-activity;sid:84675805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812704/; classtype:trojan-activity;sid:84675804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.244.11.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812703/; classtype:trojan-activity;sid:84675803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.150.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812702/; classtype:trojan-activity;sid:84675802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"176.226.235.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812701/; classtype:trojan-activity;sid:84675801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.229.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812700/; classtype:trojan-activity;sid:84675800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.232.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812699/; classtype:trojan-activity;sid:84675799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.234.155.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812698/; classtype:trojan-activity;sid:84675798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.244.11.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812697/; classtype:trojan-activity;sid:84675797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.234.155.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812696/; classtype:trojan-activity;sid:84675796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.153.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812695/; classtype:trojan-activity;sid:84675795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.232.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812694/; classtype:trojan-activity;sid:84675794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.153.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812693/; classtype:trojan-activity;sid:84675793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.183.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812692/; classtype:trojan-activity;sid:84675792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.34.25.18"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812691/; classtype:trojan-activity;sid:84675791; rev:1;)
# The /bins/p* rules (host 194.26.192.157) and the /hiddenbin/space.* rules
# (host 176.65.149.243) that follow differ only in the file-name suffix.
# NOTE(review): the suffixes look like CPU architecture names, presumably one
# build per target; each variant is a separate exact-match rule, so a variant
# missing from the feed is not covered. Alerts on several of these sids from
# one source host are best triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812689/; classtype:trojan-activity;sid:84675789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812690/; classtype:trojan-activity;sid:84675790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.244.15.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812688/; classtype:trojan-activity;sid:84675788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812679/; classtype:trojan-activity;sid:84675779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812680/; classtype:trojan-activity;sid:84675780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812681/; classtype:trojan-activity;sid:84675781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812682/; classtype:trojan-activity;sid:84675782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812683/; classtype:trojan-activity;sid:84675783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812684/; classtype:trojan-activity;sid:84675784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812685/; classtype:trojan-activity;sid:84675785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812686/; classtype:trojan-activity;sid:84675786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"194.26.192.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812687/; classtype:trojan-activity;sid:84675787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812666/; classtype:trojan-activity;sid:84675766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812667/; classtype:trojan-activity;sid:84675767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812668/; classtype:trojan-activity;sid:84675768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812669/; classtype:trojan-activity;sid:84675769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812670/; classtype:trojan-activity;sid:84675770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812671/; classtype:trojan-activity;sid:84675771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812672/; classtype:trojan-activity;sid:84675772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812673/; classtype:trojan-activity;sid:84675773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812674/; classtype:trojan-activity;sid:84675774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812675/; classtype:trojan-activity;sid:84675775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812676/; classtype:trojan-activity;sid:84675776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812677/; classtype:trojan-activity;sid:84675777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.149.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812678/; classtype:trojan-activity;sid:84675778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.183.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812665/; classtype:trojan-activity;sid:84675765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812664/; classtype:trojan-activity;sid:84675764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812663/; classtype:trojan-activity;sid:84675763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.69.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812662/; classtype:trojan-activity;sid:84675762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812661/; classtype:trojan-activity;sid:84675761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.156.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812660/; classtype:trojan-activity;sid:84675760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.203.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812659/; classtype:trojan-activity;sid:84675759; rev:1;)
# The next rule is the only one in this chunk keyed on a domain name rather
# than an IP literal. The host must equal "fdsafa.best" exactly, so a
# subdomain of it does not match. NOTE(review): the path contains "mirai";
# treat that as a hint from the URL only, not as a family attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/mirai.arm"; depth:15; endswith; nocase; http.host; content:"fdsafa.best"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812658/; classtype:trojan-activity;sid:84675758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.69.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812657/; classtype:trojan-activity;sid:84675757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.57.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812656/; classtype:trojan-activity;sid:84675756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.156.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812655/; classtype:trojan-activity;sid:84675755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.242.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812654/; classtype:trojan-activity;sid:84675754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.145.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812653/; classtype:trojan-activity;sid:84675753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.180.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812652/; classtype:trojan-activity;sid:84675752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.5.15"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812651/; classtype:trojan-activity;sid:84675751; rev:1;)
# The line below is the head of a rule whose remaining options lie past the
# end of this chunk; it is left unterminated as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.145.242"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812650/; classtype:trojan-activity;sid:84675750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.134.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812649/; classtype:trojan-activity;sid:84675749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.240.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812648/; classtype:trojan-activity;sid:84675748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.5.15"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812647/; classtype:trojan-activity;sid:84675747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.1.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812646/; classtype:trojan-activity;sid:84675746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.227.134.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812645/; classtype:trojan-activity;sid:84675745; rev:1;)
# URLhaus exact-URL indicators, created_at 2026_04_05. In each rule the
# http.uri pattern (depth:<content length> + endswith, nocase) and the
# http.host pattern (depth:<content length> + isdataat:!1,relative) must fill
# their buffer completely, so only an HTTP GET for the listed host/path pair,
# sent from $HOME_NET to $EXTERNAL_NET, raises the alert.
# The first rules are IPv4-literal hosts with "/i" or "/bin.sh"; 110.36.65.9
# and 123.9.91.10 each have one rule per path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812644/; classtype:trojan-activity;sid:84675744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.1.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812643/; classtype:trojan-activity;sid:84675743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812642/; classtype:trojan-activity;sid:84675742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812641/; classtype:trojan-activity;sid:84675741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.91.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812639/; classtype:trojan-activity;sid:84675739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.91.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812640/; classtype:trojan-activity;sid:84675740; rev:1;)
# 176.65.150.63: eleven rules for /bins/sora.<suffix>, identical apart from
# the suffix, the URLhaus id and the sid (sid = URLhaus id + 80863100).
# NOTE(review): the suffixes (arm7, mips, sh4, ppc, m68k, x86, ...) read like
# CPU-architecture tags - a hit presumably points at an embedded or IoT-class
# client; confirm against asset inventory before drawing triage conclusions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812638/; classtype:trojan-activity;sid:84675738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812636/; classtype:trojan-activity;sid:84675736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812637/; classtype:trojan-activity;sid:84675737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812635/; classtype:trojan-activity;sid:84675735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812634/; classtype:trojan-activity;sid:84675734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812629/; classtype:trojan-activity;sid:84675729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812630/; classtype:trojan-activity;sid:84675730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812631/; classtype:trojan-activity;sid:84675731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812632/; classtype:trojan-activity;sid:84675732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812633/; classtype:trojan-activity;sid:84675733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"176.65.150.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812628/; classtype:trojan-activity;sid:84675728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.167.25.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812627/; classtype:trojan-activity;sid:84675727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase;
http.host; content:"119.99.255.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812626/; classtype:trojan-activity;sid:84675726; rev:1;)
# URLhaus exact-URL indicators, created_at 2026_04_05. Every rule requires an
# established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri and http.host buffers each equal the listed string (content +
# depth:<content length>, closed by endswith / isdataat:!1,relative).
# Fourteen rules in this group share the URI
# /05fe317c-0981-4de2-bc8a-930d369db441/verification.google and differ only
# in http.host: subdomains of ontologicstream.in.net, epistemicforge.in.net
# and gouachesoror.in.net. Because http.host is compared as a whole buffer,
# each listed FQDN needs its own rule and a sibling subdomain that is not
# listed raises no alert. The host patterns are written in lowercase, which
# is the form the normalized http.host buffer is matched in.
# NOTE(review): if parent-domain coverage is wanted, that presumably belongs
# in a locally maintained rule or a DNS/proxy control rather than in edits to
# this generated feed - confirm with whoever owns the rule updates.
# The remaining rules are IPv4-literal hosts with "/i" or "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"flow-object.ontologicstream.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812625/; classtype:trojan-activity;sid:84675725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.167.25.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812624/; classtype:trojan-activity;sid:84675724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.91.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812623/; classtype:trojan-activity;sid:84675723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.255.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812622/; classtype:trojan-activity;sid:84675722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812621/; classtype:trojan-activity;sid:84675721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"entity-map.ontologicstream.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812620/; classtype:trojan-activity;sid:84675720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"study-sync.epistemicforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812619/; classtype:trojan-activity;sid:84675719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-vault.epistemicforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812618/; classtype:trojan-activity;sid:84675718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812617/; classtype:trojan-activity;sid:84675717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"base-theory.epistemicforge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812616/; classtype:trojan-activity;sid:84675716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"proof-engine.epistemicforge.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812615/; classtype:trojan-activity;sid:84675715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.210.233.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812614/; classtype:trojan-activity;sid:84675714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.116.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812613/; classtype:trojan-activity;sid:84675713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812612/; classtype:trojan-activity;sid:84675712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812611/; classtype:trojan-activity;sid:84675711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"logic-audit.epistemicforge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812610/; classtype:trojan-activity;sid:84675710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"truth-verify.epistemicforge.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812609/; classtype:trojan-activity;sid:84675709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"draw-sync.gouachesoror.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812608/; classtype:trojan-activity;sid:84675708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"color-set.gouachesoror.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812607/; classtype:trojan-activity;sid:84675707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.91.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812606/; classtype:trojan-activity;sid:84675706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sister-hub.gouachesoror.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812605/; classtype:trojan-activity;sid:84675705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812604/; classtype:trojan-activity;sid:84675704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.37.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812603/; classtype:trojan-activity;sid:84675703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"brush-api.gouachesoror.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812602/; classtype:trojan-activity;sid:84675702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"paint-job.gouachesoror.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812601/; classtype:trojan-activity;sid:84675701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.168.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812600/; classtype:trojan-activity;sid:84675700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"art-studio.gouachesoror.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812599/; classtype:trojan-activity;sid:84675699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812598/; classtype:trojan-activity;sid:84675698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.98.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812597/; classtype:trojan-activity;sid:84675697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.173.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812596/; classtype:trojan-activity;sid:84675696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.37.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05;
reference:url, urlhaus.abuse.ch/url/3812595/; classtype:trojan-activity;sid:84675695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.77.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812594/; classtype:trojan-activity;sid:84675694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tony.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812593/; classtype:trojan-activity;sid:84675693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/fak.sh"; depth:12; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812592/; classtype:trojan-activity;sid:84675692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812591/; classtype:trojan-activity;sid:84675691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"187.45.95.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812590/; classtype:trojan-activity;sid:84675690; rev:1;)
# URLhaus download-URL rules, one rule per line (the line above is the tail of a rule that
# starts earlier in the file). Each rule fires on an HTTP GET sent from $HOME_NET to
# $EXTERNAL_NET (flow:established,from_client) when both buffers match in full:
#   http.uri  equals the listed path      (depth = content length, endswith, nocase)
#   http.host equals the listed IP literal (depth = content length, isdataat:!1,relative)
# The id in msg and in the reference URL is the URLhaus entry; in these rules sid = id + 80863100.
# Only request buffers are inspected, so an alert shows a fetch attempt, not a completed download.
# HTTP carried inside TLS is not seen by these rules unless it is decrypted upstream of the sensor.
# Because http.uri must match in full, the same path with a query string appended does not match.
# NOTE(review): no port appears in the host content; confirm how your Suricata version
# normalises a Host header that carries an explicit port.
# NOTE(review): created_at is presumably the date the entry was added; check the reference
# URL for the entry's current status before escalating.
# Several hosts below are listed twice, once for /i and once for /bin.sh
# (196.189.68.239, 77.247.88.121); each URL has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.227.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812589/; classtype:trojan-activity;sid:84675689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"187.45.95.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812588/; classtype:trojan-activity;sid:84675688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812587/; classtype:trojan-activity;sid:84675687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.251.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812586/; classtype:trojan-activity;sid:84675686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812585/; classtype:trojan-activity;sid:84675685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/debug"; depth:24; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812584/; classtype:trojan-activity;sid:84675684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.140.201.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812583/; classtype:trojan-activity;sid:84675683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.80.104"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812582/; classtype:trojan-activity;sid:84675682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812581/; classtype:trojan-activity;sid:84675681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.86.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812580/; classtype:trojan-activity;sid:84675680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.189.31.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812579/; classtype:trojan-activity;sid:84675679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812578/; classtype:trojan-activity;sid:84675678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812577/; classtype:trojan-activity;sid:84675677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.120.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812576/; classtype:trojan-activity;sid:84675676; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.189.31.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812575/; classtype:trojan-activity;sid:84675675; rev:1;)
# URLhaus download-URL rules, one rule per line (the line above continues a rule whose
# "alert http" header sits on the previous line). Each rule fires on an HTTP GET from
# $HOME_NET to $EXTERNAL_NET when http.uri equals the listed path in full (depth = content
# length, endswith, nocase) and http.host equals the listed IP literal in full (depth =
# content length, isdataat:!1,relative). In these rules sid = URLhaus id + 80863100.
# Only the request is inspected: an alert shows a fetch attempt, not a completed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.232.64.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812574/; classtype:trojan-activity;sid:84675674; rev:1;)
# Next 14 rules (URLhaus ids 3812560-3812573) all pin http.host to 176.65.139.67:
# /bins.sh plus /release/<name> for mips, ppc, mpsl, ppc440, x86, arm7, x86_64, x86_32,
# arm6, arm5, arm, sh4 and m68k.
# NOTE(review): the names suggest one payload per CPU architecture staged behind a shell
# script; the rule text does not establish that, so confirm against the URLhaus entries.
# When one of these fires, check the same client for requests to the sibling paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812573/; classtype:trojan-activity;sid:84675673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/ppc"; depth:12; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812560/; classtype:trojan-activity;sid:84675660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812561/; classtype:trojan-activity;sid:84675661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/ppc440"; depth:15; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812562/; classtype:trojan-activity;sid:84675662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812563/; classtype:trojan-activity;sid:84675663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812564/; classtype:trojan-activity;sid:84675664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812565/; classtype:trojan-activity;sid:84675665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/x86_64"; depth:15; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812566/; classtype:trojan-activity;sid:84675666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/x86_32"; depth:15; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812567/; classtype:trojan-activity;sid:84675667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812568/; classtype:trojan-activity;sid:84675668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812569/; classtype:trojan-activity;sid:84675669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812570/; classtype:trojan-activity;sid:84675670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/sh4"; depth:12; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812571/; classtype:trojan-activity;sid:84675671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/m68k"; depth:13; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812572/; classtype:trojan-activity;sid:84675672; rev:1;)
# Single-URL entries on other hosts follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.112.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812559/; classtype:trojan-activity;sid:84675659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812558/; classtype:trojan-activity;sid:84675658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/move"; depth:5; endswith; nocase; http.host; content:"45.194.92.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812557/; classtype:trojan-activity;sid:84675657; rev:1;)
# URLhaus download-URL rules, one rule per line. Each rule fires on an HTTP GET sent from
# $HOME_NET to $EXTERNAL_NET (flow:established,from_client) when both buffers match in full:
#   http.uri  equals the listed path      (depth = content length, endswith, nocase)
#   http.host equals the listed IP literal (depth = content length, isdataat:!1,relative)
# The id in msg and in the reference URL is the URLhaus entry; in these rules sid = id + 80863100.
# Only request buffers are inspected, so an alert shows a fetch attempt, not a completed download.
# HTTP carried inside TLS is not seen by these rules unless it is decrypted upstream of the sensor.
# NOTE(review): no port appears in the host content; confirm how your Suricata version
# normalises a Host header that carries an explicit port.
# Most hosts in this run are listed twice, once for /i and once for /bin.sh
# (e.g. 39.90.151.53, 112.248.112.229, 182.127.128.36, 217.64.135.181); each URL has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.229.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812556/; classtype:trojan-activity;sid:84675656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812555/; classtype:trojan-activity;sid:84675655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.112.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812554/; classtype:trojan-activity;sid:84675654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.155.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812553/; classtype:trojan-activity;sid:84675653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.151.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812552/; classtype:trojan-activity;sid:84675652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.238.156.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812551/; classtype:trojan-activity;sid:84675651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812550/; classtype:trojan-activity;sid:84675650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.151.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812549/; classtype:trojan-activity;sid:84675649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.112.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812548/; classtype:trojan-activity;sid:84675648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.56.146.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812547/; classtype:trojan-activity;sid:84675647; rev:1;)
# The next rule is the only one in this run whose path ends in .exe; the full-buffer match
# on http.uri ties it to this exact file name under /files/1781548144/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/kvjuxwl.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812546/; classtype:trojan-activity;sid:84675646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812545/; classtype:trojan-activity;sid:84675645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812544/; classtype:trojan-activity;sid:84675644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.112.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812543/; classtype:trojan-activity;sid:84675643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.156.90.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812542/; classtype:trojan-activity;sid:84675642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812541/; classtype:trojan-activity;sid:84675641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812540/; classtype:trojan-activity;sid:84675640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.126.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812539/; classtype:trojan-activity;sid:84675639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.227.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812538/; classtype:trojan-activity;sid:84675638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.232.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812537/; classtype:trojan-activity;sid:84675637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.238.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812536/; classtype:trojan-activity;sid:84675636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.50.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812535/; classtype:trojan-activity;sid:84675635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.232.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812534/; classtype:trojan-activity;sid:84675634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.255.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812533/; classtype:trojan-activity;sid:84675633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.255.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812532/; classtype:trojan-activity;sid:84675632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812530/; classtype:trojan-activity;sid:84675630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.126.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812531/; classtype:trojan-activity;sid:84675631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.238.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812529/; classtype:trojan-activity;sid:84675629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.232.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812528/; classtype:trojan-activity;sid:84675628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.30.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812527/; classtype:trojan-activity;sid:84675627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.50.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812526/; classtype:trojan-activity;sid:84675626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.71.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812525/; classtype:trojan-activity;sid:84675625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.191.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812524/; classtype:trojan-activity;sid:84675624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812523/; classtype:trojan-activity;sid:84675623; rev:1;)
# URLhaus download-URL rules, one rule per line (the line above is the tail of a rule that
# starts on the previous line). Each rule fires on an HTTP GET from $HOME_NET to
# $EXTERNAL_NET when http.uri equals the listed path in full (depth = content length,
# endswith, nocase) and http.host equals the listed IP literal in full (depth = content
# length, isdataat:!1,relative). In these rules sid = URLhaus id + 80863100.
# Only the request is inspected: an alert shows a fetch attempt, not a completed download.
# Short paths such as /i or /arm are specific only because the host is pinned as well.
# NOTE(review): no port appears in the host content; confirm how your Suricata version
# normalises a Host header that carries an explicit port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.236.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812522/; classtype:trojan-activity;sid:84675622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812521/; classtype:trojan-activity;sid:84675621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.83.3"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812520/; classtype:trojan-activity;sid:84675620; rev:1;)
# Host 45.156.87.253 serves /main_<name> paths; 11 such rules appear in this run, these two
# plus ids 3812494-3812502 further down (mpsl, m68k, arm7, x86_64, sh4, x86, arm5, arm, mips, ppc, arm6).
# NOTE(review): the names suggest one payload per CPU architecture; the rule text does not
# establish that, so confirm against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812519/; classtype:trojan-activity;sid:84675619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812518/; classtype:trojan-activity;sid:84675618; rev:1;)
# Next 10 rules (URLhaus ids 3812508-3812517) all pin http.host to 185.208.159.132, with
# top-level paths /arm, /arm5, /arm6, /arm7, /mips, /mpsl and the h-prefixed /harm5,
# /harm6, /harm7, /hmips. When one fires, check the same client for the sibling paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harm7"; depth:6; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812516/; classtype:trojan-activity;sid:84675616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812517/; classtype:trojan-activity;sid:84675617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmips"; depth:6; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812514/; classtype:trojan-activity;sid:84675614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812515/; classtype:trojan-activity;sid:84675615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812510/; classtype:trojan-activity;sid:84675610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812511/; classtype:trojan-activity;sid:84675611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harm6"; depth:6; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812512/; classtype:trojan-activity;sid:84675612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812513/; classtype:trojan-activity;sid:84675613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812508/; classtype:trojan-activity;sid:84675608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harm5"; depth:6; endswith; nocase; http.host; content:"185.208.159.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812509/; classtype:trojan-activity;sid:84675609; rev:1;)
# More /main_<name> paths on 45.156.87.253.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812501/; classtype:trojan-activity;sid:84675601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812502/; classtype:trojan-activity;sid:84675602; rev:1;)
# Next 5 rules (URLhaus ids 3812503-3812507) pin http.host to 38.60.216.39 with paths under
# /bins/: mpsl, arm4, sh4, mips, ppc.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812503/; classtype:trojan-activity;sid:84675603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812504/; classtype:trojan-activity;sid:84675604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812505/; classtype:trojan-activity;sid:84675605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812506/; classtype:trojan-activity;sid:84675606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"38.60.216.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812507/; classtype:trojan-activity;sid:84675607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.239.199.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812493/; classtype:trojan-activity;sid:84675593; rev:1;)
# Remaining /main_<name> paths on 45.156.87.253.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812494/; classtype:trojan-activity;sid:84675594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812495/; classtype:trojan-activity;sid:84675595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812496/; classtype:trojan-activity;sid:84675596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812497/; classtype:trojan-activity;sid:84675597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812498/; classtype:trojan-activity;sid:84675598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812499/; classtype:trojan-activity;sid:84675599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"45.156.87.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812500/; classtype:trojan-activity;sid:84675600; rev:1;)
# Single-URL entries on other hosts follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.71.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812492/; classtype:trojan-activity;sid:84675592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.8.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812491/; classtype:trojan-activity;sid:84675591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.191.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812490/; classtype:trojan-activity;sid:84675590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3812489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812489/; classtype:trojan-activity;sid:84675589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.164.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812488/; classtype:trojan-activity;sid:84675588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812487/; classtype:trojan-activity;sid:84675587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.8.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812486/; classtype:trojan-activity;sid:84675586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.239.199.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812485/; 
classtype:trojan-activity;sid:84675585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812483/; classtype:trojan-activity;sid:84675583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812484/; classtype:trojan-activity;sid:84675584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812482/; classtype:trojan-activity;sid:84675582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.164.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812481/; classtype:trojan-activity;sid:84675581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812480/; classtype:trojan-activity;sid:84675580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.248.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812479/; classtype:trojan-activity;sid:84675579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.71.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812478/; classtype:trojan-activity;sid:84675578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.158.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812477/; classtype:trojan-activity;sid:84675577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.244.180.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812476/; classtype:trojan-activity;sid:84675576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"112.238.156.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812475/; classtype:trojan-activity;sid:84675575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.71.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812474/; classtype:trojan-activity;sid:84675574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.108.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812473/; classtype:trojan-activity;sid:84675573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.158.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812472/; classtype:trojan-activity;sid:84675572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.5.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812471/; classtype:trojan-activity;sid:84675571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812470)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.173.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812470/; classtype:trojan-activity;sid:84675570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.108.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812469/; classtype:trojan-activity;sid:84675569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.5.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812468/; classtype:trojan-activity;sid:84675568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.239.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812467/; classtype:trojan-activity;sid:84675567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.59.114.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812466/; classtype:trojan-activity;sid:84675566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3812465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.178.250.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812465/; classtype:trojan-activity;sid:84675565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.219.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812464/; classtype:trojan-activity;sid:84675564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.43.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812463/; classtype:trojan-activity;sid:84675563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.239.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812462/; classtype:trojan-activity;sid:84675562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.59.114.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812461/; classtype:trojan-activity;sid:84675561; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.178.250.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812460/; classtype:trojan-activity;sid:84675560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.43.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812459/; classtype:trojan-activity;sid:84675559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.33.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812458/; classtype:trojan-activity;sid:84675558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.219.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812457/; classtype:trojan-activity;sid:84675557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.33.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; 
reference:url, urlhaus.abuse.ch/url/3812456/; classtype:trojan-activity;sid:84675556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.116.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812455/; classtype:trojan-activity;sid:84675555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.89.121.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812454/; classtype:trojan-activity;sid:84675554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.79.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812453/; classtype:trojan-activity;sid:84675553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.77.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812451/; classtype:trojan-activity;sid:84675551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.24.160"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812452/; classtype:trojan-activity;sid:84675552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.235.72.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812450/; classtype:trojan-activity;sid:84675550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.93.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812449/; classtype:trojan-activity;sid:84675549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.180.158.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812448/; classtype:trojan-activity;sid:84675548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.180.158.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812447/; classtype:trojan-activity;sid:84675547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812446)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.24.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812446/; classtype:trojan-activity;sid:84675546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.77.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812445/; classtype:trojan-activity;sid:84675545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.93.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812444/; classtype:trojan-activity;sid:84675544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.208.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812441/; classtype:trojan-activity;sid:84675541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.176.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812442/; classtype:trojan-activity;sid:84675542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3812443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.176.71.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812443/; classtype:trojan-activity;sid:84675543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.162.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812440/; classtype:trojan-activity;sid:84675540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.92.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812439/; classtype:trojan-activity;sid:84675539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.7.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812438/; classtype:trojan-activity;sid:84675538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.109.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812437/; classtype:trojan-activity;sid:84675537; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.176.71.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812436/; classtype:trojan-activity;sid:84675536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.176.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812435/; classtype:trojan-activity;sid:84675535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.208.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812434/; classtype:trojan-activity;sid:84675534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.33.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812433/; classtype:trojan-activity;sid:84675533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.184.19.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812432/; 
classtype:trojan-activity;sid:84675532; rev:1;)
# Each rule below alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# normalized URI ends with the listed path (case-insensitive, found within the
# first `depth` bytes) and whose Host buffer is exactly the listed value
# (depth equal to the value's length, plus isdataat:!1,relative).
# These are `alert http` signatures, so they only see traffic Suricata parses as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.204.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812431/; classtype:trojan-activity;sid:84675531; rev:1;)
# NOTE(review): in the next rule (sid:84675530) the http.uri pattern decodes to
# 38 bytes, `/?=check|26||26|actmn=qyxcbmmvbzghcbqv` with literal pipe characters,
# while depth:53 equals the length of the escaped rule text, not of the decoded
# pattern. The neighbouring rules set depth to the decoded pattern length, which
# together with endswith pins the whole URI; here up to 15 leading bytes are tolerated.
# The `|7c|26|7c|` runs look like `&` hex-escaped as |26| and then pipe-escaped a
# second time -- TODO confirm against the URLhaus entry referenced in the rule; if
# that is what happened, this signature would not fire on the listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=qyxcbmmvbzghcbqv"; depth:53; endswith; nocase; http.host; content:"051516xx.vectorprospera.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812430/; classtype:trojan-activity;sid:84675530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.193.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812429/; classtype:trojan-activity;sid:84675529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.187.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812428/; classtype:trojan-activity;sid:84675528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"45.184.19.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812427/; classtype:trojan-activity;sid:84675527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.33.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812426/; classtype:trojan-activity;sid:84675526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.204.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812425/; classtype:trojan-activity;sid:84675525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812424/; classtype:trojan-activity;sid:84675524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.96.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812423/; classtype:trojan-activity;sid:84675523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812422)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.80.104"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812422/; classtype:trojan-activity;sid:84675522; rev:1;)
#
# Reviewer notes on the rule template used by the entries below.
# Every rule has the same shape; only the URI path, the Host value, the two
# depth values and the ids differ:
#   * flow:established,from_client + http.method "GET": client requests only.
#   * http.uri content with depth:<length> + endswith + nocase: the URI buffer
#     must equal the listed path (case-insensitively), not merely contain it.
#   * http.host content with depth:<length> + isdataat:!1,relative: the host
#     buffer must equal the listed value; no byte may follow it.
#     NOTE(review): confirm how your Suricata version treats a port in the
#     Host header for http.host before relying on this for non-default ports.
#   * $HOME_NET any -> $EXTERNAL_NET any: destination address and port are not
#     pinned; the indicator is matched on the HTTP Host value only.
# Triage: an alert shows that an internal client requested a URL listed by
# URLhaus (see reference:url), not that a payload was delivered or executed;
# confirm with the HTTP response and host telemetry. These are http rules, so
# a request inside TLS is only seen if the sensor receives decrypted traffic.
# The number in msg, the id in reference:url and the sid identify the same
# URLhaus entry (in the rules visible here, sid = URLhaus id + 80863100).
# Several hosts below (kual11.duckdns.org, 74.48.134.67, 75.119.155.130) are
# listed once per file name, so the sid tells which file was requested.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.187.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812421/; classtype:trojan-activity;sid:84675521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.251.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812420/; classtype:trojan-activity;sid:84675520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.193.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812419/; classtype:trojan-activity;sid:84675519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.183.184.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812418/; classtype:trojan-activity;sid:84675518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.240.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812417/; classtype:trojan-activity;sid:84675517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.48.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812416/; classtype:trojan-activity;sid:84675516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812415/; classtype:trojan-activity;sid:84675515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.96.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812414/; classtype:trojan-activity;sid:84675514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.11.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812413/; classtype:trojan-activity;sid:84675513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8301037712/jsmjxqg.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812412/; classtype:trojan-activity;sid:84675512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.240.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812411/; classtype:trojan-activity;sid:84675511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812410/; classtype:trojan-activity;sid:84675510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812409/; classtype:trojan-activity;sid:84675509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812407/; classtype:trojan-activity;sid:84675507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giga.sh"; depth:8; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812408/; classtype:trojan-activity;sid:84675508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_spc"; depth:9; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812406/; classtype:trojan-activity;sid:84675506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc440"; depth:15; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812405/; classtype:trojan-activity;sid:84675505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.m68k"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812400/; classtype:trojan-activity;sid:84675500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812401/; classtype:trojan-activity;sid:84675501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mips"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812402/; classtype:trojan-activity;sid:84675502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm6"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812403/; classtype:trojan-activity;sid:84675503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812404/; classtype:trojan-activity;sid:84675504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812394/; classtype:trojan-activity;sid:84675494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812395/; classtype:trojan-activity;sid:84675495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812396/; classtype:trojan-activity;sid:84675496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812397/; classtype:trojan-activity;sid:84675497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812398/; classtype:trojan-activity;sid:84675498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812399/; classtype:trojan-activity;sid:84675499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm5"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812393/; classtype:trojan-activity;sid:84675493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812392/; classtype:trojan-activity;sid:84675492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812388/; classtype:trojan-activity;sid:84675488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812389/; classtype:trojan-activity;sid:84675489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812390/; classtype:trojan-activity;sid:84675490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812391/; classtype:trojan-activity;sid:84675491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812385/; classtype:trojan-activity;sid:84675485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812386/; classtype:trojan-activity;sid:84675486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812387/; classtype:trojan-activity;sid:84675487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.sh4"; depth:12; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812378/; classtype:trojan-activity;sid:84675478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812379/; classtype:trojan-activity;sid:84675479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812380/; classtype:trojan-activity;sid:84675480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arc"; depth:12; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812381/; classtype:trojan-activity;sid:84675481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812382/; classtype:trojan-activity;sid:84675482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mipsl"; depth:14; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812383/; classtype:trojan-activity;sid:84675483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812384/; classtype:trojan-activity;sid:84675484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812376/; classtype:trojan-activity;sid:84675476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812377/; classtype:trojan-activity;sid:84675477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm7"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812363/; classtype:trojan-activity;sid:84675463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812364/; classtype:trojan-activity;sid:84675464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_64"; depth:15; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812365/; classtype:trojan-activity;sid:84675465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812366/; classtype:trojan-activity;sid:84675466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812367/; classtype:trojan-activity;sid:84675467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812368/; classtype:trojan-activity;sid:84675468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812369/; classtype:trojan-activity;sid:84675469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812370/; classtype:trojan-activity;sid:84675470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812371/; classtype:trojan-activity;sid:84675471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812372/; classtype:trojan-activity;sid:84675472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812373/; classtype:trojan-activity;sid:84675473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812374/; classtype:trojan-activity;sid:84675474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812375/; classtype:trojan-activity;sid:84675475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812355/; classtype:trojan-activity;sid:84675455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812356/; classtype:trojan-activity;sid:84675456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812357/; classtype:trojan-activity;sid:84675457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc"; depth:12; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812358/; classtype:trojan-activity;sid:84675458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812359/; classtype:trojan-activity;sid:84675459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812360/; classtype:trojan-activity;sid:84675460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812361/; classtype:trojan-activity;sid:84675461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812362/; classtype:trojan-activity;sid:84675462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812353/; classtype:trojan-activity;sid:84675453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812354/; classtype:trojan-activity;sid:84675454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812352/; classtype:trojan-activity;sid:84675452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812342/; classtype:trojan-activity;sid:84675442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812343/; classtype:trojan-activity;sid:84675443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812344/; classtype:trojan-activity;sid:84675444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812345/; classtype:trojan-activity;sid:84675445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i686"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812346/; classtype:trojan-activity;sid:84675446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812347/; classtype:trojan-activity;sid:84675447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812348/; classtype:trojan-activity;sid:84675448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812349/; classtype:trojan-activity;sid:84675449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i486"; depth:13; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812350/; classtype:trojan-activity;sid:84675450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm"; depth:12; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812351/; classtype:trojan-activity;sid:84675451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_32"; depth:15; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812339/; classtype:trojan-activity;sid:84675439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812340/; classtype:trojan-activity;sid:84675440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"kual11.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812341/; classtype:trojan-activity;sid:84675441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.192.125.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812338/; classtype:trojan-activity;sid:84675438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.11.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812337/; classtype:trojan-activity;sid:84675437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.101.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812336/; classtype:trojan-activity;sid:84675436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.19.49.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812335/; classtype:trojan-activity;sid:84675435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.242.3.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812334/; classtype:trojan-activity;sid:84675434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.3.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812333/; classtype:trojan-activity;sid:84675433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.101.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812332/; classtype:trojan-activity;sid:84675432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.192.125.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812331/; classtype:trojan-activity;sid:84675431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.12.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812330/; classtype:trojan-activity;sid:84675430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm5"; depth:20; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812329/; classtype:trojan-activity;sid:84675429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812324)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm7"; depth:20; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812324/; classtype:trojan-activity;sid:84675424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_x86"; depth:19; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812325/; classtype:trojan-activity;sid:84675425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_mips"; depth:20; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812326/; classtype:trojan-activity;sid:84675426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_m68k"; depth:20; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812327/; classtype:trojan-activity;sid:84675427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_ppc"; depth:19; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812328/; 
classtype:trojan-activity;sid:84675428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812323/; classtype:trojan-activity;sid:84675423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm6"; depth:20; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812321/; classtype:trojan-activity;sid:84675421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm"; depth:19; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812322/; classtype:trojan-activity;sid:84675422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_sh4"; depth:19; endswith; nocase; http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812319/; classtype:trojan-activity;sid:84675419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_mpsl"; depth:20; endswith; nocase; 
http.host; content:"cnc.xenema.vip"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812320/; classtype:trojan-activity;sid:84675420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"clear-sky.okiselwhiten.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812318/; classtype:trojan-activity;sid:84675418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.101.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812317/; classtype:trojan-activity;sid:84675417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc440"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812315/; classtype:trojan-activity;sid:84675415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips.sh"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812316/; classtype:trojan-activity;sid:84675416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3812313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.x86_64"; depth:53; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812313/; classtype:trojan-activity;sid:84675413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.ppc"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812314/; classtype:trojan-activity;sid:84675414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812300/; classtype:trojan-activity;sid:84675400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812301/; classtype:trojan-activity;sid:84675401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_04_05; reference:url, urlhaus.abuse.ch/url/3812302/; classtype:trojan-activity;sid:84675402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.222.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812303/; classtype:trojan-activity;sid:84675403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/snoopy.sh"; depth:10; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812304/; classtype:trojan-activity;sid:84675404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_x86_64"; depth:22; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812305/; classtype:trojan-activity;sid:84675405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812306/; classtype:trojan-activity;sid:84675406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812307)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/main_arm5"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812307/; classtype:trojan-activity;sid:84675407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_x86"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812308/; classtype:trojan-activity;sid:84675408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm7"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812309/; classtype:trojan-activity;sid:84675409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_m68k"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812310/; classtype:trojan-activity;sid:84675410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arm6"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812311/; classtype:trojan-activity;sid:84675411; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_mpsl"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812312/; classtype:trojan-activity;sid:84675412; rev:1;)
# Each rule below alerts on an HTTP GET whose URI equals the http.uri content exactly
# (depth = content length, plus endswith; nocase) and whose host equals the http.host
# content exactly (depth = content length, plus isdataat:!1,relative).
#
# NOTE(review): the path "/hiddenbin/main_i468" in sid 84675383 looks like a transposed
# architecture suffix (a separate rule in this ruleset lists "/hiddenbin/main_i686" on
# the same host). Keep it as listed: the URI match is exact, so editing the spelling
# would make the rule miss the URL that was actually reported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_i468"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812283/; classtype:trojan-activity;sid:84675383; rev:1;)
# The next two rules share one host and one directory prefix and differ only in the
# file suffix, so each suffix needs its own rule under this exact-match template; a
# suffix that is not listed produces no alert from this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.x86"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812284/; classtype:trojan-activity;sid:84675384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.sh4"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812285/; classtype:trojan-activity;sid:84675385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812286)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.arm6"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812286/; classtype:trojan-activity;sid:84675386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.mpsl"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812287/; classtype:trojan-activity;sid:84675387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.i686"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812288/; classtype:trojan-activity;sid:84675388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.arc"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812289/; classtype:trojan-activity;sid:84675389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.mips"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812290/; classtype:trojan-activity;sid:84675390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.m68k"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812291/; classtype:trojan-activity;sid:84675391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.arm"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812292/; classtype:trojan-activity;sid:84675392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_i686"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812293/; classtype:trojan-activity;sid:84675393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.spc"; depth:50; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812294/; classtype:trojan-activity;sid:84675394; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_arc"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812295/; classtype:trojan-activity;sid:84675395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr"; depth:13; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812296/; classtype:trojan-activity;sid:84675396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.arm7"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812297/; classtype:trojan-activity;sid:84675397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.arm5"; depth:51; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812298/; classtype:trojan-activity;sid:84675398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0l1mxjm4mdl4jjfjf7sb2vdmv/mmaarriioisectanee.i486"; depth:51; 
endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812299/; classtype:trojan-activity;sid:84675399; rev:1;)
# Each rule below requires BOTH an exact http.uri match (depth = content length, plus
# endswith; nocase) AND an exact http.host match (depth = content length, plus
# isdataat:!1,relative) on an established client-to-server GET request.
#
# Several URIs here are short and generic ("/arm4", "/huhu/titanjr"). The paired host
# condition is what keeps them specific: the same path requested from any other host
# does not alert. When tuning, do not drop the http.host half to "broaden" a rule;
# that would turn a short path into a match on unrelated traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812275/; classtype:trojan-activity;sid:84675375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_86_64"; depth:11; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812276/; classtype:trojan-activity;sid:84675376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812280/; classtype:trojan-activity;sid:84675380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-5.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812281/; classtype:trojan-activity;sid:84675381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812282)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_spc"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812282/; classtype:trojan-activity;sid:84675382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_ppc"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812273/; classtype:trojan-activity;sid:84675373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_sh4"; depth:19; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812274/; classtype:trojan-activity;sid:84675374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812272/; classtype:trojan-activity;sid:84675372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins.sh"; depth:13; endswith; nocase; http.host; content:"206.189.98.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812270/; 
classtype:trojan-activity;sid:84675370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache"; depth:6; endswith; nocase; http.host; content:"103.38.236.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812271/; classtype:trojan-activity;sid:84675371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812265/; classtype:trojan-activity;sid:84675365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812266/; classtype:trojan-activity;sid:84675366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812267/; classtype:trojan-activity;sid:84675367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812268/; classtype:trojan-activity;sid:84675368; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET whose URI equals
# the http.uri content exactly (depth = content length, plus endswith; nocase) and whose
# host equals the http.host content exactly (depth = content length, plus
# isdataat:!1,relative).
#
# sid 84675369: the URI content is "/" with depth:1 and endswith, i.e. the bare root
# path. Any GET for the root of that host alerts, so in practice this rule behaves as
# a host-level indicator for plain HTTP; requests for deeper paths on the same host are
# not covered by it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812269/; classtype:trojan-activity;sid:84675369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.101.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812264/; classtype:trojan-activity;sid:84675364; rev:1;)
# sid 84675363: the same URI string is listed elsewhere in this ruleset under a
# different subdomain of okiselwhiten.in.net. Because http.host is matched exactly, each
# subdomain needs its own rule; an unlisted subdomain serving the same path does not
# alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"wash-logic.okiselwhiten.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812263/; classtype:trojan-activity;sid:84675363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.199.173.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812262/; classtype:trojan-activity;sid:84675362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812260)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812260/; classtype:trojan-activity;sid:84675360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_32"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812261/; classtype:trojan-activity;sid:84675361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812257/; classtype:trojan-activity;sid:84675357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812258/; classtype:trojan-activity;sid:84675358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812259/; classtype:trojan-activity;sid:84675359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3812256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.12.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812256/; classtype:trojan-activity;sid:84675356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812253/; classtype:trojan-activity;sid:84675353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812254/; classtype:trojan-activity;sid:84675354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812255/; classtype:trojan-activity;sid:84675355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812244/; 
classtype:trojan-activity;sid:84675344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812245/; classtype:trojan-activity;sid:84675345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812246/; classtype:trojan-activity;sid:84675346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812247/; classtype:trojan-activity;sid:84675347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812248/; classtype:trojan-activity;sid:84675348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.150.66.9"; depth:11; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812249/; classtype:trojan-activity;sid:84675349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"5.181.3.240"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812250/; classtype:trojan-activity;sid:84675350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812251/; classtype:trojan-activity;sid:84675351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812252/; classtype:trojan-activity;sid:84675352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812236/; classtype:trojan-activity;sid:84675336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; 
http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812237/; classtype:trojan-activity;sid:84675337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812238/; classtype:trojan-activity;sid:84675338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812239/; classtype:trojan-activity;sid:84675339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812240/; classtype:trojan-activity;sid:84675340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812241/; classtype:trojan-activity;sid:84675341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812242)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812242/; classtype:trojan-activity;sid:84675342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812243/; classtype:trojan-activity;sid:84675343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812234/; classtype:trojan-activity;sid:84675334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812235/; classtype:trojan-activity;sid:84675335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"75.119.155.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812230/; classtype:trojan-activity;sid:84675330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3812231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"74.48.134.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812231/; classtype:trojan-activity;sid:84675331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812232/; classtype:trojan-activity;sid:84675332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"8.211.154.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812233/; classtype:trojan-activity;sid:84675333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812224/; classtype:trojan-activity;sid:84675324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812225/; 
classtype:trojan-activity;sid:84675325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812226/; classtype:trojan-activity;sid:84675326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812227/; classtype:trojan-activity;sid:84675327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812228/; classtype:trojan-activity;sid:84675328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812229/; classtype:trojan-activity;sid:84675329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.231.238"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812223/; classtype:trojan-activity;sid:84675323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"clean-svc.okiselwhiten.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812222/; classtype:trojan-activity;sid:84675322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.148.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812221/; classtype:trojan-activity;sid:84675321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bright-node.okiselwhiten.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812220/; classtype:trojan-activity;sid:84675320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.199.173.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812219/; classtype:trojan-activity;sid:84675319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3812218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.225.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812218/; classtype:trojan-activity;sid:84675318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.80.198.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812217/; classtype:trojan-activity;sid:84675317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.228.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812216/; classtype:trojan-activity;sid:84675316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.148.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812215/; classtype:trojan-activity;sid:84675315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"berry-mix.okiselwhiten.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, 
urlhaus.abuse.ch/url/3812214/; classtype:trojan-activity;sid:84675314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.68.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812213/; classtype:trojan-activity;sid:84675313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.77.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812212/; classtype:trojan-activity;sid:84675312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"drink-sync.okiselwhiten.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812211/; classtype:trojan-activity;sid:84675311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.174.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812210/; classtype:trojan-activity;sid:84675310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"42.226.222.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812209/; classtype:trojan-activity;sid:84675309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812208/; classtype:trojan-activity;sid:84675308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hot-belyash.balkarbelyashi.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812207/; classtype:trojan-activity;sid:84675307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"snack-api.balkarbelyashi.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812206/; classtype:trojan-activity;sid:84675306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.225.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812205/; 
classtype:trojan-activity;sid:84675305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.110.208.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812204/; classtype:trojan-activity;sid:84675304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.144.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812203/; classtype:trojan-activity;sid:84675303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812202/; classtype:trojan-activity;sid:84675302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.198.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812201/; classtype:trojan-activity;sid:84675301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.198.18"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812200/; classtype:trojan-activity;sid:84675300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.144.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812199/; classtype:trojan-activity;sid:84675299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812198/; classtype:trojan-activity;sid:84675298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.35.126.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812197/; classtype:trojan-activity;sid:84675297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.254.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812196/; classtype:trojan-activity;sid:84675296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"222.219.74.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812195/; classtype:trojan-activity;sid:84675295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.35.126.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812194/; classtype:trojan-activity;sid:84675294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.128.184.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812193/; classtype:trojan-activity;sid:84675293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.114.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812192/; classtype:trojan-activity;sid:84675292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.178.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812191/; classtype:trojan-activity;sid:84675291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812190)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.48.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812190/; classtype:trojan-activity;sid:84675290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.128.184.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812189/; classtype:trojan-activity;sid:84675289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/per.go"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812188/; classtype:trojan-activity;sid:84675288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/per"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812187/; classtype:trojan-activity;sid:84675287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.114.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812186/; classtype:trojan-activity;sid:84675286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3812185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.254.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812185/; classtype:trojan-activity;sid:84675285; rev:1;)
#
# Reading the rules below (one rule per line; every rule uses one template):
#   * alert http $HOME_NET -> $EXTERNAL_NET, flow:established,from_client,
#     http.method "GET": the rule fires on the outbound request. Nothing in
#     it inspects the response, so an alert shows that an internal host asked
#     for the URL, not that a payload was delivered. Confirm delivery from
#     the HTTP/file records for the same flow.
#   * http.uri: depth equals the pattern length and endswith is set, so the
#     whole URI buffer must equal the pattern (case-insensitively, nocase).
#     A rule for "/i" does not match "/index.html" or "/i?x=1".
#   * http.host: depth equals the length of the IP literal and
#     isdataat:!1,relative requires that nothing follows it, so the host
#     buffer must be exactly that IP. The same server reached through a DNS
#     name does not match.
#   * Only traffic parsed as HTTP is inspected; the same URL fetched over
#     TLS is outside what these rules can see.
# In the rules shown here sid = URLhaus id + 80863100, and reference:url
# names the URLhaus entry for that id. All are rev:1 with created_at
# 2026_04_05: the IP/path pairs are point-in-time indicators, so check the
# referenced entry before treating a hit on an old rule as current.
#
# Assorted hosts, paths "/i" and "/bin.sh" (plus one "/parm7" rule for
# 94.156.152.67). Several IPs in this excerpt appear under both paths
# (101.23.75.94, 117.215.50.203, 175.166.1.82, 125.162.63.145), so grouping
# alerts by destination IP ties related hits together better than grouping
# by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/parm7"; depth:6; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812184/; classtype:trojan-activity;sid:84675284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.178.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812183/; classtype:trojan-activity;sid:84675283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.48.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812182/; classtype:trojan-activity;sid:84675282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.7.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812181/; classtype:trojan-activity;sid:84675281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.110.208.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812180/; classtype:trojan-activity;sid:84675280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.23.75.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812179/; classtype:trojan-activity;sid:84675279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.149.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812178/; classtype:trojan-activity;sid:84675278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.50.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812177/; classtype:trojan-activity;sid:84675277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.254.10.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812176/; classtype:trojan-activity;sid:84675276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.206.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812175/; classtype:trojan-activity;sid:84675275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812174/; classtype:trojan-activity;sid:84675274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.23.75.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812173/; classtype:trojan-activity;sid:84675273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.50.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812172/; classtype:trojan-activity;sid:84675272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.1.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812171/; classtype:trojan-activity;sid:84675271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.162.63.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812170/; classtype:trojan-activity;sid:84675270; rev:1;)
#
# 94.156.152.67: one rule per file under /private/, followed by "/px86".
# The name suffixes look like CPU-architecture tags (ppc, sh4, arm, m68k,
# mips, mpsl, spc) -- presumably one build per architecture; the rules
# themselves do not say so. Because each rule is an exact-URI match, a file
# on this host that is not listed raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/pppc"; depth:13; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812164/; classtype:trojan-activity;sid:84675264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/psh4"; depth:13; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812165/; classtype:trojan-activity;sid:84675265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/parm"; depth:13; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812166/; classtype:trojan-activity;sid:84675266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/parm6"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812167/; classtype:trojan-activity;sid:84675267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/pm68k"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812168/; classtype:trojan-activity;sid:84675268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/pmips"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812169/; classtype:trojan-activity;sid:84675269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/pmpsl"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812163/; classtype:trojan-activity;sid:84675263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/pspc"; depth:13; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812161/; classtype:trojan-activity;sid:84675261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/parm5"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812162/; classtype:trojan-activity;sid:84675262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/parm7"; depth:14; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812160/; classtype:trojan-activity;sid:84675260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/px86"; depth:5; endswith; nocase; http.host; content:"94.156.152.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812159/; classtype:trojan-activity;sid:84675259; rev:1;)
#
# Assorted hosts again, paths "/i" and "/bin.sh" only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.253.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812158/; classtype:trojan-activity;sid:84675258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.1.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812157/; classtype:trojan-activity;sid:84675257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.223.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812156/; classtype:trojan-activity;sid:84675256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.162.63.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812155/; classtype:trojan-activity;sid:84675255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.26.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812154/; classtype:trojan-activity;sid:84675254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.219.79.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812153/; classtype:trojan-activity;sid:84675253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.170.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812152/; classtype:trojan-activity;sid:84675252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.150.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812151/; classtype:trojan-activity;sid:84675251; rev:1;)
#
# 103.130.214.71: every complete rule from here to the end of this excerpt
# names this one host, almost all under /bins/ (one is "/mirai.x64"). File
# names combine a short prefix (for example rst, sudp, tci, siack, ovh,
# shand, sock, mtd, ssyn, library, mclibs2) with what looks like an
# architecture tag. The rules do not name a malware family; use the URLhaus
# reference for that. As above, each rule matches one exact URI, so coverage
# of this host is limited to the listed file names -- when triaging, search
# for any HTTP request to the IP rather than relying on these sids alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812143/; classtype:trojan-activity;sid:84675243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm4n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812144/; classtype:trojan-activity;sid:84675244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudp32"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812145/; classtype:trojan-activity;sid:84675245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812146/; classtype:trojan-activity;sid:84675246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpmpsl"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812147/; classtype:trojan-activity;sid:84675247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcix86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812148/; classtype:trojan-activity;sid:84675248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm6"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812149/; classtype:trojan-activity;sid:84675249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sippc"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812150/; classtype:trojan-activity;sid:84675250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812134/; classtype:trojan-activity;sid:84675234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandx86_64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812135/; classtype:trojan-activity;sid:84675235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812136/; classtype:trojan-activity;sid:84675236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812137/; classtype:trojan-activity;sid:84675237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm5n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812138/; classtype:trojan-activity;sid:84675238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812139/; classtype:trojan-activity;sid:84675239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandx64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812140/; classtype:trojan-activity;sid:84675240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siix64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812141/; classtype:trojan-activity;sid:84675241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812142/; classtype:trojan-activity;sid:84675242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812124/; classtype:trojan-activity;sid:84675224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812125/; classtype:trojan-activity;sid:84675225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812126/; classtype:trojan-activity;sid:84675226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv6"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812127/; classtype:trojan-activity;sid:84675227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812128/; classtype:trojan-activity;sid:84675228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstx86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812129/; classtype:trojan-activity;sid:84675229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki386n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812130/; classtype:trojan-activity;sid:84675230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdmipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812131/; classtype:trojan-activity;sid:84675231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i486n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812132/; classtype:trojan-activity;sid:84675232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812133/; classtype:trojan-activity;sid:84675233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv6"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812123/; classtype:trojan-activity;sid:84675223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynx86-64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812120/; classtype:trojan-activity;sid:84675220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm4n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812121/; classtype:trojan-activity;sid:84675221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812122/; classtype:trojan-activity;sid:84675222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812118/; classtype:trojan-activity;sid:84675218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siimipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812119/; classtype:trojan-activity;sid:84675219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv5"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812110/; classtype:trojan-activity;sid:84675210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812111/; classtype:trojan-activity;sid:84675211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/si"; depth:8; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812112/; classtype:trojan-activity;sid:84675212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm7n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812113/; classtype:trojan-activity;sid:84675213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockx86_64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812114/; classtype:trojan-activity;sid:84675214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryx86"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812115/; classtype:trojan-activity;sid:84675215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812116/; classtype:trojan-activity;sid:84675216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2mipsel"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812117/; classtype:trojan-activity;sid:84675217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812102/; classtype:trojan-activity;sid:84675202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x64"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812103/; classtype:trojan-activity;sid:84675203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandmipsel"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812104/; classtype:trojan-activity;sid:84675204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812105/; classtype:trojan-activity;sid:84675205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tci32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812106/; classtype:trojan-activity;sid:84675206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv6l"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812107/; classtype:trojan-activity;sid:84675207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812108/; classtype:trojan-activity;sid:84675208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv4l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812109/; classtype:trojan-activity;sid:84675209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv5"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812095/; classtype:trojan-activity;sid:84675195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm6"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812096/; classtype:trojan-activity;sid:84675196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni486"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812097/; classtype:trojan-activity;sid:84675197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812098/; classtype:trojan-activity;sid:84675198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812099/; classtype:trojan-activity;sid:84675199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv7l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812100/; classtype:trojan-activity;sid:84675200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockriscv64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812101/; classtype:trojan-activity;sid:84675201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv4l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812094/; classtype:trojan-activity;sid:84675194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandmpsl"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812092/; classtype:trojan-activity;sid:84675192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812093/; classtype:trojan-activity;sid:84675193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryriscv64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812091/; classtype:trojan-activity;sid:84675191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstmips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812090/; classtype:trojan-activity;sid:84675190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812085/; classtype:trojan-activity;sid:84675185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812086/; classtype:trojan-activity;sid:84675186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812087/; classtype:trojan-activity;sid:84675187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3812088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv5l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812088/; classtype:trojan-activity;sid:84675188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm5n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812089/; classtype:trojan-activity;sid:84675189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv4"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812076/; classtype:trojan-activity;sid:84675176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv5l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812077/; classtype:trojan-activity;sid:84675177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812078/; 
classtype:trojan-activity;sid:84675178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm5n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812079/; classtype:trojan-activity;sid:84675179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812080/; classtype:trojan-activity;sid:84675180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv5"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812081/; classtype:trojan-activity;sid:84675181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812082/; classtype:trojan-activity;sid:84675182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv4"; depth:18; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812083/; classtype:trojan-activity;sid:84675183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812084/; classtype:trojan-activity;sid:84675184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi686"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812075/; classtype:trojan-activity;sid:84675175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdppc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812074/; classtype:trojan-activity;sid:84675174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpx64"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812066/; classtype:trojan-activity;sid:84675166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812067)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812067/; classtype:trojan-activity;sid:84675167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni686"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812068/; classtype:trojan-activity;sid:84675168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstx86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812069/; classtype:trojan-activity;sid:84675169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812070/; classtype:trojan-activity;sid:84675170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812071/; 
classtype:trojan-activity;sid:84675171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812072/; classtype:trojan-activity;sid:84675172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812073/; classtype:trojan-activity;sid:84675173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi386n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812064/; classtype:trojan-activity;sid:84675164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv5"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812065/; classtype:trojan-activity;sid:84675165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv6l"; depth:15; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812058/; classtype:trojan-activity;sid:84675158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv7"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812059/; classtype:trojan-activity;sid:84675159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni586"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812060/; classtype:trojan-activity;sid:84675160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi586"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812061/; classtype:trojan-activity;sid:84675161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackaarch64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812062/; classtype:trojan-activity;sid:84675162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812063)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812063/; classtype:trojan-activity;sid:84675163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstmipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812056/; classtype:trojan-activity;sid:84675156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryppc"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812057/; classtype:trojan-activity;sid:84675157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki586"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812055/; classtype:trojan-activity;sid:84675155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovh32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812051/; 
classtype:trojan-activity;sid:84675151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii586n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812052/; classtype:trojan-activity;sid:84675152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm4n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812053/; classtype:trojan-activity;sid:84675153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm5n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812054/; classtype:trojan-activity;sid:84675154; rev:1;)
# NOTE(review): the next rule (sid 84675150) differs from the rules on either
# side of it: its path sits at the web root (/mirai.arm4) instead of under
# /bins/. Every rule here anchors the complete http.uri (depth = content
# length, plus endswith), so a file served from another directory on the same
# host is covered only if it has its own rule. The file name hints at a Mirai
# ARM build; that is inferred from the name alone - the URLhaus entry linked
# in `reference:url` is the place to confirm the family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm4"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812050/; classtype:trojan-activity;sid:84675150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm7n"; depth:15; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812036/; classtype:trojan-activity;sid:84675136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni386n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812037/; classtype:trojan-activity;sid:84675137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812038/; classtype:trojan-activity;sid:84675138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812039/; classtype:trojan-activity;sid:84675139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812040/; classtype:trojan-activity;sid:84675140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812041)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii686n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812041/; classtype:trojan-activity;sid:84675141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockx86-64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812042/; classtype:trojan-activity;sid:84675142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki386"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812043/; classtype:trojan-activity;sid:84675143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812044/; classtype:trojan-activity;sid:84675144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2x86_64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812045/; 
classtype:trojan-activity;sid:84675145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812046/; classtype:trojan-activity;sid:84675146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812047/; classtype:trojan-activity;sid:84675147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siack"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812048/; classtype:trojan-activity;sid:84675148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi386n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812049/; classtype:trojan-activity;sid:84675149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm4n"; depth:14; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812033/; classtype:trojan-activity;sid:84675133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockaarch64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812034/; classtype:trojan-activity;sid:84675134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812035/; classtype:trojan-activity;sid:84675135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv4l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812021/; classtype:trojan-activity;sid:84675121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm6n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812022/; classtype:trojan-activity;sid:84675122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3812023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv7l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812023/; classtype:trojan-activity;sid:84675123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi386"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812024/; classtype:trojan-activity;sid:84675124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812025/; classtype:trojan-activity;sid:84675125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhmpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812026/; classtype:trojan-activity;sid:84675126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812027/; 
classtype:trojan-activity;sid:84675127; rev:1;)
# ---------------------------------------------------------------------------
# URLhaus per-URL indicators, laid out one rule per line.
#
# Every rule in this run has the same shape; only the URI path, its depth,
# the URLhaus id and the sid differ. All rules here name the same host,
# 103.130.214.71, with paths of the form /bins/<name> or /mirai.<suffix>.
#
# How a rule matches (all conditions must hold on the same request):
#   alert http $HOME_NET any -> $EXTERNAL_NET any
#       outbound HTTP from a host in HOME_NET to an external address.
#   flow:established,from_client
#       client-to-server direction of an established flow, i.e. the request.
#   http.method; content:"GET"
#       the request method buffer contains GET.
#   http.uri; content:"<path>"; depth:N; endswith; nocase
#       N is the length of <path>; with endswith this pins both ends, so the
#       URI buffer must equal <path>, compared case-insensitively.
#   http.host; content:"<ip>"; depth:14; isdataat:!1,relative
#       the host buffer must start with <ip> and have no byte after it.
#
# Reading an alert:
#   - The rule inspects the request only. A hit shows that an internal host
#     asked for the URL; it does not show that the payload was delivered or
#     executed. Confirm on the endpoint or from the HTTP response/file logs.
#   - Coverage is one exact URL per rule. Other paths on the same host need
#     their own rule or a host-level indicator.
#   - These are `alert http` rules, so they apply only to traffic Suricata
#     parses as HTTP.
#   - The URLhaus id in msg and in the reference URL identifies the feed
#     entry; metadata:created_at records when the rule was created.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812028/; classtype:trojan-activity;sid:84675128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdx86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812029/; classtype:trojan-activity;sid:84675129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm5"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812030/; classtype:trojan-activity;sid:84675130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siimips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812031/; classtype:trojan-activity;sid:84675131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhppc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812032/; classtype:trojan-activity;sid:84675132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.dbg"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812020/; classtype:trojan-activity;sid:84675120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm7"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812016/; classtype:trojan-activity;sid:84675116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi586n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812017/; classtype:trojan-activity;sid:84675117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcimips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812018/; classtype:trojan-activity;sid:84675118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudp"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812019/; classtype:trojan-activity;sid:84675119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2x86-64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812013/; classtype:trojan-activity;sid:84675113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni686n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812014/; classtype:trojan-activity;sid:84675114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812015/; classtype:trojan-activity;sid:84675115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynamd64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812002/; classtype:trojan-activity;sid:84675102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstx86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812003/; classtype:trojan-activity;sid:84675103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/librarymips"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812004/; classtype:trojan-activity;sid:84675104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812005/; classtype:trojan-activity;sid:84675105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv4l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812006/; classtype:trojan-activity;sid:84675106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812007/; classtype:trojan-activity;sid:84675107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siriscv64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812008/; classtype:trojan-activity;sid:84675108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv5"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812009/; classtype:trojan-activity;sid:84675109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812010/; classtype:trojan-activity;sid:84675110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812011/; classtype:trojan-activity;sid:84675111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812012/; classtype:trojan-activity;sid:84675112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811998/; classtype:trojan-activity;sid:84675098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperppc"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811999/; classtype:trojan-activity;sid:84675099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812000/; classtype:trojan-activity;sid:84675100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynaarch64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812001/; classtype:trojan-activity;sid:84675101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv4l"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811992/; classtype:trojan-activity;sid:84675092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811993/; classtype:trojan-activity;sid:84675093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811994/; classtype:trojan-activity;sid:84675094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynmipsel"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811995/; classtype:trojan-activity;sid:84675095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm7n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811996/; classtype:trojan-activity;sid:84675096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv6"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811997/; classtype:trojan-activity;sid:84675097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki686"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811990/; classtype:trojan-activity;sid:84675090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rst"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811991/; classtype:trojan-activity;sid:84675091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siix86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811983/; classtype:trojan-activity;sid:84675083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv4l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811984/; classtype:trojan-activity;sid:84675084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811985/; classtype:trojan-activity;sid:84675085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/si32"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811986/; classtype:trojan-activity;sid:84675086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811987/; classtype:trojan-activity;sid:84675087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackx64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811988/; classtype:trojan-activity;sid:84675088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandx86-64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811989/; classtype:trojan-activity;sid:84675089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm6n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811976/; classtype:trojan-activity;sid:84675076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryx64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811977/; classtype:trojan-activity;sid:84675077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811978/; classtype:trojan-activity;sid:84675078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackx86"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811979/; classtype:trojan-activity;sid:84675079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811980/; classtype:trojan-activity;sid:84675080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii486n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811981/; classtype:trojan-activity;sid:84675081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv7l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811982/; classtype:trojan-activity;sid:84675082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mpsl"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811975/; classtype:trojan-activity;sid:84675075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811973/; classtype:trojan-activity;sid:84675073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811974/; classtype:trojan-activity;sid:84675074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811972/; classtype:trojan-activity;sid:84675072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyn32"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811967/; classtype:trojan-activity;sid:84675067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv6l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811968/; classtype:trojan-activity;sid:84675068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811969/; classtype:trojan-activity;sid:84675069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi386"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811970/; classtype:trojan-activity;sid:84675070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi686n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811971/; classtype:trojan-activity;sid:84675071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811966/; classtype:trojan-activity;sid:84675066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv5l"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811955/; classtype:trojan-activity;sid:84675055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811956/; classtype:trojan-activity;sid:84675056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstppc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811957/; classtype:trojan-activity;sid:84675057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/six64"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811958/; classtype:trojan-activity;sid:84675058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2x86"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811959/; classtype:trojan-activity;sid:84675059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdx86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811960/; classtype:trojan-activity;sid:84675060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811961/; classtype:trojan-activity;sid:84675061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811962/; classtype:trojan-activity;sid:84675062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i486"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811963/; classtype:trojan-activity;sid:84675063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdx64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811964/; classtype:trojan-activity;sid:84675064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811965/; classtype:trojan-activity;sid:84675065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhx86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811946/; classtype:trojan-activity;sid:84675046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm7n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811947/; classtype:trojan-activity;sid:84675047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i686"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811948/; classtype:trojan-activity;sid:84675048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi486n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811949/; classtype:trojan-activity;sid:84675049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm4"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811950/; classtype:trojan-activity;sid:84675050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811951/; classtype:trojan-activity;sid:84675051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811952/; classtype:trojan-activity;sid:84675052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811953/; classtype:trojan-activity;sid:84675053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811954/; classtype:trojan-activity;sid:84675054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811942/; classtype:trojan-activity;sid:84675042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynmpsl"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811943/; classtype:trojan-activity;sid:84675043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii486"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811944/; classtype:trojan-activity;sid:84675044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811945/; classtype:trojan-activity;sid:84675045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv5l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811938/; classtype:trojan-activity;sid:84675038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811939/; classtype:trojan-activity;sid:84675039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi586n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811940/; classtype:trojan-activity;sid:84675040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi486"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811941/; classtype:trojan-activity;sid:84675041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siaarch64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811934/; classtype:trojan-activity;sid:84675034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki486"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811935/; classtype:trojan-activity;sid:84675035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811936/; classtype:trojan-activity;sid:84675036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811937/; classtype:trojan-activity;sid:84675037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811933/; classtype:trojan-activity;sid:84675033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.i686"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811931/; classtype:trojan-activity;sid:84675031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811932/; classtype:trojan-activity;sid:84675032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811916/; classtype:trojan-activity;sid:84675016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811917/; classtype:trojan-activity;sid:84675017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811918/; 
classtype:trojan-activity;sid:84675018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpx86"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811919/; classtype:trojan-activity;sid:84675019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv4"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811920/; classtype:trojan-activity;sid:84675020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi386"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811921/; classtype:trojan-activity;sid:84675021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm6n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811922/; classtype:trojan-activity;sid:84675022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm7"; depth:13; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811923/; classtype:trojan-activity;sid:84675023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm6"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811924/; classtype:trojan-activity;sid:84675024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii686"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811925/; classtype:trojan-activity;sid:84675025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811926/; classtype:trojan-activity;sid:84675026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv6l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811927/; classtype:trojan-activity;sid:84675027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811928)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi486"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811928/; classtype:trojan-activity;sid:84675028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811929/; classtype:trojan-activity;sid:84675029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2aarch64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811930/; classtype:trojan-activity;sid:84675030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki386n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811914/; classtype:trojan-activity;sid:84675014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm7"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811915/; 
classtype:trojan-activity;sid:84675015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki586n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811911/; classtype:trojan-activity;sid:84675011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811912/; classtype:trojan-activity;sid:84675012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv6"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811913/; classtype:trojan-activity;sid:84675013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi586"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811908/; classtype:trojan-activity;sid:84675008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm4"; depth:14; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811909/; classtype:trojan-activity;sid:84675009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i686n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811910/; classtype:trojan-activity;sid:84675010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynriscv64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811902/; classtype:trojan-activity;sid:84675002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811903/; classtype:trojan-activity;sid:84675003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811904/; classtype:trojan-activity;sid:84675004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811905/; classtype:trojan-activity;sid:84675005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv7"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811906/; classtype:trojan-activity;sid:84675006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2riscv64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811907/; classtype:trojan-activity;sid:84675007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackx86-64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811899/; classtype:trojan-activity;sid:84674999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtd32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811900/; 
classtype:trojan-activity;sid:84675000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siippc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811901/; classtype:trojan-activity;sid:84675001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811897/; classtype:trojan-activity;sid:84674997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811898/; classtype:trojan-activity;sid:84674998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcippc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811889/; classtype:trojan-activity;sid:84674989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm64"; depth:14; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811890/; classtype:trojan-activity;sid:84674990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm6n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811891/; classtype:trojan-activity;sid:84674991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811892/; classtype:trojan-activity;sid:84674992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv7l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811893/; classtype:trojan-activity;sid:84674993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811894/; classtype:trojan-activity;sid:84674994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811895)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i386n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811895/; classtype:trojan-activity;sid:84674995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i586n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811896/; classtype:trojan-activity;sid:84674996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackx86_64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811887/; classtype:trojan-activity;sid:84674987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv7"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811888/; classtype:trojan-activity;sid:84674988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811880/; 
classtype:trojan-activity;sid:84674980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm6n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811881/; classtype:trojan-activity;sid:84674981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811882/; classtype:trojan-activity;sid:84674982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii586"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811883/; classtype:trojan-activity;sid:84674983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovh"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811884/; classtype:trojan-activity;sid:84674984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm6"; depth:13; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811885/; classtype:trojan-activity;sid:84674985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackmipsel"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811886/; classtype:trojan-activity;sid:84674986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi486n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811878/; classtype:trojan-activity;sid:84674978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv5l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811879/; classtype:trojan-activity;sid:84674979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv7"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811869/; classtype:trojan-activity;sid:84674969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811870/; classtype:trojan-activity;sid:84674970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811871/; classtype:trojan-activity;sid:84674971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm5n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811872/; classtype:trojan-activity;sid:84674972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811873/; classtype:trojan-activity;sid:84674973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811874/; 
classtype:trojan-activity;sid:84674974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryx86-64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811875/; classtype:trojan-activity;sid:84674975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv7"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811876/; classtype:trojan-activity;sid:84674976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynppc"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811877/; classtype:trojan-activity;sid:84674977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm6n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811868/; classtype:trojan-activity;sid:84674968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv6l"; depth:19; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811865/; classtype:trojan-activity;sid:84674965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtd"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811866/; classtype:trojan-activity;sid:84674966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811867/; classtype:trojan-activity;sid:84674967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811859/; classtype:trojan-activity;sid:84674959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynx86_64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811860/; classtype:trojan-activity;sid:84674960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811861)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpamd64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811861/; classtype:trojan-activity;sid:84674961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhx86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811862/; classtype:trojan-activity;sid:84674962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi486n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811863/; classtype:trojan-activity;sid:84674963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv4l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811864/; classtype:trojan-activity;sid:84674964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyn"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811856/; 
classtype:trojan-activity;sid:84674956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpaarch64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811857/; classtype:trojan-activity;sid:84674957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811858/; classtype:trojan-activity;sid:84674958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandamd64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811854/; classtype:trojan-activity;sid:84674954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm5n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811855/; classtype:trojan-activity;sid:84674955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv5"; depth:18; endswith; nocase; 
http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811852/; classtype:trojan-activity;sid:84674952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv6"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811853/; classtype:trojan-activity;sid:84674953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siix86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811838/; classtype:trojan-activity;sid:84674938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhx64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811839/; classtype:trojan-activity;sid:84674939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdx86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811840/; classtype:trojan-activity;sid:84674940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhx86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811841/; classtype:trojan-activity;sid:84674941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811842/; classtype:trojan-activity;sid:84674942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarmv4"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811843/; classtype:trojan-activity;sid:84674943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811844/; classtype:trojan-activity;sid:84674944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv7l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811845/; 
classtype:trojan-activity;sid:84674945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstx64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811846/; classtype:trojan-activity;sid:84674946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv5"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811847/; classtype:trojan-activity;sid:84674947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv6l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811848/; classtype:trojan-activity;sid:84674948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv7"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811849/; classtype:trojan-activity;sid:84674949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm7n"; depth:18; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811850/; classtype:trojan-activity;sid:84674950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhmips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811851/; classtype:trojan-activity;sid:84674951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpriscv64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811837/; classtype:trojan-activity;sid:84674937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynmips"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811836/; classtype:trojan-activity;sid:84674936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811833/; classtype:trojan-activity;sid:84674933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811834)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandaarch64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811834/; classtype:trojan-activity;sid:84674934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shand"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811835/; classtype:trojan-activity;sid:84674935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm64"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811825/; classtype:trojan-activity;sid:84674925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki586n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811826/; classtype:trojan-activity;sid:84674926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811827/; 
classtype:trojan-activity;sid:84674927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/six86-64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811828/; classtype:trojan-activity;sid:84674928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811829/; classtype:trojan-activity;sid:84674929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm6n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811830/; classtype:trojan-activity;sid:84674930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv6l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811831/; classtype:trojan-activity;sid:84674931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm4"; depth:15; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811832/; classtype:trojan-activity;sid:84674932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811821/; classtype:trojan-activity;sid:84674921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i686n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811822/; classtype:trojan-activity;sid:84674922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2mpsl"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811823/; classtype:trojan-activity;sid:84674923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2ppc"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811824/; classtype:trojan-activity;sid:84674924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki486n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811812/; classtype:trojan-activity;sid:84674912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811813/; classtype:trojan-activity;sid:84674913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackamd64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811814/; classtype:trojan-activity;sid:84674914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpmipsel"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811815/; classtype:trojan-activity;sid:84674915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandppc"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811816/; 
classtype:trojan-activity;sid:84674916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811817/; classtype:trojan-activity;sid:84674917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811818/; classtype:trojan-activity;sid:84674918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811819/; classtype:trojan-activity;sid:84674919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockmips"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811820/; classtype:trojan-activity;sid:84674920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynx86"; depth:13; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811800/; classtype:trojan-activity;sid:84674900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockmipsel"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811801/; classtype:trojan-activity;sid:84674901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811802/; classtype:trojan-activity;sid:84674902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcimpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811803/; classtype:trojan-activity;sid:84674903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpx86-64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811804/; classtype:trojan-activity;sid:84674904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811805)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811805/; classtype:trojan-activity;sid:84674905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811806/; classtype:trojan-activity;sid:84674906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sock32"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811807/; classtype:trojan-activity;sid:84674907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm4n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811808/; classtype:trojan-activity;sid:84674908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii386"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811809/; 
classtype:trojan-activity;sid:84674909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siimpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811810/; classtype:trojan-activity;sid:84674910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811811/; classtype:trojan-activity;sid:84674911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811795/; classtype:trojan-activity;sid:84674895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki686n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811796/; classtype:trojan-activity;sid:84674896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi386n"; depth:18; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811797/; classtype:trojan-activity;sid:84674897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811798/; classtype:trojan-activity;sid:84674898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811799/; classtype:trojan-activity;sid:84674899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811793/; classtype:trojan-activity;sid:84674893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811794/; classtype:trojan-activity;sid:84674894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811786)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811786/; classtype:trojan-activity;sid:84674886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv7l"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811787/; classtype:trojan-activity;sid:84674887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811788/; classtype:trojan-activity;sid:84674888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811790/; classtype:trojan-activity;sid:84674890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstmpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811791/; 
classtype:trojan-activity;sid:84674891; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (one rule per line).
#
# Every rule that begins in this stretch has the same shape, the same
# http.host value (103.130.214.71) and created_at 2026_04_05. Only the URI and
# its depth differ: /bins/<name><arch-suffix>, plus /mirai.mips and /mirai.apk.
# The suffixes (arm*, mips*, mpsl, ppc, x86*, riscv64, ...) look like
# per-architecture builds of the same payloads; that reading is inferred from
# the file names, the feed itself does not state it.
#
# How each rule matches:
#   flow:established,from_client + http.method "GET"
#       -> client-side request on an established flow only.
#   http.uri content with depth:N (N = content length) + endswith + nocase
#       -> the normalized URI must equal the listed path, case-insensitively.
#   http.host content with depth:14 + isdataat:!1,relative
#       -> the host buffer must be exactly this IP, with no data after it.
#
# Triage and tuning:
#   * These are exact-URI indicators on cleartext HTTP. Pair them with
#     destination-IP / flow telemetry for 103.130.214.71 so that "no alert"
#     is not read as "no contact with the host".
#   * A hit shows that an internal host requested the payload; check the HTTP
#     response and file logs to confirm whether it was actually delivered.
#   * For the rules visible here, sid = URLhaus entry id + 80863100, so msg id,
#     reference URL and sid can be cross-checked against each other.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811792/; classtype:trojan-activity;sid:84674892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811785/; classtype:trojan-activity;sid:84674885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811784/; classtype:trojan-activity;sid:84674884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackppc"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811782/; classtype:trojan-activity;sid:84674882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2mips"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811783/; classtype:trojan-activity;sid:84674883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni486n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811775/; classtype:trojan-activity;sid:84674875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siack32"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811776/; classtype:trojan-activity;sid:84674876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siacki686n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811777/; classtype:trojan-activity;sid:84674877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811778/; classtype:trojan-activity;sid:84674878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpppc"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811779/; classtype:trojan-activity;sid:84674879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811780/; classtype:trojan-activity;sid:84674880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811781/; classtype:trojan-activity;sid:84674881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpx86_64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811766/; classtype:trojan-activity;sid:84674866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackmpsl"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811767/; classtype:trojan-activity;sid:84674867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackriscv64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811768/; classtype:trojan-activity;sid:84674868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811769/; classtype:trojan-activity;sid:84674869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciarmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811770/; classtype:trojan-activity;sid:84674870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/six86_64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811771/; classtype:trojan-activity;sid:84674871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparm6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811772/; classtype:trojan-activity;sid:84674872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi486"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811773/; classtype:trojan-activity;sid:84674873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi586n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811774/; classtype:trojan-activity;sid:84674874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcix64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811760/; classtype:trojan-activity;sid:84674860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811761/; classtype:trojan-activity;sid:84674861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811762/; classtype:trojan-activity;sid:84674862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi586"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811763/; classtype:trojan-activity;sid:84674863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki486n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811764/; classtype:trojan-activity;sid:84674864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm4n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811765/; classtype:trojan-activity;sid:84674865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcix86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811750/; classtype:trojan-activity;sid:84674850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811751/; classtype:trojan-activity;sid:84674851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm7n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811752/; classtype:trojan-activity;sid:84674852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811753/; classtype:trojan-activity;sid:84674853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm4n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811754/; classtype:trojan-activity;sid:84674854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv7l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811755/; classtype:trojan-activity;sid:84674855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811756/; classtype:trojan-activity;sid:84674856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/simpsl"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811757/; classtype:trojan-activity;sid:84674857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/librarympsl"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811758/; classtype:trojan-activity;sid:84674858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm5"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811759/; classtype:trojan-activity;sid:84674859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv4"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811746/; classtype:trojan-activity;sid:84674846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811747/; classtype:trojan-activity;sid:84674847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockx86"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811748/; classtype:trojan-activity;sid:84674848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv6l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811749/; classtype:trojan-activity;sid:84674849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811745/; classtype:trojan-activity;sid:84674845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv4"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811744/; classtype:trojan-activity;sid:84674844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811743/; classtype:trojan-activity;sid:84674843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811738/; classtype:trojan-activity;sid:84674838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynx64"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811739/; classtype:trojan-activity;sid:84674839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811740/; classtype:trojan-activity;sid:84674840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovharmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811741/; classtype:trojan-activity;sid:84674841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki686"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811742/; classtype:trojan-activity;sid:84674842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811736/; classtype:trojan-activity;sid:84674836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siix86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811737/; classtype:trojan-activity;sid:84674837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni586n"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811734/; classtype:trojan-activity;sid:84674834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811735/; classtype:trojan-activity;sid:84674835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i586"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811733/; classtype:trojan-activity;sid:84674833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/simips"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811732/; classtype:trojan-activity;sid:84674832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryx86_64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811726/; classtype:trojan-activity;sid:84674826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811727/; classtype:trojan-activity;sid:84674827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv5l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811728/; classtype:trojan-activity;sid:84674828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811729/; classtype:trojan-activity;sid:84674829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki386"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811730/; classtype:trojan-activity;sid:84674830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpmips"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811731/; classtype:trojan-activity;sid:84674831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811723/; classtype:trojan-activity;sid:84674823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811724/; classtype:trojan-activity;sid:84674824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.apk"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811725/; classtype:trojan-activity;sid:84674825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811715/; classtype:trojan-activity;sid:84674815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcimipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811716/; classtype:trojan-activity;sid:84674816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhmipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811717/; classtype:trojan-activity;sid:84674817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs232"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811718/; classtype:trojan-activity;sid:84674818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockmpsl"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811719/; classtype:trojan-activity;sid:84674819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811720/; classtype:trojan-activity;sid:84674820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siamd64"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811721/; classtype:trojan-activity;sid:84674821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdmips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811722/; classtype:trojan-activity;sid:84674822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2amd64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811705/; classtype:trojan-activity;sid:84674805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2i386"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811706/; classtype:trojan-activity;sid:84674806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811707/; classtype:trojan-activity;sid:84674807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm7"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811708/; classtype:trojan-activity;sid:84674808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarmv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811709/; classtype:trojan-activity;sid:84674809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi686n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811710/; classtype:trojan-activity;sid:84674810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudparmv4l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811711/; classtype:trojan-activity;sid:84674811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarmv6"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811712/; classtype:trojan-activity;sid:84674812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiarmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811713/; classtype:trojan-activity;sid:84674813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rst32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811714/; classtype:trojan-activity;sid:84674814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackmips"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811701/; classtype:trojan-activity;sid:84674801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/librarymipsel"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811702/; classtype:trojan-activity;sid:84674802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm4n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811703/; classtype:trojan-activity;sid:84674803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki586"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811704/; classtype:trojan-activity;sid:84674804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811693/; classtype:trojan-activity;sid:84674793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm7n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811694/; classtype:trojan-activity;sid:84674794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcix86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811695/; classtype:trojan-activity;sid:84674795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv7l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811696/; classtype:trojan-activity;sid:84674796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811697/; classtype:trojan-activity;sid:84674797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rsti586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811698/; classtype:trojan-activity;sid:84674798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siii386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811699/; classtype:trojan-activity;sid:84674799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockppc"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811700/; classtype:trojan-activity;sid:84674800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sii386n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811692/; classtype:trojan-activity;sid:84674792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandi686"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811686/; classtype:trojan-activity;sid:84674786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm4"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811687/; classtype:trojan-activity;sid:84674787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarmv5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811688/; 
classtype:trojan-activity;sid:84674788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811689/; classtype:trojan-activity;sid:84674789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv5l"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811690/; classtype:trojan-activity;sid:84674790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarm5"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811691/; classtype:trojan-activity;sid:84674791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarm5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811685/; classtype:trojan-activity;sid:84674785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandmips"; depth:15; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811684/; classtype:trojan-activity;sid:84674784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarmv7"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811683/; classtype:trojan-activity;sid:84674783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssyni386"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811682/; classtype:trojan-activity;sid:84674782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2armv5l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811680/; classtype:trojan-activity;sid:84674780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811681/; classtype:trojan-activity;sid:84674781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811660)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811660/; classtype:trojan-activity;sid:84674760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811661/; classtype:trojan-activity;sid:84674761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tciriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811662/; classtype:trojan-activity;sid:84674762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siiriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811663/; classtype:trojan-activity;sid:84674763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2x64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811664/; 
classtype:trojan-activity;sid:84674764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/simipsel"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811665/; classtype:trojan-activity;sid:84674765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siackarm5n"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811666/; classtype:trojan-activity;sid:84674766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhi586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811667/; classtype:trojan-activity;sid:84674767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sudpi686"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811668/; classtype:trojan-activity;sid:84674768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sock"; depth:10; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811669/; classtype:trojan-activity;sid:84674769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/socki486"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811670/; classtype:trojan-activity;sid:84674770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tcii486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811671/; classtype:trojan-activity;sid:84674771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811672/; classtype:trojan-activity;sid:84674772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockx64"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811673/; classtype:trojan-activity;sid:84674773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811674)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811674/; classtype:trojan-activity;sid:84674774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811675/; classtype:trojan-activity;sid:84674775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mclibs2arm6n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811676/; classtype:trojan-activity;sid:84674776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdmpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811677/; classtype:trojan-activity;sid:84674777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdarm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811678/; 
classtype:trojan-activity;sid:84674778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ovhaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811679/; classtype:trojan-activity;sid:84674779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811656/; classtype:trojan-activity;sid:84674756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ssynarmv6"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811657/; classtype:trojan-activity;sid:84674757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockamd64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811658/; classtype:trojan-activity;sid:84674758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandriscv64"; depth:18; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811659/; classtype:trojan-activity;sid:84674759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv6l"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811648/; classtype:trojan-activity;sid:84674748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/tci"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811649/; classtype:trojan-activity;sid:84674749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm7n"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811650/; classtype:trojan-activity;sid:84674750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mtdi686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811651/; classtype:trojan-activity;sid:84674751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811652)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shand32"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811652/; classtype:trojan-activity;sid:84674752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/six86"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811653/; classtype:trojan-activity;sid:84674753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryi686n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811654/; classtype:trojan-activity;sid:84674754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811655/; classtype:trojan-activity;sid:84674755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sockarm64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811644/; 
classtype:trojan-activity;sid:84674744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811645/; classtype:trojan-activity;sid:84674745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/siarm5"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811646/; classtype:trojan-activity;sid:84674746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandarmv4"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811647/; classtype:trojan-activity;sid:84674747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/shandx86"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811643/; classtype:trojan-activity;sid:84674743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.i486"; depth:11; endswith; nocase; http.host; 
content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811642/; classtype:trojan-activity;sid:84674742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rstarm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811641/; classtype:trojan-activity;sid:84674741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811635/; classtype:trojan-activity;sid:84674735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i486n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811636/; classtype:trojan-activity;sid:84674736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv6l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811637/; classtype:trojan-activity;sid:84674737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv6l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811638/; classtype:trojan-activity;sid:84674738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2mipsel"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811639/; classtype:trojan-activity;sid:84674739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi686"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811640/; classtype:trojan-activity;sid:84674740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm7n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811631/; classtype:trojan-activity;sid:84674731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2aarch64"; depth:23; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, 
urlhaus.abuse.ch/url/3811632/; classtype:trojan-activity;sid:84674732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811633/; classtype:trojan-activity;sid:84674733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i386n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811634/; classtype:trojan-activity;sid:84674734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv6l"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811627/; classtype:trojan-activity;sid:84674727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811628/; classtype:trojan-activity;sid:84674728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7riscv64"; 
depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811629/; classtype:trojan-activity;sid:84674729; rev:1;)
#
# Reviewer notes for the rules that follow (http.host 103.130.214.71, http.uri /bins/<file>):
#
# - Every rule in this stretch pins http.host to the literal 103.130.214.71 and
#   http.uri to a single file under /bins/; all carry created_at 2026_04_05.
# - Matching is exact on both buffers. On http.uri, depth equals the content
#   length and endswith anchors the end of the buffer, so sid 84674644
#   ("/bins/ack") does not also fire for "/bins/ackarm5", and a request with a
#   query string appended to the path does not match. On http.host, depth:14
#   plus isdataat:!1,relative allows nothing after the address.
# - The alert is raised on the client's GET (flow:established,from_client), so
#   it records a download attempt from a $HOME_NET host; whether a payload was
#   actually returned has to be confirmed from the response or on the endpoint.
# - Coverage limits to keep in mind during triage: a fetch that carries a DNS
#   name in the Host header, runs over TLS without decryption, or asks for a
#   file name not listed here is outside these signatures. Address-based or
#   flow-level detection for the same server complements them.
# - The file-name suffixes (arm5, mips, mpsl, ppc, x86_64, riscv64, aarch64, ...)
#   read like CPU-architecture tags; this is inferred from the names only and
#   should be confirmed against the referenced URLhaus entries.
# - These lines are feed-generated (see the file header), so hand edits would
#   presumably be lost on the next update; keep local tuning in the rule
#   manager's disable/modify configuration or in a separate local rule file.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientppc"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811630/; classtype:trojan-activity;sid:84674730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2x64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811626/; classtype:trojan-activity;sid:84674726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/client32"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811620/; classtype:trojan-activity;sid:84674720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm5"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811621/; classtype:trojan-activity;sid:84674721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811622/; classtype:trojan-activity;sid:84674722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7amd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811623/; classtype:trojan-activity;sid:84674723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv6"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811624/; classtype:trojan-activity;sid:84674724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811625/; classtype:trojan-activity;sid:84674725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperamd64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811619/; classtype:trojan-activity;sid:84674719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm5n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811616/; classtype:trojan-activity;sid:84674716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811617/; classtype:trojan-activity;sid:84674717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811618/; classtype:trojan-activity;sid:84674718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811608/; classtype:trojan-activity;sid:84674708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2mips"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811609/; classtype:trojan-activity;sid:84674709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i386"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811610/; classtype:trojan-activity;sid:84674710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv4"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811611/; classtype:trojan-activity;sid:84674711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperx64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811612/; classtype:trojan-activity;sid:84674712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi486"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811613/; classtype:trojan-activity;sid:84674713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi686n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811614/; classtype:trojan-activity;sid:84674714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811615/; classtype:trojan-activity;sid:84674715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropper"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811607/; classtype:trojan-activity;sid:84674707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811604/; classtype:trojan-activity;sid:84674704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi386n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811605/; classtype:trojan-activity;sid:84674705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv4l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811606/; classtype:trojan-activity;sid:84674706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientaarch64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811602/; classtype:trojan-activity;sid:84674702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7mips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811603/; classtype:trojan-activity;sid:84674703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811597/; classtype:trojan-activity;sid:84674697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxmipsel"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811598/; classtype:trojan-activity;sid:84674698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm6n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811599/; classtype:trojan-activity;sid:84674699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi386"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811600/; classtype:trojan-activity;sid:84674700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811601/; classtype:trojan-activity;sid:84674701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi586"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811596/; classtype:trojan-activity;sid:84674696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv7l"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811591/; classtype:trojan-activity;sid:84674691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811592/; classtype:trojan-activity;sid:84674692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2x86"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811593/; classtype:trojan-activity;sid:84674693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i486n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811594/; classtype:trojan-activity;sid:84674694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811595/; classtype:trojan-activity;sid:84674695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv6"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811587/; classtype:trojan-activity;sid:84674687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi486"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811588/; classtype:trojan-activity;sid:84674688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryamd64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811589/; classtype:trojan-activity;sid:84674689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm6"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811590/; classtype:trojan-activity;sid:84674690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackmpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811585/; classtype:trojan-activity;sid:84674685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm5n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811586/; classtype:trojan-activity;sid:84674686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811583/; classtype:trojan-activity;sid:84674683; rev:1;)
# Not a duplicate of sid 84674666 further down: this path is written with a
# hyphen ("x86-64"), that one with an underscore ("x86_64").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientx86-64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811584/; classtype:trojan-activity;sid:84674684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li732"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811580/; classtype:trojan-activity;sid:84674680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7aarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811581/; classtype:trojan-activity;sid:84674681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811582/; classtype:trojan-activity;sid:84674682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv5l"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811573/; classtype:trojan-activity;sid:84674673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2mpsl"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811574/; classtype:trojan-activity;sid:84674674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm6"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811575/; classtype:trojan-activity;sid:84674675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811576/; classtype:trojan-activity;sid:84674676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperriscv64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811577/; classtype:trojan-activity;sid:84674677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv7l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811578/; classtype:trojan-activity;sid:84674678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxriscv64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811579/; classtype:trojan-activity;sid:84674679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm4n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811565/; classtype:trojan-activity;sid:84674665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientx86_64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811566/; classtype:trojan-activity;sid:84674666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811567/; classtype:trojan-activity;sid:84674667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientx64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811568/; classtype:trojan-activity;sid:84674668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv6"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811569/; classtype:trojan-activity;sid:84674669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811570/; classtype:trojan-activity;sid:84674670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm5n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811571/; classtype:trojan-activity;sid:84674671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackx86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811572/; classtype:trojan-activity;sid:84674672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/droppermpsl"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811564/; classtype:trojan-activity;sid:84674664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811561/; classtype:trojan-activity;sid:84674661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm7"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811562/; classtype:trojan-activity;sid:84674662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811563/; classtype:trojan-activity;sid:84674663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811560/; classtype:trojan-activity;sid:84674660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7ppc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811557/; classtype:trojan-activity;sid:84674657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv4l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811558/; classtype:trojan-activity;sid:84674658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientmpsl"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811559/; classtype:trojan-activity;sid:84674659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki586n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811553/; classtype:trojan-activity;sid:84674653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientmips"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811554/; classtype:trojan-activity;sid:84674654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i386"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811555/; classtype:trojan-activity;sid:84674655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7mpsl"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811556/; classtype:trojan-activity;sid:84674656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i486"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811547/; classtype:trojan-activity;sid:84674647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv4"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811548/; classtype:trojan-activity;sid:84674648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i386n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811549/; classtype:trojan-activity;sid:84674649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i686"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811550/; classtype:trojan-activity;sid:84674650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryaarch64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811551/; classtype:trojan-activity;sid:84674651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv7"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811552/; classtype:trojan-activity;sid:84674652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811540/; classtype:trojan-activity;sid:84674640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti686"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811541/; classtype:trojan-activity;sid:84674641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperaarch64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811542/; classtype:trojan-activity;sid:84674642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811543/; classtype:trojan-activity;sid:84674643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ack"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811544/; classtype:trojan-activity;sid:84674644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv5l"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811545/; classtype:trojan-activity;sid:84674645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackppc"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811546/; classtype:trojan-activity;sid:84674646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm6n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811539/; classtype:trojan-activity;sid:84674639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811536/; classtype:trojan-activity;sid:84674636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811537/; classtype:trojan-activity;sid:84674637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm7n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811538/; classtype:trojan-activity;sid:84674638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811535/; classtype:trojan-activity;sid:84674635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811526/; classtype:trojan-activity;sid:84674626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti386"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811527/; classtype:trojan-activity;sid:84674627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811528/; classtype:trojan-activity;sid:84674628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811529/; classtype:trojan-activity;sid:84674629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811530)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/bins/gofuckerv2x86_64"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811530/; classtype:trojan-activity;sid:84674630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm7"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811531/; classtype:trojan-activity;sid:84674631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv7"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811532/; classtype:trojan-activity;sid:84674632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm6n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811533/; classtype:trojan-activity;sid:84674633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm5n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811534/; classtype:trojan-activity;sid:84674634; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxmpsl"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811525/; classtype:trojan-activity;sid:84674625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i586"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811519/; classtype:trojan-activity;sid:84674619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2x86-64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811520/; classtype:trojan-activity;sid:84674620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811521/; classtype:trojan-activity;sid:84674621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti486n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811522/; classtype:trojan-activity;sid:84674622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2x86"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811523/; classtype:trojan-activity;sid:84674623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811524/; classtype:trojan-activity;sid:84674624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv6"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811517/; classtype:trojan-activity;sid:84674617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi586"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811518/; classtype:trojan-activity;sid:84674618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811515)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2x86-64"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811515/; classtype:trojan-activity;sid:84674615; rev:1;)
# Reviewer note: what an alert from the rules in this stretch tells you.
# - Direction is $HOME_NET -> $EXTERNAL_NET with `flow:established,from_client`
#   and http.method "GET": the rule fires on the outbound request, not on the
#   server's reply. An alert shows that an internal host asked for the file;
#   it does not show that the file was delivered or executed.
# - During triage, check the response on the same flow (status, size, file
#   hash where file extraction is enabled) and the requesting host itself
#   before treating the alert as a confirmed infection.
# - Each rule has its own sid, and its `reference:url` entry names the URLhaus
#   record the signature was generated from, which allows a per-URL lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811516/; classtype:trojan-activity;sid:84674616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm6n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811514/; classtype:trojan-activity;sid:84674614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv5"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811504/; classtype:trojan-activity;sid:84674604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i486"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811505/; classtype:trojan-activity;sid:84674605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi486n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811506/; classtype:trojan-activity;sid:84674606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811507/; classtype:trojan-activity;sid:84674607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i486n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811508/; classtype:trojan-activity;sid:84674608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm4n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811509/; classtype:trojan-activity;sid:84674609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm4"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811510/; classtype:trojan-activity;sid:84674610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti486"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811511/; classtype:trojan-activity;sid:84674611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm4n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811512/; classtype:trojan-activity;sid:84674612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library32"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811513/; classtype:trojan-activity;sid:84674613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811499/; classtype:trojan-activity;sid:84674599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv4l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811500/; classtype:trojan-activity;sid:84674600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm5"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811501/; classtype:trojan-activity;sid:84674601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv7l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811502/; classtype:trojan-activity;sid:84674602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv4l"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811503/; classtype:trojan-activity;sid:84674603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv4"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811498/; classtype:trojan-activity;sid:84674598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2aarch64"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811495/; classtype:trojan-activity;sid:84674595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7prox32"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811496/; classtype:trojan-activity;sid:84674596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm7"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811497/; classtype:trojan-activity;sid:84674597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv6l"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811494/; classtype:trojan-activity;sid:84674594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti586n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811489/; classtype:trojan-activity;sid:84674589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i386n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811490/; classtype:trojan-activity;sid:84674590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv5"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811491/; classtype:trojan-activity;sid:84674591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm4n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811492/; classtype:trojan-activity;sid:84674592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/droppermips"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811493/; classtype:trojan-activity;sid:84674593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki686"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811485/; classtype:trojan-activity;sid:84674585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv5l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811486/; classtype:trojan-activity;sid:84674586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxppc"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811487/; classtype:trojan-activity;sid:84674587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientriscv64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811488/; classtype:trojan-activity;sid:84674588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm4n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url,
urlhaus.abuse.ch/url/3811478/; classtype:trojan-activity;sid:84674578; rev:1;)
# Reviewer note: coverage limits of the rules in this stretch.
# - These are `alert http` rules, so they apply only to traffic Suricata
#   parses as HTTP. Contact with 103.130.214.71 over TLS or another protocol
#   is outside their scope; if that address matters to you, cover it with an
#   IP-level rule or blocklist as well.
# - Every complete rule here carries `metadata:created_at 2026_04_05` and
#   `rev:1`. They are point-in-time indicators for one host and one exact
#   path each, and stop matching once the files move. Keep the ruleset
#   refreshed from the feed rather than pinning an old copy.
# - The action is `alert`, not `drop`: as written the rules report the
#   request and do not block it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperx86_64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811479/; classtype:trojan-activity;sid:84674579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxx86-64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811480/; classtype:trojan-activity;sid:84674580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7x86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811481/; classtype:trojan-activity;sid:84674581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2amd64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811482/; classtype:trojan-activity;sid:84674582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm5"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811483/; classtype:trojan-activity;sid:84674583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811484/; classtype:trojan-activity;sid:84674584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm5"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811475/; classtype:trojan-activity;sid:84674575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i586"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811476/; classtype:trojan-activity;sid:84674576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ack32"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811477/; classtype:trojan-activity;sid:84674577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi586n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811473/; classtype:trojan-activity;sid:84674573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv4"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811474/; classtype:trojan-activity;sid:84674574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2ppc"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811471/; classtype:trojan-activity;sid:84674571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811472/; classtype:trojan-activity;sid:84674572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm5n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811470/; classtype:trojan-activity;sid:84674570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i686n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811468/; classtype:trojan-activity;sid:84674568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxamd64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811469/; classtype:trojan-activity;sid:84674569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv6l"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811465/; classtype:trojan-activity;sid:84674565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackriscv64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811466/; classtype:trojan-activity;sid:84674566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv232"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811467/; classtype:trojan-activity;sid:84674567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811458/; classtype:trojan-activity;sid:84674558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811459/; classtype:trojan-activity;sid:84674559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm7n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811460/; classtype:trojan-activity;sid:84674560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropper32"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811461/; classtype:trojan-activity;sid:84674561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm4n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811462/; classtype:trojan-activity;sid:84674562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm7n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811463/; classtype:trojan-activity;sid:84674563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2mipsel"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811464/; classtype:trojan-activity;sid:84674564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm5n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811455/; classtype:trojan-activity;sid:84674555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv7l"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811456/; classtype:trojan-activity;sid:84674556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7x86"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811457/; classtype:trojan-activity;sid:84674557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv5l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811454/; classtype:trojan-activity;sid:84674554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm4"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811453/; classtype:trojan-activity;sid:84674553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti586"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811452/; classtype:trojan-activity;sid:84674552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811449)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/bins/ackarm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811449/; classtype:trojan-activity;sid:84674549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm64"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811450/; classtype:trojan-activity;sid:84674550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm4"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811451/; classtype:trojan-activity;sid:84674551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm7n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811445/; classtype:trojan-activity;sid:84674545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library232"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811446/; classtype:trojan-activity;sid:84674546; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm6"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811447/; classtype:trojan-activity;sid:84674547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti686n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811448/; classtype:trojan-activity;sid:84674548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7i686n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811443/; classtype:trojan-activity;sid:84674543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxmips"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811444/; classtype:trojan-activity;sid:84674544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxx86"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811439/; classtype:trojan-activity;sid:84674539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2riscv64"; depth:23; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811440/; classtype:trojan-activity;sid:84674540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperx86-64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811441/; classtype:trojan-activity;sid:84674541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7mipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811442/; classtype:trojan-activity;sid:84674542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi686n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811435/; classtype:trojan-activity;sid:84674535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811436)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/li7x86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811436/; classtype:trojan-activity;sid:84674536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/client"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811437/; classtype:trojan-activity;sid:84674537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxaarch64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811438/; classtype:trojan-activity;sid:84674538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi386"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811432/; classtype:trojan-activity;sid:84674532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv7"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811433/; classtype:trojan-activity;sid:84674533; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarmv7l"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811434/; classtype:trojan-activity;sid:84674534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7prox"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811430/; classtype:trojan-activity;sid:84674530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811431/; classtype:trojan-activity;sid:84674531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv5"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811427/; classtype:trojan-activity;sid:84674527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2x64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811428/; classtype:trojan-activity;sid:84674528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm4n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811429/; classtype:trojan-activity;sid:84674529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv5l"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811424/; classtype:trojan-activity;sid:84674524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2mpsl"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811425/; classtype:trojan-activity;sid:84674525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv7l"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811426/; classtype:trojan-activity;sid:84674526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811418)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackmips"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811418/; classtype:trojan-activity;sid:84674518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm7"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811419/; classtype:trojan-activity;sid:84674519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarmv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811420/; classtype:trojan-activity;sid:84674520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv6"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811421/; classtype:trojan-activity;sid:84674521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv7"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811422/; 
classtype:trojan-activity;sid:84674522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarmv7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811423/; classtype:trojan-activity;sid:84674523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv5"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811414/; classtype:trojan-activity;sid:84674514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811415/; classtype:trojan-activity;sid:84674515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2x86_64"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811416/; classtype:trojan-activity;sid:84674516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki486n"; depth:14; endswith; nocase; 
http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811417/; classtype:trojan-activity;sid:84674517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi586n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811410/; classtype:trojan-activity;sid:84674510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm6n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811411/; classtype:trojan-activity;sid:84674511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv4"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811412/; classtype:trojan-activity;sid:84674512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientx86"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811413/; classtype:trojan-activity;sid:84674513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811405/; classtype:trojan-activity;sid:84674505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811406/; classtype:trojan-activity;sid:84674506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarmv7"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811407/; classtype:trojan-activity;sid:84674507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm6n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811408/; classtype:trojan-activity;sid:84674508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/acki486"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811409/; 
classtype:trojan-activity;sid:84674509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi486n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811403/; classtype:trojan-activity;sid:84674503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/libraryarm6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811404/; classtype:trojan-activity;sid:84674504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackamd64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811401/; classtype:trojan-activity;sid:84674501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxi386n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811402/; classtype:trojan-activity;sid:84674502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxx86_64"; depth:19; endswith; nocase; 
http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811400/; classtype:trojan-activity;sid:84674500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientmipsel"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811395/; classtype:trojan-activity;sid:84674495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperarm4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811396/; classtype:trojan-activity;sid:84674496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7x64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811397/; classtype:trojan-activity;sid:84674497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7arm5n"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811398/; classtype:trojan-activity;sid:84674498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811399/; classtype:trojan-activity;sid:84674499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm4"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811390/; classtype:trojan-activity;sid:84674490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i586n"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811391/; classtype:trojan-activity;sid:84674491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientamd64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811392/; classtype:trojan-activity;sid:84674492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i586n"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, 
urlhaus.abuse.ch/url/3811393/; classtype:trojan-activity;sid:84674493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7"; depth:9; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811394/; classtype:trojan-activity;sid:84674494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clientarm64"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811384/; classtype:trojan-activity;sid:84674484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811385/; classtype:trojan-activity;sid:84674485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm64"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811386/; classtype:trojan-activity;sid:84674486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxx64"; depth:16; 
endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811387/; classtype:trojan-activity;sid:84674487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/droppermipsel"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811388/; classtype:trojan-activity;sid:84674488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/clienti386n"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811389/; classtype:trojan-activity;sid:84674489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv5l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811382/; classtype:trojan-activity;sid:84674482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackx86_64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811383/; classtype:trojan-activity;sid:84674483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3811377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv6l"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811377/; classtype:trojan-activity;sid:84674477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7armv5"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811378/; classtype:trojan-activity;sid:84674478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperi686"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811379/; classtype:trojan-activity;sid:84674479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811380/; classtype:trojan-activity;sid:84674480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2amd64"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, 
urlhaus.abuse.ch/url/3811381/; classtype:trojan-activity;sid:84674481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2mips"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811375/; classtype:trojan-activity;sid:84674475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/li7proxarm7n"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811376/; classtype:trojan-activity;sid:84674476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2armv4l"; depth:22; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811374/; classtype:trojan-activity;sid:84674474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2arm6"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811373/; classtype:trojan-activity;sid:84674473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811360)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/ackmipsel"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811360/; classtype:trojan-activity;sid:84674460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackaarch64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811361/; classtype:trojan-activity;sid:84674461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2i686"; depth:18; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811362/; classtype:trojan-activity;sid:84674462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2ppc"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811363/; classtype:trojan-activity;sid:84674463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2arm64"; depth:19; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811364/; classtype:trojan-activity;sid:84674464; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2riscv64"; depth:21; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811365/; classtype:trojan-activity;sid:84674465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/library2armv4l"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811366/; classtype:trojan-activity;sid:84674466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i586"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811367/; classtype:trojan-activity;sid:84674467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/gofuckerv2i386"; depth:20; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811368/; classtype:trojan-activity;sid:84674468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackx64"; depth:12; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811369/; classtype:trojan-activity;sid:84674469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackarm64"; depth:14; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811370/; classtype:trojan-activity;sid:84674470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ackx86-64"; depth:15; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811371/; classtype:trojan-activity;sid:84674471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropperx86"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811372/; classtype:trojan-activity;sid:84674472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/cat.sh"; depth:13; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811359/; classtype:trojan-activity;sid:84674459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811345)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/binss/mirai.arm4"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811345/; classtype:trojan-activity;sid:84674445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x64"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811346/; classtype:trojan-activity;sid:84674446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.mpsl"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811347/; classtype:trojan-activity;sid:84674447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.spc"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811348/; classtype:trojan-activity;sid:84674448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.x64"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811349/; classtype:trojan-activity;sid:84674449; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.arm6"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811350/; classtype:trojan-activity;sid:84674450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.x86"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811351/; classtype:trojan-activity;sid:84674451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.apk"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811352/; classtype:trojan-activity;sid:84674452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.i486"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811353/; classtype:trojan-activity;sid:84674453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.mips"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_04_05; reference:url, urlhaus.abuse.ch/url/3811354/; classtype:trojan-activity;sid:84674454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.m68k"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811355/; classtype:trojan-activity;sid:84674455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.i686"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811356/; classtype:trojan-activity;sid:84674456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.dbg"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811357/; classtype:trojan-activity;sid:84674457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.dbg"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811358/; classtype:trojan-activity;sid:84674458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811342)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/binss/mirai.arm7"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811342/; classtype:trojan-activity;sid:84674442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.apk"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811343/; classtype:trojan-activity;sid:84674443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.sh4"; depth:16; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811344/; classtype:trojan-activity;sid:84674444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binss/mirai.arm5"; depth:17; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811341/; classtype:trojan-activity;sid:84674441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.208.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811340/; classtype:trojan-activity;sid:84674440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3811329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm5"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811329/; classtype:trojan-activity;sid:84674429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.m68k"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811330/; classtype:trojan-activity;sid:84674430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811331/; classtype:trojan-activity;sid:84674431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.i486"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811332/; classtype:trojan-activity;sid:84674432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.sh4"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, 
urlhaus.abuse.ch/url/3811333/; classtype:trojan-activity;sid:84674433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm4"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811334/; classtype:trojan-activity;sid:84674434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mpsl"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811335/; classtype:trojan-activity;sid:84674435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.spc"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811336/; classtype:trojan-activity;sid:84674436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm6"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811337/; classtype:trojan-activity;sid:84674437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; endswith; nocase; 
http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811338/; classtype:trojan-activity;sid:84674438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.i686"; depth:11; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811339/; classtype:trojan-activity;sid:84674439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.170.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811328/; classtype:trojan-activity;sid:84674428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; endswith; nocase; http.host; content:"103.130.214.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811327/; classtype:trojan-activity;sid:84674427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.251.64.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811326/; classtype:trojan-activity;sid:84674426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811325)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811325/; classtype:trojan-activity;sid:84674425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.160.191.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811324/; classtype:trojan-activity;sid:84674424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.9.46.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811323/; classtype:trojan-activity;sid:84674423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.9.46.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811322/; classtype:trojan-activity;sid:84674422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.251.64.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811321/; classtype:trojan-activity;sid:84674421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3811320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.41.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811320/; classtype:trojan-activity;sid:84674420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.160.191.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811319/; classtype:trojan-activity;sid:84674419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.231.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811318/; classtype:trojan-activity;sid:84674418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811317/; classtype:trojan-activity;sid:84674417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811316/; 
classtype:trojan-activity;sid:84674416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.78.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811315/; classtype:trojan-activity;sid:84674415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.48.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3811314/; classtype:trojan-activity;sid:84674414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811313/; classtype:trojan-activity;sid:84674413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811308/; classtype:trojan-activity;sid:84674408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811309/; classtype:trojan-activity;sid:84674409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811310/; classtype:trojan-activity;sid:84674410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811311/; classtype:trojan-activity;sid:84674411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811312/; classtype:trojan-activity;sid:84674412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811306/; classtype:trojan-activity;sid:84674406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; 
endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811307/; classtype:trojan-activity;sid:84674407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811305/; classtype:trojan-activity;sid:84674405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811304/; classtype:trojan-activity;sid:84674404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811300/; classtype:trojan-activity;sid:84674400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811301/; classtype:trojan-activity;sid:84674401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811302)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811302/; classtype:trojan-activity;sid:84674402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ow.sh"; depth:6; endswith; nocase; http.host; content:"216.245.140.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811303/; classtype:trojan-activity;sid:84674403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.78.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811298/; classtype:trojan-activity;sid:84674398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.47.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811299/; classtype:trojan-activity;sid:84674399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.6.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811297/; classtype:trojan-activity;sid:84674397; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.6.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811296/; classtype:trojan-activity;sid:84674396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.29.184"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811295/; classtype:trojan-activity;sid:84674395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.215.97.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811294/; classtype:trojan-activity;sid:84674394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"dough-svc.balkarbelyashi.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811293/; classtype:trojan-activity;sid:84674393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"fry-logic.balkarbelyashi.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811292/; classtype:trojan-activity;sid:84674392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"meat-store.balkarbelyashi.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811291/; classtype:trojan-activity;sid:84674391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.162.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811290/; classtype:trojan-activity;sid:84674390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"food-truck.balkarbelyashi.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811289/; classtype:trojan-activity;sid:84674389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.80.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811288/; classtype:trojan-activity;sid:84674388; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hit-rate.hammermathemat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811287/; classtype:trojan-activity;sid:84674387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.195.99.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811286/; classtype:trojan-activity;sid:84674386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"forge-sync.hammermathemat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811285/; classtype:trojan-activity;sid:84674385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.236.65.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811284/; classtype:trojan-activity;sid:84674384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811283)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"math-hub.hammermathemat.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811283/; classtype:trojan-activity;sid:84674383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.168.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811282/; classtype:trojan-activity;sid:84674382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.139.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811281/; classtype:trojan-activity;sid:84674381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"calc-engine.hammermathemat.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811280/; classtype:trojan-activity;sid:84674380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"nail-check.hammermathemat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 
2026_04_04; reference:url, urlhaus.abuse.ch/url/3811279/; classtype:trojan-activity;sid:84674379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"tool-logic.hammermathemat.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811278/; classtype:trojan-activity;sid:84674378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.195.99.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811277/; classtype:trojan-activity;sid:84674377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"taste-hub.caliphsaucy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811276/; classtype:trojan-activity;sid:84674376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxyv2.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811274/; classtype:trojan-activity;sid:84674374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3811275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811275/; classtype:trojan-activity;sid:84674375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"chef-node.caliphsaucy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811273/; classtype:trojan-activity;sid:84674373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"royal-svc.caliphsaucy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811272/; classtype:trojan-activity;sid:84674372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"palace-gate.caliphsaucy.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811271/; classtype:trojan-activity;sid:84674371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.5.114.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811270/; classtype:trojan-activity;sid:84674370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.69.72.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811269/; classtype:trojan-activity;sid:84674369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"hot-sauce.caliphsaucy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811268/; classtype:trojan-activity;sid:84674368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.95.82.68"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811267/; classtype:trojan-activity;sid:84674367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"spicy-api.caliphsaucy.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811266/; classtype:trojan-activity;sid:84674366; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/1nzijzw.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811265/; classtype:trojan-activity;sid:84674365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"shrink-io.eucharistshrink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811264/; classtype:trojan-activity;sid:84674364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.115.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811263/; classtype:trojan-activity;sid:84674363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"altar-svc.eucharistshrink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811262/; classtype:trojan-activity;sid:84674362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"36.69.72.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811261/; classtype:trojan-activity;sid:84674361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"faith-gate.eucharistshrink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811260/; classtype:trojan-activity;sid:84674360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"rite-check.eucharistshrink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811259/; classtype:trojan-activity;sid:84674359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"holy-path.eucharistshrink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811258/; classtype:trojan-activity;sid:84674358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.115.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; 
reference:url, urlhaus.abuse.ch/url/3811257/; classtype:trojan-activity;sid:84674357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.135.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811256/; classtype:trojan-activity;sid:84674356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.10.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811255/; classtype:trojan-activity;sid:84674355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bread-wine.eucharistshrink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811254/; classtype:trojan-activity;sid:84674354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.153.144.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811253/; classtype:trojan-activity;sid:84674353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811252)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"prime-time.lookyouthful.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811252/; classtype:trojan-activity;sid:84674352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"age-logic.lookyouthful.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811251/; classtype:trojan-activity;sid:84674351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.193.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811250/; classtype:trojan-activity;sid:84674350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.28.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811249/; classtype:trojan-activity;sid:84674349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"fresh-svc.lookyouthful.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 
2026_04_04; reference:url, urlhaus.abuse.ch/url/3811248/; classtype:trojan-activity;sid:84674348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"glow-node.lookyouthful.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811247/; classtype:trojan-activity;sid:84674347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.153.144.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811246/; classtype:trojan-activity;sid:84674346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.10.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811245/; classtype:trojan-activity;sid:84674345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.23.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811244/; classtype:trojan-activity;sid:84674344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811243)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"face-lift.lookyouthful.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811243/; classtype:trojan-activity;sid:84674343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"skin-care.lookyouthful.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811242/; classtype:trojan-activity;sid:84674342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.116.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811241/; classtype:trojan-activity;sid:84674341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"sales-api.confoundsoldout.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811240/; classtype:trojan-activity;sid:84674340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; 
content:"deal-proxy.confoundsoldout.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811239/; classtype:trojan-activity;sid:84674339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.193.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811238/; classtype:trojan-activity;sid:84674338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"stock-out.confoundsoldout.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811237/; classtype:trojan-activity;sid:84674337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.23.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811236/; classtype:trojan-activity;sid:84674336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.116.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811235/; classtype:trojan-activity;sid:84674335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3811234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"puzz-sync.confoundsoldout.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811234/; classtype:trojan-activity;sid:84674334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.234.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811233/; classtype:trojan-activity;sid:84674333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"maze-check.confoundsoldout.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811232/; classtype:trojan-activity;sid:84674332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"blur-logic.confoundsoldout.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811231/; classtype:trojan-activity;sid:84674331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811230)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
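content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.157.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811230/; classtype:trojan-activity;sid:84674330; rev:1;)
# NOTE(review), sid 84674329: depth was 53, which is the character count of the
# escaped pattern text. The decoded pattern is 38 bytes (each |xx| group is one
# byte), so combined with endswith the rule also accepted URIs with up to 15
# extra leading bytes. depth is set to 38 to restore the exact-URI match used by
# the other rules in this set (depth == pattern length). This is a local
# deviation from the upstream feed; a feed refresh will overwrite it.
# TODO confirm: |7c|26|7c| matches the literal bytes "|26|". If the listed URL
# separates its parameters with "&" (0x26), the pattern was escaped twice and
# this rule will not fire on the real request. Verify against the URLhaus entry
# referenced in the rule before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=egyqsrbzzzlaezab"; depth:38; endswith; nocase; http.host; content:"o4v2vsml.momentumbloomera.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811229/; classtype:trojan-activity;sid:84674329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"task-mgr.edunoppress.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811228/; classtype:trojan-activity;sid:84674328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aygbsqq0c4"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811227/; classtype:trojan-activity;sid:84674327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3vrtjbxplo"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811224/; 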
classtype:trojan-activity;sid:84674324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rh1ele5p8l"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811225/; classtype:trojan-activity;sid:84674325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3yahbbprg4"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811226/; classtype:trojan-activity;sid:84674326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rduiqsxg66"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811223/; classtype:trojan-activity;sid:84674323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/547e510g2m"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811219/; classtype:trojan-activity;sid:84674319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5u6pbsspr6"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811220/; classtype:trojan-activity;sid:84674320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rigdtn0fpm"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811221/; classtype:trojan-activity;sid:84674321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rt6l46cwdn"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811222/; classtype:trojan-activity;sid:84674322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zlr01030u5"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811218/; classtype:trojan-activity;sid:84674318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"open-book.edunoppress.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811217/; classtype:trojan-activity;sid:84674317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.88.141.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811216/; classtype:trojan-activity;sid:84674316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"edu-portal.edunoppress.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811215/; classtype:trojan-activity;sid:84674315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.105.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811214/; classtype:trojan-activity;sid:84674314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.187.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811213/; classtype:trojan-activity;sid:84674313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"class-sync.edunoppress.in.net"; depth:29; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811212/; classtype:trojan-activity;sid:84674312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"learn-gate.edunoppress.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811211/; classtype:trojan-activity;sid:84674311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"study-flow.edunoppress.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811210/; classtype:trojan-activity;sid:84674310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.194.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811209/; classtype:trojan-activity;sid:84674309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.244.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811208/; classtype:trojan-activity;sid:84674308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3811207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.188.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811207/; classtype:trojan-activity;sid:84674307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"re-use-svc.recycleroach.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811206/; classtype:trojan-activity;sid:84674306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"scrap-api.recycleroach.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811205/; classtype:trojan-activity;sid:84674305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"bin-monitor.recycleroach.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811204/; classtype:trojan-activity;sid:84674304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811203)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"green-node.recycleroach.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811203/; classtype:trojan-activity;sid:84674303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.253.241.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811202/; classtype:trojan-activity;sid:84674302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"waste-log.recycleroach.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811201/; classtype:trojan-activity;sid:84674301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.244.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811200/; classtype:trojan-activity;sid:84674300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.80.221.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811199/; 
classtype:trojan-activity;sid:84674299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"eco-cycle.recycleroach.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811198/; classtype:trojan-activity;sid:84674298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"photo-sync.digiframe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811197/; classtype:trojan-activity;sid:84674297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.7.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811196/; classtype:trojan-activity;sid:84674296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"border-io.digiframe.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811195/; classtype:trojan-activity;sid:84674295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.98.187.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811194/; classtype:trojan-activity;sid:84674294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"edge-cache.digiframe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811193/; classtype:trojan-activity;sid:84674293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"web-portal.digiframe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811192/; classtype:trojan-activity;sid:84674292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"static-cdn.digiframe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811191/; classtype:trojan-activity;sid:84674291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.49.31.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811189/; classtype:trojan-activity;sid:84674289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.178.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811190/; classtype:trojan-activity;sid:84674290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pixel-view.digiframe.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811188/; classtype:trojan-activity;sid:84674288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.205.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811187/; classtype:trojan-activity;sid:84674287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.58.108.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811186/; classtype:trojan-activity;sid:84674286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3811185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"thought-hub.neurogrid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811185/; classtype:trojan-activity;sid:84674285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.7.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811184/; classtype:trojan-activity;sid:84674284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"pulse-logic.neurogrid.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811183/; classtype:trojan-activity;sid:84674283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05fe317c-0981-4de2-bc8a-930d369db441/verification.google"; depth:57; endswith; nocase; http.host; content:"mind-node.neurogrid.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811182/; classtype:trojan-activity;sid:84674282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"182.113.205.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811181/; classtype:trojan-activity;sid:84674281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.31.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811180/; classtype:trojan-activity;sid:84674280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.178.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811178/; classtype:trojan-activity;sid:84674278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nerve-center.neurogrid.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811179/; classtype:trojan-activity;sid:84674279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.234.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811177/; classtype:trojan-activity;sid:84674277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6728144278/8egt7yc.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811176/; classtype:trojan-activity;sid:84674276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.109.236.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811175/; classtype:trojan-activity;sid:84674275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brain-scan.neurogrid.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811174/; classtype:trojan-activity;sid:84674274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mesh-cloud.technofabric.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811173/; classtype:trojan-activity;sid:84674273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.31.170.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, 
urlhaus.abuse.ch/url/3811172/; classtype:trojan-activity;sid:84674272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.130.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811171/; classtype:trojan-activity;sid:84674271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fiber-route.technofabric.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811170/; classtype:trojan-activity;sid:84674270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dob.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811169/; classtype:trojan-activity;sid:84674269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811167/; classtype:trojan-activity;sid:84674267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get1.sh"; depth:8; endswith; nocase; 
http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811168/; classtype:trojan-activity;sid:84674268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811166/; classtype:trojan-activity;sid:84674266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.168.181.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811165/; classtype:trojan-activity;sid:84674265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"weave-sync.technofabric.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811164/; classtype:trojan-activity;sid:84674264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cloth-net.technofabric.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811163/; classtype:trojan-activity;sid:84674263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3811162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.122.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811162/; classtype:trojan-activity;sid:84674262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"step-check.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811161/; classtype:trojan-activity;sid:84674261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.130.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811160/; classtype:trojan-activity;sid:84674260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"main-frame.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811159/; classtype:trojan-activity;sid:84674259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/encr/random.exe"; depth:22; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, 
urlhaus.abuse.ch/url/3811158/; classtype:trojan-activity;sid:84674258; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this part of the feed (one rule per line below).
#
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET
# (any ports) whose URI and Host both equal one URLhaus entry:
#   * http.uri:  content + depth:<content length> + endswith means the whole
#     URI buffer must be that string (nocase: compared case-insensitively).
#     A request that appends a query string, or asks for another path on the
#     same host, does not match.
#   * http.host: content + depth:<content length> + isdataat:!1,relative means
#     nothing may follow the match, so the host must be exactly that value.
#
# Coverage caveat: these are "alert http" rules, so the same URL fetched over
# TLS is not inspected unless traffic is decrypted upstream of the sensor.
#
# Triage: an alert shows that a request for a listed URL was sent
# (flow:...,from_client); no rule here looks at the response, so confirm on
# the endpoint or in proxy logs whether a payload was actually retrieved.
# The number in msg equals the id in the reference URL, and for the rules
# visible here sid = that id + 80863100.
#
# Several hosts appear in more than one rule (e.g. /i and /bin.sh on the same
# address, or six different paths on 46.151.182.82), so correlating alerts by
# destination host groups related hits.
#
# All rules here carry metadata created_at 2026_04_04.
# NOTE(review): the file header has a "Last updated" stamp, so the feed is
# presumably regenerated; check the URLhaus reference for an entry's current
# status before acting on a hit from an old rule.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.54.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811157/; classtype:trojan-activity;sid:84674257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.122.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811156/; classtype:trojan-activity;sid:84674256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rule-engine.logicstream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811155/; classtype:trojan-activity;sid:84674255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"packet-flow.logicstream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811154/; classtype:trojan-activity;sid:84674254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.226.151.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811153/; classtype:trojan-activity;sid:84674253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"code-gate.logicstream.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811152/; classtype:trojan-activity;sid:84674252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bit-stream.logicstream.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811151/; classtype:trojan-activity;sid:84674251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.81.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811150/; classtype:trojan-activity;sid:84674250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"anon-auth.cryptolayer.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811149/; classtype:trojan-activity;sid:84674249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.150.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811148/; classtype:trojan-activity;sid:84674248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.54.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811147/; classtype:trojan-activity;sid:84674247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hash-store.cryptolayer.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811146/; classtype:trojan-activity;sid:84674246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.114.139.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811145/; classtype:trojan-activity;sid:84674245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-key.cryptolayer.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811144/; classtype:trojan-activity;sid:84674244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.150.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811143/; classtype:trojan-activity;sid:84674243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.56.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811142/; classtype:trojan-activity;sid:84674242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.226.151.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811141/; classtype:trojan-activity;sid:84674241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.56.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811140/; classtype:trojan-activity;sid:84674240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.214.240.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811139/; classtype:trojan-activity;sid:84674239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811138/; classtype:trojan-activity;sid:84674238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.9.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811137/; classtype:trojan-activity;sid:84674237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811136/; classtype:trojan-activity;sid:84674236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811135/; classtype:trojan-activity;sid:84674235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.0.207"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811134/; classtype:trojan-activity;sid:84674234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.9.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811133/; classtype:trojan-activity;sid:84674233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.63.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811132/; classtype:trojan-activity;sid:84674232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.144.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811131/; classtype:trojan-activity;sid:84674231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.73.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811130/; classtype:trojan-activity;sid:84674230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.64.226"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811129/; classtype:trojan-activity;sid:84674229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811128/; classtype:trojan-activity;sid:84674228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clean"; depth:6; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811124/; classtype:trojan-activity;sid:84674224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811125/; classtype:trojan-activity;sid:84674225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811126/; classtype:trojan-activity;sid:84674226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811127/; classtype:trojan-activity;sid:84674227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"46.151.182.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811123/; classtype:trojan-activity;sid:84674223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.144.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811122/; classtype:trojan-activity;sid:84674222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.0.207"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811121/; classtype:trojan-activity;sid:84674221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.191.23.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811120/; classtype:trojan-activity;sid:84674220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.180.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811119/; classtype:trojan-activity;sid:84674219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811118/; classtype:trojan-activity;sid:84674218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.180.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811117/; classtype:trojan-activity;sid:84674217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.135.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811116/; classtype:trojan-activity;sid:84674216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.101.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811115/; classtype:trojan-activity;sid:84674215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8468794285/cv4b5nr.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811114/; classtype:trojan-activity;sid:84674214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.191.23.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811113/; classtype:trojan-activity;sid:84674213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.180.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811112/; classtype:trojan-activity;sid:84674212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.180.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811111/; classtype:trojan-activity;sid:84674211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.159.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811110/; classtype:trojan-activity;sid:84674210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.249.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811109/; classtype:trojan-activity;sid:84674209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.233.86.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811108/; classtype:trojan-activity;sid:84674208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/atencio/random.exe"; depth:25; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811107/; classtype:trojan-activity;sid:84674207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.15.88.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811106/; classtype:trojan-activity;sid:84674206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.233.86.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811105/; classtype:trojan-activity;sid:84674205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811104/; classtype:trojan-activity;sid:84674204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.77.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811103/; classtype:trojan-activity;sid:84674203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.159.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811102/; classtype:trojan-activity;sid:84674202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.115.74.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811101/; classtype:trojan-activity;sid:84674201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.47.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811100/; classtype:trojan-activity;sid:84674200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.249.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811099/; classtype:trojan-activity;sid:84674199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.15.88.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811098/; classtype:trojan-activity;sid:84674198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.91.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811097/; classtype:trojan-activity;sid:84674197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.193.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811096/; classtype:trojan-activity;sid:84674196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.115.74.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811095/; classtype:trojan-activity;sid:84674195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.222.44.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811094/; classtype:trojan-activity;sid:84674194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.26.115.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811093/; classtype:trojan-activity;sid:84674193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.229.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811092/; classtype:trojan-activity;sid:84674192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811091/; classtype:trojan-activity;sid:84674191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.76.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811090/; classtype:trojan-activity;sid:84674190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.26.115.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811089/; classtype:trojan-activity;sid:84674189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811088/; classtype:trojan-activity;sid:84674188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/securitypatch.ps1"; depth:35; endswith; nocase; http.host; content:"dcdivas.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811087/; classtype:trojan-activity;sid:84674187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.91.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811086/; classtype:trojan-activity;sid:84674186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.160.139.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811085/; classtype:trojan-activity;sid:84674185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.229.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811084/; classtype:trojan-activity;sid:84674184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811083/; classtype:trojan-activity;sid:84674183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.9.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811082/; classtype:trojan-activity;sid:84674182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.159.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811081/; classtype:trojan-activity;sid:84674181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.148.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811080/; classtype:trojan-activity;sid:84674180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/main_mips"; depth:20; endswith; nocase; http.host; content:"162.215.170.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811079/; classtype:trojan-activity;sid:84674179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86_64"; depth:11; endswith; nocase; http.host; content:"83.142.209.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811078/; classtype:trojan-activity;sid:84674178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.160.139.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811077/; classtype:trojan-activity;sid:84674177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.193.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811076/; classtype:trojan-activity;sid:84674176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.58.108.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811075/; classtype:trojan-activity;sid:84674175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.42.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811074/; classtype:trojan-activity;sid:84674174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811073/; classtype:trojan-activity;sid:84674173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.175.206.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811065/; classtype:trojan-activity;sid:84674165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811066/; classtype:trojan-activity;sid:84674166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811067/; classtype:trojan-activity;sid:84674167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.171.205.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811068/; classtype:trojan-activity;sid:84674168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.203.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811069/; classtype:trojan-activity;sid:84674169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.200.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811070/; classtype:trojan-activity;sid:84674170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.200.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811071/; classtype:trojan-activity;sid:84674171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.149.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811072/; classtype:trojan-activity;sid:84674172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.41.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811064/; classtype:trojan-activity;sid:84674164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.89.157.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811062/; classtype:trojan-activity;sid:84674162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.89.157.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811063/; classtype:trojan-activity;sid:84674163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.159.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811061/; classtype:trojan-activity;sid:84674161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.247.41.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811058/; classtype:trojan-activity;sid:84674158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811059/; classtype:trojan-activity;sid:84674159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.109.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811060/; classtype:trojan-activity;sid:84674160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3811057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.247.41.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811057/; classtype:trojan-activity;sid:84674157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811055/; classtype:trojan-activity;sid:84674155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.171.205.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811056/; classtype:trojan-activity;sid:84674156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"211.46.228.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811054/; classtype:trojan-activity;sid:84674154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.109.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811053/; classtype:trojan-activity;sid:84674153; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.9.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811052/; classtype:trojan-activity;sid:84674152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811051/; classtype:trojan-activity;sid:84674151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.89.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811050/; classtype:trojan-activity;sid:84674150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.92.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811049/; classtype:trojan-activity;sid:84674149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.91.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, 
urlhaus.abuse.ch/url/3811048/; classtype:trojan-activity;sid:84674148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.165.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811047/; classtype:trojan-activity;sid:84674147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.148.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811046/; classtype:trojan-activity;sid:84674146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.91.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811045/; classtype:trojan-activity;sid:84674145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.165.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811044/; classtype:trojan-activity;sid:84674144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.123.237"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811043/; classtype:trojan-activity;sid:84674143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.24.189.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811042/; classtype:trojan-activity;sid:84674142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.148.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811041/; classtype:trojan-activity;sid:84674141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.34.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811040/; classtype:trojan-activity;sid:84674140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.123.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811039/; classtype:trojan-activity;sid:84674139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"170.254.10.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811038/; classtype:trojan-activity;sid:84674138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.132.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811037/; classtype:trojan-activity;sid:84674137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.50.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811036/; classtype:trojan-activity;sid:84674136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.34.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811035/; classtype:trojan-activity;sid:84674135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.177.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811034/; classtype:trojan-activity;sid:84674134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811033)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.107.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811033/; classtype:trojan-activity;sid:84674133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.132.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811032/; classtype:trojan-activity;sid:84674132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.166.191.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811031/; classtype:trojan-activity;sid:84674131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.227.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811030/; classtype:trojan-activity;sid:84674130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.225.177.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811029/; classtype:trojan-activity;sid:84674129; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.163.134.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811028/; classtype:trojan-activity;sid:84674128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811027/; classtype:trojan-activity;sid:84674127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.163.134.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811026/; classtype:trojan-activity;sid:84674126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.204.165.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811025/; classtype:trojan-activity;sid:84674125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.185.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811024/; 
classtype:trojan-activity;sid:84674124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.164.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811023/; classtype:trojan-activity;sid:84674123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.204.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811022/; classtype:trojan-activity;sid:84674122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.198.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811021/; classtype:trojan-activity;sid:84674121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.185.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811020/; classtype:trojan-activity;sid:84674120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.68.209"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811019/; classtype:trojan-activity;sid:84674119; rev:1;)
# Rule layout shared by the entries below:
#   flow:established,from_client + http.method content "GET"
#       -> client-to-server GET requests on established flows from $HOME_NET to $EXTERNAL_NET.
#   http.uri content + depth:<n> + endswith + nocase
#       -> the pattern must be found within the first <n> bytes of the URI buffer and must end
#          at the buffer's last byte; the comparison is case-insensitive. When <n> equals the
#          pattern length this is a whole-URI match.
#   http.host content + depth:<n> + isdataat:!1,relative
#       -> the same start/end anchoring applied to the host buffer.
#   The destination port is `any` and the host pattern carries no port, so these rules do not
#   constrain the port.
#   `alert http` only inspects traffic that Suricata parses as HTTP; a download made over TLS
#   is not visible to these rules unless the sensor sees decrypted traffic.
# Triage: the number in msg and in reference:url is the URLhaus entry id for the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.59.107.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811018/; classtype:trojan-activity;sid:84674118; rev:1;)
# NOTE(review): |3f| is the hex escape for "?" and |7c| is the hex escape for a literal "|",
# so this pattern decodes to "/uc?export=download|26|id=...". 0x26 is "&"; it looks as if the
# "&" separator was hex-escaped twice somewhere upstream. If that is the case, a request that
# carries a plain "&" does not match this content. Confirm against URLhaus entry 3811016
# before counting on this rule for coverage.
# depth:68 equals the length of the escaped string; the decoded pattern is 59 bytes, so depth
# does not pin the match to offset 0 here (endswith still anchors the end).
# The host is a shared file-hosting service, so the URI is the only selective part of the rule,
# and nocase compares the file id case-insensitively.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1rn-dtnes_17qddgnq8xjdqjxu57jf7ov"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811016/; classtype:trojan-activity;sid:84674116; rev:1;)
# The next two rules cover the same URI path on one host with type=vbs and type=exe.
# depth:56 counts |3f| as four characters; the decoded URI pattern is 53 bytes, so up to three
# leading bytes are tolerated in front of the pattern.
# NOTE(review): this looks like a generator artefact; reporting it upstream is preferable to a
# local edit, which a feed refresh would presumably replace.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agent/download/69cce9bcd01476be56868ba0|3f|type=vbs"; depth:56; endswith; nocase; http.host; content:"preziosamagazines.cc"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811015/; classtype:trojan-activity;sid:84674115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/agent/download/69cce9bcd01476be56868ba0|3f|type=exe"; depth:56; endswith; nocase; http.host; content:"preziosamagazines.cc"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811012/; classtype:trojan-activity;sid:84674112; rev:1;)
# No hex escapes in this pattern, so depth:16 equals the pattern length and the URI match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_clkfx/lnk1.txt"; depth:16; endswith; nocase; http.host; content:"xx.kak.is"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811011/; classtype:trojan-activity;sid:84674111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.198.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811010/; classtype:trojan-activity;sid:84674110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.84.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811009/; classtype:trojan-activity;sid:84674109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811008/; classtype:trojan-activity;sid:84674108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.68.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811007/; 
classtype:trojan-activity;sid:84674107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.59.107.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811006/; classtype:trojan-activity;sid:84674106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.22.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811005/; classtype:trojan-activity;sid:84674105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.77.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811004/; classtype:trojan-activity;sid:84674104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811003/; classtype:trojan-activity;sid:84674103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t.sh"; depth:5; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811002/; classtype:trojan-activity;sid:84674102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.98.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811001/; classtype:trojan-activity;sid:84674101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.84.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811000/; classtype:trojan-activity;sid:84674100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.75.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810999/; classtype:trojan-activity;sid:84674099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.144.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810998/; classtype:trojan-activity;sid:84674098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"222.137.144.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810997/; classtype:trojan-activity;sid:84674097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.5.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810994/; classtype:trojan-activity;sid:84674094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.163.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810995/; classtype:trojan-activity;sid:84674095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810996/; classtype:trojan-activity;sid:84674096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810993/; classtype:trojan-activity;sid:84674093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810992)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.75.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810992/; classtype:trojan-activity;sid:84674092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.143.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810991/; classtype:trojan-activity;sid:84674091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.5.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810989/; classtype:trojan-activity;sid:84674089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.163.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810990/; classtype:trojan-activity;sid:84674090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.255.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810988/; classtype:trojan-activity;sid:84674088; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.214.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810987/; classtype:trojan-activity;sid:84674087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.59.83.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810986/; classtype:trojan-activity;sid:84674086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.214.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810985/; classtype:trojan-activity;sid:84674085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.255.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810984/; classtype:trojan-activity;sid:84674084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.143.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810983/; 
classtype:trojan-activity;sid:84674083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.209.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810982/; classtype:trojan-activity;sid:84674082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.27.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810981/; classtype:trojan-activity;sid:84674081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.102.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810980/; classtype:trojan-activity;sid:84674080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.76.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810979/; classtype:trojan-activity;sid:84674079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.59.83.43"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810978/; classtype:trojan-activity;sid:84674078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.102.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810977/; classtype:trojan-activity;sid:84674077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.146.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810976/; classtype:trojan-activity;sid:84674076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.206.31.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810975/; classtype:trojan-activity;sid:84674075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.209.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810974/; classtype:trojan-activity;sid:84674074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"196.189.9.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810973/; classtype:trojan-activity;sid:84674073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810971/; classtype:trojan-activity;sid:84674071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.244.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810972/; classtype:trojan-activity;sid:84674072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810969/; classtype:trojan-activity;sid:84674069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810970/; classtype:trojan-activity;sid:84674070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810963)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/linnn"; depth:6; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810963/; classtype:trojan-activity;sid:84674063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810964/; classtype:trojan-activity;sid:84674064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810965/; classtype:trojan-activity;sid:84674065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810966/; classtype:trojan-activity;sid:84674066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810967/; classtype:trojan-activity;sid:84674067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3810968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810968/; classtype:trojan-activity;sid:84674068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810962/; classtype:trojan-activity;sid:84674062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.252.216.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810961/; classtype:trojan-activity;sid:84674061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810960/; classtype:trojan-activity;sid:84674060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.98.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810959/; classtype:trojan-activity;sid:84674059; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.177.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810958/; classtype:trojan-activity;sid:84674058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810957/; classtype:trojan-activity;sid:84674057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.46.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810956/; classtype:trojan-activity;sid:84674056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.206.31.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810955/; classtype:trojan-activity;sid:84674055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.29.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, 
urlhaus.abuse.ch/url/3810954/; classtype:trojan-activity;sid:84674054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.57.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810953/; classtype:trojan-activity;sid:84674053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.192.121.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810952/; classtype:trojan-activity;sid:84674052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810951/; classtype:trojan-activity;sid:84674051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.129.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810950/; classtype:trojan-activity;sid:84674050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.252.216.66"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810949/; classtype:trojan-activity;sid:84674049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.146.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810948/; classtype:trojan-activity;sid:84674048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.244.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810947/; classtype:trojan-activity;sid:84674047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.9.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810946/; classtype:trojan-activity;sid:84674046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.57.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810945/; classtype:trojan-activity;sid:84674045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810944)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"156.229.118.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810944/; classtype:trojan-activity;sid:84674044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.46.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810943/; classtype:trojan-activity;sid:84674043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810941/; classtype:trojan-activity;sid:84674041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.177.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810942/; classtype:trojan-activity;sid:84674042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.98.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810940/; classtype:trojan-activity;sid:84674040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3810939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.0.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810939/; classtype:trojan-activity;sid:84674039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.192.121.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810938/; classtype:trojan-activity;sid:84674038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"91.244.71.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810937/; classtype:trojan-activity;sid:84674037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.126.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810936/; classtype:trojan-activity;sid:84674036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.95.40.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810935/; classtype:trojan-activity;sid:84674035; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810933/; classtype:trojan-activity;sid:84674033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.226.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810934/; classtype:trojan-activity;sid:84674034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.241.219.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810932/; classtype:trojan-activity;sid:84674032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.0.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810931/; classtype:trojan-activity;sid:84674031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.161.249.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, 
urlhaus.abuse.ch/url/3810930/; classtype:trojan-activity;sid:84674030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.43.127.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810929/; classtype:trojan-activity;sid:84674029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.246.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810928/; classtype:trojan-activity;sid:84674028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apt0.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810927/; classtype:trojan-activity;sid:84674027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810925/; classtype:trojan-activity;sid:84674025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810926/; classtype:trojan-activity;sid:84674026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810924/; classtype:trojan-activity;sid:84674024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810923/; classtype:trojan-activity;sid:84674023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810921/; classtype:trojan-activity;sid:84674021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810922/; classtype:trojan-activity;sid:84674022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810919)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810919/; classtype:trojan-activity;sid:84674019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.153.34.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810920/; classtype:trojan-activity;sid:84674020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.22.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810918/; classtype:trojan-activity;sid:84674018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.241.219.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810917/; classtype:trojan-activity;sid:84674017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.132.231.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810916/; classtype:trojan-activity;sid:84674016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3810915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.246.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810915/; classtype:trojan-activity;sid:84674015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.244.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810914/; classtype:trojan-activity;sid:84674014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.132.231.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810913/; classtype:trojan-activity;sid:84674013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.80.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810912/; classtype:trojan-activity;sid:84674012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.92.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810911/; classtype:trojan-activity;sid:84674011; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810909/; classtype:trojan-activity;sid:84674009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.71.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810910/; classtype:trojan-activity;sid:84674010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.39.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810908/; classtype:trojan-activity;sid:84674008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.50.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810907/; classtype:trojan-activity;sid:84674007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.226.212.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810906/; 
classtype:trojan-activity;sid:84674006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.195.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810905/; classtype:trojan-activity;sid:84674005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.222.44.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810904/; classtype:trojan-activity;sid:84674004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.3.44.167"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810903/; classtype:trojan-activity;sid:84674003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.39.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810902/; classtype:trojan-activity;sid:84674002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.50.155"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810901/; classtype:trojan-activity;sid:84674001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.240.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810900/; classtype:trojan-activity;sid:84674000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.63.231.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810899/; classtype:trojan-activity;sid:84673999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.226.212.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810898/; classtype:trojan-activity;sid:84673998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.71.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810897/; classtype:trojan-activity;sid:84673997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"60.3.44.167"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810896/; classtype:trojan-activity;sid:84673996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3810895/; classtype:trojan-activity;sid:84673995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.244.180.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810894/; classtype:trojan-activity;sid:84673994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.238.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810892/; classtype:trojan-activity;sid:84673992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.77.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810893/; classtype:trojan-activity;sid:84673993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810891)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.200.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810891/; classtype:trojan-activity;sid:84673991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apt0.sh"; depth:8; endswith; nocase; http.host; content:"45.153.34.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810890/; classtype:trojan-activity;sid:84673990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810889/; classtype:trojan-activity;sid:84673989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810888/; classtype:trojan-activity;sid:84673988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.238.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810887/; classtype:trojan-activity;sid:84673987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3810886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.158.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810886/; classtype:trojan-activity;sid:84673986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810885/; classtype:trojan-activity;sid:84673985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.253.117.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810884/; classtype:trojan-activity;sid:84673984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.235.72.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810883/; classtype:trojan-activity;sid:84673983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.106.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810882/; classtype:trojan-activity;sid:84673982; rev:1;) 
# Reading the rules in this feed (every rule uses the same template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with "flow:established,from_client"
#     inspects client requests leaving $HOME_NET; a sensor whose $HOME_NET / $EXTERNAL_NET
#     variables do not reflect the monitored network will not raise these alerts.
#   - http.uri: "depth" equals the length of the content and "endswith" is set, so the
#     whole URI buffer must equal the listed path (case-insensitive because of "nocase").
#     A request for the same path with a query string or extra segments does not match.
#   - http.host: "depth" plus "isdataat:!1,relative" pins the host to exactly the listed value.
#   - The action is "alert" (detection only) and the protocol is http, so a download over
#     TLS is not covered unless the traffic is decrypted before inspection.
#   - "metadata:created_at" is the date the entry was added and "reference:url" links the
#     URLhaus record; NOTE(review): check both during triage, since the hosts are bare IPs
#     and whether an address still serves the payload cannot be told from the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810881/; classtype:trojan-activity;sid:84673981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.106.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810879/; classtype:trojan-activity;sid:84673979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.158.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810880/; classtype:trojan-activity;sid:84673980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810877/; classtype:trojan-activity;sid:84673977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.167.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, 
urlhaus.abuse.ch/url/3810878/; classtype:trojan-activity;sid:84673978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.200.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810876/; classtype:trojan-activity;sid:84673976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.68.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810875/; classtype:trojan-activity;sid:84673975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.68.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810874/; classtype:trojan-activity;sid:84673974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.87.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810873/; classtype:trojan-activity;sid:84673973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.167.135"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810872/; classtype:trojan-activity;sid:84673972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.239.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810871/; classtype:trojan-activity;sid:84673971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.143.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810870/; classtype:trojan-activity;sid:84673970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.249.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810869/; classtype:trojan-activity;sid:84673969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.33.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810868/; classtype:trojan-activity;sid:84673968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"115.63.14.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810867/; classtype:trojan-activity;sid:84673967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.206.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810865/; classtype:trojan-activity;sid:84673965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.239.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810866/; classtype:trojan-activity;sid:84673966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.109.236.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810864/; classtype:trojan-activity;sid:84673964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.59.120.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810863/; classtype:trojan-activity;sid:84673963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810862)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.162.206.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810862/; classtype:trojan-activity;sid:84673962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.204.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810861/; classtype:trojan-activity;sid:84673961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.245.195.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810860/; classtype:trojan-activity;sid:84673960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.204.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810859/; classtype:trojan-activity;sid:84673959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"65.99.181.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810858/; classtype:trojan-activity;sid:84673958; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.36.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810857/; classtype:trojan-activity;sid:84673957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.168.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810856/; classtype:trojan-activity;sid:84673956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.245.195.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810855/; classtype:trojan-activity;sid:84673955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.167.189.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810853/; classtype:trojan-activity;sid:84673953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.140.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810854/; 
classtype:trojan-activity;sid:84673954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810852/; classtype:trojan-activity;sid:84673952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.139.32.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810851/; classtype:trojan-activity;sid:84673951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.36.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810850/; classtype:trojan-activity;sid:84673950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.204.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810849/; classtype:trojan-activity;sid:84673949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dipndotsk"; depth:10; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810848/; classtype:trojan-activity;sid:84673948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.63.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810847/; classtype:trojan-activity;sid:84673947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810846/; classtype:trojan-activity;sid:84673946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/leetootoo/random.exe"; depth:27; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810845/; classtype:trojan-activity;sid:84673945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.239.144.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810844/; classtype:trojan-activity;sid:84673944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"110.139.32.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810843/; classtype:trojan-activity;sid:84673943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.204.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810842/; classtype:trojan-activity;sid:84673942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.16.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810841/; classtype:trojan-activity;sid:84673941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810840/; classtype:trojan-activity;sid:84673940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.251.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810839/; classtype:trojan-activity;sid:84673939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810838)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810838/; classtype:trojan-activity;sid:84673938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo.aqg.sh"; depth:13; endswith; nocase; http.host; content:"45.92.1.50"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810836/; classtype:trojan-activity;sid:84673936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.53.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810835/; classtype:trojan-activity;sid:84673935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810834/; classtype:trojan-activity;sid:84673934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.214.240.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810833/; classtype:trojan-activity;sid:84673933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3810832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.239.144.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810832/; classtype:trojan-activity;sid:84673932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810831/; classtype:trojan-activity;sid:84673931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.exe"; depth:8; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810830/; classtype:trojan-activity;sid:84673930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred64.dll"; depth:28; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810828/; classtype:trojan-activity;sid:84673928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psd8ezaw/plugins/cred.dll"; depth:26; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; 
reference:url, urlhaus.abuse.ch/url/3810829/; classtype:trojan-activity;sid:84673929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.53.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810827/; classtype:trojan-activity;sid:84673927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.78.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810826/; classtype:trojan-activity;sid:84673926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.227.66.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810825/; classtype:trojan-activity;sid:84673925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810824/; classtype:trojan-activity;sid:84673924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"168.227.66.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810823/; classtype:trojan-activity;sid:84673923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dipndots"; depth:9; endswith; nocase; http.host; content:"87.121.112.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810822/; classtype:trojan-activity;sid:84673922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810821/; classtype:trojan-activity;sid:84673921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.194.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810820/; classtype:trojan-activity;sid:84673920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.191.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810819/; classtype:trojan-activity;sid:84673919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810818)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810818/; classtype:trojan-activity;sid:84673918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.238.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810816/; classtype:trojan-activity;sid:84673916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.13.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810817/; classtype:trojan-activity;sid:84673917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.194.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810815/; classtype:trojan-activity;sid:84673915; rev:1;)
# The next eight rules (URLhaus ids 3810807-3810814) share http.host 176.65.139.102 and
# differ only in the /bins/yakuza.<suffix> path (arm5, mips, arm, ppc, arm6, arm7, x86,
# mpsl). The suffixes look like CPU architecture tags (unconfirmed). Each rule matches its
# whole URI exactly, so correlate alerts on the shared host rather than per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.arm5"; depth:17; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810812/; classtype:trojan-activity;sid:84673912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.mips"; depth:17; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810813/; classtype:trojan-activity;sid:84673913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.arm"; depth:16; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810814/; classtype:trojan-activity;sid:84673914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.ppc"; depth:16; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810811/; classtype:trojan-activity;sid:84673911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.arm6"; depth:17; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810807/; classtype:trojan-activity;sid:84673907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.arm7"; depth:17; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810808/; classtype:trojan-activity;sid:84673908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.x86"; depth:16; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810809/; classtype:trojan-activity;sid:84673909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/yakuza.mpsl"; depth:17; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810810/; classtype:trojan-activity;sid:84673910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.253.222.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810806/; classtype:trojan-activity;sid:84673906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810805/; classtype:trojan-activity;sid:84673905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810804/; classtype:trojan-activity;sid:84673904; rev:1;)
# Several hosts in this run are listed twice, once for /i and once for /bin.sh
# (42.226.68.107, 42.7.222.67, 45.177.32.104, 219.157.55.95). The two sids of a pair
# describe the same server, so group their alerts by http.host during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.13.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810803/; classtype:trojan-activity;sid:84673903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.68.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810802/; classtype:trojan-activity;sid:84673902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.218.212.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810801/; classtype:trojan-activity;sid:84673901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.208.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810800/; classtype:trojan-activity;sid:84673900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810799/; classtype:trojan-activity;sid:84673899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.238.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810798/; classtype:trojan-activity;sid:84673898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.222.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810797/; classtype:trojan-activity;sid:84673897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.68.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810796/; classtype:trojan-activity;sid:84673896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.177.32.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810795/; classtype:trojan-activity;sid:84673895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.222.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810794/; classtype:trojan-activity;sid:84673894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.55.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810793/; classtype:trojan-activity;sid:84673893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.177.32.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810792/; classtype:trojan-activity;sid:84673892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.55.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810791/; classtype:trojan-activity;sid:84673891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.252.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810790/; classtype:trojan-activity;sid:84673890; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.68.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810789/; classtype:trojan-activity;sid:84673889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.252.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810788/; classtype:trojan-activity;sid:84673888; rev:1;)
# The next rule and 3810780 further down share http.host 85.239.147.6 and the path shape
# /files/<10 digits>/<name>.exe. Both match one exact URI, so neither covers any other
# file name under /files/ on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5851730241/iqer4wy.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810787/; classtype:trojan-activity;sid:84673887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.68.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810786/; classtype:trojan-activity;sid:84673886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.10.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810785/; classtype:trojan-activity;sid:84673885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.208.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810784/; classtype:trojan-activity;sid:84673884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.112.189.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810783/; classtype:trojan-activity;sid:84673883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.163.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810782/; classtype:trojan-activity;sid:84673882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.112.189.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810781/; classtype:trojan-activity;sid:84673881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8405865752/bthxxmv.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810780/; classtype:trojan-activity;sid:84673880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.206.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810779/; classtype:trojan-activity;sid:84673879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.123.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810778/; classtype:trojan-activity;sid:84673878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810777/; classtype:trojan-activity;sid:84673877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.33.7"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810776/; classtype:trojan-activity;sid:84673876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810775)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.163.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810775/; classtype:trojan-activity;sid:84673875; rev:1;)
# The next six rules (URLhaus ids 3810769-3810774) share http.host 212.64.201.57 and
# differ only in the /main_<suffix> path (x86_64, arm6, ppc, m68k, x86, arm5). The suffixes
# look like CPU architecture tags (unconfirmed); correlate alerts on the shared host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810774/; classtype:trojan-activity;sid:84673874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810773/; classtype:trojan-activity;sid:84673873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810771/; classtype:trojan-activity;sid:84673871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810772/; classtype:trojan-activity;sid:84673872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810769/; classtype:trojan-activity;sid:84673869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"212.64.201.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810770/; classtype:trojan-activity;sid:84673870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.151.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810768/; classtype:trojan-activity;sid:84673868; rev:1;)
# 37.48.254.120 is listed for two paths, /mipsel and /mips. Because depth plus endswith
# pins the whole URI, the /mips rule does not also fire on /mipsel.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"37.48.254.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810767/; classtype:trojan-activity;sid:84673867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"37.48.254.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810766/; classtype:trojan-activity;sid:84673866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.205.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810765/; classtype:trojan-activity;sid:84673865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.246.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810764/; classtype:trojan-activity;sid:84673864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.207.82.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810763/; classtype:trojan-activity;sid:84673863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.184.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810762/; classtype:trojan-activity;sid:84673862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.252.165"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810761/; classtype:trojan-activity;sid:84673861; rev:1;)
# Apart from 3810754 (/ln8cw1ox1f on 179.43.182.70), every rule in this run matches one of
# two generic paths, /i or /bin.sh, so the http.host value is what identifies the
# indicator. 221.225.31.105, 117.205.93.132 and 123.148.129.27 are each listed for both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.62.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810760/; classtype:trojan-activity;sid:84673860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.166.152.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810759/; classtype:trojan-activity;sid:84673859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.205.93.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810758/; classtype:trojan-activity;sid:84673858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.225.31.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810757/; classtype:trojan-activity;sid:84673857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.225.31.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810756/; classtype:trojan-activity;sid:84673856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.93.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810755/; classtype:trojan-activity;sid:84673855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ln8cw1ox1f"; depth:11; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810754/; classtype:trojan-activity;sid:84673854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.129.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810753/; classtype:trojan-activity;sid:84673853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.123.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810752/; classtype:trojan-activity;sid:84673852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.6.169.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810751/; classtype:trojan-activity;sid:84673851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.129.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810750/; classtype:trojan-activity;sid:84673850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.64.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810749/; classtype:trojan-activity;sid:84673849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.214.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810748/; classtype:trojan-activity;sid:84673848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.39.122.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810747/; classtype:trojan-activity;sid:84673847; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"177.39.122.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810746/; classtype:trojan-activity;sid:84673846; rev:1;)
# Every rule in this run matches /i or /bin.sh, so http.host is the only field that
# separates one indicator from the next; the number in msg and in the reference URL is
# the URLhaus entry to consult when triaging. 115.48.4.205 is listed for both paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810745/; classtype:trojan-activity;sid:84673845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.6.169.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810744/; classtype:trojan-activity;sid:84673844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.4.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810743/; classtype:trojan-activity;sid:84673843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.133.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810742/; classtype:trojan-activity;sid:84673842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.61.48.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810741/; classtype:trojan-activity;sid:84673841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.148.232.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810740/; classtype:trojan-activity;sid:84673840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"156.229.118.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810739/; classtype:trojan-activity;sid:84673839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.4.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810738/; classtype:trojan-activity;sid:84673838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.109.241.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810737/; classtype:trojan-activity;sid:84673837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.105.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810736/; classtype:trojan-activity;sid:84673836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.8.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810735/; classtype:trojan-activity;sid:84673835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.53.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810734/; classtype:trojan-activity;sid:84673834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.231.246.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810733/; classtype:trojan-activity;sid:84673833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.57.51.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810732/; classtype:trojan-activity;sid:84673832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.183.184.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810731/; classtype:trojan-activity;sid:84673831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.10.133.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810730/; classtype:trojan-activity;sid:84673830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.32.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810729/; classtype:trojan-activity;sid:84673829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.8.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810728/; classtype:trojan-activity;sid:84673828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810727)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.231.246.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810727/; classtype:trojan-activity;sid:84673827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.32.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810726/; classtype:trojan-activity;sid:84673826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.105.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810725/; classtype:trojan-activity;sid:84673825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"191.210.133.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810724/; classtype:trojan-activity;sid:84673824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.109.241.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810723/; classtype:trojan-activity;sid:84673823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3810722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.142.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810722/; classtype:trojan-activity;sid:84673822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.208.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810721/; classtype:trojan-activity;sid:84673821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.205.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810720/; classtype:trojan-activity;sid:84673820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.81.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810719/; classtype:trojan-activity;sid:84673819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.180.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810718/; classtype:trojan-activity;sid:84673818; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810717/; classtype:trojan-activity;sid:84673817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.205.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810716/; classtype:trojan-activity;sid:84673816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.243.178.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810715/; classtype:trojan-activity;sid:84673815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.180.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810714/; classtype:trojan-activity;sid:84673814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.244.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, 
urlhaus.abuse.ch/url/3810713/; classtype:trojan-activity;sid:84673813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.197.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810712/; classtype:trojan-activity;sid:84673812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810711/; classtype:trojan-activity;sid:84673811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.209.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810710/; classtype:trojan-activity;sid:84673810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.49.72"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810709/; classtype:trojan-activity;sid:84673809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.244.168"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810708/; classtype:trojan-activity;sid:84673808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810707/; classtype:trojan-activity;sid:84673807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810706/; classtype:trojan-activity;sid:84673806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.197.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810705/; classtype:trojan-activity;sid:84673805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.25.133.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810704/; classtype:trojan-activity;sid:84673804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"60.22.49.72"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810703/; classtype:trojan-activity;sid:84673803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.20.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810702/; classtype:trojan-activity;sid:84673802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.148.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810701/; classtype:trojan-activity;sid:84673801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.161.59.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810700/; classtype:trojan-activity;sid:84673800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.148.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810699/; classtype:trojan-activity;sid:84673799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810698)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.148.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810698/; classtype:trojan-activity;sid:84673798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.94.123.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810697/; classtype:trojan-activity;sid:84673797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.148.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810696/; classtype:trojan-activity;sid:84673796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.94.142.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810695/; classtype:trojan-activity;sid:84673795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.235.234.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810693/; classtype:trojan-activity;sid:84673793; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.235.234.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810694/; classtype:trojan-activity;sid:84673794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810692/; classtype:trojan-activity;sid:84673792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.123.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810691/; classtype:trojan-activity;sid:84673791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.229.190.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810690/; classtype:trojan-activity;sid:84673790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810688/; 
classtype:trojan-activity;sid:84673788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"192.176.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810689/; classtype:trojan-activity;sid:84673789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.148.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810687/; classtype:trojan-activity;sid:84673787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.151.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810686/; classtype:trojan-activity;sid:84673786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"192.176.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810685/; classtype:trojan-activity;sid:84673785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.14.146"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810684/; classtype:trojan-activity;sid:84673784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.148.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810683/; classtype:trojan-activity;sid:84673783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.151.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810682/; classtype:trojan-activity;sid:84673782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.64.226"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810681/; classtype:trojan-activity;sid:84673781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.122.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810678/; classtype:trojan-activity;sid:84673778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"125.45.54.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810679/; classtype:trojan-activity;sid:84673779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.229.190.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810680/; classtype:trojan-activity;sid:84673780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.14.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810677/; classtype:trojan-activity;sid:84673777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.149.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810676/; classtype:trojan-activity;sid:84673776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.0.215.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810675/; classtype:trojan-activity;sid:84673775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810674)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.64.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810674/; classtype:trojan-activity;sid:84673774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wo125u1gmn/x86"; depth:15; endswith; nocase; http.host; content:"83.168.107.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810673/; classtype:trojan-activity;sid:84673773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.183.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810672/; classtype:trojan-activity;sid:84673772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.142.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810671/; classtype:trojan-activity;sid:84673771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.149.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810670/; classtype:trojan-activity;sid:84673770; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.115.78.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810668/; classtype:trojan-activity;sid:84673768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.77.235.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810669/; classtype:trojan-activity;sid:84673769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.147.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810667/; classtype:trojan-activity;sid:84673767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.250.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810666/; classtype:trojan-activity;sid:84673766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.242.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810665/; 
classtype:trojan-activity;sid:84673765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.52.230.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810664/; classtype:trojan-activity;sid:84673764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.52.230.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810663/; classtype:trojan-activity;sid:84673763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.142.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810662/; classtype:trojan-activity;sid:84673762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.235.250.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810661/; classtype:trojan-activity;sid:84673761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.195.161"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810660/; classtype:trojan-activity;sid:84673760; rev:1;)
# How to read the rules in this stretch of the feed (they all share one template):
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with `flow:established,from_client`:
#     only client-to-server data on flows handled as HTTP is inspected. The destination
#     port is `any`, so the port is not part of the match. Requests carried inside TLS
#     are outside these rules unless traffic is decrypted before the sensor.
#   - `http.method; content:"GET";` has no position modifiers (plain content match on the
#     method buffer).
#   - `http.uri; content:"<path>"; depth:<pattern length>; endswith; nocase;` pins the match
#     to both ends of the URI buffer, i.e. the buffer must equal the listed path, compared
#     case-insensitively. A request to the same host with another path or an appended
#     query string is not expected to match.
#   - `http.host; content:"<ip>"; depth:<pattern length>; isdataat:!1,relative;` likewise
#     requires the host buffer to equal the listed IPv4 literal.
#   - No response-side keyword is used: an alert records that an internal client REQUESTED
#     a listed URL, not that a payload was returned. During triage, confirm the response
#     (status, size, file type) in HTTP/flow/file logs before concluding the client
#     received the file.
#   - In every rule here sid = URLhaus entry id + 80863100, and `reference:url` points at
#     the URLhaus page for that entry id.
# NOTE(review): these are point-in-time indicators (see metadata:created_at). Several hosts
# are listed twice, once for "/i" and once for "/bin.sh"; correlate alerts per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.168.181.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810659/; classtype:trojan-activity;sid:84673759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810658/; classtype:trojan-activity;sid:84673758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.167.189.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810657/; classtype:trojan-activity;sid:84673757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.127.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810656/; classtype:trojan-activity;sid:84673756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.27.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810655/; classtype:trojan-activity;sid:84673755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.185.93.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810654/; classtype:trojan-activity;sid:84673754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.147.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810653/; classtype:trojan-activity;sid:84673753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.10.255.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810652/; classtype:trojan-activity;sid:84673752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.79.150.232"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810651/; classtype:trojan-activity;sid:84673751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.216.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810650/; classtype:trojan-activity;sid:84673750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.166.152.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810649/; classtype:trojan-activity;sid:84673749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.16.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810648/; classtype:trojan-activity;sid:84673748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.214.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810647/; classtype:trojan-activity;sid:84673747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.10.255.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810646/; classtype:trojan-activity;sid:84673746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.16.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810645/; classtype:trojan-activity;sid:84673745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.215.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810644/; classtype:trojan-activity;sid:84673744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.205.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810643/; classtype:trojan-activity;sid:84673743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.9.139.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810642/; classtype:trojan-activity;sid:84673742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.205.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810641/; classtype:trojan-activity;sid:84673741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.9.139.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810640/; classtype:trojan-activity;sid:84673740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.254.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810639/; classtype:trojan-activity;sid:84673739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.215.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810638/; classtype:trojan-activity;sid:84673738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.181.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810637/; classtype:trojan-activity;sid:84673737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.235.99.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810636/; classtype:trojan-activity;sid:84673736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.254.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810635/; classtype:trojan-activity;sid:84673735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.193.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810634/; classtype:trojan-activity;sid:84673734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.52.56.85"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810633/; classtype:trojan-activity;sid:84673733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.6.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810632/; classtype:trojan-activity;sid:84673732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.6.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810631/; classtype:trojan-activity;sid:84673731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.72.41.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810630/; classtype:trojan-activity;sid:84673730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.181.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810629/; classtype:trojan-activity;sid:84673729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.235.99.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810628/; classtype:trojan-activity;sid:84673728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.72.41.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810627/; classtype:trojan-activity;sid:84673727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.29.184"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810626/; classtype:trojan-activity;sid:84673726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.111.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810625/; classtype:trojan-activity;sid:84673725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810624/; classtype:trojan-activity;sid:84673724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810623/; classtype:trojan-activity;sid:84673723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810622/; classtype:trojan-activity;sid:84673722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.33.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810621/; classtype:trojan-activity;sid:84673721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.48.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810620/; classtype:trojan-activity;sid:84673720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.212.56.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810619/; classtype:trojan-activity;sid:84673719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810618/; classtype:trojan-activity;sid:84673718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.55.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810617/; classtype:trojan-activity;sid:84673717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.111.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810616/; classtype:trojan-activity;sid:84673716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810615/; classtype:trojan-activity;sid:84673715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.184.19"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810614/; classtype:trojan-activity;sid:84673714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.10.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810613/; classtype:trojan-activity;sid:84673713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.33.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810612/; classtype:trojan-activity;sid:84673712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.183.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810611/; classtype:trojan-activity;sid:84673711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.10.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810610/; classtype:trojan-activity;sid:84673710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.55.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810609/; classtype:trojan-activity;sid:84673709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.25.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810608/; classtype:trojan-activity;sid:84673708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.48.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810607/; classtype:trojan-activity;sid:84673707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.184.19"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810606/; classtype:trojan-activity;sid:84673706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.39.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810605/; classtype:trojan-activity;sid:84673705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.63.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810604/; classtype:trojan-activity;sid:84673704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.143.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810603/; classtype:trojan-activity;sid:84673703; rev:1;)
# The next rule matches a full .exe path under /files/ (depth:29) rather than "/i" or "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8514679081/s5m3ryz.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810602/; classtype:trojan-activity;sid:84673702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.249.194.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810601/; classtype:trojan-activity;sid:84673701; rev:1;)
# The next rule matches the path "/arm7" (depth:5), the only such path in this stretch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"37.48.254.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810600/; classtype:trojan-activity;sid:84673700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.39.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810599/; classtype:trojan-activity;sid:84673699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.143.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810598/; classtype:trojan-activity;sid:84673698; rev:1;)
# From here on the entries carry metadata:created_at 2026_04_02 (the complete rules above carry 2026_04_03).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810597/; classtype:trojan-activity;sid:84673697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.248.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810596/; classtype:trojan-activity;sid:84673696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.61.88.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810595/; classtype:trojan-activity;sid:84673695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.234.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810594/; classtype:trojan-activity;sid:84673694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.249.194.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810593/; classtype:trojan-activity;sid:84673693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810592/; classtype:trojan-activity;sid:84673692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.248.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810591/; classtype:trojan-activity;sid:84673691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.193.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810590/; classtype:trojan-activity;sid:84673690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.61.88.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810589/; classtype:trojan-activity;sid:84673689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810588/; classtype:trojan-activity;sid:84673688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.187.37.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810587/; classtype:trojan-activity;sid:84673687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.144.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810586/; classtype:trojan-activity;sid:84673686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.187.37.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810585/; classtype:trojan-activity;sid:84673685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.144.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810584/; classtype:trojan-activity;sid:84673684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.169.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810583/; classtype:trojan-activity;sid:84673683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.157.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810582/; classtype:trojan-activity;sid:84673682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.137.156.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810581/; classtype:trojan-activity;sid:84673681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.242.118"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810580/; classtype:trojan-activity;sid:84673680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.239.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810579/; classtype:trojan-activity;sid:84673679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.234.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810578/; classtype:trojan-activity;sid:84673678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.189.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810577/; classtype:trojan-activity;sid:84673677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.137.156.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810576/; classtype:trojan-activity;sid:84673676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.239.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810575/; classtype:trojan-activity;sid:84673675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.246.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810574/; classtype:trojan-activity;sid:84673674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.22.175.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810573/; classtype:trojan-activity;sid:84673673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.73.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810572/; classtype:trojan-activity;sid:84673672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.231.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810571/; classtype:trojan-activity;sid:84673671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.91.26"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810570/; classtype:trojan-activity;sid:84673670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.246.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810569/; classtype:trojan-activity;sid:84673669; rev:1;)
# Feed order is not strictly descending here: entry 3810567 is listed before 3810568.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.231.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810567/; classtype:trojan-activity;sid:84673667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.124.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810568/; classtype:trojan-activity;sid:84673668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.172.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810566/; classtype:trojan-activity;sid:84673666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.233.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810565/; classtype:trojan-activity;sid:84673665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"102.214.109.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810563/;
classtype:trojan-activity;sid:84673663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.124.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810562/; classtype:trojan-activity;sid:84673662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810561/; classtype:trojan-activity;sid:84673661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.9.1"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810560/; classtype:trojan-activity;sid:84673660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.13.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810559/; classtype:trojan-activity;sid:84673659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.233.64"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810558/; classtype:trojan-activity;sid:84673658; rev:1;)
# Every rule in this block follows one template: alert on an established,
# client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET. On http.uri the
# depth:N + endswith pair, and on http.host the depth:M + isdataat:!1,relative
# pair, leave no room before or after the content, so a rule fires only for
# that one path on that one host. The number in msg and the reference URL are
# the URLhaus entry the rule was generated from.
# NOTE(review): these are exact-match IoC lookups, not behavioural detections;
# requests carried inside TLS are not visible to an `alert http` rule unless
# the traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.172.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810557/; classtype:trojan-activity;sid:84673657; rev:1;)
# NOTE(review): host 85.239.147.6 appears under four sids in this block
# (84673656, 84673652, 84673653, 84673647), each pinning a different /files/...
# path. Because every rule matches one exact path, a path that is not listed
# yet will not alert; correlating these sids with other HTTP requests to the
# same host gives earlier signal. Whether the host serves anything else cannot
# be told from the ruleset - check before alerting or blocking on the host alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/unique5/random.exe"; depth:25; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810556/; classtype:trojan-activity;sid:84673656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.9.1"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810555/; classtype:trojan-activity;sid:84673655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.214.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810554/; classtype:trojan-activity;sid:84673654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/77546367/5akgvvn.exe"; depth:27; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810552/; classtype:trojan-activity;sid:84673652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8536096438/x9ohmaz.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810553/; classtype:trojan-activity;sid:84673653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.13.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810551/; classtype:trojan-activity;sid:84673651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.21.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810550/; classtype:trojan-activity;sid:84673650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810549/; classtype:trojan-activity;sid:84673649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.170.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810548/; classtype:trojan-activity;sid:84673648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6728144278/5nhlm0r.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810547/; classtype:trojan-activity;sid:84673647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.86.71.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810546/; classtype:trojan-activity;sid:84673646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.214.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810545/; classtype:trojan-activity;sid:84673645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, 
urlhaus.abuse.ch/url/3810544/; classtype:trojan-activity;sid:84673644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.56.146.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810543/; classtype:trojan-activity;sid:84673643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.74.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810542/; classtype:trojan-activity;sid:84673642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.47.19.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810541/; classtype:trojan-activity;sid:84673641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810540/; classtype:trojan-activity;sid:84673640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.153.46"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810539/; classtype:trojan-activity;sid:84673639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.59.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810538/; classtype:trojan-activity;sid:84673638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.157.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810537/; classtype:trojan-activity;sid:84673637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.0.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810536/; classtype:trojan-activity;sid:84673636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.92.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810535/; classtype:trojan-activity;sid:84673635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"222.127.153.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810534/; classtype:trojan-activity;sid:84673634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.163.184.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810533/; classtype:trojan-activity;sid:84673633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peinf.exe"; depth:10; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810532/; classtype:trojan-activity;sid:84673632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.47.19.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810531/; classtype:trojan-activity;sid:84673631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.103.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810530/; classtype:trojan-activity;sid:84673630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810529)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.68.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810529/; classtype:trojan-activity;sid:84673629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.252.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810528/; classtype:trojan-activity;sid:84673628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8408827406/f1srzt6.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810527/; classtype:trojan-activity;sid:84673627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.157.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810526/; classtype:trojan-activity;sid:84673626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.166.170.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810525/; classtype:trojan-activity;sid:84673625; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810524/; classtype:trojan-activity;sid:84673624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.68.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810523/; classtype:trojan-activity;sid:84673623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.166.170.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810522/; classtype:trojan-activity;sid:84673622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.174.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810521/; classtype:trojan-activity;sid:84673621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.38.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, 
urlhaus.abuse.ch/url/3810520/; classtype:trojan-activity;sid:84673620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.174.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810519/; classtype:trojan-activity;sid:84673619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.129.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810518/; classtype:trojan-activity;sid:84673618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.112.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810517/; classtype:trojan-activity;sid:84673617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/st.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810516/; classtype:trojan-activity;sid:84673616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.22.57"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810515/; classtype:trojan-activity;sid:84673615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.208.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810514/; classtype:trojan-activity;sid:84673614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.116.56.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810513/; classtype:trojan-activity;sid:84673613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.217.198.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810512/; classtype:trojan-activity;sid:84673612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.84.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810511/; classtype:trojan-activity;sid:84673611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810510)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.184.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810510/; classtype:trojan-activity;sid:84673610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.208.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810509/; classtype:trojan-activity;sid:84673609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.11.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810508/; classtype:trojan-activity;sid:84673608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7709864361/n1xrh0p.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810507/; classtype:trojan-activity;sid:84673607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8042875554/jv3aqju.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810506/; classtype:trojan-activity;sid:84673606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3810505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810505/; classtype:trojan-activity;sid:84673605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810504/; classtype:trojan-activity;sid:84673604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810503/; classtype:trojan-activity;sid:84673603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.194.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810502/; classtype:trojan-activity;sid:84673602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.11.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810501/; 
classtype:trojan-activity;sid:84673601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.252.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810500/; classtype:trojan-activity;sid:84673600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.212.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810499/; classtype:trojan-activity;sid:84673599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.116.56.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810498/; classtype:trojan-activity;sid:84673598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.73.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810497/; classtype:trojan-activity;sid:84673597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810496/; classtype:trojan-activity;sid:84673596; rev:1;)
# ---------------------------------------------------------------------------
# How to read the rules below (every rule in this run uses the same template):
#   * alert http $HOME_NET any -> $EXTERNAL_NET any, flow:established,from_client
#     -> client-side HTTP requests leaving $HOME_NET, any port.
#   * http.method; content:"GET"
#   * http.uri; content:"<uri>"; depth:<len>; endswith; nocase
#     -> depth equals the length of the content and endswith pins the end, so the
#        whole URI buffer must equal the string (case-insensitive). A request for
#        the same path with anything appended to the URI does not match.
#   * http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#     -> same exact-match idea for the host buffer (no byte may follow the match).
#   * The number in msg, the reference URL and the sid all point at one URLhaus
#     entry; in every rule shown here sid = URLhaus id + 80863100.
# These are exact-URL indicators: an alert is a strong hit, but the absence of an
# alert says nothing about other paths on the same host.
#
# NOTE(review): percent-escapes in http.uri content (ids 3810486, 3810487,
# 3810484, 3810476, 3810478). http.uri is Suricata's normalized URI buffer; if
# the engine decodes %20 / %23 before matching, these literals (and their depth
# values) would not line up with the buffer. Confirm with a test pcap, or check
# whether http.uri.raw is the intended buffer.
#
# NOTE(review): hosts on shared platforms that are normally served over HTTPS
# (ids 3810486 r2.dev, 3810482 raw.githubusercontent.com, 3810479 pages.dev).
# An `alert http` rule only sees HTTP the sensor can parse in cleartext, so these
# presumably need TLS decryption upstream of the sensor to fire - confirm.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.194.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810495/; classtype:trojan-activity;sid:84673595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.252.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810494/; classtype:trojan-activity;sid:84673594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810493/; classtype:trojan-activity;sid:84673593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.101.92.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810492/; classtype:trojan-activity;sid:84673592; rev:1;)
# audipoint.cz appears in three rules in this run (3810491, 3810473, 3810474).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/burst.exe"; depth:20; endswith; nocase; http.host; content:"audipoint.cz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810491/; classtype:trojan-activity;sid:84673591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/patch/1117.exe"; depth:15; endswith; nocase; http.host; content:"jin.com.my"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810490/; classtype:trojan-activity;sid:84673590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.172.186.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810489/; classtype:trojan-activity;sid:84673589; rev:1;)
# NOTE(review): the file name looks like a ScreenConnect client installer, i.e.
# presumably a remote-access tool rather than a classic dropper - inferred from
# the URI only; triage hits accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi"; depth:34; endswith; nocase; http.host; content:"themaintechnician.us"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810488/; classtype:trojan-activity;sid:84673588; rev:1;)
# percent-escape (%23) in URI and HTTPS-hosted platform (r2.dev): see both notes above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rsvp_invite%23903388.exe"; depth:25; endswith; nocase; http.host; content:"pub-ec081eb0fab74385a17d8d77afeeda3b.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810486/; classtype:trojan-activity;sid:84673586; rev:1;)
# percent-escape (%20) in URI: see note above. The same URI recurs on four hosts
# in this run (3810487, 3810484, 3810476, 3810478).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"lejrmakei.net"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810487/; classtype:trojan-activity;sid:84673587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trust.apk"; depth:10; endswith; nocase; http.host; content:"app-trust-wallet.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810483/; classtype:trojan-activity;sid:84673583; rev:1;)
# percent-escape (%20) in URI: see note above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"mailer-kjermjs.net"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810484/; classtype:trojan-activity;sid:84673584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webrtc_driver_20260111_x64.exe"; depth:31; endswith; nocase; http.host; content:"racing-shop-schuller.de"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810480/; classtype:trojan-activity;sid:84673580; rev:1;)
# 46.165.215.116 appears in several rules in this run with different URIs
# (3810481, 3810475, 3810471).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imbosomed.deploy"; depth:17; endswith; nocase; http.host; content:"46.165.215.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810481/; classtype:trojan-activity;sid:84673581; rev:1;)
# HTTPS-hosted platform (raw.githubusercontent.com): see note above. The rule is
# scoped to one repository path, not to the platform as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/babka98/horinis/refs/heads/main/lykis.msi"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810482/; classtype:trojan-activity;sid:84673582; rev:1;)
# percent-escape (%20) in URI: see note above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"mailer-kjermjs.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810476/; classtype:trojan-activity;sid:84673576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.206.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810477/; classtype:trojan-activity;sid:84673577; rev:1;)
# percent-escape (%20) in URI: see note above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"keilo-jermailer.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810478/; classtype:trojan-activity;sid:84673578; rev:1;)
# HTTPS-hosted platform (pages.dev): see note above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/portable_reader_acrbat_v23_01_p2.vbs"; depth:37; endswith; nocase; http.host; content:"e0-adobemodule-pdreaderl-w002-0llx00-uv0a0acr0bt-patch-dl0.pages.dev"; depth:68; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810479/; classtype:trojan-activity;sid:84673579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/kontakt.txt"; depth:22; endswith; nocase; http.host; content:"audipoint.cz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810473/; classtype:trojan-activity;sid:84673573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/info.txt"; depth:19; endswith; nocase; http.host; content:"audipoint.cz"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810474/; classtype:trojan-activity;sid:84673574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jng2.txt"; depth:9; endswith; nocase; http.host; content:"46.165.215.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810475/; classtype:trojan-activity;sid:84673575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porcate.cmd"; depth:12; endswith; nocase; http.host; content:"46.165.215.116"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810471/; classtype:trojan-activity;sid:84673571; rev:1;)
# ---------------------------------------------------------------------------
# This run is almost entirely GET requests for "/i" or "/bin.sh" on bare IPv4
# hosts; many addresses appear twice, once per URI (e.g. 123.129.132.142,
# 60.18.70.11, 219.157.240.70), each with its own sid.
#
# Matching is exact on both buffers: depth equals the content length, with
# endswith (URI) or isdataat:!1,relative (host) pinning the end, so the whole
# http.uri must equal the string (nocase) and the whole http.host must equal the
# address text.
#
# NOTE(review): the address is matched in the http.host buffer, not against the
# packet's destination IP (the header is $EXTERNAL_NET any). A detection that
# should hold regardless of the Host value would need a destination-address
# condition as well - presumably out of scope for this URL feed; confirm how the
# feed is complemented locally (IP reputation, flow logs).
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jng1.txt"; depth:9; endswith; nocase; http.host; content:"46.165.215.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810472/; classtype:trojan-activity;sid:84673572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.132.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810470/; classtype:trojan-activity;sid:84673570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.70.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810469/; classtype:trojan-activity;sid:84673569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.240.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810468/; classtype:trojan-activity;sid:84673568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.132.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810467/; classtype:trojan-activity;sid:84673567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.172.186.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810466/; classtype:trojan-activity;sid:84673566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.147.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810465/; classtype:trojan-activity;sid:84673565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.70.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810464/; classtype:trojan-activity;sid:84673564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.58.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810463/; classtype:trojan-activity;sid:84673563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.234.248.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810462/; classtype:trojan-activity;sid:84673562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810461/; classtype:trojan-activity;sid:84673561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.147.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810460/; classtype:trojan-activity;sid:84673560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.36.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810459/; classtype:trojan-activity;sid:84673559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.145.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810458/; classtype:trojan-activity;sid:84673558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.240.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810457/; classtype:trojan-activity;sid:84673557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.58.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810456/; classtype:trojan-activity;sid:84673556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.145.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810455/; classtype:trojan-activity;sid:84673555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810454/; classtype:trojan-activity;sid:84673554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.122.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810453/; classtype:trojan-activity;sid:84673553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.122.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810452/; classtype:trojan-activity;sid:84673552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.36.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810451/; classtype:trojan-activity;sid:84673551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810450/; classtype:trojan-activity;sid:84673550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810449/; classtype:trojan-activity;sid:84673549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.50.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810448/; classtype:trojan-activity;sid:84673548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips64"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810447/; classtype:trojan-activity;sid:84673547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.1.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810446/; classtype:trojan-activity;sid:84673546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.50.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810445/; classtype:trojan-activity;sid:84673545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.241.61.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810444/; classtype:trojan-activity;sid:84673544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.214.238.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810443/; classtype:trojan-activity;sid:84673543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.189.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810442/; classtype:trojan-activity;sid:84673542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.243.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810441/; classtype:trojan-activity;sid:84673541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810439/; classtype:trojan-activity;sid:84673539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.137.153.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810440/; classtype:trojan-activity;sid:84673540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810438)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.206.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810438/; classtype:trojan-activity;sid:84673538; rev:1;)
# ---------------------------------------------------------------------------
# Most rules in this run point at three adjacent addresses:
#   87.121.84.18 - /multi/bins/<suffix> plus /wget.sh, /lol.sh, /c.sh
#   87.121.84.78 - /nuclear.<suffix>
#   87.121.84.19 - /titanjr.<suffix> plus /all.sh
# The suffixes (arm5, arm7, mips, mipsel, x86_64, m68k, ppc, ...) look like CPU
# architecture names, i.e. presumably one build of the same payload per
# architecture - inferred from the file names only. Each file has its own sid,
# so alerts for one host are best grouped by http.host when triaging.
#
# Matching is exact on both buffers: depth equals the content length, with
# endswith (URI) or isdataat:!1,relative (host) pinning the end. A file on the
# same host that is not listed here (another suffix, another script name) is not
# covered by these rules; the feed only knows URLs that were reported.
# sid = URLhaus id + 80863100 in every rule shown, so the sid, the id in msg and
# the reference URL can be used interchangeably to pivot to the URLhaus entry.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.121.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810437/; classtype:trojan-activity;sid:84673537; rev:1;)
# --- 87.121.84.18: /multi/bins/* and downloader scripts ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/bins/x86_64"; depth:18; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810435/; classtype:trojan-activity;sid:84673535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/bins/arm5"; depth:16; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810436/; classtype:trojan-activity;sid:84673536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/bins/mipsel"; depth:18; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810431/; classtype:trojan-activity;sid:84673531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/bins/arm7"; depth:16; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810432/; classtype:trojan-activity;sid:84673532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/bins/mips"; depth:16; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810433/; classtype:trojan-activity;sid:84673533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810434/; classtype:trojan-activity;sid:84673534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810430/; classtype:trojan-activity;sid:84673530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810429/; classtype:trojan-activity;sid:84673529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.86.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810428/; classtype:trojan-activity;sid:84673528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810427/; classtype:trojan-activity;sid:84673527; rev:1;)
# --- 87.121.84.78: /nuclear.<suffix> ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arc"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810415/; classtype:trojan-activity;sid:84673515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.i686"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810416/; classtype:trojan-activity;sid:84673516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.sh4"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810417/; classtype:trojan-activity;sid:84673517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810418/; classtype:trojan-activity;sid:84673518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86_64"; depth:15; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810419/; classtype:trojan-activity;sid:84673519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm7"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810420/; classtype:trojan-activity;sid:84673520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810421/; classtype:trojan-activity;sid:84673521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm5"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810422/; classtype:trojan-activity;sid:84673522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.m68k"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810423/; classtype:trojan-activity;sid:84673523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mpsl"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810424/; classtype:trojan-activity;sid:84673524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mips"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810425/; classtype:trojan-activity;sid:84673525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.ppc"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810426/; classtype:trojan-activity;sid:84673526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm6"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810413/; classtype:trojan-activity;sid:84673513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.spc"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810414/; classtype:trojan-activity;sid:84673514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.121.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810412/; classtype:trojan-activity;sid:84673512; rev:1;)
# --- 87.121.84.19: /titanjr.<suffix> ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm6"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810410/; classtype:trojan-activity;sid:84673510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arc"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810411/; classtype:trojan-activity;sid:84673511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm5"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810408/; classtype:trojan-activity;sid:84673508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.m68k"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810409/; classtype:trojan-activity;sid:84673509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.20.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810407/; classtype:trojan-activity;sid:84673507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm7"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810406/; classtype:trojan-activity;sid:84673506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810405/; classtype:trojan-activity;sid:84673505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.spc"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810400/; classtype:trojan-activity;sid:84673500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mipsl"; depth:14; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810401/; classtype:trojan-activity;sid:84673501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i686"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810402/; classtype:trojan-activity;sid:84673502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc440"; depth:15; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810403/; classtype:trojan-activity;sid:84673503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810404)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810404/; classtype:trojan-activity;sid:84673504; rev:1;)
# Triage aid: in every rule shown here sid = URLhaus entry ID + 80863100 (3810386 -> 84673486),
# and the same ID appears in msg and in the reference URL, so an alert can be traced back to its
# URLhaus entry from the sid alone.
# Every complete rule in this run except the final /bin.sh entry (host 125.47.243.29) names host
# 87.121.84.19, which is listed with both main_<arch> and titanjr.<arch> file names. An alert on
# any one of them is a reason to review the same client's other requests to that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810386/; classtype:trojan-activity;sid:84673486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_spc"; depth:9; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810387/; classtype:trojan-activity;sid:84673487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810388/; classtype:trojan-activity;sid:84673488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810389/; classtype:trojan-activity;sid:84673489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810390/; classtype:trojan-activity;sid:84673490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810391/; classtype:trojan-activity;sid:84673491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810392/; classtype:trojan-activity;sid:84673492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_32"; depth:15; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810393/; classtype:trojan-activity;sid:84673493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810394/; classtype:trojan-activity;sid:84673494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810395/; classtype:trojan-activity;sid:84673495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_64"; depth:15; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810396/; classtype:trojan-activity;sid:84673496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.sh4"; depth:12; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810397/; classtype:trojan-activity;sid:84673497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mips"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810398/; classtype:trojan-activity;sid:84673498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.i486"; depth:13; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810399/; classtype:trojan-activity;sid:84673499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810383/; classtype:trojan-activity;sid:84673483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810384/; classtype:trojan-activity;sid:84673484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810385/; classtype:trojan-activity;sid:84673485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.243.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810382/; classtype:trojan-activity;sid:84673482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810381)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.202.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810381/; classtype:trojan-activity;sid:84673481; rev:1;)
# The /i and /bin.sh entries below differ from one another only in the http.host value. The URI
# alone is generic, so the host match is what ties an alert to a specific URLhaus entry.
# The rules key on the Host header (destination is $EXTERNAL_NET any), not on the server address,
# so correlate alerts with the flow's destination IP when hunting on these indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.137.153.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810380/; classtype:trojan-activity;sid:84673480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.231.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810379/; classtype:trojan-activity;sid:84673479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.26.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810378/; classtype:trojan-activity;sid:84673478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.20.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810377/; classtype:trojan-activity;sid:84673477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.202.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810376/; classtype:trojan-activity;sid:84673476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.80.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810375/; classtype:trojan-activity;sid:84673475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810374/; classtype:trojan-activity;sid:84673474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.134.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810373/; classtype:trojan-activity;sid:84673473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810372/; classtype:trojan-activity;sid:84673472; rev:1;)
# NOTE(review): the URI content of the next rule holds literal percent-escapes (%d0%b0%d1%85, the
# UTF-8 bytes of Cyrillic U+0430 and U+0445). http.uri is the normalized URI buffer; if the engine
# percent-decodes the path before matching, the buffer holds the raw bytes and this literal would
# not match. Replay a sample request to confirm; http.uri.raw, or a |d0 b0 d1 85| byte match in
# http.uri, would be the alternatives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/gai%d0%b0%d1%85is.zip"; depth:27; endswith; nocase; http.host; content:"galaxis.fun"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810371/; classtype:trojan-activity;sid:84673471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810370/; classtype:trojan-activity;sid:84673470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.180.134.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810369/; classtype:trojan-activity;sid:84673469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810368/; classtype:trojan-activity;sid:84673468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.185.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810367/; classtype:trojan-activity;sid:84673467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.231.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810366/; classtype:trojan-activity;sid:84673466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810365/; classtype:trojan-activity;sid:84673465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810361/; classtype:trojan-activity;sid:84673461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810362/; classtype:trojan-activity;sid:84673462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810363)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/m68k"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810363/; classtype:trojan-activity;sid:84673463; rev:1;)
# Two hosts are interleaved in this run: 195.178.110.204 is listed with files named only by
# architecture (/powerpc, /i686, /arc, /sparc, ...), and 87.121.84.19 with titanjr.<arch> files
# under /huhu/. Because the URI match is exact, every path needs its own rule; the titanjr.<arch>
# names at the web root of the same host are separate entries elsewhere in this file.
# Single-segment names such as /arc, /sh4 or /mips are meaningful only together with the host
# match. Reusing the URI content alone as a hunting pattern would be prone to false positives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810364/; classtype:trojan-activity;sid:84673464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810338/; classtype:trojan-activity;sid:84673438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810339/; classtype:trojan-activity;sid:84673439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810340/; classtype:trojan-activity;sid:84673440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810341/; classtype:trojan-activity;sid:84673441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810342/; classtype:trojan-activity;sid:84673442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810343/; classtype:trojan-activity;sid:84673443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810344/; classtype:trojan-activity;sid:84673444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810345/; classtype:trojan-activity;sid:84673445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810346/; classtype:trojan-activity;sid:84673446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810347/; classtype:trojan-activity;sid:84673447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810348/; classtype:trojan-activity;sid:84673448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810349/; classtype:trojan-activity;sid:84673449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810350/; classtype:trojan-activity;sid:84673450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810351/; classtype:trojan-activity;sid:84673451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810352/; classtype:trojan-activity;sid:84673452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810353/; classtype:trojan-activity;sid:84673453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810354/; classtype:trojan-activity;sid:84673454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810355/; classtype:trojan-activity;sid:84673455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810356/; classtype:trojan-activity;sid:84673456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810357/; classtype:trojan-activity;sid:84673457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810358/; classtype:trojan-activity;sid:84673458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810359/; classtype:trojan-activity;sid:84673459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810360/; classtype:trojan-activity;sid:84673460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810337/; classtype:trojan-activity;sid:84673437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810336/; classtype:trojan-activity;sid:84673436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810335/; classtype:trojan-activity;sid:84673435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.45.101"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810334/; classtype:trojan-activity;sid:84673434; rev:1;)
# Scope: these rules use the http protocol keyword with $HOME_NET -> $EXTERNAL_NET and
# flow:established,from_client, so they alert on an internal client's outbound HTTP request.
# An alert does not show whether a payload was returned; check the response and any file events
# for the same flow before treating the client as infected.
# All entries here carry created_at 2026_04_02 and name bare IPv4 hosts. Such hosts are
# presumably short-lived, so confirm how the deployment refreshes this file from the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.97.175"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810333/; classtype:trojan-activity;sid:84673433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.55.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810332/; classtype:trojan-activity;sid:84673432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.166.37.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810331/; classtype:trojan-activity;sid:84673431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.245.45.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810330/; classtype:trojan-activity;sid:84673430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.33.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810329/; classtype:trojan-activity;sid:84673429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.51.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810328/; classtype:trojan-activity;sid:84673428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.35.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810327/; classtype:trojan-activity;sid:84673427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810326/; classtype:trojan-activity;sid:84673426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.62.253"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810325/; classtype:trojan-activity;sid:84673425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810324)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.97.175"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810324/; classtype:trojan-activity;sid:84673424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.0.215.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810323/; classtype:trojan-activity;sid:84673423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.33.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810322/; classtype:trojan-activity;sid:84673422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.80.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810321/; classtype:trojan-activity;sid:84673421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810320/; classtype:trojan-activity;sid:84673420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3810319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.51.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810319/; classtype:trojan-activity;sid:84673419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.35.106"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810318/; classtype:trojan-activity;sid:84673418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.205.93.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810317/; classtype:trojan-activity;sid:84673417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7044575709/myfxfbn.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810316/; classtype:trojan-activity;sid:84673416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.6.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810315/; 
classtype:trojan-activity;sid:84673415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.4.64"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810314/; classtype:trojan-activity;sid:84673414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.229.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810313/; classtype:trojan-activity;sid:84673413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.94.142.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810312/; classtype:trojan-activity;sid:84673412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.93.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810311/; classtype:trojan-activity;sid:84673411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6728144278/s04rtah.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810310/; classtype:trojan-activity;sid:84673410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.6.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810309/; classtype:trojan-activity;sid:84673409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.72.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810308/; classtype:trojan-activity;sid:84673408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.4.64"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810307/; classtype:trojan-activity;sid:84673407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.72.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810306/; classtype:trojan-activity;sid:84673406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"121.234.248.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810305/; classtype:trojan-activity;sid:84673405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.3.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810304/; classtype:trojan-activity;sid:84673404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.183.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810303/; classtype:trojan-activity;sid:84673403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.116.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810302/; classtype:trojan-activity;sid:84673402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.243.163.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810301/; classtype:trojan-activity;sid:84673401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810300)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.116.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810300/; classtype:trojan-activity;sid:84673400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.3.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810299/; classtype:trojan-activity;sid:84673399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.78.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810298/; classtype:trojan-activity;sid:84673398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chrome_300_percent.pak"; depth:23; endswith; nocase; http.host; content:"fiker.cattermicoffa.sbs"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810297/; classtype:trojan-activity;sid:84673397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810296/; classtype:trojan-activity;sid:84673396; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.243.163.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810295/; classtype:trojan-activity;sid:84673395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"47.160.151.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810294/; classtype:trojan-activity;sid:84673394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.148.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810293/; classtype:trojan-activity;sid:84673393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.133.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810292/; classtype:trojan-activity;sid:84673392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.117.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, 
urlhaus.abuse.ch/url/3810291/; classtype:trojan-activity;sid:84673391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.97.200.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810290/; classtype:trojan-activity;sid:84673390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.133.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810289/; classtype:trojan-activity;sid:84673389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.221.26.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810288/; classtype:trojan-activity;sid:84673388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.97.200.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810287/; classtype:trojan-activity;sid:84673387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.4.162"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810286/; classtype:trojan-activity;sid:84673386; rev:1;)
# Each rule below fires on a client GET (flow:established,from_client) from $HOME_NET to $EXTERNAL_NET
# whose http.uri and http.host both equal one URLhaus entry: depth is set to the content length and is
# paired with endswith (URI) or isdataat:!1,relative (host), so nothing may precede or follow the content.
# nocase is attached to the URI content only. Because the match is exact, a request to the same host
# with any other path, or with a query string appended, does not alert; a hit identifies one listed
# object and says nothing about other content on that host.
# NOTE(review): the rules use the http protocol keyword, so presumably they only see traffic Suricata
# parses as cleartext HTTP; the same URL fetched over TLS would need decryption in front of the sensor.
# TODO confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.228.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810285/; classtype:trojan-activity;sid:84673385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.212.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810284/; classtype:trojan-activity;sid:84673384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.4.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810283/; classtype:trojan-activity;sid:84673383; rev:1;)
# NOTE(review): the host in the next rule, i.postimg.cc, looks like a shared image-hosting name rather
# than infrastructure dedicated to this entry - TODO confirm. The rule is pinned to one exact path on
# that host, so triage a hit as a fetch of that single object and do not widen it into a host-wide block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yd1xswrw/image-1.png"; depth:21; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810282/; classtype:trojan-activity;sid:84673382; rev:1;)
# NOTE(review): the URI content in the next rule ends in the literal characters "$g", possibly an
# unexpanded variable that was recorded as part of the URL - TODO confirm against the URLhaus entry.
# As written, the rule only alerts when the requested path contains "$g" literally, so its coverage of
# the real download paths on this host may be narrower than the message suggests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stager_linux_$g"; depth:16; endswith; nocase; http.host; content:"52.4.142.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810281/; classtype:trojan-activity;sid:84673381; rev:1;)
# The rules for 178.16.52.148 below pin separate file names on one host (/rebirth.arm, /rebirth.arm6,
# /rebirth.arm5); each is its own exact-URL match with its own sid, so alerts for them can be grouped
# by destination host during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm"; depth:12; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810279/; classtype:trojan-activity;sid:84673379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm6"; depth:13; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810280/; classtype:trojan-activity;sid:84673380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810277/; classtype:trojan-activity;sid:84673377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm5"; depth:13; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810278/; classtype:trojan-activity;sid:84673378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3810276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mipsel"; depth:15; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810276/; classtype:trojan-activity;sid:84673376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.30.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810275/; classtype:trojan-activity;sid:84673375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810274/; classtype:trojan-activity;sid:84673374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.228.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810273/; classtype:trojan-activity;sid:84673373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.212.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810272/; 
classtype:trojan-activity;sid:84673372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.177.108.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810271/; classtype:trojan-activity;sid:84673371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810270/; classtype:trojan-activity;sid:84673370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810269/; classtype:trojan-activity;sid:84673369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.165.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810268/; classtype:trojan-activity;sid:84673368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810267/; classtype:trojan-activity;sid:84673367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810266/; classtype:trojan-activity;sid:84673366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.214.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810265/; classtype:trojan-activity;sid:84673365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810264/; classtype:trojan-activity;sid:84673364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.127.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810263/; classtype:trojan-activity;sid:84673363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"110.37.115.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810262/; classtype:trojan-activity;sid:84673362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.62.253"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810261/; classtype:trojan-activity;sid:84673361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.99.207.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810260/; classtype:trojan-activity;sid:84673360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.6.173"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810259/; classtype:trojan-activity;sid:84673359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.180.80.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810258/; classtype:trojan-activity;sid:84673358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810257)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.214.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810257/; classtype:trojan-activity;sid:84673357; rev:1;)
# Rule anatomy shared by the entries below:
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: only outbound
#     client requests on an established flow are inspected.
#   - http.uri content with depth equal to the pattern length, plus endswith:
#     the normalized URI has to equal the pattern (nocase: case-insensitively).
#   - http.host content with depth equal to its length, plus
#     isdataat:!1,relative: the host has to equal the listed value, not merely
#     contain it.
# The paths here ("/i", "/bin.sh") are generic; the host is what makes each rule
# specific.
# NOTE(review): every host in this run is a bare IPv4 address and created_at is
# the only age marker in the rule, so an address may have changed hands since it
# was listed. Check the referenced URLhaus entry before treating an alert as
# confirmed, and triage the internal client that issued the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.0.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810256/; classtype:trojan-activity;sid:84673356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.127.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810255/; classtype:trojan-activity;sid:84673355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.99.207.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810254/; classtype:trojan-activity;sid:84673354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.23.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810253/; classtype:trojan-activity;sid:84673353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.136.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810252/; classtype:trojan-activity;sid:84673352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.23.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810251/; classtype:trojan-activity;sid:84673351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.91.119"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810250/; classtype:trojan-activity;sid:84673350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810249/; classtype:trojan-activity;sid:84673349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.199.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810248/; classtype:trojan-activity;sid:84673348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.199.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810247/; classtype:trojan-activity;sid:84673347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.226.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810246/; classtype:trojan-activity;sid:84673346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.10.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810245/; classtype:trojan-activity;sid:84673345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.101.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810244/; classtype:trojan-activity;sid:84673344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.226.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810243/; classtype:trojan-activity;sid:84673343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810242/; classtype:trojan-activity;sid:84673342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.101.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810241/; classtype:trojan-activity;sid:84673341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810240/; classtype:trojan-activity;sid:84673340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.183.105.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810239/; classtype:trojan-activity;sid:84673339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.201.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810238/; classtype:trojan-activity;sid:84673338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.91.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810237/; classtype:trojan-activity;sid:84673337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.201.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810236/; classtype:trojan-activity;sid:84673336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.190.184.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810235/; classtype:trojan-activity;sid:84673335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.12.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810234/; classtype:trojan-activity;sid:84673334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810233)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810233/; classtype:trojan-activity;sid:84673333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.154.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810232/; classtype:trojan-activity;sid:84673332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.91.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810231/; classtype:trojan-activity;sid:84673331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.12.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810230/; classtype:trojan-activity;sid:84673330; rev:1;)
# The ten rules below for host 77.110.125.145 differ only in the suffix after
# "/main_" (x86, mpsl, sh4, ppc, x86_64, mips, m68k, arm6, arm, arm5) --
# presumably one payload built per CPU architecture; confirm against the
# referenced URLhaus entries. sid 84673322 ("/arm6" on 92.112.124.72) sits in
# the middle of the run and is a different host.
# NOTE(review): a hit on any of these warrants the same response: identify the
# internal device that issued the GET and examine it, since each rule only
# records that the request was made.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810223/; classtype:trojan-activity;sid:84673323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810224/; classtype:trojan-activity;sid:84673324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810225/; classtype:trojan-activity;sid:84673325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810226/; classtype:trojan-activity;sid:84673326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810227/; classtype:trojan-activity;sid:84673327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810228/; classtype:trojan-activity;sid:84673328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810229/; classtype:trojan-activity;sid:84673329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810222/; classtype:trojan-activity;sid:84673322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810219/; classtype:trojan-activity;sid:84673319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810220/; classtype:trojan-activity;sid:84673320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"77.110.125.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810221/; classtype:trojan-activity;sid:84673321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.195.127.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810218/; classtype:trojan-activity;sid:84673318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.188.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810217/; classtype:trojan-activity;sid:84673317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.188.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810216/; classtype:trojan-activity;sid:84673316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.117.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810215/; classtype:trojan-activity;sid:84673315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host;
content:"182.127.165.93"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810214/; classtype:trojan-activity;sid:84673314; rev:1;)
# NOTE(review): sids 84673313, 84673312 and 84673310 below have an http.uri
# pattern containing |3f| (the hex escape for "?"). Their depth equals the
# length of the pattern as written, with |3f| counted as four characters,
# although it matches a single byte. depth is therefore 3 larger than the
# decoded pattern (185 vs 182, and 24 vs 21). Combined with endswith, a URI
# with up to 3 extra leading bytes still matches, whereas the other rules in
# this section use depth == pattern length and match the URI exactly.
# Low impact, but worth reporting to the feed maintainer; a local edit to a
# generated file would presumably be lost on the next download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/efewefwewfew342234423234feweefwwefewefweffewwefewf.php|3f|file=333.exe"; depth:185; endswith; nocase; http.host; content:"microservisetrue.vip"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810213/; classtype:trojan-activity;sid:84673313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/efewefwewfew342234423234feweefwwefewefweffewwefewf.php|3f|file=amp.exe"; depth:185; endswith; nocase; http.host; content:"microservisetrue.vip"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810212/; classtype:trojan-activity;sid:84673312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.192.244.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810211/; classtype:trojan-activity;sid:84673311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/|3f|kiddionsmodmenu"; depth:24; endswith; nocase; http.host; content:"dl.armour-inc-down.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810210/; classtype:trojan-activity;sid:84673310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.26.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810209/; classtype:trojan-activity;sid:84673309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.192.244.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810208/; classtype:trojan-activity;sid:84673308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.59.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810207/; classtype:trojan-activity;sid:84673307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.255.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810206/; classtype:trojan-activity;sid:84673306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.255.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810205/; classtype:trojan-activity;sid:84673305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.185.93.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810204/; classtype:trojan-activity;sid:84673304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.232.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810203/; classtype:trojan-activity;sid:84673303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.218.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810202/; classtype:trojan-activity;sid:84673302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810197/; classtype:trojan-activity;sid:84673297; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lenin-huaylla/snaptivity/refs/heads/main/assets/software_scirophoria.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810198/; classtype:trojan-activity;sid:84673298; rev:1;)
# NOTE(review): the entries in this run whose http.host is "github.com" or
# "raw.githubusercontent.com" (including the rule that ends on the line above)
# are "alert http" rules. Both hosts are normally reached over HTTPS, so these
# rules can only fire where Suricata is handed decrypted HTTP (TLS inspection
# or an intercepting proxy). On a sensor without decryption, silence from
# these sids is not evidence that no download took place; proxy or endpoint
# logs for the same repository paths are the place to confirm.
# Most files visible here are listed twice, once per host form:
#   github.com                 /<user>/<repo>/raw/refs/heads/<branch>/...
#   raw.githubusercontent.com  /<user>/<repo>/refs/heads/<branch>/...
# depth plus endswith pins the whole path, so other traffic to these hosts is
# not expected to alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemin500/igaming-platform/raw/refs/heads/main/services/wallet/platform_igaming_v2.2-alpha.2.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810199/; classtype:trojan-activity;sid:84673299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.185.93.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810200/; classtype:trojan-activity;sid:84673300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmedhesham712/session-dualsense-mod/raw/refs/heads/main/lib/vigemclient/include/session_dualsense_mod_2.7-beta.1.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810201/; classtype:trojan-activity;sid:84673301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devwarly/c64commander/raw/refs/heads/main/tenorist/commander-c-v2.7-beta.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810195/; classtype:trojan-activity;sid:84673295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpaymh/python-sorting-algorithms-visualizer/raw/refs/heads/master/dist/python-sorting-algorithms-visualizer/pyqt5/qt5/plugins/generic/sorting_visualizer_python_algorithms_2.1.zip"; depth:180; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810196/; classtype:trojan-activity;sid:84673296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmedhesham712/session-dualsense-mod/refs/heads/main/lib/vigemclient/include/session_dualsense_mod_2.7-beta.1.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810190/; classtype:trojan-activity;sid:84673290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpaymh/python-sorting-algorithms-visualizer/refs/heads/master/dist/python-sorting-algorithms-visualizer/pyqt5/qt5/plugins/generic/sorting_visualizer_python_algorithms_2.1.zip"; depth:176; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810191/; classtype:trojan-activity;sid:84673291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arcanpp88/kick-tg-rewards/refs/heads/main/backend-python/rem/lib/site-packages/pip/_vendor/urllib3/packages/rewards_kick_tg_wanderingness.zip"; depth:142; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810192/; classtype:trojan-activity;sid:84673292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lenin-huaylla/snaptivity/raw/refs/heads/main/assets/software_scirophoria.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810193/; classtype:trojan-activity;sid:84673293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kemin500/igaming-platform/refs/heads/main/services/wallet/platform_igaming_v2.2-alpha.2.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810194/; classtype:trojan-activity;sid:84673294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/engabdallahd/wildflover/raw/refs/heads/main/src/i18n/software_1.4-beta.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810188/; classtype:trojan-activity;sid:84673288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nahoom1/huayu-rm-d1078-lirc-config-and-kodi-keymaps/refs/heads/main/byzantian/huay-kodi-keymaps-lir-and-r-config-v2.8.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810189/; classtype:trojan-activity;sid:84673289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chinnaganesh/level-xp-system/refs/heads/master/docs/level-xp-system-v1.9-beta.5.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810182/; classtype:trojan-activity;sid:84673282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/engabdallahd/wildflover/refs/heads/main/src/i18n/software_1.4-beta.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810183/; classtype:trojan-activity;sid:84673283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpaymh/exitlag/refs/heads/master/aracservis/exit_lag_iliococcygeal.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810184/; classtype:trojan-activity;sid:84673284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpaymh/exitlag/raw/refs/heads/master/aracservis/exit_lag_iliococcygeal.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810185/; classtype:trojan-activity;sid:84673285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arcanpp88/kick-tg-rewards/raw/refs/heads/main/backend-python/rem/lib/site-packages/pip/_vendor/urllib3/packages/rewards_kick_tg_wanderingness.zip"; depth:146; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810186/; classtype:trojan-activity;sid:84673286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nahoom1/huayu-rm-d1078-lirc-config-and-kodi-keymaps/raw/refs/heads/main/byzantian/huay-kodi-keymaps-lir-and-r-config-v2.8.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810187/; classtype:trojan-activity;sid:84673287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chinnaganesh/level-xp-system/raw/refs/heads/master/docs/level-xp-system-v1.9-beta.5.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810181/; classtype:trojan-activity;sid:84673281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zedkali/sfb---survival-fps-booster/refs/heads/main/orthopinacoid/booster-sf-fp-survival-3.7.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810180/; classtype:trojan-activity;sid:84673280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufianayad/eight_puzzle_app/refs/heads/main/ios/runner.xcodeproj/project.xcworkspace/xcshareddata/puzzle-app-eight-draughtswoman.zip"; depth:134; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810176/; classtype:trojan-activity;sid:84673276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josiasgq/fps-advanced/raw/refs/heads/main/shader/advanced_fps_v1.0-beta.1.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810177/; classtype:trojan-activity;sid:84673277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ginola5/syronss-lol-auto-assistant/refs/heads/main/src/assistant-auto-syronss-lol-v1.6.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810178/; classtype:trojan-activity;sid:84673278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devwarly/c64commander/refs/heads/main/tenorist/commander-c-v2.7-beta.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810179/; classtype:trojan-activity;sid:84673279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufianayad/eight_puzzle_app/raw/refs/heads/main/ios/runner.xcodeproj/project.xcworkspace/xcshareddata/puzzle-app-eight-draughtswoman.zip"; depth:138; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810175/; classtype:trojan-activity;sid:84673275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josiasgq/fps-advanced/refs/heads/main/shader/advanced_fps_v1.0-beta.1.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810170/; classtype:trojan-activity;sid:84673270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ginola5/syronss-lol-auto-assistant/raw/refs/heads/main/src/assistant-auto-syronss-lol-v1.6.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810171/; classtype:trojan-activity;sid:84673271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devwarly/c64commander/raw/refs/heads/main/tenorist/c_commander_v1.0.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810172/; classtype:trojan-activity;sid:84673272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avireddevil/vibestrym-assets/raw/refs/heads/main/frontend/public/assets_vibestrym_v1.9.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810173/; classtype:trojan-activity;sid:84673273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dev-bit-cyber/fgctool/refs/heads/master/synchrone/fg-ctool-psalmy.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810174/; classtype:trojan-activity;sid:84673274; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devwarly/c64commander/refs/heads/main/tenorist/c_commander_v1.0.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810164/; classtype:trojan-activity;sid:84673264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zedkali/sfb---survival-fps-booster/raw/refs/heads/main/orthopinacoid/booster-sf-fp-survival-3.7.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810165/; classtype:trojan-activity;sid:84673265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dev-bit-cyber/fgctool/raw/refs/heads/master/synchrone/fg-ctool-psalmy.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810166/; classtype:trojan-activity;sid:84673266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.148.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810167/; classtype:trojan-activity;sid:84673267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810168)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avireddevil/vibestrym-assets/refs/heads/main/frontend/public/assets_vibestrym_v1.9.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810168/; classtype:trojan-activity;sid:84673268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabor996/leesin/raw/refs/heads/main/_includes/sin-lee-2.0.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810169/; classtype:trojan-activity;sid:84673269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabor996/leesin/refs/heads/main/_includes/sin-lee-2.0.zip"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810161/; classtype:trojan-activity;sid:84673261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crackorcode/minecode-mcp/refs/heads/main/example/crystal_dimension/data/crystal/worldgen/minecode_mcp_2.5.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810162/; classtype:trojan-activity;sid:84673262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810163)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crackorcode/minecode-mcp/raw/refs/heads/main/example/crystal_dimension/data/crystal/worldgen/minecode_mcp_2.5.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810163/; classtype:trojan-activity;sid:84673263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiuf345/mobi/raw/refs/heads/main/deco/63.txt"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810160/; classtype:trojan-activity;sid:84673260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiuf345/mobi/refs/heads/main/deco/63.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810159/; classtype:trojan-activity;sid:84673259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/070789-juanitutus/amazegaming/raw/refs/heads/main/colpeurysis/amaze-gaming-v1.1.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810158/; classtype:trojan-activity;sid:84673258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810155)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/petersonnjuguna/controller-for-disabled/refs/heads/main/honda/for_disabled_controller_2.1.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810155/; classtype:trojan-activity;sid:84673255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petersonnjuguna/petersonnjuguna.github.io/raw/refs/heads/main/tinware/github-io-petersonnjuguna-v3.5.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810156/; classtype:trojan-activity;sid:84673256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.218.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810157/; classtype:trojan-activity;sid:84673257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/donsdons1983/nextgen-potato-gaming/refs/heads/main/adelphophagy/gaming_potato_nextgen_3.7.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810144/; classtype:trojan-activity;sid:84673244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810145)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/petersonnjuguna/petersonnjuguna.github.io/raw/refs/heads/main/tinware/github_petersonnjuguna_io_2.5.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810145/; classtype:trojan-activity;sid:84673245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/070789-juanitutus/amazegaming/refs/heads/main/colpeurysis/gaming_amaze_1.1.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810146/; classtype:trojan-activity;sid:84673246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/070789-juanitutus/amazegaming/raw/refs/heads/main/colpeurysis/gaming_amaze_1.1.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810147/; classtype:trojan-activity;sid:84673247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/donsdons1983/nextgen-potato-gaming/raw/refs/heads/main/adelphophagy/gaming_potato_nextgen_3.7.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810148/; classtype:trojan-activity;sid:84673248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810149)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/petersonnjuguna/controller-for-disabled/raw/refs/heads/main/honda/controller-disabled-for-v2.1.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810149/; classtype:trojan-activity;sid:84673249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petersonnjuguna/petersonnjuguna.github.io/refs/heads/main/tinware/github-io-petersonnjuguna-v3.5.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810150/; classtype:trojan-activity;sid:84673250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petersonnjuguna/petersonnjuguna.github.io/refs/heads/main/tinware/github_petersonnjuguna_io_2.5.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810151/; classtype:trojan-activity;sid:84673251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petersonnjuguna/controller-for-disabled/refs/heads/main/honda/controller-disabled-for-v2.1.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810152/; classtype:trojan-activity;sid:84673252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3810153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/070789-juanitutus/amazegaming/refs/heads/main/colpeurysis/amaze-gaming-v1.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810153/; classtype:trojan-activity;sid:84673253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petersonnjuguna/controller-for-disabled/raw/refs/heads/main/honda/for_disabled_controller_2.1.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810154/; classtype:trojan-activity;sid:84673254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hulett77/valorant-efi-driver-cheat-hack/raw/refs/heads/main/driver/driver/valoran_ef_drive_cheat_hack_3.6-beta.5.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810143/; classtype:trojan-activity;sid:84673243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hulett77/valorant-efi-driver-cheat-hack/refs/heads/main/driver/driver/valoran_ef_drive_cheat_hack_3.6-beta.5.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810142/; classtype:trojan-activity;sid:84673242; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.27.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810141/; classtype:trojan-activity;sid:84673241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reagan567/kinoite-bluebuild/refs/heads/main/files/system/usr/lib/kinoite_bluebuild_v3.9-alpha.1.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810140/; classtype:trojan-activity;sid:84673240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/raw/refs/heads/main/codiales/software_v1.7.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810129/; classtype:trojan-activity;sid:84673229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/raw/refs/heads/main/codiales/software-3.6.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810130/; classtype:trojan-activity;sid:84673230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810131)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/christ893/wholesaleshop_system/raw/refs/heads/main/assets/wholesaleshop_system_v2.1.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810131/; classtype:trojan-activity;sid:84673231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/christ893/utkeeper99/raw/refs/heads/main/utkeeper/libs/utkeeper-v2.6.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810132/; classtype:trojan-activity;sid:84673232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/refs/heads/main/codiales/software-3.6.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810133/; classtype:trojan-activity;sid:84673233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/christ893/wholesaleshop_system/refs/heads/main/assets/wholesaleshop_system_v2.1.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810134/; classtype:trojan-activity;sid:84673234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810135)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/christ893/utkeeper99/refs/heads/main/utkeeper/libs/utkeeper-v2.6.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810135/; classtype:trojan-activity;sid:84673235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/refs/heads/main/codiales/software-3.8.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810136/; classtype:trojan-activity;sid:84673236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reagan567/kinoite-bluebuild/raw/refs/heads/main/files/system/usr/lib/kinoite_bluebuild_v3.9-alpha.1.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810137/; classtype:trojan-activity;sid:84673237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/raw/refs/heads/main/codiales/software-3.8.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810138/; classtype:trojan-activity;sid:84673238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810139)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/desafio-sudoku/raw/refs/heads/main/components/desafio-sudoku-v3.9.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810139/; classtype:trojan-activity;sid:84673239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilofelipe32/cursorball/refs/heads/main/codiales/software_v1.7.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810128/; classtype:trojan-activity;sid:84673228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.159.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810127/; classtype:trojan-activity;sid:84673227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deka214/bangklotski/raw/refs/heads/main/images/g-klotski-ban-2.3.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810126/; classtype:trojan-activity;sid:84673226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810123)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/deka214/instapy-quickstart/refs/heads/master/installation/linux/instapy-quickstart-v2.7.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810123/; classtype:trojan-activity;sid:84673223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deka214/bangklotski/refs/heads/main/images/g-klotski-ban-2.3.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810124/; classtype:trojan-activity;sid:84673224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deka214/instapy-quickstart/raw/refs/heads/master/installation/linux/instapy-quickstart-v2.7.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810125/; classtype:trojan-activity;sid:84673225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gomerpromiscuous139/yimmenu/refs/heads/main/tarumari/menu-yim-1.0.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810122/; classtype:trojan-activity;sid:84673222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810121)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gomerpromiscuous139/yimmenu/raw/refs/heads/main/tarumari/menu-yim-1.0.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810121/; classtype:trojan-activity;sid:84673221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.27.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810120/; classtype:trojan-activity;sid:84673220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khannely/derrxt/-/raw/main/u7q7r23u7669.exe"; depth:44; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810119/; classtype:trojan-activity;sid:84673219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.101.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810118/; classtype:trojan-activity;sid:84673218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/qkqwyyhd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810117/; classtype:trojan-activity;sid:84673217; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.225.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810116/; classtype:trojan-activity;sid:84673216; rev:1;)
# NOTE(review): sid 84673215 below does not follow the exact-match pattern of its neighbours.
# Its http.uri content decodes to 38 bytes (`|3f|` is `?`, each `|7c|` is a literal pipe), but
# depth is 53, which is the length of the escaped text. With `endswith` the pattern must still end
# the URI, yet it may begin up to 15 bytes in rather than at offset 0.
# Each `|7c|26|7c|` run decodes to the four literal bytes `|26|`. If the URL recorded at
# urlhaus.abuse.ch/url/3810115/ actually contains `&&`, the generator escaped the pattern twice and
# this rule cannot match that request -- TODO confirm against the URLhaus entry before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=dombuqdvogwkjdmp"; depth:53; endswith; nocase; http.host; content:"q55at0cm.apexharvestor.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810115/; classtype:trojan-activity;sid:84673215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khannely/derrxt/-/raw/main/259uzds8poxh.exe"; depth:44; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810114/; classtype:trojan-activity;sid:84673214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.159.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810113/; classtype:trojan-activity;sid:84673213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810112)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/masschens/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810112/; classtype:trojan-activity;sid:84673212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/masschens/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810111/; classtype:trojan-activity;sid:84673211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.150.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810110/; classtype:trojan-activity;sid:84673210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.87.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810109/; classtype:trojan-activity;sid:84673209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.150.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810108/; classtype:trojan-activity;sid:84673208; 
rev:1;)
# NOTE(review): the rules that follow for host 87.121.84.45 differ only in the URI, and each URI is
# a `main_` name with a CPU-architecture suffix (spc, x86_64, mips, mpsl, arm, sh4, x86). Each rule
# is an exact match on URI and host (depth equals the pattern length, plus `endswith` /
# `isdataat:!1,relative`), so a renamed file or an added query string on the same host is not
# covered. When any one of these sids fires, review all HTTP traffic from that client to the host
# rather than only the alerted request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_spc"; depth:9; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810106/; classtype:trojan-activity;sid:84673206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810107/; classtype:trojan-activity;sid:84673207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810105/; classtype:trojan-activity;sid:84673205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810094/; classtype:trojan-activity;sid:84673194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_04_01; reference:url, urlhaus.abuse.ch/url/3810095/; classtype:trojan-activity;sid:84673195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810096/; classtype:trojan-activity;sid:84673196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810097/; classtype:trojan-activity;sid:84673197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810098/; classtype:trojan-activity;sid:84673198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810099/; classtype:trojan-activity;sid:84673199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; 
http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810100/; classtype:trojan-activity;sid:84673200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810101/; classtype:trojan-activity;sid:84673201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810102/; classtype:trojan-activity;sid:84673202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810103/; classtype:trojan-activity;sid:84673203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810104/; classtype:trojan-activity;sid:84673204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810093)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810093/; classtype:trojan-activity;sid:84673193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810091/; classtype:trojan-activity;sid:84673191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"91.92.243.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810092/; classtype:trojan-activity;sid:84673192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.87.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810090/; classtype:trojan-activity;sid:84673190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.225.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810089/; classtype:trojan-activity;sid:84673189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3810088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.146.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810088/; classtype:trojan-activity;sid:84673188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6334661508/txzjq0t.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810087/; classtype:trojan-activity;sid:84673187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810086/; classtype:trojan-activity;sid:84673186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.146.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810085/; classtype:trojan-activity;sid:84673185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.144.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810084/; 
classtype:trojan-activity;sid:84673184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.59.83.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810083/; classtype:trojan-activity;sid:84673183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810082/; classtype:trojan-activity;sid:84673182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.47.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810081/; classtype:trojan-activity;sid:84673181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.78.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810080/; classtype:trojan-activity;sid:84673180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.144.161"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810079/; classtype:trojan-activity;sid:84673179; rev:1;)
# NOTE(review): in the rule below the http.uri content decodes to 38 bytes
# ("|3f|" is "?", each "|7c|" is a literal pipe character), but depth is 53,
# which is the length of the escaped text rather than of the decoded pattern.
# The neighbouring rules use depth equal to the content length for an exact
# match; here depth:53 with `endswith` accepts any URI of up to 53 bytes that
# ends with the pattern. Also check the referenced URLhaus entry to see whether
# the literal pipe-26-pipe sequences are intended or are a double-escaped "&"
# (0x26); if the latter, this rule would not match the reported URL.
# TODO confirm with the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=zrcpkqwoadvcntfb"; depth:53; endswith; nocase; http.host; content:"ui2rn7ei.apexharvestor.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810078/; classtype:trojan-activity;sid:84673178; rev:1;)
# The rules below pair the same URI, "/verification.google", with different
# hostnames under in.net. Each rule matches one exact Host value, so a hostname
# the feed has not listed yet is not covered by any of them.
# NOTE(review): the shared URI is a possible hunting pivot in proxy or HTTP logs;
# measure false positives in your environment before alerting on the URI alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"force-field.infodynamics.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810077/; classtype:trojan-activity;sid:84673177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"range-extend.signalvector.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810076/; classtype:trojan-activity;sid:84673176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ping-gate.signalvector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810075/; classtype:trojan-activity;sid:84673175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3810074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.59.83.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810074/; classtype:trojan-activity;sid:84673174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810073/; classtype:trojan-activity;sid:84673173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.47.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810072/; classtype:trojan-activity;sid:84673172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-form.signalvector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810071/; classtype:trojan-activity;sid:84673171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tower-sync.signalvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; 
reference:url, urlhaus.abuse.ch/url/3810070/; classtype:trojan-activity;sid:84673170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"radio-freq.signalvector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810069/; classtype:trojan-activity;sid:84673169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.243.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810068/; classtype:trojan-activity;sid:84673168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"beam-target.signalvector.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810067/; classtype:trojan-activity;sid:84673167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.191.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810066/; classtype:trojan-activity;sid:84673166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810065)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"raster-api.pixelengine.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810065/; classtype:trojan-activity;sid:84673165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8408827406/a6ueo3h.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810064/; classtype:trojan-activity;sid:84673164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"draw-logic.pixelengine.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810063/; classtype:trojan-activity;sid:84673163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"frame-buffer.pixelengine.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810062/; classtype:trojan-activity;sid:84673162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.54.85.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810061/; 
classtype:trojan-activity;sid:84673161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6728144278/mjtrglj.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810060/; classtype:trojan-activity;sid:84673160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"color-map.pixelengine.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810059/; classtype:trojan-activity;sid:84673159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"image-proc.pixelengine.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810058/; classtype:trojan-activity;sid:84673158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7942715918/md78wa4.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810057/; classtype:trojan-activity;sid:84673157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810056)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"drift-core.nanostream.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810056/; classtype:trojan-activity;sid:84673156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.191.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810055/; classtype:trojan-activity;sid:84673155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.206.207.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810054/; classtype:trojan-activity;sid:84673154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"24.54.85.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810053/; classtype:trojan-activity;sid:84673153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pulse-svc.nanostream.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810052/; classtype:trojan-activity;sid:84673152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3810051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fast-track.nanostream.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810051/; classtype:trojan-activity;sid:84673151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"small-packet.nanostream.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810050/; classtype:trojan-activity;sid:84673150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810049/; classtype:trojan-activity;sid:84673149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810048/; classtype:trojan-activity;sid:84673148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rapid-io.nanostream.in.net"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810047/; classtype:trojan-activity;sid:84673147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.62.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810046/; classtype:trojan-activity;sid:84673146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.92.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810045/; classtype:trojan-activity;sid:84673145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"micro-bit.nanostream.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810044/; classtype:trojan-activity;sid:84673144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zone-portal.cyberlattice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810043/; classtype:trojan-activity;sid:84673143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810042)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.40.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810042/; classtype:trojan-activity;sid:84673142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810041/; classtype:trojan-activity;sid:84673141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"link-vault.cyberlattice.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810040/; classtype:trojan-activity;sid:84673140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"net-fiber.cyberlattice.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810039/; classtype:trojan-activity;sid:84673139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shield-base.cyberlattice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810038/; 
classtype:trojan-activity;sid:84673138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.81.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810037/; classtype:trojan-activity;sid:84673137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"grid-secure.cyberlattice.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810036/; classtype:trojan-activity;sid:84673136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.92.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810035/; classtype:trojan-activity;sid:84673135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mesh-gate.cyberlattice.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810034/; classtype:trojan-activity;sid:84673134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"60.162.40.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810033/; classtype:trojan-activity;sid:84673133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pool-manager.datacascade.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810032/; classtype:trojan-activity;sid:84673132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"level-check.datacascade.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810031/; classtype:trojan-activity;sid:84673131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.254.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810030/; classtype:trojan-activity;sid:84673130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tier-access.datacascade.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810029/; classtype:trojan-activity;sid:84673129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3810028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.12.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810028/; classtype:trojan-activity;sid:84673128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bulk-logic.datacascade.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810027/; classtype:trojan-activity;sid:84673127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.183.98.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810026/; classtype:trojan-activity;sid:84673126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stream-view.datacascade.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810025/; classtype:trojan-activity;sid:84673125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; 
reference:url, urlhaus.abuse.ch/url/3810020/; classtype:trojan-activity;sid:84673120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810021/; classtype:trojan-activity;sid:84673121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810022/; classtype:trojan-activity;sid:84673122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810023/; classtype:trojan-activity;sid:84673123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"87.121.84.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810024/; classtype:trojan-activity;sid:84673124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; 
nocase; http.host; content:"flow-drop.datacascade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810019/; classtype:trojan-activity;sid:84673119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.81.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810018/; classtype:trojan-activity;sid:84673118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vector-node.infovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810017/; classtype:trojan-activity;sid:84673117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.243.227.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810016/; classtype:trojan-activity;sid:84673116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trace-sync.infovector.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810015/; classtype:trojan-activity;sid:84673115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3810014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.53.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810014/; classtype:trojan-activity;sid:84673114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.206.11.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810012/; classtype:trojan-activity;sid:84673112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.254.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810013/; classtype:trojan-activity;sid:84673113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.53.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810011/; classtype:trojan-activity;sid:84673111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"route-api.infovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810010/; 
classtype:trojan-activity;sid:84673110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.12.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810009/; classtype:trojan-activity;sid:84673109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.119.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810006/; classtype:trojan-activity;sid:84673106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.86.229.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810007/; classtype:trojan-activity;sid:84673107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.183.98.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810008/; classtype:trojan-activity;sid:84673108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"data-relay.infovector.in.net"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810005/; classtype:trojan-activity;sid:84673105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"path-finder.infovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810004/; classtype:trojan-activity;sid:84673104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"info-point.infovector.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810003/; classtype:trojan-activity;sid:84673103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dlnhov4.granulatetouch.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810002/; classtype:trojan-activity;sid:84673102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"daem-gate.granulatetouch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810001/; classtype:trojan-activity;sid:84673101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3809999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"177.86.229.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809999/; classtype:trojan-activity;sid:84673099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.119.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3810000/; classtype:trojan-activity;sid:84673100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wildcircuit.granulatetouch.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809998/; classtype:trojan-activity;sid:84673098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.51.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809997/; classtype:trojan-activity;sid:84673097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.26.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809996/; 
classtype:trojan-activity;sid:84673096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rnonito-watch.granulatetouch.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809995/; classtype:trojan-activity;sid:84673095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyper-14b.granulatetouch.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809994/; classtype:trojan-activity;sid:84673094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dqkgif.granulatetouch.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809993/; classtype:trojan-activity;sid:84673093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/td5qn5i.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809992/; classtype:trojan-activity;sid:84673092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809991)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.190.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809991/; classtype:trojan-activity;sid:84673091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cast-spar.coddlcaught.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809990/; classtype:trojan-activity;sid:84673090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.71.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809989/; classtype:trojan-activity;sid:84673089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1333144962/ixvwehf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809988/; classtype:trojan-activity;sid:84673088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"snapshotgeyser.coddlcaught.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809987/; classtype:trojan-activity;sid:84673087; rev:1;) 
# ---------------------------------------------------------------------------
# Reading these rules (all follow one template):
#   flow:established,from_client; http.method "GET"
#       -> only client-side GET requests on an established flow.
#   http.uri; content:"<path>"; depth:<n>; endswith; nocase;
#       -> when <n> equals the pattern length, the URI buffer must equal
#          <path> exactly (case-insensitively), query string included.
#   http.host; content:"<host>"; depth:<n>; isdataat:!1,relative;
#       -> the host buffer must equal <host>, with nothing after it.
#   reference:url -> the URLhaus entry; the number in msg is that entry id.
#       In this span sid = URLhaus id + 80863100.
# Coverage caveats for whoever triages these alerts:
#   * `alert http` only sees requests Suricata parses as cleartext HTTP; the
#     same URL fetched over TLS is not covered unless traffic is decrypted
#     upstream of the sensor.
#   * Host and URI are exact matches, so a sibling subdomain or a changed file
#     name is not covered until the feed publishes a rule for it.
#   * Bare-IP indicators (created_at 2026_04_01 here) go stale when the address
#     changes hands; check the URLhaus reference for current status.
# Suricata expects one rule per line, as laid out below.
# ---------------------------------------------------------------------------

# Short generic paths (/i, /bin.sh) on bare-IP hosts: the host match carries
# the specificity, the path alone would be far too broad.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.159.32.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809986/; classtype:trojan-activity;sid:84673086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.26.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809985/; classtype:trojan-activity;sid:84673085; rev:1;)
# Several subdomains of coddlcaught.in.net in this span share the path
# /verification.google; each subdomain has its own exact-host rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mode14-node.coddlcaught.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809984/; classtype:trojan-activity;sid:84673084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.92.180.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809983/; classtype:trojan-activity;sid:84673083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.64.81.186"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809982/; classtype:trojan-activity;sid:84673082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shie1d-leaf.coddlcaught.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809981/; classtype:trojan-activity;sid:84673081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"24zog.coddlcaught.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809980/; classtype:trojan-activity;sid:84673080; rev:1;)
# Same host (216.126.86.177) listed under two paths, /i and /bin.sh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.126.86.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809979/; classtype:trojan-activity;sid:84673079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.126.86.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809978/; classtype:trojan-activity;sid:84673078; rev:1;)
# NOTE(review): in the URI pattern below, `|7c|26|7c|` decodes to the four
# literal bytes "|26|", not to "&" (0x26). Presumably the feed generator
# escaped "&" to |26| and then escaped the pipes again - confirm against the
# URLhaus entry. If the real URL uses "&id=", this pattern does not match it.
# NOTE(review): depth:68 equals the length of the escaped pattern text; the
# bytes actually matched are 59, so with endswith the URI may carry up to 9
# leading bytes. The other rules in this span use depth == pattern length.
# NOTE(review): drive.google.com is normally reached over HTTPS, so an
# `alert http` rule for it is only useful behind TLS inspection. The same
# three notes apply to 3809975 further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1zr0j_pct-7bfsqhxpncoapzchvc8jh2a"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809976/; classtype:trojan-activity;sid:84673076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"foredeliv.coddlcaught.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809977/; classtype:trojan-activity;sid:84673077; rev:1;)
# NOTE(review): same `|7c|26|7c|` / depth:68 / HTTPS concerns as 3809976.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1k2ptdvgzuxdmp-8arwnlnzy77kt_2kvm"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809975/; classtype:trojan-activity;sid:84673075; rev:1;)
# Named domain with a .png path under /wp-admin/images/; the rule matches the
# request only and does not inspect what the response body actually contains.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/image5656.png"; depth:30; endswith; nocase; http.host; content:"allsydevs.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809974/; classtype:trojan-activity;sid:84673074; rev:1;)
# The remaining rules in this span share one host (176.65.139.67) and one
# 64-hex-character path prefix, differing only in the suffix (_x86_64, _arm,
# _x86, _ppc, _arm6, _m68k, _arm7, _mips, _mpsl); the series continues in the
# rules that follow. Any single hit is worth correlating with the others for
# the same source address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_x86_64"; depth:72; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809963/; classtype:trojan-activity;sid:84673063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_arm"; depth:69; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809964/; classtype:trojan-activity;sid:84673064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_x86"; depth:69; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809965/; classtype:trojan-activity;sid:84673065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_ppc"; depth:69; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809966/; classtype:trojan-activity;sid:84673066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_arm6"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809967/; classtype:trojan-activity;sid:84673067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_m68k"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809968/; classtype:trojan-activity;sid:84673068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_arm7"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809969/; classtype:trojan-activity;sid:84673069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_mips"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809970/; classtype:trojan-activity;sid:84673070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_mpsl"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809971/; classtype:trojan-activity;sid:84673071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_arm5"; depth:70; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809972/; classtype:trojan-activity;sid:84673072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b1d84ec23f2ecff0163a3ca8cdf98ef6ebb47003b3693e2c7acf0e0edefb1f_sh4"; depth:69; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809973/; classtype:trojan-activity;sid:84673073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.159.32.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809962/; classtype:trojan-activity;sid:84673062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"storagefreig.glassterrible.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809961/; classtype:trojan-activity;sid:84673061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809960)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.190.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809960/; classtype:trojan-activity;sid:84673060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.101.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809959/; classtype:trojan-activity;sid:84673059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msirump24th.png"; depth:26; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809958/; classtype:trojan-activity;sid:84673058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_150816yunewrdp.png"; depth:23; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809957/; classtype:trojan-activity;sid:84673057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_051917takooo.png"; depth:21; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809956/; classtype:trojan-activity;sid:84673056; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.203.210.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809955/; classtype:trojan-activity;sid:84673055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_174605yufreshstart.png"; depth:27; endswith; nocase; http.host; content:"teslasuit.to"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809954/; classtype:trojan-activity;sid:84673054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcemqhbbvlwcqxiuycql69.bin"; depth:27; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809947/; classtype:trojan-activity;sid:84673047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njpyuxifcb214.bin"; depth:18; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809948/; classtype:trojan-activity;sid:84673048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blun.mso"; depth:9; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_01; reference:url, urlhaus.abuse.ch/url/3809949/; classtype:trojan-activity;sid:84673049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seetuhhnqufcf34.bin"; depth:20; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809950/; classtype:trojan-activity;sid:84673050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tegeticula.xsn"; depth:15; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809951/; classtype:trojan-activity;sid:84673051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nailalaa.rar"; depth:13; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809952/; classtype:trojan-activity;sid:84673052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alodificat.pcz"; depth:15; endswith; nocase; http.host; content:"192.3.177.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809953/; classtype:trojan-activity;sid:84673053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809946)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zwjk9ew.glassterrible.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809946/; classtype:trojan-activity;sid:84673046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.92.180.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809945/; classtype:trojan-activity;sid:84673045; rev:1;)
# NOTE(review): several rules in this stretch share the URI "/verification.google" and differ
# only in the sub-domain under glassterrible.in.net. Each one pins the complete Host value
# (depth equals the host length and isdataat:!1,relative forbids trailing bytes), so a
# sub-domain that has not been reported to the feed yet is not covered. Being "alert http"
# rules, they also only see requests the sensor can parse as HTTP. If these fire, a proxy or
# DNS log search on the parent domain is a reasonable follow-up; confirm first that the parent
# domain has no legitimate use in your environment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-spool.glassterrible.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809944/; classtype:trojan-activity;sid:84673044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"matri-insp.glassterrible.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809943/; classtype:trojan-activity;sid:84673043; rev:1;)
# NOTE(review): the http.uri pattern in the next rule (sid 84673042) looks double-escaped.
# |3f| is "?", but every parameter separator is written |7c|26|7c|. 0x7c is the pipe
# character, so Suricata reads that as the four literal bytes pipe, "2", "6", pipe and not
# as an ampersand (0x26). If the reported URL separated its query parameters with an
# ampersand (presumably; confirm against the URLhaus entry named in the rule's reference),
# this signature cannot match that request and the download would pass without an alert.
# depth:168 equals the length of the escaped text, while the decoded pattern is shorter
# (about 111 bytes by count), so depth no longer pins the match to the start of the URI the
# way depth == pattern length does in the neighbouring rules. A corrected local copy would
# write each separator as |26| and set depth to the decoded length. TODO: report upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=2billi|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=%27"; depth:168; endswith; nocase; http.host; content:"stajestetice.top"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809942/; classtype:trojan-activity;sid:84673042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.226.161.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809941/; classtype:trojan-activity;sid:84673041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qxynmyj10.bin"; depth:14; endswith; nocase; http.host; content:"192.227.128.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809939/; classtype:trojan-activity;sid:84673039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proto-voy4.glassterrible.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809940/; classtype:trojan-activity;sid:84673040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.137.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809938/; classtype:trojan-activity;sid:84673038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809937)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.209.73.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809937/; classtype:trojan-activity;sid:84673037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"7kutx52w.glassterrible.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809936/; classtype:trojan-activity;sid:84673036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809935/; classtype:trojan-activity;sid:84673035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr.sh"; depth:7; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809933/; classtype:trojan-activity;sid:84673033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mpsl"; depth:13; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809934/; classtype:trojan-activity;sid:84673034; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"datarea.dropaway.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809932/; classtype:trojan-activity;sid:84673032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.99.231"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809931/; classtype:trojan-activity;sid:84673031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.71.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809930/; classtype:trojan-activity;sid:84673030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ijnjw.dropaway.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809929/; classtype:trojan-activity;sid:84673029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.209.73.41"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809928/; classtype:trojan-activity;sid:84673028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.226.161.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809927/; classtype:trojan-activity;sid:84673027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.137.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809926/; classtype:trojan-activity;sid:84673026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qnde.dropaway.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809925/; classtype:trojan-activity;sid:84673025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vrr80sq.dropaway.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809924/; classtype:trojan-activity;sid:84673024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809923)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.157.70.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809923/; classtype:trojan-activity;sid:84673023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"threaopti.dropaway.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809922/; classtype:trojan-activity;sid:84673022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7453936223/kaq8pq5.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809921/; classtype:trojan-activity;sid:84673021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mr/random.exe"; depth:20; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809920/; classtype:trojan-activity;sid:84673020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zte"; depth:4; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809919/; classtype:trojan-activity;sid:84673019; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lg"; depth:3; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809918/; classtype:trojan-activity;sid:84673018; rev:1;)
# NOTE(review): the rules for host 176.65.139.80 around this point match short single-segment
# paths (/lg, /goahead, /gpon443, /huawei, /thinkphp). The path alone is generic; the
# specificity comes entirely from the pinned Host value, so these only fire when the request
# carries that exact IP in its Host header. All of them are $HOME_NET -> $EXTERNAL_NET GET
# requests from the client side of an established flow, i.e. an internal host asked for the
# file. The path names resemble product or device names, presumably one payload per targeted
# platform (confirm in the referenced URLhaus entries). For triage, identify the internal
# client from the flow record and check whether the response was delivered, rather than
# treating the alert as an inbound scan.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goahead"; depth:8; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809915/; classtype:trojan-activity;sid:84673015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gpon443"; depth:8; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809916/; classtype:trojan-activity;sid:84673016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huawei"; depth:7; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809917/; classtype:trojan-activity;sid:84673017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thinkphp"; depth:9; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809909/; classtype:trojan-activity;sid:84673009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aws"; depth:4; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809910/; classtype:trojan-activity;sid:84673010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zyxel"; depth:6; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809911/; classtype:trojan-activity;sid:84673011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realtek"; depth:8; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809912/; classtype:trojan-activity;sid:84673012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hnap"; depth:5; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809913/; classtype:trojan-activity;sid:84673013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pulse"; depth:6; endswith; nocase; http.host; content:"176.65.139.80"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809914/; classtype:trojan-activity;sid:84673014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaws"; depth:5; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809908/; classtype:trojan-activity;sid:84673008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yarn"; depth:5; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809907/; classtype:trojan-activity;sid:84673007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.94.188.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809906/; classtype:trojan-activity;sid:84673006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809905/; classtype:trojan-activity;sid:84673005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809892)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809892/; classtype:trojan-activity;sid:84672992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809893/; classtype:trojan-activity;sid:84672993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809894/; classtype:trojan-activity;sid:84672994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809895/; classtype:trojan-activity;sid:84672995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809896/; 
classtype:trojan-activity;sid:84672996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809897/; classtype:trojan-activity;sid:84672997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809898/; classtype:trojan-activity;sid:84672998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809899/; classtype:trojan-activity;sid:84672999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809900/; classtype:trojan-activity;sid:84673000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809901)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809901/; classtype:trojan-activity;sid:84673001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809902/; classtype:trojan-activity;sid:84673002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809903/; classtype:trojan-activity;sid:84673003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809904/; classtype:trojan-activity;sid:84673004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.231.159.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809891/; classtype:trojan-activity;sid:84672991; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809888/; classtype:trojan-activity;sid:84672988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809889/; classtype:trojan-activity;sid:84672989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809890/; classtype:trojan-activity;sid:84672990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dr1v5-frame.dropaway.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809887/; classtype:trojan-activity;sid:84672987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_01; reference:url, urlhaus.abuse.ch/url/3809880/; classtype:trojan-activity;sid:84672980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809881/; classtype:trojan-activity;sid:84672981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809882/; classtype:trojan-activity;sid:84672982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809883/; classtype:trojan-activity;sid:84672983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809884/; classtype:trojan-activity;sid:84672984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; 
content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809885/; classtype:trojan-activity;sid:84672985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809886/; classtype:trojan-activity;sid:84672986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.251.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809879/; classtype:trojan-activity;sid:84672979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.195.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809878/; classtype:trojan-activity;sid:84672978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809877/; classtype:trojan-activity;sid:84672977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809876)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"5hsg8.sewdarken.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809876/; classtype:trojan-activity;sid:84672976; rev:1;)
# How these signatures match: the http.uri content carries depth:N (N = its own
# length) plus endswith, and the http.host content carries depth:N plus
# isdataat:!1,relative, so each buffer has to equal the listed string exactly.
# A request for the same path with anything appended, or to any other host name,
# is not covered by that sid.
# The /verification.google rules in this group name separate labels under
# sewdarken.in.net (5hsg8, 9lftebnr, geo-d4ta); a label that is not listed gets
# no alert.
# NOTE(review): if the parent domain as a whole is unwanted, cover it with a local
# rule or DNS policy kept outside this generated file - confirm ownership first.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.99.231"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809875/; classtype:trojan-activity;sid:84672975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.68.28.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809874/; classtype:trojan-activity;sid:84672974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.214.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809873/; classtype:trojan-activity;sid:84672973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"9lftebnr.sewdarken.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809872/; classtype:trojan-activity;sid:84672972; rev:1;)
# sids 84672971 and 84672970 share host 176.65.139.40 and differ only in the file
# name (/x86_64 and /x86); because the URI match is exact, neither covers the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809871/; classtype:trojan-activity;sid:84672971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809870/; classtype:trojan-activity;sid:84672970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.100.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809869/; classtype:trojan-activity;sid:84672969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.157.70.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809867/; classtype:trojan-activity;sid:84672967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.188.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809868/; classtype:trojan-activity;sid:84672968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.73.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809865/; classtype:trojan-activity;sid:84672965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"geo-d4ta.sewdarken.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809866/; classtype:trojan-activity;sid:84672966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.146.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809864/; classtype:trojan-activity;sid:84672964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.104.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809862/; classtype:trojan-activity;sid:84672962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.251.105"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809863/; classtype:trojan-activity;sid:84672963; rev:1;)
# Scope of the rules in this group: `alert http` with flow:established,from_client,
# $HOME_NET -> $EXTERNAL_NET and http.method "GET". They only see requests that the
# sensor parses as HTTP in that direction; the same download over TLS (without
# decryption upstream), with another method, or between two internal hosts is
# outside them. DNS or TLS coverage of the same host names needs separate rules.
# The /verification.google rules here are further exact-match labels under
# sewdarken.in.net (nbjc, finalvault, lumline0al).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.100.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809861/; classtype:trojan-activity;sid:84672961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nbjc.sewdarken.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809860/; classtype:trojan-activity;sid:84672960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809858/; classtype:trojan-activity;sid:84672958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.119.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809859/; classtype:trojan-activity;sid:84672959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.52.56.85"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809857/; classtype:trojan-activity;sid:84672957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"finalvault.sewdarken.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809856/; classtype:trojan-activity;sid:84672956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.112.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809855/; classtype:trojan-activity;sid:84672955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_ampgg.sh"; depth:13; endswith; nocase; http.host; content:"ampgg.bossjy.cc.cd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809854/; classtype:trojan-activity;sid:84672954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.39.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809852/; classtype:trojan-activity;sid:84672952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.212.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809853/; classtype:trojan-activity;sid:84672953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.73.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809851/; classtype:trojan-activity;sid:84672951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumline0al.sewdarken.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809850/; classtype:trojan-activity;sid:84672950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.15.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809849/; classtype:trojan-activity;sid:84672949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"d3pl-lab.movementsheptun.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; 
reference:url, urlhaus.abuse.ch/url/3809848/; classtype:trojan-activity;sid:84672948; rev:1;)
# Several hosts below are IPv4 literals that carry two sids each, one for /i and
# one for /bin.sh (61.53.75.239 has both, sids 84672945 and 84672944). The rules
# record only created_at 2026_04_01; nothing in them says whether the address still
# serves the file, so the reference:url entry is the place to check status during
# triage.
# The /verification.google hosts are separate labels under movementsheptun.in.net;
# the host match is exact, so each label has its own sid and unlisted labels have
# none.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.32.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809847/; classtype:trojan-activity;sid:84672947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hfx03k.movementsheptun.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809846/; classtype:trojan-activity;sid:84672946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809845/; classtype:trojan-activity;sid:84672945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.75.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809844/; classtype:trojan-activity;sid:84672944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.146.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809843/; classtype:trojan-activity;sid:84672943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sp4rk3-trace.movementsheptun.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809842/; classtype:trojan-activity;sid:84672942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.206.207.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809841/; classtype:trojan-activity;sid:84672941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809840/; classtype:trojan-activity;sid:84672940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.24.142.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809839/; classtype:trojan-activity;sid:84672939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arn3i.movementsheptun.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809838/; classtype:trojan-activity;sid:84672938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.15.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809836/; classtype:trojan-activity;sid:84672936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.39.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809837/; classtype:trojan-activity;sid:84672937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fvbtyoj.movementsheptun.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809835/; classtype:trojan-activity;sid:84672935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"relay-chain.movementsheptun.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809834/; classtype:trojan-activity;sid:84672934; rev:1;)
# Triage aid: on every rule in this group the sid equals the URLhaus entry id from
# msg and reference:url plus 80863100 (sid 84672933 -> entry 3809833), so an alert
# maps straight back to its URLhaus record.
# Six /verification.google rules below differ only in the label under
# demolishtunis.in.net; grouping alerts by parent domain keeps them from being
# counted as six unrelated detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.225.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809833/; classtype:trojan-activity;sid:84672933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.135.131.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809831/; classtype:trojan-activity;sid:84672931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.4.253"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809832/; classtype:trojan-activity;sid:84672932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809830/; classtype:trojan-activity;sid:84672930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"9sis.demolishtunis.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809829/; classtype:trojan-activity;sid:84672929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.235.62.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809828/; classtype:trojan-activity;sid:84672928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"jjczes4.demolishtunis.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809827/; classtype:trojan-activity;sid:84672927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809826/; classtype:trojan-activity;sid:84672926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809825/; classtype:trojan-activity;sid:84672925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.25.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809824/; classtype:trojan-activity;sid:84672924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"m15t7-sync.demolishtunis.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809823/; classtype:trojan-activity;sid:84672923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.33.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809822/; classtype:trojan-activity;sid:84672922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"binaryassay.demolishtunis.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809821/; classtype:trojan-activity;sid:84672921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"talforgeal2.demolishtunis.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809820/; classtype:trojan-activity;sid:84672920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.135.131.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809819/; classtype:trojan-activity;sid:84672919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dynfluxal.demolishtunis.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809818/; classtype:trojan-activity;sid:84672918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809817/; classtype:trojan-activity;sid:84672917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lo98.barondecont.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809816/; classtype:trojan-activity;sid:84672916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809815)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pcoss/dl/pptv(pplive)_forap_1084_9993.exe"; depth:42; endswith; nocase; http.host; content:"ossapp.suning.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809815/; classtype:trojan-activity;sid:84672915; rev:1;)
# NOTE(review): sid 84672915 (ending on the line above) keys on ossapp.suning.com,
# which looks like a software vendor's own download host rather than dedicated
# infrastructure - inferred from the name only. Expect to tune this sid locally if
# that software is in legitimate use; the rule itself carries no such context.
# sids 84672914 and 84672911 are the same /taptapsend.apk path on www.telecomsa.xyz
# and telecomsa.xyz: the host match is exact, so the feed needs one rule per form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taptapsend.apk"; depth:15; endswith; nocase; http.host; content:"www.telecomsa.xyz"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809814/; classtype:trojan-activity;sid:84672914; rev:1;)
# NOTE(review): the next rule, and sids 84672908, 84672906 and 84672904 further
# down, match a literal "%20" inside http.uri. http.uri is the normalized request
# URI; if the sensor percent-decodes %20 to a space before matching, these contents
# can never match and the rules stay silent. The still-encoded form is what
# http.uri.raw exposes. Verify on a test sensor before relying on these four sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/ueditor/php/upload/file/20250114/x1/ref-cli%20v1.0.3.exe"; depth:62; endswith; nocase; http.host; content:"m.hy-union.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809813/; classtype:trojan-activity;sid:84672913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.33.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809812/; classtype:trojan-activity;sid:84672912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taptapsend.apk"; depth:15; endswith; nocase; http.host; content:"telecomsa.xyz"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809811/; classtype:trojan-activity;sid:84672911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"jem-mialwe.org"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809808/; classtype:trojan-activity;sid:84672908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/triggerfinder_dz7.exe"; depth:22; endswith; nocase; http.host; content:"dz7shop.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809809/; classtype:trojan-activity;sid:84672909; rev:1;)
# NOTE(review): the host below is a bucket-style name under r2.dev and the path is
# a remote-access client installer name. Hosts of this kind are commonly fetched
# over HTTPS, and an `alert http` rule fires only when the request is visible to
# the sensor as cleartext HTTP - confirm this sid can match in your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screenconnect.clientsetup.msi"; depth:30; endswith; nocase; http.host; content:"pub-563376bbe356408a8c67e226123a6095.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809810/; classtype:trojan-activity;sid:84672910; rev:1;)
# sids 84672905 and 84672907 name the same file on marcuswelbyclinic.click, once
# under /final-payload/ and once at the root. The 172.28.16.169 in the file name is
# an RFC 1918 address; it is matched only as text inside the URI, not as a network
# address. The name suggests a Ligolo tunnelling agent build - inferred from the
# file name only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final-payload/ligolo_172.28.16.169.exe"; depth:39; endswith; nocase; http.host; content:"marcuswelbyclinic.click"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809805/; classtype:trojan-activity;sid:84672905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"keilo-jermailer.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809806/; classtype:trojan-activity;sid:84672906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ligolo_172.28.16.169.exe"; depth:25; endswith; nocase; http.host; content:"marcuswelbyclinic.click"; depth:23; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809807/; classtype:trojan-activity;sid:84672907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"lejrmakei.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809804/; classtype:trojan-activity;sid:84672904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sprucethorn.barondecont.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809803/; classtype:trojan-activity;sid:84672903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.25.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809802/; 
classtype:trojan-activity;sid:84672902; rev:1;)
# nocase is attached to the http.uri content only. The http.host strings are all
# written in lower case - NOTE(review): Suricata documents http.host as a
# lower-cased buffer, so that is presumably deliberate; http.host.raw would behave
# differently.
# classtype:trojan-activity is the same on every rule, so alert priority comes from
# the sensor's classification.config and not from anything per-URL in this file.
# The /verification.google rules below are exact-match labels under
# barondecont.in.net; labels that are not listed produce no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.79.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809801/; classtype:trojan-activity;sid:84672901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"h4rb-loop.barondecont.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809800/; classtype:trojan-activity;sid:84672900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"crirn4-point.barondecont.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809799/; classtype:trojan-activity;sid:84672899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.79.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809798/; classtype:trojan-activity;sid:84672898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.94.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809797/; classtype:trojan-activity;sid:84672897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"calmion.barondecont.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809796/; classtype:trojan-activity;sid:84672896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809795/; classtype:trojan-activity;sid:84672895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qobavx3.barondecont.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809794/; classtype:trojan-activity;sid:84672894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8301037712/kjhnixp.bat"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809793/; classtype:trojan-activity;sid:84672893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3809792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809792/; classtype:trojan-activity;sid:84672892; rev:1;)
# Every rule carries rev:1 and a sid taken from the feed, and the file header gives
# a "Last updated" timestamp - presumably the whole file is regenerated on each
# pull, so edits made in place would be lost. Tuning (suppress/threshold entries,
# or a broader local rule for vivatwoman.in.net labels that are not listed here)
# belongs in the sensor's own configuration, keyed to these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"neo-d3v.vivatwoman.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809791/; classtype:trojan-activity;sid:84672891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.69.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809790/; classtype:trojan-activity;sid:84672890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.23.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809789/; classtype:trojan-activity;sid:84672889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"norvenix2.vivatwoman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809788/; classtype:trojan-activity;sid:84672888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.52.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809787/; classtype:trojan-activity;sid:84672887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumnexen7.vivatwoman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809786/; classtype:trojan-activity;sid:84672886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"6jamieya.vivatwoman.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809785/; classtype:trojan-activity;sid:84672885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.106.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809784/; classtype:trojan-activity;sid:84672884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solcresten2.vivatwoman.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809783/; classtype:trojan-activity;sid:84672883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.68.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809782/; classtype:trojan-activity;sid:84672882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.94.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809781/; classtype:trojan-activity;sid:84672881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809780/; classtype:trojan-activity;sid:84672880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wild-mount.vivatwoman.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809779/; classtype:trojan-activity;sid:84672879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809778)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.52.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809778/; classtype:trojan-activity;sid:84672878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kxep42pp.driveaway.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809777/; classtype:trojan-activity;sid:84672877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"choru5-hinge.driveaway.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809776/; classtype:trojan-activity;sid:84672876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.106.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809775/; classtype:trojan-activity;sid:84672875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.79.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809774/; 
classtype:trojan-activity;sid:84672874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"compilpow.driveaway.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809773/; classtype:trojan-activity;sid:84672873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.68.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809772/; classtype:trojan-activity;sid:84672872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nppw50at.driveaway.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809771/; classtype:trojan-activity;sid:84672871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wzovragk.driveaway.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809770/; classtype:trojan-activity;sid:84672870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; 
depth:20; endswith; nocase; http.host; content:"soft-glob.driveaway.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809769/; classtype:trojan-activity;sid:84672869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"loud-cloud.brillwhistleb.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809768/; classtype:trojan-activity;sid:84672868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809767/; classtype:trojan-activity;sid:84672867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googlechrome_1.1.1_new.exe"; depth:27; endswith; nocase; http.host; content:"emacra.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809766/; classtype:trojan-activity;sid:84672866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wind-flow.brillwhistleb.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809765/; classtype:trojan-activity;sid:84672865; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alert-svc.brillwhistleb.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809764/; classtype:trojan-activity;sid:84672864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.252.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809763/; classtype:trojan-activity;sid:84672863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"signal-box.brillwhistleb.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809762/; classtype:trojan-activity;sid:84672862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.21.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809761/; classtype:trojan-activity;sid:84672861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tune-api.brillwhistleb.in.net"; depth:29; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809760/; classtype:trojan-activity;sid:84672860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"high-note.brillwhistleb.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809759/; classtype:trojan-activity;sid:84672859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.79.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809758/; classtype:trojan-activity;sid:84672858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yield-hub.combinekabisia.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809757/; classtype:trojan-activity;sid:84672857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.2.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809756/; classtype:trojan-activity;sid:84672856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809755)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"crop-trace.combinekabisia.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809755/; classtype:trojan-activity;sid:84672855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.142.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809753/; classtype:trojan-activity;sid:84672853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.252.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809754/; classtype:trojan-activity;sid:84672854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"harvest-api.combinekabisia.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809751/; classtype:trojan-activity;sid:84672851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"field-scan.combinekabisia.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809752/; classtype:trojan-activity;sid:84672852; rev:1;)
# Generated URLhaus IOC rules, one known download URL per rule.
# Scope of each rule: a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET (alert http,
# flow:established,from_client). The same URL fetched over TLS is not inspected here.
# Match shape: http.uri content with depth == content length plus endswith pins the whole
# URI (case-insensitively, nocase); http.host content with depth == length plus
# isdataat:!1,relative pins the whole host. Any extra query string or path byte means no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"grain-store.combinekabisia.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809750/; classtype:trojan-activity;sid:84672850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.24.63.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809749/; classtype:trojan-activity;sid:84672849; rev:1;)
# NOTE(review), sid 84672848: inside a content string |7c| is a literal pipe byte, so
# "|7c|26|7c|" matches the four characters "|26|" and not "&" (which would be written |26|).
# If the listed URL separates its query parameters with "&", this rule cannot match it.
# Looks like the generator escaped the pipes of an already-escaped string; confirm against
# the URLhaus entry in the reference.
# depth:159 is the character count of the escaped string; the decoded pattern is shorter
# (138 bytes by my count), so here depth + endswith gives an "ends with" match, not the
# whole-URI match the sibling rules get.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php|3f|a=dl|7c|26|7c|token=fcdd5b796fbf5cb5614da7aaa4773fb404771c4821e4b8d30305ed8df58a2188|7c|26|7c|src=trindade.pe.gov.br|7c|26|7c|mode=cloudflare"; depth:159; endswith; nocase; http.host; content:"mybiggestjoy.bond"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809748/; classtype:trojan-activity;sid:84672848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809744/; classtype:trojan-activity;sid:84672844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3809745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.x86_64"; depth:12; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809745/; classtype:trojan-activity;sid:84672845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.x86"; depth:9; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809746/; classtype:trojan-activity;sid:84672846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.mipsle"; depth:12; endswith; nocase; http.host; content:"159.253.120.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809747/; classtype:trojan-activity;sid:84672847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809732/; classtype:trojan-activity;sid:84672832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809733/; classtype:trojan-activity;sid:84672833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809734/; classtype:trojan-activity;sid:84672834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm5"; depth:10; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809735/; classtype:trojan-activity;sid:84672835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.169.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809736/; classtype:trojan-activity;sid:84672836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.powerpc"; depth:13; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809737/; classtype:trojan-activity;sid:84672837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.mipsel-uclibc"; depth:19; endswith; 
nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809738/; classtype:trojan-activity;sid:84672838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.mipsel"; depth:12; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809739/; classtype:trojan-activity;sid:84672839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809740/; classtype:trojan-activity;sid:84672840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_201258.png"; depth:15; endswith; nocase; http.host; content:"winston1.rf.gd"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809741/; classtype:trojan-activity;sid:84672841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809742/; classtype:trojan-activity;sid:84672842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3809743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.mips-uclibc"; depth:17; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809743/; classtype:trojan-activity;sid:84672843; rev:1;)
# Exact-match IOC rules: each one alerts on a cleartext HTTP GET from $HOME_NET whose
# whole http.uri and whole http.host equal the listed values (depth == content length,
# endswith / isdataat:!1,relative).
# The /hiddenbin/boatnet.* rules on 82.23.183.167 differ only in the file suffix
# (.i686 and .x86_64 here). They all point at the same host, so a hit on any of them
# is best triaged per host rather than per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809731/; classtype:trojan-activity;sid:84672831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.42.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809730/; classtype:trojan-activity;sid:84672830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809728/; classtype:trojan-activity;sid:84672828; rev:1;)
# NOTE(review): "boatnet.i468" is the path as the feed lists it. Presumably the file is
# really served under that name, so do not "correct" it to i486 without checking the
# URLhaus entry; the rule only matches the exact string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809729/; classtype:trojan-activity;sid:84672829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_215835.png"; depth:15; endswith; nocase; http.host; content:"winston1.rf.gd"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809727/; classtype:trojan-activity;sid:84672827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_143439.png"; depth:15; endswith; nocase; http.host; content:"winston1.rf.gd"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809726/; classtype:trojan-activity;sid:84672826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809714/; classtype:trojan-activity;sid:84672814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809715/; classtype:trojan-activity;sid:84672815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809716)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809716/; classtype:trojan-activity;sid:84672816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809717/; classtype:trojan-activity;sid:84672817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809718/; classtype:trojan-activity;sid:84672818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm4"; depth:10; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809719/; classtype:trojan-activity;sid:84672819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.mips"; depth:10; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809720/; classtype:trojan-activity;sid:84672820; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809721/; classtype:trojan-activity;sid:84672821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"82.23.183.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809722/; classtype:trojan-activity;sid:84672822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm7"; depth:10; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809723/; classtype:trojan-activity;sid:84672823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm6"; depth:10; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809724/; classtype:trojan-activity;sid:84672824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.aarch64"; depth:13; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_04_01; reference:url, urlhaus.abuse.ch/url/3809725/; classtype:trojan-activity;sid:84672825; rev:1;)
# Exact-match IOC rules: cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET, whole
# http.uri (nocase) and whole http.host pinned by depth == content length plus
# endswith / isdataat:!1,relative.
# NOTE(review): sids 84672812 and 84672811 share host my-xarid.com and the /api/v5/ path.
# client32.ini and nsm.lic are the file names NetSupport Manager uses for its client
# configuration and licence, so these two presumably cover one staging set. Confirm on
# the URLhaus entries and triage a hit on either together with the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v5/client32.ini"; depth:20; endswith; nocase; http.host; content:"my-xarid.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809712/; classtype:trojan-activity;sid:84672812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/updater"; depth:11; endswith; nocase; http.host; content:"103.79.79.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809713/; classtype:trojan-activity;sid:84672813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v5/nsm.lic"; depth:15; endswith; nocase; http.host; content:"my-xarid.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809711/; classtype:trojan-activity;sid:84672811; rev:1;)
# The /verification.google rules use many short-lived-looking subdomains of the same parent
# zones (here combinekabisia.in.net). Each rule pins one full host name, so a subdomain
# not yet in the feed produces no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"farm-logic.combinekabisia.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809710/; classtype:trojan-activity;sid:84672810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809709)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.124.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809709/; classtype:trojan-activity;sid:84672809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.83.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809708/; classtype:trojan-activity;sid:84672808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.21.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809707/; classtype:trojan-activity;sid:84672807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"root-source.maknothplacenta.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809706/; classtype:trojan-activity;sid:84672806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.142.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809705/; classtype:trojan-activity;sid:84672805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3809704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.146.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809704/; classtype:trojan-activity;sid:84672804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"health-node.maknothplacenta.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809703/; classtype:trojan-activity;sid:84672803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.81.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809702/; classtype:trojan-activity;sid:84672802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"organ-sync.maknothplacenta.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809701/; classtype:trojan-activity;sid:84672801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cell-logic.maknothplacenta.in.net"; depth:33; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809700/; classtype:trojan-activity;sid:84672800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"life-cycle.maknothplacenta.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809699/; classtype:trojan-activity;sid:84672799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.83.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809698/; classtype:trojan-activity;sid:84672798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.124.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809697/; classtype:trojan-activity;sid:84672797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bio-record.maknothplacenta.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809696/; classtype:trojan-activity;sid:84672796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809695)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.91.119"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809695/; classtype:trojan-activity;sid:84672795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809694/; classtype:trojan-activity;sid:84672794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-form.lohsmacknon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809693/; classtype:trojan-activity;sid:84672793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.24.63.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809692/; classtype:trojan-activity;sid:84672792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"audio-path.lohsmacknon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809691/; 
classtype:trojan-activity;sid:84672791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"noise-gate.lohsmacknon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809690/; classtype:trojan-activity;sid:84672790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.97.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809689/; classtype:trojan-activity;sid:84672789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"echo-relay.lohsmacknon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809688/; classtype:trojan-activity;sid:84672788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bass-boost.lohsmacknon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809687/; classtype:trojan-activity;sid:84672787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"39.61.38.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809686/; classtype:trojan-activity;sid:84672786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809685/; classtype:trojan-activity;sid:84672785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.108.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809684/; classtype:trojan-activity;sid:84672784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809683/; classtype:trojan-activity;sid:84672783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sound-check.lohsmacknon.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809682/; classtype:trojan-activity;sid:84672782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3809681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.208.67.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809681/; classtype:trojan-activity;sid:84672781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"def-system.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809679/; classtype:trojan-activity;sid:84672779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.208.67.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809680/; classtype:trojan-activity;sid:84672780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"target-api.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809678/; classtype:trojan-activity;sid:84672778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.184.247.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809677/; 
classtype:trojan-activity;sid:84672777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-hit.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809676/; classtype:trojan-activity;sid:84672776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"catch-node.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809675/; classtype:trojan-activity;sid:84672775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.61.38.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809674/; classtype:trojan-activity;sid:84672774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809673/; classtype:trojan-activity;sid:84672773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"59.184.247.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809672/; classtype:trojan-activity;sid:84672772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cage-match.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809671/; classtype:trojan-activity;sid:84672771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.35.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809670/; classtype:trojan-activity;sid:84672770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.169.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809669/; classtype:trojan-activity;sid:84672769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"action-log.fighttrapper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809668/; classtype:trojan-activity;sid:84672768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3809667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.102.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809667/; classtype:trojan-activity;sid:84672767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"video-drop.cameoinfusion.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809666/; classtype:trojan-activity;sid:84672766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blend-master.cameoinfusion.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809665/; classtype:trojan-activity;sid:84672765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.146.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809664/; classtype:trojan-activity;sid:84672764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.106.58.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809663/; classtype:trojan-activity;sid:84672763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"color-mix.cameoinfusion.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809662/; classtype:trojan-activity;sid:84672762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.61.159.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809661/; classtype:trojan-activity;sid:84672761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.65.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809660/; classtype:trojan-activity;sid:84672760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.102.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809659/; classtype:trojan-activity;sid:84672759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; 
nocase; http.host; content:"style-sync.cameoinfusion.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809658/; classtype:trojan-activity;sid:84672758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809657/; classtype:trojan-activity;sid:84672757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.37.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809656/; classtype:trojan-activity;sid:84672756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"art-portal.cameoinfusion.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809655/; classtype:trojan-activity;sid:84672755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"small-frame.cameoinfusion.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809654/; classtype:trojan-activity;sid:84672754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3809653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"silk-route.industtarant.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809653/; classtype:trojan-activity;sid:84672753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.65.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809652/; classtype:trojan-activity;sid:84672752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.91.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809651/; classtype:trojan-activity;sid:84672751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"venom-dev.industtarant.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809650/; classtype:trojan-activity;sid:84672750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"heavy-link.industtarant.in.net"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809649/; classtype:trojan-activity;sid:84672749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.61.159.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809648/; classtype:trojan-activity;sid:84672748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.37.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809647/; classtype:trojan-activity;sid:84672747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"factory-io.industtarant.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809646/; classtype:trojan-activity;sid:84672746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"web-crawl.industtarant.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809645/; classtype:trojan-activity;sid:84672745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809644)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.186.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809644/; classtype:trojan-activity;sid:84672744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spider-net.industtarant.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809643/; classtype:trojan-activity;sid:84672743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"skin-proxy.dervishpeel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809642/; classtype:trojan-activity;sid:84672742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.208.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809641/; classtype:trojan-activity;sid:84672741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.51.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809640/; 
classtype:trojan-activity;sid:84672740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rotate-node.dervishpeel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809639/; classtype:trojan-activity;sid:84672739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.132.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809638/; classtype:trojan-activity;sid:84672738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.24.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809637/; classtype:trojan-activity;sid:84672737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"core-wrap.dervishpeel.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809636/; classtype:trojan-activity;sid:84672736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"123.5.186.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809635/; classtype:trojan-activity;sid:84672735; rev:1;)
# URLhaus feed entries (created_at 2026_04_01). Each rule alerts on an outbound
# HTTP GET ($HOME_NET -> $EXTERNAL_NET, established flow, client side) whose URI
# and Host both equal one listed URL:
#   http.uri  - depth:<pattern length> + endswith pin the pattern to the whole
#               buffer; nocase applies to this pattern.
#   http.host - depth:<pattern length> + isdataat:!1,relative (no byte may follow
#               the match) pin the host the same way.
# A request to the same server with a different path or an added query string
# does not match. The action is "alert", so these rules log and do not drop.
# In the rules shown here sid = URLhaus id + 80863100, and reference:url is the
# URLhaus page for the entry.
# Some bare-IPv4 hosts are listed twice, once for /i and once for /bin.sh
# (e.g. 119.99.87.112, 123.12.236.218), so one contacted server can raise two
# different sids. Addresses can be reassigned; check the reference page for the
# entry's current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"outer-shell.dervishpeel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809634/; classtype:trojan-activity;sid:84672734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.211.211.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809633/; classtype:trojan-activity;sid:84672733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.87.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809631/; classtype:trojan-activity;sid:84672731; rev:1;)
# Second listed subdomain of dervishpeel.in.net, same path as 3809634; only the
# exact host names listed are matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"layer-check.dervishpeel.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809632/; classtype:trojan-activity;sid:84672732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.4.9.144"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809629/; classtype:trojan-activity;sid:84672729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809630/; classtype:trojan-activity;sid:84672730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.180.80.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809628/; classtype:trojan-activity;sid:84672728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809627/; classtype:trojan-activity;sid:84672727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.87.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809626/; classtype:trojan-activity;sid:84672726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.204.242"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809618/; classtype:trojan-activity;sid:84672718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.114.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809619/; classtype:trojan-activity;sid:84672719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.254.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809620/; classtype:trojan-activity;sid:84672720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.158.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809621/; classtype:trojan-activity;sid:84672721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.253.116"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809622/; classtype:trojan-activity;sid:84672722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.190.185.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809623/; classtype:trojan-activity;sid:84672723; rev:1;)
# Same host in the next two rules, one rule per path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.236.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809624/; classtype:trojan-activity;sid:84672724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.236.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809625/; classtype:trojan-activity;sid:84672725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.236.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809613/; classtype:trojan-activity;sid:84672713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.225";
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809614/; classtype:trojan-activity;sid:84672714; rev:1;)
# URLhaus feed entries: each rule below alerts on one exact URL (Host + URI)
# requested with HTTP GET from $HOME_NET to $EXTERNAL_NET.
# Deployment notes for these signatures:
#  - They depend on $HOME_NET / $EXTERNAL_NET being set correctly for the sensor.
#    NOTE(review): where clients go through an internal forward proxy, confirm the
#    sensor also sees a leg that crosses from $HOME_NET to $EXTERNAL_NET.
#  - "alert http" inspects traffic Suricata parses as HTTP; the same URL fetched
#    over TLS is not visible to these rules without decryption.
#  - flow:established,from_client puts the match on the request. A hit shows the
#    client asked for the URL, not that a payload was delivered; check the
#    response in the HTTP/flow logs before concluding the download succeeded.
#  - Several addresses are listed for both /i and /bin.sh (e.g. 27.215.52.223,
#    115.54.104.8), each with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809615/; classtype:trojan-activity;sid:84672715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809616/; classtype:trojan-activity;sid:84672716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.232.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809617/; classtype:trojan-activity;sid:84672717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.55.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809612/; classtype:trojan-activity;sid:84672712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809611/; classtype:trojan-activity;sid:84672711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.158.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809609/; classtype:trojan-activity;sid:84672709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.4.9.144"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809610/; classtype:trojan-activity;sid:84672710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.25.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809598/; classtype:trojan-activity;sid:84672698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.152.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809599/; classtype:trojan-activity;sid:84672699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.108.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809600/; classtype:trojan-activity;sid:84672700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.52.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809601/; classtype:trojan-activity;sid:84672701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.52.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809602/; classtype:trojan-activity;sid:84672702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.104.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809603/; classtype:trojan-activity;sid:84672703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"195.46.162.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809604/; classtype:trojan-activity;sid:84672704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.104.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809605/; classtype:trojan-activity;sid:84672705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.35.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809606/; classtype:trojan-activity;sid:84672706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.50.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809607/; classtype:trojan-activity;sid:84672707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.236.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809608/; classtype:trojan-activity;sid:84672708; rev:1;)
# Named host under dervishpeel.in.net; matched as the full host name only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spin-cycle.dervishpeel.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url,
urlhaus.abuse.ch/url/3809597/; classtype:trojan-activity;sid:84672697; rev:1;)
# URLhaus feed entries: exact-URL alerts (HTTP GET, $HOME_NET -> $EXTERNAL_NET).
# Three kinds of host appear in this stretch:
#  - bare IPv4 addresses with the path /i or /bin.sh;
#  - subdomains of needwatka.in.net, all with the path /verification.google;
#  - single named hosts (1k8v3k3.online, dropmb.com).
# Host patterns are matched in full (depth:<length> + isdataat:!1,relative), so a
# subdomain that is not listed does not alert. When one needwatka.in.net rule
# fires, DNS and proxy logs for the parent domain are worth reviewing for names
# this list does not contain.
# msg and classtype are identical for every entry, so the alert text alone does
# not say what was hosted; the reference page is the place to look that up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.211.211.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809596/; classtype:trojan-activity;sid:84672696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.208.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809595/; classtype:trojan-activity;sid:84672695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.251.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809594/; classtype:trojan-activity;sid:84672694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"source-log.needwatka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809593/; classtype:trojan-activity;sid:84672693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.js"; depth:9; endswith; nocase; http.host; content:"1k8v3k3.online"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809592/; classtype:trojan-activity;sid:84672692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.155.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809591/; classtype:trojan-activity;sid:84672691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hydro-svc.needwatka.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809590/; classtype:trojan-activity;sid:84672690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.51.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809589/; classtype:trojan-activity;sid:84672689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.235.227.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809588/; classtype:trojan-activity;sid:84672688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pump-ctrl.needwatka.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809587/; classtype:trojan-activity;sid:84672687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"well-point.needwatka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809586/; classtype:trojan-activity;sid:84672686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.62.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809585/; classtype:trojan-activity;sid:84672685; rev:1;)
# NOTE(review): dropmb.com looks like a shared file-hosting service - confirm. The
# rule is limited to one share path, so other requests to that host do not alert,
# and it only sees the request when it is made over plain HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/shares/rkgb/files/0ca73971-de65-44a4-bf2e-121e9a077133"; depth:59; endswith; nocase; http.host; content:"dropmb.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809584/; classtype:trojan-activity;sid:84672684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"liquid-api.needwatka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809583/; classtype:trojan-activity;sid:84672683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.155.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809582/; classtype:trojan-activity;sid:84672682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.251.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809581/; classtype:trojan-activity;sid:84672681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"water-flow.needwatka.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809580/; classtype:trojan-activity;sid:84672680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.143.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809579/; classtype:trojan-activity;sid:84672679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809578)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"site-connect.fetterland.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809578/; classtype:trojan-activity;sid:84672678; rev:1;)
# URLhaus feed entries: exact-URL alerts (HTTP GET, $HOME_NET -> $EXTERNAL_NET).
# This stretch lists subdomains of fetterland.in.net and mechaforge.in.net (path
# /verification.google), two files under /bins/ on dfopetroleum.com, one
# 2012.filemail.com link, and bare IPv4 hosts with /i or /bin.sh.
# All URI patterns here are lower case and matched with nocase.
# NOTE(review): the pattern text may therefore not preserve the original URL's
# letter case - confirm against the reference page before reusing a path as an
# indicator elsewhere (proxy block list, log search).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fence-logic.fetterland.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809577/; classtype:trojan-activity;sid:84672677; rev:1;)
# dfopetroleum.com is listed for two paths under /bins/ (this .msi and a .txt
# further down); any other file on that host is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rwbhgsqs.msi"; depth:18; endswith; nocase; http.host; content:"dfopetroleum.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809576/; classtype:trojan-activity;sid:84672676; rev:1;)
# NOTE(review): the URI pattern below is 81 bytes (|3f| is the single byte "?"),
# but depth is 84, which is its length with |3f| counted as four characters.
# With endswith the URI must still end with the pattern, yet up to three bytes
# may precede it, so this is not a strict whole-URI match like the other rules;
# depth:81 would make it strict.
# NOTE(review): filemail.com looks like a file-transfer service - confirm. The
# rule is scoped to one filekey and only sees plain-HTTP requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/file/get|3f|filekey=3bc1fri2tmhg1ry2vtfsjd5qrhm25soto4juqch1r9oa_ulucj5oqmoeqgc"; depth:84; endswith; nocase; http.host; content:"2012.filemail.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809575/; classtype:trojan-activity;sid:84672675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/binas.txt"; depth:15; endswith; nocase; http.host; content:"dfopetroleum.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809573/; classtype:trojan-activity;sid:84672673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"soil-monitor.fetterland.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809574/; classtype:trojan-activity;sid:84672674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.195.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809572/; classtype:trojan-activity;sid:84672672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"land-mark.fetterland.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809571/; classtype:trojan-activity;sid:84672671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"area-scanner.fetterland.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809570/; classtype:trojan-activity;sid:84672670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809569/; classtype:trojan-activity;sid:84672669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"border-gate.fetterland.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809568/; classtype:trojan-activity;sid:84672668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"robot-api.mechaforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809567/; classtype:trojan-activity;sid:84672667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.245.62.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809566/; classtype:trojan-activity;sid:84672666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"steel-core.mechaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809565/; classtype:trojan-activity;sid:84672665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.195.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809564/; classtype:trojan-activity;sid:84672664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.224.208.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809563/; classtype:trojan-activity;sid:84672663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"auto-build.mechaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809562/; classtype:trojan-activity;sid:84672662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"power-plant.mechaforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809561/; classtype:trojan-activity;sid:84672661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.120.250.204"; depth:15;
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809560/; classtype:trojan-activity;sid:84672660; rev:1;)
# URLhaus feed entries: exact-URL alerts (HTTP GET, $HOME_NET -> $EXTERNAL_NET).
# Rules for mechaforge.in.net and aerovector.in.net subdomains all use the path
# /verification.google and differ only in the host label; rules for bare IPv4
# hosts use /i or /bin.sh, and some addresses appear once per path
# (e.g. 221.15.190.63, 182.117.28.43).
# Every rule carries the same msg text and classtype:trojan-activity; the number
# in msg, the sid and the reference URL are what tie an alert to one entry.
# created_at is 2026_04_01 for all entries here.
# NOTE(review): check the entry's current status on its reference page before
# acting on a hit, since hosts behind older indicators may have changed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"iron-works.mechaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809559/; classtype:trojan-activity;sid:84672659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.190.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809558/; classtype:trojan-activity;sid:84672658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"heavy-duty.mechaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809557/; classtype:trojan-activity;sid:84672657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.28.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809556/; classtype:trojan-activity;sid:84672656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pilot-svc.aerovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809555/; classtype:trojan-activity;sid:84672655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alt-logic.aerovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809554/; classtype:trojan-activity;sid:84672654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.0.211"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809553/; classtype:trojan-activity;sid:84672653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wing-span.aerovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809552/; classtype:trojan-activity;sid:84672652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.190.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809551/; classtype:trojan-activity;sid:84672651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sky-route.aerovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809550/; classtype:trojan-activity;sid:84672650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809549/; classtype:trojan-activity;sid:84672649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"air-traffic.aerovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809548/; classtype:trojan-activity;sid:84672648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.28.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809547/; classtype:trojan-activity;sid:84672647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flight-path.aerovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809546/; classtype:trojan-activity;sid:84672646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.28.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809545/; classtype:trojan-activity;sid:84672645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.51.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809544/; classtype:trojan-activity;sid:84672644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.61.244.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809543/; classtype:trojan-activity;sid:84672643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809542/; classtype:trojan-activity;sid:84672642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809541)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"point-edge.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809541/; classtype:trojan-activity;sid:84672641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"static-cdn.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809540/; classtype:trojan-activity;sid:84672640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"web-portal.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809539/; classtype:trojan-activity;sid:84672639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"info-orbit.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809538/; classtype:trojan-activity;sid:84672638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.28.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_01; 
reference:url, urlhaus.abuse.ch/url/3809537/; classtype:trojan-activity;sid:84672637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cloud-ring.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809536/; classtype:trojan-activity;sid:84672636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.61.244.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809535/; classtype:trojan-activity;sid:84672635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"data-field.digisphere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809534/; classtype:trojan-activity;sid:84672634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809533/; classtype:trojan-activity;sid:84672633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809532)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"light-logic.quantacircuit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809532/; classtype:trojan-activity;sid:84672632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809531/; classtype:trojan-activity;sid:84672631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fast-track.quantacircuit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809530/; classtype:trojan-activity;sid:84672630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qubit-sync.quantacircuit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809529/; classtype:trojan-activity;sid:84672629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809528/; classtype:trojan-activity;sid:84672628; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.211.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809527/; classtype:trojan-activity;sid:84672627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809526/; classtype:trojan-activity;sid:84672626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"packet-flow.quantacircuit.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809525/; classtype:trojan-activity;sid:84672625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"speed-test.quantacircuit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809524/; classtype:trojan-activity;sid:84672624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.254.123"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809522/; classtype:trojan-activity;sid:84672622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809523/; classtype:trojan-activity;sid:84672623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.26.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809521/; classtype:trojan-activity;sid:84672621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.14.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809520/; classtype:trojan-activity;sid:84672620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bit-stream.quantacircuit.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809519/; classtype:trojan-activity;sid:84672619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809518)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809518/; classtype:trojan-activity;sid:84672618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mind-node.neurovector.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809517/; classtype:trojan-activity;sid:84672617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brain-scan.neurovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809516/; classtype:trojan-activity;sid:84672616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.211.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809515/; classtype:trojan-activity;sid:84672615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"thought-hub.neurovector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809514/; 
classtype:trojan-activity;sid:84672614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"impulse-api.neurovector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809513/; classtype:trojan-activity;sid:84672613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nerve-center.neurovector.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809511/; classtype:trojan-activity;sid:84672611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809512/; classtype:trojan-activity;sid:84672612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809509/; classtype:trojan-activity;sid:84672609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.12.229.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809510/; classtype:trojan-activity;sid:84672610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.229.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809508/; classtype:trojan-activity;sid:84672608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"synapse-log.neurovector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809507/; classtype:trojan-activity;sid:84672607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"outer-shell.technosphere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809506/; classtype:trojan-activity;sid:84672606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.154.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809505/; classtype:trojan-activity;sid:84672605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3809504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.6.243.195"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809504/; classtype:trojan-activity;sid:84672604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809503/; classtype:trojan-activity;sid:84672603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-layer.technosphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809502/; classtype:trojan-activity;sid:84672602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.30.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809501/; classtype:trojan-activity;sid:84672601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"world-view.technosphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809500/; 
classtype:trojan-activity;sid:84672600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.254.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809499/; classtype:trojan-activity;sid:84672599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809498/; classtype:trojan-activity;sid:84672598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"eco-monitor.technosphere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809497/; classtype:trojan-activity;sid:84672597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.20.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809496/; classtype:trojan-activity;sid:84672596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"urban-hub.technosphere.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809495/; classtype:trojan-activity;sid:84672595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.35.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809494/; classtype:trojan-activity;sid:84672594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809493/; classtype:trojan-activity;sid:84672593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"global-net.technosphere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809492/; classtype:trojan-activity;sid:84672592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brain-base.logicmatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809491/; classtype:trojan-activity;sid:84672591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3809490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"decision-svc.logicmatrix.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809490/; classtype:trojan-activity;sid:84672590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809489/; classtype:trojan-activity;sid:84672589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"process-io.logicmatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809488/; classtype:trojan-activity;sid:84672588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.238.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809487/; classtype:trojan-activity;sid:84672587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.20.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, 
urlhaus.abuse.ch/url/3809486/; classtype:trojan-activity;sid:84672586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"truth-table.logicmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809485/; classtype:trojan-activity;sid:84672585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.251.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809484/; classtype:trojan-activity;sid:84672584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.113.153.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809483/; classtype:trojan-activity;sid:84672583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rule-engine.logicmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809482/; classtype:trojan-activity;sid:84672582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809481)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"main-frame.logicmatrix.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809481/; classtype:trojan-activity;sid:84672581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.127.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809480/; classtype:trojan-activity;sid:84672580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809479/; classtype:trojan-activity;sid:84672579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"enc-tunnel.cryptovault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809478/; classtype:trojan-activity;sid:84672578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809477/; classtype:trojan-activity;sid:84672577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3809476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.164.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809476/; classtype:trojan-activity;sid:84672576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hash-store.cryptovault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809475/; classtype:trojan-activity;sid:84672575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.187.126.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809474/; classtype:trojan-activity;sid:84672574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"anon-auth.cryptovault.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809473/; classtype:trojan-activity;sid:84672573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.251.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; 
reference:url, urlhaus.abuse.ch/url/3809472/; classtype:trojan-activity;sid:84672572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.219.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809471/; classtype:trojan-activity;sid:84672571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.210.216.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809470/; classtype:trojan-activity;sid:84672570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secret-api.cryptovault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809469/; classtype:trojan-activity;sid:84672569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.254.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809468/; classtype:trojan-activity;sid:84672568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.228.125.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809467/; classtype:trojan-activity;sid:84672567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lock-box.cryptovault.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809466/; classtype:trojan-activity;sid:84672566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.164.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809465/; classtype:trojan-activity;sid:84672565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.58.229.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809464/; classtype:trojan-activity;sid:84672564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-key.cryptovault.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809463/; classtype:trojan-activity;sid:84672563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3809462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.236.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809462/; classtype:trojan-activity;sid:84672562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"chip-set.infocircuit.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809461/; classtype:trojan-activity;sid:84672561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.251.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809460/; classtype:trojan-activity;sid:84672560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"board-mgr.infocircuit.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809459/; classtype:trojan-activity;sid:84672559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.113.153.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809458/; 
classtype:trojan-activity;sid:84672558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.167.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809456/; classtype:trojan-activity;sid:84672556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.105.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809457/; classtype:trojan-activity;sid:84672557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"volt-check.infocircuit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809455/; classtype:trojan-activity;sid:84672555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.254.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809454/; classtype:trojan-activity;sid:84672554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"bus-bridge.infocircuit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809453/; classtype:trojan-activity;sid:84672553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.251.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809452/; classtype:trojan-activity;sid:84672552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.25.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809451/; classtype:trojan-activity;sid:84672551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.127.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809449/; classtype:trojan-activity;sid:84672549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wire-sync.infocircuit.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809450/; classtype:trojan-activity;sid:84672550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809448)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"logic-gate.infocircuit.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809448/; classtype:trojan-activity;sid:84672548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.236.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809447/; classtype:trojan-activity;sid:84672547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"broad-cast.signalforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809446/; classtype:trojan-activity;sid:84672546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.167.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809445/; classtype:trojan-activity;sid:84672545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809444/; 
classtype:trojan-activity;sid:84672544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.186.121.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809443/; classtype:trojan-activity;sid:84672543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"191.210.133.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809442/; classtype:trojan-activity;sid:84672542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809441/; classtype:trojan-activity;sid:84672541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ping-gate.signalforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809440/; classtype:trojan-activity;sid:84672540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"tower-sync.signalforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809439/; classtype:trojan-activity;sid:84672539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.127.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809438/; classtype:trojan-activity;sid:84672538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"beam-relay.signalforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809437/; classtype:trojan-activity;sid:84672537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.29.39.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809436/; classtype:trojan-activity;sid:84672536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-form.signalforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809435/; classtype:trojan-activity;sid:84672535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3809434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809434/; classtype:trojan-activity;sid:84672534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"radio-freq.signalforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809433/; classtype:trojan-activity;sid:84672533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.186.121.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809432/; classtype:trojan-activity;sid:84672532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.159.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809431/; classtype:trojan-activity;sid:84672531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809430/; 
classtype:trojan-activity;sid:84672530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"raster-node.pixelmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809429/; classtype:trojan-activity;sid:84672529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.72.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809428/; classtype:trojan-activity;sid:84672528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"display-svc.pixelmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809427/; classtype:trojan-activity;sid:84672527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.115.168.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809426/; classtype:trojan-activity;sid:84672526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.5.169.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809425/; classtype:trojan-activity;sid:84672525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"video-buffer.pixelmatrix.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809424/; classtype:trojan-activity;sid:84672524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.26.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809423/; classtype:trojan-activity;sid:84672523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.245.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809422/; classtype:trojan-activity;sid:84672522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"image-stack.pixelmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809421/; classtype:trojan-activity;sid:84672521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3809420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.29.39.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809420/; classtype:trojan-activity;sid:84672520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.159.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809419/; classtype:trojan-activity;sid:84672519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"render-grid.pixelmatrix.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809418/; classtype:trojan-activity;sid:84672518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.248.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809417/; classtype:trojan-activity;sid:84672517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.26.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809416/; 
classtype:trojan-activity;sid:84672516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"color-bit.pixelmatrix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809415/; classtype:trojan-activity;sid:84672515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.115.168.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809414/; classtype:trojan-activity;sid:84672514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scan-core.nanovector.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809413/; classtype:trojan-activity;sid:84672513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"particle-api.nanovector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809412/; classtype:trojan-activity;sid:84672512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809411)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/8405865752/5eyh7vf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809411/; classtype:trojan-activity;sid:84672511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.201.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809410/; classtype:trojan-activity;sid:84672510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"small-unit.nanovector.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809409/; classtype:trojan-activity;sid:84672509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.245.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809408/; classtype:trojan-activity;sid:84672508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"precision-io.nanovector.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809407/; classtype:trojan-activity;sid:84672507; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.179.235.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809406/; classtype:trojan-activity;sid:84672506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.37.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809405/; classtype:trojan-activity;sid:84672505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"atom-trace.nanovector.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809404/; classtype:trojan-activity;sid:84672504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.31.170.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809403/; classtype:trojan-activity;sid:84672503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; 
reference:url, urlhaus.abuse.ch/url/3809402/; classtype:trojan-activity;sid:84672502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"micro-scale.nanovector.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809401/; classtype:trojan-activity;sid:84672501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809400/; classtype:trojan-activity;sid:84672500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.201.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809399/; classtype:trojan-activity;sid:84672499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809398/; classtype:trojan-activity;sid:84672498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"105.225.37.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809397/; classtype:trojan-activity;sid:84672497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ping-gate.signalcrest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809396/; classtype:trojan-activity;sid:84672496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"broad-cast.signalcrest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809395/; classtype:trojan-activity;sid:84672495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"range-extend.signalcrest.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809394/; classtype:trojan-activity;sid:84672494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809393/; classtype:trojan-activity;sid:84672493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3809392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tower-sync.signalcrest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809392/; classtype:trojan-activity;sid:84672492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.0.60.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809391/; classtype:trojan-activity;sid:84672491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.122.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809390/; classtype:trojan-activity;sid:84672490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.204.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809388/; classtype:trojan-activity;sid:84672488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.122.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3809389/; classtype:trojan-activity;sid:84672489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"radio-freq.signalcrest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809387/; classtype:trojan-activity;sid:84672487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.254.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809386/; classtype:trojan-activity;sid:84672486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-crest.signalcrest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809385/; classtype:trojan-activity;sid:84672485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6560547276/zazsfyd.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809384/; classtype:trojan-activity;sid:84672484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809383)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"117.220.151.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809383/; classtype:trojan-activity;sid:84672483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-stack.datacrest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809382/; classtype:trojan-activity;sid:84672482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.180.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809381/; classtype:trojan-activity;sid:84672481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.204.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809380/; classtype:trojan-activity;sid:84672480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.225.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809379/; classtype:trojan-activity;sid:84672479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3809377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.85.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809377/; classtype:trojan-activity;sid:84672477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.167.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809378/; classtype:trojan-activity;sid:84672478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"base-record.datacrest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809376/; classtype:trojan-activity;sid:84672476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809375/; classtype:trojan-activity;sid:84672475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"info-summit.datacrest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3809374/; classtype:trojan-activity;sid:84672474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.0.60.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809373/; classtype:trojan-activity;sid:84672473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809372/; classtype:trojan-activity;sid:84672472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bulk-export.datacrest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809371/; classtype:trojan-activity;sid:84672471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.32.199.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809370/; classtype:trojan-activity;sid:84672470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; 
http.host; content:"archive-top.datacrest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809369/; classtype:trojan-activity;sid:84672469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.228.132.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809367/; classtype:trojan-activity;sid:84672467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.220.151.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809368/; classtype:trojan-activity;sid:84672468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"high-ridge.datacrest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809366/; classtype:trojan-activity;sid:84672466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.85.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809365/; classtype:trojan-activity;sid:84672465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3809364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"enc-tunnel.cyberhaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809364/; classtype:trojan-activity;sid:84672464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809360/; classtype:trojan-activity;sid:84672460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809361/; classtype:trojan-activity;sid:84672461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809362/; classtype:trojan-activity;sid:84672462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809363/; classtype:trojan-activity;sid:84672463; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809356/; classtype:trojan-activity;sid:84672456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809357/; classtype:trojan-activity;sid:84672457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809358/; classtype:trojan-activity;sid:84672458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809359/; classtype:trojan-activity;sid:84672459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"92.112.124.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; 
reference:url, urlhaus.abuse.ch/url/3809355/; classtype:trojan-activity;sid:84672455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809354/; classtype:trojan-activity;sid:84672454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"anon-relay.cyberhaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809353/; classtype:trojan-activity;sid:84672453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809347/; classtype:trojan-activity;sid:84672447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809348/; classtype:trojan-activity;sid:84672448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.exe"; depth:6; endswith; 
nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809349/; classtype:trojan-activity;sid:84672449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809350/; classtype:trojan-activity;sid:84672450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809351/; classtype:trojan-activity;sid:84672451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809352/; classtype:trojan-activity;sid:84672452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-vault.cyberhaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809346/; classtype:trojan-activity;sid:84672446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3809345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.167.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809345/; classtype:trojan-activity;sid:84672445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.32.199.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809344/; classtype:trojan-activity;sid:84672444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"threat-log.cyberhaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809343/; classtype:trojan-activity;sid:84672443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809342/; classtype:trojan-activity;sid:84672442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.235.227.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809341/; classtype:trojan-activity;sid:84672441; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mesh-proxy.cyberhaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809340/; classtype:trojan-activity;sid:84672440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.159.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809339/; classtype:trojan-activity;sid:84672439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ghost-shell.cyberhaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809338/; classtype:trojan-activity;sid:84672438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7359455182/wugqxvn.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809337/; classtype:trojan-activity;sid:84672437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"bio-sensor.neurobloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809336/; classtype:trojan-activity;sid:84672436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809335/; classtype:trojan-activity;sid:84672435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pulse-logic.neurobloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809334/; classtype:trojan-activity;sid:84672434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nerve-center.neurobloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809333/; classtype:trojan-activity;sid:84672433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809332/; classtype:trojan-activity;sid:84672432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3809331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"thought-api.neurobloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809331/; classtype:trojan-activity;sid:84672431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.159.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809330/; classtype:trojan-activity;sid:84672430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809329/; classtype:trojan-activity;sid:84672429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.241.51.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809328/; classtype:trojan-activity;sid:84672428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brain-scan.neurobloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3809327/; classtype:trojan-activity;sid:84672427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"synapse-net.neurobloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809326/; classtype:trojan-activity;sid:84672426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bit-stream.quantaflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809325/; classtype:trojan-activity;sid:84672425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"packet-flow.quantaflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809324/; classtype:trojan-activity;sid:84672424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.231.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809323/; classtype:trojan-activity;sid:84672423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809322)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.68.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809322/; classtype:trojan-activity;sid:84672422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"speed-test.quantaflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809321/; classtype:trojan-activity;sid:84672421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.241.51.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809320/; classtype:trojan-activity;sid:84672420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"logic-gate.quantaflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809319/; classtype:trojan-activity;sid:84672419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"atom-split.quantaflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809318/; classtype:trojan-activity;sid:84672418; rev:1;) 
# URLhaus entries 3809317 down to 3809304 (metadata created_at 2026_03_31), one rule per line.
#
# Every rule in this group has the same shape:
#   - `alert http` from $HOME_NET to $EXTERNAL_NET on an established flow, client side,
#     with http.method matching "GET";
#   - http.uri: content + depth equal to the string length + endswith + nocase, so the
#     whole URI buffer must equal the listed path, compared case-insensitively;
#   - http.host: content + depth equal to the string length + isdataat:!1,relative, so
#     no byte may follow the match and the whole host buffer must equal the listed
#     IP address or hostname;
#   - the number in msg and in the reference URL is the URLhaus entry id.
#
# Coverage notes for deployment and triage:
#   - These rules only fire on traffic Suricata parses as HTTP; the same URL fetched
#     over TLS is not inspected by them unless the traffic is decrypted before the sensor.
#   - Matching is per exact host. Four entries below are different subdomains of
#     astrahaven.in.net with the same path, and a subdomain that is not listed raises
#     no alert here. NOTE(review): consider pairing this feed with DNS or domain-level
#     detection for the parent domains - confirm against local policy.
#   - Each entry is a point-in-time indicator; check the reference URL for the entry's
#     current status when triaging an alert, especially for the bare-IP hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.64.184.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809317/; classtype:trojan-activity;sid:84672417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.254.164.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809316/; classtype:trojan-activity;sid:84672416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"micro-pulse.quantaflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809315/; classtype:trojan-activity;sid:84672415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pilot-auth.astrahaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809314/; classtype:trojan-activity;sid:84672414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.167.175.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809313/; classtype:trojan-activity;sid:84672413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"void-storage.astrahaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809312/; classtype:trojan-activity;sid:84672412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cosmic-link.astrahaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809311/; classtype:trojan-activity;sid:84672411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.223.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809310/; classtype:trojan-activity;sid:84672410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.125.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809309/; classtype:trojan-activity;sid:84672409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809308/; classtype:trojan-activity;sid:84672408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.163.187.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809307/; classtype:trojan-activity;sid:84672407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"star-map.astrahaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809306/; classtype:trojan-activity;sid:84672406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.231.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809305/; classtype:trojan-activity;sid:84672405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.117.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809304/; classtype:trojan-activity;sid:84672404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"deep-sky.astrahaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809303/; classtype:trojan-activity;sid:84672403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809302/; classtype:trojan-activity;sid:84672402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.231.163.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809301/; classtype:trojan-activity;sid:84672401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"safe-ship.astrahaven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809300/; classtype:trojan-activity;sid:84672400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"launch-pad.orbitforge.in.net"; 
depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809299/; classtype:trojan-activity;sid:84672399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krypton-1.21.11.jar"; depth:20; endswith; nocase; http.host; content:"kryptonmc.lovable.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809298/; classtype:trojan-activity;sid:84672398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.167.175.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809297/; classtype:trojan-activity;sid:84672397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gravity-io.orbitforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809296/; classtype:trojan-activity;sid:84672396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spin-control.orbitforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809295/; classtype:trojan-activity;sid:84672395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3809294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809294/; classtype:trojan-activity;sid:84672394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"round-trip.orbitforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809293/; classtype:trojan-activity;sid:84672393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.231.163.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809292/; classtype:trojan-activity;sid:84672392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cycle-monitor.orbitforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809291/; classtype:trojan-activity;sid:84672391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"path-finder.orbitforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; 
reference:url, urlhaus.abuse.ch/url/3809290/; classtype:trojan-activity;sid:84672390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.223.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809289/; classtype:trojan-activity;sid:84672389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"glow-portal.luminflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809288/; classtype:trojan-activity;sid:84672388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"light-trace.luminflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809287/; classtype:trojan-activity;sid:84672387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"photo-sync.luminflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809286/; classtype:trojan-activity;sid:84672386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809285)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.90.92"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809285/; classtype:trojan-activity;sid:84672385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.254.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809284/; classtype:trojan-activity;sid:84672384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"optic-hub.luminflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809283/; classtype:trojan-activity;sid:84672383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.98.97.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809282/; classtype:trojan-activity;sid:84672382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.11.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809281/; classtype:trojan-activity;sid:84672381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3809280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.101.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809280/; classtype:trojan-activity;sid:84672380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-length.luminflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809279/; classtype:trojan-activity;sid:84672379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809278/; classtype:trojan-activity;sid:84672378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bright-beam.luminflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809277/; classtype:trojan-activity;sid:84672377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"smelt-logic.novaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 
2026_03_31; reference:url, urlhaus.abuse.ch/url/3809276/; classtype:trojan-activity;sid:84672376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"plasma-node.novaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809275/; classtype:trojan-activity;sid:84672375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809274/; classtype:trojan-activity;sid:84672374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.11.123"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809273/; classtype:trojan-activity;sid:84672373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blast-zone.novaforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809272/; classtype:trojan-activity;sid:84672372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809271)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.236.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809271/; classtype:trojan-activity;sid:84672371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"heavy-metal.novaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809270/; classtype:trojan-activity;sid:84672370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fusion-core.novaforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809269/; classtype:trojan-activity;sid:84672369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.1.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809268/; classtype:trojan-activity;sid:84672368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.180.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809267/; classtype:trojan-activity;sid:84672367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3809266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.208.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809266/; classtype:trojan-activity;sid:84672366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"star-build.novaforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809265/; classtype:trojan-activity;sid:84672365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"polygon-svc.vertexbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809264/; classtype:trojan-activity;sid:84672364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.90.92"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809263/; classtype:trojan-activity;sid:84672363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"top-level.vertexbloom.in.net"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809262/; classtype:trojan-activity;sid:84672362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.208.145.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809261/; classtype:trojan-activity;sid:84672361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spatial-api.vertexbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809260/; classtype:trojan-activity;sid:84672360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"render-farm.vertexbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809259/; classtype:trojan-activity;sid:84672359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.208.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809258/; classtype:trojan-activity;sid:84672358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809257)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.252.179.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809257/; classtype:trojan-activity;sid:84672357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"growth-engine.vertexbloom.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809256/; classtype:trojan-activity;sid:84672356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.226.161.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809255/; classtype:trojan-activity;sid:84672355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"peak-point.vertexbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809254/; classtype:trojan-activity;sid:84672354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.52.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809253/; classtype:trojan-activity;sid:84672353; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.180.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809252/; classtype:trojan-activity;sid:84672352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vale-gra.prefixwag.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809251/; classtype:trojan-activity;sid:84672351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.208.145.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809250/; classtype:trojan-activity;sid:84672350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.222.144.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809249/; classtype:trojan-activity;sid:84672349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"devsig.prefixwag.in.net"; depth:23; isdataat:!1,relative; 
metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809248/; classtype:trojan-activity;sid:84672348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.58.23.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809247/; classtype:trojan-activity;sid:84672347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.127.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809246/; classtype:trojan-activity;sid:84672346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vgtp5o.manchustill.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809245/; classtype:trojan-activity;sid:84672345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.182.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809244/; classtype:trojan-activity;sid:84672344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"42.180.248.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809243/; classtype:trojan-activity;sid:84672343; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the entries below (all carry created_at 2026_03_31).
#
# What each rule matches:
#   * A request from $HOME_NET to $EXTERNAL_NET on an established flow, seen
#     from the client side, whose method buffer contains GET.
#   * http.uri: the content, a depth equal to the content length, and endswith
#     together require the whole normalized URI to equal the string (nocase
#     makes that comparison case-insensitive). A query string or an extra
#     path segment makes the rule miss.
#   * http.host: a depth equal to the content length plus
#     isdataat:!1,relative requires the host buffer to equal the string.
#     NOTE(review): Suricata documents http.host as lowercased and without
#     the port, which would explain the missing nocase - confirm for the
#     deployed version.
#
# Coverage and triage caveats:
#   * These are exact-match IoC rules, not behavioural ones. They only cover
#     the precise URL URLhaus recorded.
#   * The alert fires on the request. It does not show that a payload was
#     returned, so correlate with the HTTP response / file records before
#     treating the host as infected.
#   * `alert http` needs the request in cleartext. Downloads over TLS are
#     invisible unless traffic is decrypted before it reaches the sensor.
#   * IPv4-literal hosts can be reassigned after the listing date, so an old
#     entry may point at an unrelated device.
#   * Hostname entries are per-subdomain. Sibling names that are not listed
#     are not covered, although the same parent zones recur (manchustill,
#     premiumtos, batkascript, beltfloor, radiatebeef, chernomofnothes,
#     paleontraglan, cuffsorbsky, codcomparable, prefixwag under .in.net),
#     which makes the parent a useful pivot in DNS and proxy logs.
#   * In every entry shown here sid = URLhaus id + 80863100, so an alert maps
#     straight back to its reference URL.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qz65lmfc.manchustill.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809242/; classtype:trojan-activity;sid:84672342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.222.144.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809241/; classtype:trojan-activity;sid:84672341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"formalpod.premiumtos.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809240/; classtype:trojan-activity;sid:84672340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.52.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809239/; classtype:trojan-activity;sid:84672339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vaulvoc.premiumtos.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809238/; classtype:trojan-activity;sid:84672338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.182.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809236/; classtype:trojan-activity;sid:84672336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.172.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809237/; classtype:trojan-activity;sid:84672337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cata1og-forge.batkascript.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809235/; classtype:trojan-activity;sid:84672335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.83.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809234/; classtype:trojan-activity;sid:84672334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.58.23.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809233/; classtype:trojan-activity;sid:84672333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.177.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809232/; classtype:trojan-activity;sid:84672332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"xxhq.batkascript.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809231/; classtype:trojan-activity;sid:84672331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.182.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809230/; classtype:trojan-activity;sid:84672330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"partnerrelay.beltfloor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809229/; classtype:trojan-activity;sid:84672329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.183.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809228/; classtype:trojan-activity;sid:84672328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"value9-mesh.beltfloor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809227/; classtype:trojan-activity;sid:84672327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.112.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809226/; classtype:trojan-activity;sid:84672326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.182.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809225/; classtype:trojan-activity;sid:84672325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.189.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809224/; classtype:trojan-activity;sid:84672324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lum-markal.radiatebeef.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809223/; classtype:trojan-activity;sid:84672323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.236.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809222/; classtype:trojan-activity;sid:84672322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.83.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809221/; classtype:trojan-activity;sid:84672321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mer-lithen.radiatebeef.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809220/; classtype:trojan-activity;sid:84672320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"load-spark.chernomofnothes.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809219/; classtype:trojan-activity;sid:84672319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kvvfusu.chernomofnothes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809218/; classtype:trojan-activity;sid:84672318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.110.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809217/; classtype:trojan-activity;sid:84672317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"voicefjo.paleontraglan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809216/; classtype:trojan-activity;sid:84672316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.112.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809215/; classtype:trojan-activity;sid:84672315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.180.183.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809214/; classtype:trojan-activity;sid:84672314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.189.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809213/; classtype:trojan-activity;sid:84672313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.55.14.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809212/; classtype:trojan-activity;sid:84672312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809211/; classtype:trojan-activity;sid:84672311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"honestsort.paleontraglan.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809210/; classtype:trojan-activity;sid:84672310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.26.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809209/; classtype:trojan-activity;sid:84672309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rne4d7-zone.cuffsorbsky.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809208/; classtype:trojan-activity;sid:84672308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809207/; classtype:trojan-activity;sid:84672307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"loosesnow.cuffsorbsky.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809206/; classtype:trojan-activity;sid:84672306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"st4b1l-span.cuffsorbsky.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809205/; classtype:trojan-activity;sid:84672305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809204/; classtype:trojan-activity;sid:84672304; rev:1;)
# The next three entries share host 158.94.210.91 and the path prefix
# /g8hrs4f4vh/plugins/, so alerts on any of them belong in one investigation.
# NOTE(review): cred.dll / cred64.dll / vnc.exe look like add-on modules of a
# single family - inferred from the file names only; confirm through the
# URLhaus reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8hrs4f4vh/plugins/cred.dll"; depth:28; endswith; nocase; http.host; content:"158.94.210.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809202/; classtype:trojan-activity;sid:84672302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8hrs4f4vh/plugins/cred64.dll"; depth:30; endswith; nocase; http.host; content:"158.94.210.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809203/; classtype:trojan-activity;sid:84672303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8hrs4f4vh/plugins/vnc.exe"; depth:27; endswith; nocase; http.host; content:"158.94.210.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809201/; classtype:trojan-activity;sid:84672301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.216.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809200/; classtype:trojan-activity;sid:84672300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bundstar.cuffsorbsky.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809199/; classtype:trojan-activity;sid:84672299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yfjgi.cuffsorbsky.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809198/; classtype:trojan-activity;sid:84672298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809197/; classtype:trojan-activity;sid:84672297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809196/; classtype:trojan-activity;sid:84672296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scarlet-tra.cuffsorbsky.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809195/; classtype:trojan-activity;sid:84672295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.235.45.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809194/; classtype:trojan-activity;sid:84672294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gentle5-crest.codcomparable.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809193/; classtype:trojan-activity;sid:84672293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"j30k.codcomparable.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809192/; classtype:trojan-activity;sid:84672292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809191/; classtype:trojan-activity;sid:84672291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"theor-spool.codcomparable.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809190/; classtype:trojan-activity;sid:84672290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.40.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809189/; classtype:trojan-activity;sid:84672289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.211.208.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809188/; classtype:trojan-activity;sid:84672288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sp0o-forge.codcomparable.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809187/; classtype:trojan-activity;sid:84672287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809186/; classtype:trojan-activity;sid:84672286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"c0nvoy5-field.codcomparable.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809185/; classtype:trojan-activity;sid:84672285; rev:1;)
# From here to URLhaus id 3809165/3809166 the entries are dominated by three
# hosts that each serve one base name with many suffixes:
#   176.65.139.59 and 176.65.139.96  ->  /hiddenbin/boatnet.<suffix>
#   121.37.40.52                     ->  /main_<suffix>
# NOTE(review): the suffixes (mips, mpsl, arm5/6/7, aarch64, x86, i486, i686,
# ppc, sh4, m68k, arc, ...) read like one payload built per CPU architecture,
# which would point at embedded/IoT devices as the requesting hosts - this is
# inferred from the file names only. Because every suffix has its own
# exact-match rule, a suffix URLhaus has not listed is not covered; when one
# of these fires, review all requests from that client to the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mipsrouter"; depth:29; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809184/; classtype:trojan-activity;sid:84672284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809183/; classtype:trojan-activity;sid:84672283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.232.64.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809180/; classtype:trojan-activity;sid:84672280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.armv4l"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809181/; classtype:trojan-activity;sid:84672281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.aarch64"; depth:26; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809182/; classtype:trojan-activity;sid:84672282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_i486"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809178/; classtype:trojan-activity;sid:84672278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809179/; classtype:trojan-activity;sid:84672279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809167/; classtype:trojan-activity;sid:84672267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_aarch64"; depth:13; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809168/; classtype:trojan-activity;sid:84672268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809169/; classtype:trojan-activity;sid:84672269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809170/; classtype:trojan-activity;sid:84672270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809171/; classtype:trojan-activity;sid:84672271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809172/; classtype:trojan-activity;sid:84672272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips64"; depth:12; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809173/; classtype:trojan-activity;sid:84672273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809174/; classtype:trojan-activity;sid:84672274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809175/; classtype:trojan-activity;sid:84672275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809176/; classtype:trojan-activity;sid:84672276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_i686"; depth:10; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809177/; classtype:trojan-activity;sid:84672277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809165/; classtype:trojan-activity;sid:84672265; rev:1;)
# NOTE(review): "boatnet.i468" is the file name as listed, not "i486". The
# rule is an exact match, so keep the spelling unless the URLhaus entry says
# otherwise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809166/; classtype:trojan-activity;sid:84672266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"py28ionr.prefixwag.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809164/; classtype:trojan-activity;sid:84672264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809163/; classtype:trojan-activity;sid:84672263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ledge5-switch.prefixwag.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809162/; classtype:trojan-activity;sid:84672262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"4csbzg.prefixwag.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809161/; classtype:trojan-activity;sid:84672261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"csbtxwz.prefixwag.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809160/; classtype:trojan-activity;sid:84672260; rev:1;)
# The next two entries name a shared code-hosting service (github.com and
# raw.githubusercontent.com). Host and full path must both match, so other
# repositories on those hosts do not trigger them.
# NOTE(review): these hosts are normally reached over HTTPS, so an
# `alert http` rule is only expected to fire where the sensor sees the request
# in cleartext (a plain-HTTP request, or traffic decrypted upstream). Without
# that, cover these two URLs from proxy or endpoint telemetry instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ashduasdoasdoasd/localhostc2/raw/refs/heads/main/realc2/hi-malwareresearcher/runtimebroker.exe"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809158/; classtype:trojan-activity;sid:84672258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ashduasdoasdoasd/localhostc2/refs/heads/main/realc2/hi-malwareresearcher/runtimebroker.exe"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809159/; classtype:trojan-activity;sid:84672259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.14.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809157/; classtype:trojan-activity;sid:84672257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zenvaleex.prefixwag.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809156/; classtype:trojan-activity;sid:84672256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.48.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809155/; classtype:trojan-activity;sid:84672255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumnexum1.prefixwag.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809154/; classtype:trojan-activity;sid:84672254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zennex8ar.manchustill.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809153/; classtype:trojan-activity;sid:84672253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tokcheck.manchustill.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809152/; classtype:trojan-activity;sid:84672252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.61.157.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809151/; classtype:trojan-activity;sid:84672251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"veobw.manchustill.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809150/; classtype:trojan-activity;sid:84672250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.14.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809149/; classtype:trojan-activity;sid:84672249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"targettest.manchustill.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809148/; classtype:trojan-activity;sid:84672248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.apk"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809146/; classtype:trojan-activity;sid:84672246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.dbg"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809147/; 
classtype:trojan-activity;sid:84672247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vxfxox7r.manchustill.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809145/; classtype:trojan-activity;sid:84672245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nigger.go"; depth:10; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809144/; classtype:trojan-activity;sid:84672244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809143/; classtype:trojan-activity;sid:84672243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.234.181.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809142/; classtype:trojan-activity;sid:84672242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"b4nn-mount.manchustill.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809141/; classtype:trojan-activity;sid:84672241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809138/; classtype:trojan-activity;sid:84672238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809139/; classtype:trojan-activity;sid:84672239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809140/; classtype:trojan-activity;sid:84672240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809134/; classtype:trojan-activity;sid:84672234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809135)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809135/; classtype:trojan-activity;sid:84672235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809136/; classtype:trojan-activity;sid:84672236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809137/; classtype:trojan-activity;sid:84672237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.armv7l"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809132/; classtype:trojan-activity;sid:84672232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809133/; 
classtype:trojan-activity;sid:84672233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809119/; classtype:trojan-activity;sid:84672219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.armv5l"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809120/; classtype:trojan-activity;sid:84672220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.armv6l"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809121/; classtype:trojan-activity;sid:84672221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809122/; classtype:trojan-activity;sid:84672222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; 
endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809123/; classtype:trojan-activity;sid:84672223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809124/; classtype:trojan-activity;sid:84672224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809125/; classtype:trojan-activity;sid:84672225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mipsel"; depth:25; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809126/; classtype:trojan-activity;sid:84672226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809127/; classtype:trojan-activity;sid:84672227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3809128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.powerpc"; depth:26; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809128/; classtype:trojan-activity;sid:84672228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809129/; classtype:trojan-activity;sid:84672229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sparc"; depth:24; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809130/; classtype:trojan-activity;sid:84672230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809131/; classtype:trojan-activity;sid:84672231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-cu1tur.premiumtos.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 
2026_03_31; reference:url, urlhaus.abuse.ch/url/3809118/; classtype:trojan-activity;sid:84672218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809116/; classtype:trojan-activity;sid:84672216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809117/; classtype:trojan-activity;sid:84672217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809113/; classtype:trojan-activity;sid:84672213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809114/; classtype:trojan-activity;sid:84672214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; 
depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809115/; classtype:trojan-activity;sid:84672215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.240.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809107/; classtype:trojan-activity;sid:84672207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809108/; classtype:trojan-activity;sid:84672208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809109/; classtype:trojan-activity;sid:84672209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809110/; classtype:trojan-activity;sid:84672210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3809111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809111/; classtype:trojan-activity;sid:84672211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809112/; classtype:trojan-activity;sid:84672212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809103/; classtype:trojan-activity;sid:84672203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809104/; classtype:trojan-activity;sid:84672204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809105/; classtype:trojan-activity;sid:84672205; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809106/; classtype:trojan-activity;sid:84672206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.252.179.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809102/; classtype:trojan-activity;sid:84672202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809101/; classtype:trojan-activity;sid:84672201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809092/; classtype:trojan-activity;sid:84672192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809093/; classtype:trojan-activity;sid:84672193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809094/; classtype:trojan-activity;sid:84672194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809095/; classtype:trojan-activity;sid:84672195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809096/; classtype:trojan-activity;sid:84672196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809097/; classtype:trojan-activity;sid:84672197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809098)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809098/; classtype:trojan-activity;sid:84672198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809099/; classtype:trojan-activity;sid:84672199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809100/; classtype:trojan-activity;sid:84672200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809086/; classtype:trojan-activity;sid:84672186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809087/; 
classtype:trojan-activity;sid:84672187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809088/; classtype:trojan-activity;sid:84672188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809089/; classtype:trojan-activity;sid:84672189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809090/; classtype:trojan-activity;sid:84672190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809091/; classtype:trojan-activity;sid:84672191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; 
nocase; http.host; content:"markpeak.premiumtos.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809085/; classtype:trojan-activity;sid:84672185; rev:1;)
# Exact match: GET /hiddenbin/boatnet.i486 on the literal IP host 176.65.139.81.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i486"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809084/; classtype:trojan-activity;sid:84672184; rev:1;)
# NOTE(review): the host in the next rule appears to be a single bucket name on
# a shared cloud object-storage domain (...cos.ap-hongkong.myqcloud.com). The
# rule stays narrow because it pins the full 48-byte host and the exact object
# path. When tuning it or deriving a block-list entry from it, keep the full
# bucket host; do not widen to the parent domain, which presumably also serves
# unrelated tenants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/glqchoiding.zip"; depth:16; endswith; nocase; http.host; content:"dingdong-1399351730.cos.ap-hongkong.myqcloud.com"; depth:48; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809083/; classtype:trojan-activity;sid:84672183; rev:1;)
# Exact match: GET /bin.sh on the literal IP host 27.217.89.192.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.217.89.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809082/; classtype:trojan-activity;sid:84672182; rev:1;)
# NOTE(review): this rule and the one ending on the first line above (sid
# 84672185) name sibling subdomains of premiumtos.in.net. Each rule lists one
# subdomain exactly, so a sibling that is not yet in the feed is not covered.
# When triaging a hit, review DNS and proxy logs for the parent zone as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pu1s-trail.premiumtos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809081/; classtype:trojan-activity;sid:84672181; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809073/; classtype:trojan-activity;sid:84672173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.arm"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809074/; classtype:trojan-activity;sid:84672174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809075/; classtype:trojan-activity;sid:84672175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809076/; classtype:trojan-activity;sid:84672176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; 
reference:url, urlhaus.abuse.ch/url/3809077/; classtype:trojan-activity;sid:84672177; rev:1;)
# Two hosts alternate below: 176.65.139.74 (paths /x86_64, /wget.sh, /sh) and
# 176.65.139.25 (/html/jade.mpsl). Both addresses sit in 176.65.139.0/24; the
# rules do not say whether they are operated together.
# content:"/sh" with depth:3 and endswith matches only a URI that is exactly
# "/sh". A path that short carries little signal on its own, so the exact
# http.host match is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809078/; classtype:trojan-activity;sid:84672178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809079/; classtype:trojan-activity;sid:84672179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809080/; classtype:trojan-activity;sid:84672180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809072/; classtype:trojan-activity;sid:84672172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.arm5"; depth:15; endswith; nocase; 
http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809066/; classtype:trojan-activity;sid:84672166; rev:1;)
# Continuation of the 176.65.139.25 /html/jade.<suffix> group (arm6, mips,
# sh4, spc here). In these rules the sid equals the URLhaus id shown in msg
# and reference plus 80863100 (3809067 -> 84672167), which lets an alert that
# carries only the sid be mapped back to its URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809067/; classtype:trojan-activity;sid:84672167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.mips"; depth:15; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809068/; classtype:trojan-activity;sid:84672168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809069/; classtype:trojan-activity;sid:84672169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.spc"; depth:14; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809070/; classtype:trojan-activity;sid:84672170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809071)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html/jade.mipsel"; depth:17; endswith; nocase; http.host; content:"176.65.139.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809071/; classtype:trojan-activity;sid:84672171; rev:1;)
# The /verification.google rules each pin one full hostname
# (imagedis.premiumtos.in.net, epkzg.premiumtos.in.net, ...). A different
# label under the same parent domain is not covered by these sids, so when one
# fires, querying DNS logs for the parent domain is a reasonable follow-up.
# Whether the whole parent zone is hostile is not stated in the rules.
# content:"/i" with depth:2 matches only a URI that is exactly "/i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"imagedis.premiumtos.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809065/; classtype:trojan-activity;sid:84672165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809064/; classtype:trojan-activity;sid:84672164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"epkzg.premiumtos.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809063/; classtype:trojan-activity;sid:84672163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alt-h0llow.premiumtos.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3809062/; classtype:trojan-activity;sid:84672162; rev:1;)
# Where the http.host content is an IP literal (117.146.92.46,
# 119.162.228.112, 120.37.212.67), the rule needs that address to appear as
# the Host value. Flow records for the same destination address cover traffic
# these rules do not inspect.
# 117.146.92.46 appears twice in this feed: /bin.sh here (sid 84672161) and
# /i in sid 84672164, so two sids can point at the same server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809061/; classtype:trojan-activity;sid:84672161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"g38198.batkascript.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809060/; classtype:trojan-activity;sid:84672160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.162.228.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809059/; classtype:trojan-activity;sid:84672159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.37.212.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809058/; classtype:trojan-activity;sid:84672158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; 
content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809057/; classtype:trojan-activity;sid:84672157; rev:1;)
# 176.65.139.74 again, with single-word paths (/arm5, /mips, and /mipsel in
# the rule ending on the first line). The names resemble CPU architectures
# (presumably per-platform builds; confirm on the URLhaus entries).
# clusterclinic.batkascript.in.net is one of several batkascript.in.net
# hostnames listed in this feed with the same /verification.google path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"clusterclinic.batkascript.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809055/; classtype:trojan-activity;sid:84672155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.226.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809056/; classtype:trojan-activity;sid:84672156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809051/; classtype:trojan-activity;sid:84672151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809052/; classtype:trojan-activity;sid:84672152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809053)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809053/; classtype:trojan-activity;sid:84672153; rev:1;)
# Every rule is written as $HOME_NET -> $EXTERNAL_NET with
# flow:established,from_client, so it only evaluates requests sent by an
# internal client to an outside server. If HOME_NET or EXTERNAL_NET in
# suricata.yaml does not reflect the monitored network, these rules load
# cleanly but never fire; verify the address groups when deploying the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809054/; classtype:trojan-activity;sid:84672154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"btkrpap.batkascript.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809050/; classtype:trojan-activity;sid:84672150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.48.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809049/; classtype:trojan-activity;sid:84672149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"canyonfresh.batkascript.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809048/; 
classtype:trojan-activity;sid:84672148; rev:1;)
# metadata carries only created_at 2026_03_31. There is no expiry,
# confidence or malware-family field, so retiring stale indicators depends on
# pulling a fresh copy of the feed rather than on anything in the rule.
# 60.23.203.149 is listed here for /i (sid 84672147) and again for /bin.sh in
# sid 84672137.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.203.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809047/; classtype:trojan-activity;sid:84672147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"summitgeyser.batkascript.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809046/; classtype:trojan-activity;sid:84672146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"121.37.40.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809045/; classtype:trojan-activity;sid:84672145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"xehramf.batkascript.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809044/; classtype:trojan-activity;sid:84672144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"110.39.239.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809043/; classtype:trojan-activity;sid:84672143; rev:1;)
# Three rules touching this block match /bin.sh on an IP-literal host
# (110.39.239.111, 113.228.240.50, 119.162.228.112). 119.162.228.112 is also
# listed for /i in sid 84672159.
# classtype:trojan-activity is the same on every rule, so it does not separate
# these from the /verification.google rules; the msg id and the URLhaus
# reference are the per-indicator context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.240.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809042/; classtype:trojan-activity;sid:84672142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.162.228.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809041/; classtype:trojan-activity;sid:84672141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ahus.beltfloor.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809040/; classtype:trojan-activity;sid:84672140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.1.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809039/; classtype:trojan-activity;sid:84672139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809038)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809038/; classtype:trojan-activity;sid:84672138; rev:1;)
# 60.23.203.149 /bin.sh (sid 84672137) pairs with /i on the same address in
# sid 84672147. The two beltfloor.in.net rules use the same
# /verification.google path as the premiumtos.in.net and batkascript.in.net
# rules elsewhere in this feed, which suggests a shared template (inferred
# from the path only; confirm on URLhaus).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.203.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809037/; classtype:trojan-activity;sid:84672137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cqnvpcp.beltfloor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809036/; classtype:trojan-activity;sid:84672136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"11szohw.beltfloor.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809035/; classtype:trojan-activity;sid:84672135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809034/; 
classtype:trojan-activity;sid:84672134; rev:1;)
# The optimized_msi.png rules pair one file name with unrelated-looking hosts.
# ia600708.us.archive.org is a general-purpose hosting name, and the rule stays
# narrow because the full item path (depth:50 plus endswith) must match.
# NOTE(review): a .png name containing "msi" may indicate a payload served
# under an image extension; that is inferred from the name, confirm on the
# URLhaus entry before acting on it.
# These rules inspect HTTP only. If clients reach such hosts over TLS, the
# request is visible to these sids only where the sensor sees decrypted
# traffic; DNS and TLS SNI logs for the same hostnames close that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809033/; classtype:trojan-activity;sid:84672133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/optimized_msi.png"; depth:23; endswith; nocase; http.host; content:"hostphpwindowsappsconect.ydns.eu"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809031/; classtype:trojan-activity;sid:84672131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crypt/optimized_msi.png"; depth:24; endswith; nocase; http.host; content:"deposit-notification.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809032/; classtype:trojan-activity;sid:84672132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/14/items/optimized_msi_20260324/optimized_msi.png"; depth:50; endswith; nocase; http.host; content:"ia600708.us.archive.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809030/; classtype:trojan-activity;sid:84672130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809029)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/upload/optimized_msi.png"; depth:25; endswith; nocase; http.host; content:"inmbau.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809029/; classtype:trojan-activity;sid:84672129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logfile.pdf"; depth:12; endswith; nocase; http.host; content:"83.217.209.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809028/; classtype:trojan-activity;sid:84672128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809027/; classtype:trojan-activity;sid:84672127; rev:1;)
# fullclear-seven.vercel.app is a per-project name under a shared platform
# domain; the exact http.host match keeps the rule from touching other
# vercel.app hostnames.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mp.msi"; depth:7; endswith; nocase; http.host; content:"fullclear-seven.vercel.app"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809023/; classtype:trojan-activity;sid:84672123; rev:1;)
# sid 84672124 and the rule that follows it (sid 84672125) list the same path
# and the same host, so one matching request raises both alerts. The two
# URLhaus entries may differ in something these rules do not encode (scheme or
# port, for example; TODO confirm). Deduplicate on host and path when counting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sehhs_msi.png"; depth:14; endswith; nocase; http.host; content:"reutilizemais.co.mz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809024/; classtype:trojan-activity;sid:84672124; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sehhs_msi.png"; depth:14; endswith; nocase; http.host; content:"reutilizemais.co.mz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809025/; classtype:trojan-activity;sid:84672125; rev:1;)
# The rule ending on the line above (sid 84672125) repeats the path and host
# of sid 84672124; expect two alerts per matching request.
# /img/optimized_msi.png is listed for two different addresses (198.12.83.76
# and 216.9.225.38), each with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/my_photo.png"; depth:13; endswith; nocase; http.host; content:"prosingle.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809026/; classtype:trojan-activity;sid:84672126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"198.12.83.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809022/; classtype:trojan-activity;sid:84672122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"216.9.225.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809018/; classtype:trojan-activity;sid:84672118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pictures/optimized_msi.png"; depth:27; endswith; nocase; http.host; content:"digitalauralab.com"; depth:18; 
isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809019/; classtype:trojan-activity;sid:84672119; rev:1;)
# The two gateway.lighthouse.storage rules differ only in the trailing "/" of
# the path (depth:66 versus depth:65). The host appears to be a gateway name
# and the long /ipfs/<identifier> path is what singles out the object, so when
# hunting in proxy logs search for the path value as well as the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/bafybeidt676k2hl7b7ayspwpxaexs3adgw5jyt7e2f62u3bfje3pk5u3ou/"; depth:66; endswith; nocase; http.host; content:"gateway.lighthouse.storage"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809020/; classtype:trojan-activity;sid:84672120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipfs/bafybeidt676k2hl7b7ayspwpxaexs3adgw5jyt7e2f62u3bfje3pk5u3ou"; depth:65; endswith; nocase; http.host; content:"gateway.lighthouse.storage"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809021/; classtype:trojan-activity;sid:84672121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_054600.png"; depth:15; endswith; nocase; http.host; content:"vault88x.secure-efficient2.su"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809017/; classtype:trojan-activity;sid:84672117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_073826.png"; depth:15; endswith; nocase; http.host; content:"mapshdi.wildscreeen.shop"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809015/; classtype:trojan-activity;sid:84672115; 
rev:1;)
# msi_215033.png here, with msi_054600.png and msi_073826.png in neighbouring
# rules, follows a msi_<six digits>.png naming pattern across unrelated
# hostnames. Each rule pins one exact name, so a different number on the same
# host is not covered; the host values are the better pivot for log searches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhpgtqwb/optimized_msi.png"; depth:27; endswith; nocase; http.host; content:"payable-notifications.org"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809016/; classtype:trojan-activity;sid:84672116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_215033.png"; depth:15; endswith; nocase; http.host; content:"person.dians-store-ison.top"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809014/; classtype:trojan-activity;sid:84672114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sterilelan.beltfloor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809013/; classtype:trojan-activity;sid:84672113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.37.212.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809012/; classtype:trojan-activity;sid:84672112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809011/; classtype:trojan-activity;sid:84672111; rev:1;)
# 110.37.87.223 (rule ending on the first line, /i) is listed again for
# /bin.sh in sid 84672103, and 117.223.1.224 /bin.sh here pairs with /i in
# sid 84672139.
# The last line of this block breaks inside the msg string of the next rule;
# keep the trailing space when rejoining it with "detected (3809006)".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"f4br2-scope.beltfloor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809010/; classtype:trojan-activity;sid:84672110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809009/; classtype:trojan-activity;sid:84672109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"d3nse-gate.beltfloor.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809008/; classtype:trojan-activity;sid:84672108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.1.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809007/; classtype:trojan-activity;sid:84672107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3809006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"carg-man.radiatebeef.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809006/; classtype:trojan-activity;sid:84672106; rev:1;)
# carg-man, waveque and verify-invoi are three of the radiatebeef.in.net
# hostnames in this feed; all use /verification.google with depth:20. Each sid
# covers one hostname only, so alerts from several of these sids on one client
# are best reviewed together against DNS logs for the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"waveque.radiatebeef.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809005/; classtype:trojan-activity;sid:84672105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"verify-invoi.radiatebeef.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809004/; classtype:trojan-activity;sid:84672104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809003/; classtype:trojan-activity;sid:84672103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.136.33.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3809002/; classtype:trojan-activity;sid:84672102; rev:1;)
# http.uri content "/i" with depth:2 and endswith is satisfied only by a URI
# of exactly two bytes, so the IP-literal host is the distinguishing part of
# these rules (113.231.36.162, 42.230.32.152).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.36.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809001/; classtype:trojan-activity;sid:84672101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"5ucnd.radiatebeef.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809000/; classtype:trojan-activity;sid:84672100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.32.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808999/; classtype:trojan-activity;sid:84672099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vn06.radiatebeef.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808998/; classtype:trojan-activity;sid:84672098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808997/; classtype:trojan-activity;sid:84672097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"crawlerstor.radiatebeef.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808996/; classtype:trojan-activity;sid:84672096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"m0on-flow.chernomofnothes.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808995/; classtype:trojan-activity;sid:84672095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"taldrais3.chernomofnothes.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808994/; classtype:trojan-activity;sid:84672094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.67.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808992/; classtype:trojan-activity;sid:84672092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3808993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.32.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808993/; classtype:trojan-activity;sid:84672093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.50.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808991/; classtype:trojan-activity;sid:84672091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808990/; classtype:trojan-activity;sid:84672090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.253.116"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808989/; classtype:trojan-activity;sid:84672089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gr0v-hold.chernomofnothes.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3808988/; classtype:trojan-activity;sid:84672088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.166.217.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808987/; classtype:trojan-activity;sid:84672087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"protectsup.chernomofnothes.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808986/; classtype:trojan-activity;sid:84672086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.131.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808985/; classtype:trojan-activity;sid:84672085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.208.164.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808984/; classtype:trojan-activity;sid:84672084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"46.163.184.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808983/; classtype:trojan-activity;sid:84672083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"basaltextend.chernomofnothes.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808982/; classtype:trojan-activity;sid:84672082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"decode-frame.chernomofnothes.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808981/; classtype:trojan-activity;sid:84672081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.208.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808980/; classtype:trojan-activity;sid:84672080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.224.208.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808978/; classtype:trojan-activity;sid:84672078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3808979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808979/; classtype:trojan-activity;sid:84672079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.56.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808977/; classtype:trojan-activity;sid:84672077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.56.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808976/; classtype:trojan-activity;sid:84672076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.50.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808975/; classtype:trojan-activity;sid:84672075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vorforgeet.paleontraglan.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808974/; 
classtype:trojan-activity;sid:84672074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.166.217.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808973/; classtype:trojan-activity;sid:84672073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"oasitre.paleontraglan.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808972/; classtype:trojan-activity;sid:84672072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.245.47.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808971/; classtype:trojan-activity;sid:84672071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.157.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808970/; classtype:trojan-activity;sid:84672070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"dyn-valeal.paleontraglan.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808969/; classtype:trojan-activity;sid:84672069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hardexte.paleontraglan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808968/; classtype:trojan-activity;sid:84672068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.131.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808967/; classtype:trojan-activity;sid:84672067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.172.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808966/; classtype:trojan-activity;sid:84672066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"l4b-mesh.paleontraglan.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808965/; classtype:trojan-activity;sid:84672065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3808964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808964/; classtype:trojan-activity;sid:84672064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"paui.paleontraglan.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808963/; classtype:trojan-activity;sid:84672063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.176.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808962/; classtype:trojan-activity;sid:84672062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mine-trace.metallurgiclink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808961/; classtype:trojan-activity;sid:84672061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cast-iron.metallurgiclink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 
2026_03_31; reference:url, urlhaus.abuse.ch/url/3808960/; classtype:trojan-activity;sid:84672060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blast-svc.metallurgiclink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808959/; classtype:trojan-activity;sid:84672059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"smelt-logic.metallurgiclink.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808958/; classtype:trojan-activity;sid:84672058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.86.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808957/; classtype:trojan-activity;sid:84672057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.176.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808956/; classtype:trojan-activity;sid:84672056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808954)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.58.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808954/; classtype:trojan-activity;sid:84672054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"steel-core.metallurgiclink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808955/; classtype:trojan-activity;sid:84672055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.254.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808953/; classtype:trojan-activity;sid:84672053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.145.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808952/; classtype:trojan-activity;sid:84672052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alloy-forge.metallurgiclink.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808951/; classtype:trojan-activity;sid:84672051; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.176.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808950/; classtype:trojan-activity;sid:84672050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gas-storage.cryogenicbuffer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808949/; classtype:trojan-activity;sid:84672049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"chilled-link.cryogenicbuffer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808948/; classtype:trojan-activity;sid:84672048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.163.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808947/; classtype:trojan-activity;sid:84672047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.236"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808946/; classtype:trojan-activity;sid:84672046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"frost-node.cryogenicbuffer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808944/; classtype:trojan-activity;sid:84672044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.145.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808945/; classtype:trojan-activity;sid:84672045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zero-point.cryogenicbuffer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808943/; classtype:trojan-activity;sid:84672043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.254.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808942/; classtype:trojan-activity;sid:84672042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808941)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.176.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808941/; classtype:trojan-activity;sid:84672041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nitro-vault.cryogenicbuffer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808939/; classtype:trojan-activity;sid:84672039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808940/; classtype:trojan-activity;sid:84672040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.238.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808938/; classtype:trojan-activity;sid:84672038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"deep-freeze.cryogenicbuffer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808937/; classtype:trojan-activity;sid:84672037; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.163.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808936/; classtype:trojan-activity;sid:84672036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"beam-portal.isotopecleaner.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808935/; classtype:trojan-activity;sid:84672035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alpha-gate.isotopecleaner.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808934/; classtype:trojan-activity;sid:84672034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"radiant-log.isotopecleaner.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808933/; classtype:trojan-activity;sid:84672033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"110.37.53.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808932/; classtype:trojan-activity;sid:84672032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.133.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808931/; classtype:trojan-activity;sid:84672031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"decay-check.isotopecleaner.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808930/; classtype:trojan-activity;sid:84672030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808929/; classtype:trojan-activity;sid:84672029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.213.123.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808928/; classtype:trojan-activity;sid:84672028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808927)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.238.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808927/; classtype:trojan-activity;sid:84672027; rev:1;)
# How to read the rules below (one rule per line; each is an exact-URL indicator for one URLhaus entry):
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: the rule fires on a GET sent by an
#     internal client, so the alert's source address is the host to triage. This relies on HOME_NET
#     being configured to cover the monitored networks.
#   - http.uri content + depth:<content length> + endswith: the content has to fill the whole normalized
#     URI buffer; nocase applies to this URI match only. Anything extra in the URI means no match.
#   - http.host content + depth:<content length> + isdataat:!1,relative: the host must equal the listed
#     value exactly; other names under the same parent domain are not covered.
#   - msg and reference carry the URLhaus entry id; in the rules shown here sid = id + 80863100, which
#     lets an alert be mapped back to its URLhaus page.
# Triage note: a hit is specific to the reported URL; a miss says nothing about related URLs or hosts.
# The /verification.google rules in this stretch list individual subdomains of isotopecleaner.in.net,
# alkalineelement.in.net, refractorymatrix.in.net and viscositycontrol.in.net. When hunting, also search
# DNS and proxy logs for other names under those parents, which these exact-host rules will not flag.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808926/; classtype:trojan-activity;sid:84672026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/0e23d66b-d075-445a-bc56-e0d05a633724"; depth:46; endswith; nocase; http.host; content:"179.43.186.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808925/; classtype:trojan-activity;sid:84672025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trace-element.isotopecleaner.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808924/; classtype:trojan-activity;sid:84672024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.60.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808923/; classtype:trojan-activity;sid:84672023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"half-life.isotopecleaner.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808922/; classtype:trojan-activity;sid:84672022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.25.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808921/; classtype:trojan-activity;sid:84672021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.234.174.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808920/; classtype:trojan-activity;sid:84672020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.207.250.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808919/; classtype:trojan-activity;sid:84672019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.173.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808918/; classtype:trojan-activity;sid:84672018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.231.44.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808917/; classtype:trojan-activity;sid:84672017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808916/; classtype:trojan-activity;sid:84672016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"metal-trace.alkalineelement.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808915/; classtype:trojan-activity;sid:84672015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"reactive-hub.alkalineelement.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808914/; classtype:trojan-activity;sid:84672014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.133.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808913/; classtype:trojan-activity;sid:84672013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808912/; classtype:trojan-activity;sid:84672012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.213.123.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808911/; classtype:trojan-activity;sid:84672011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.206.111.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808910/; classtype:trojan-activity;sid:84672010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"caustic-api.alkalineelement.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808909/; classtype:trojan-activity;sid:84672009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808908/; classtype:trojan-activity;sid:84672008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"salt-buffer.alkalineelement.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808907/; classtype:trojan-activity;sid:84672007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ph-monitor.alkalineelement.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808906/; classtype:trojan-activity;sid:84672006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.231.44.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808905/; classtype:trojan-activity;sid:84672005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.207.250.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808904/; classtype:trojan-activity;sid:84672004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.9.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808903/; classtype:trojan-activity;sid:84672003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"base-level.alkalineelement.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808902/; classtype:trojan-activity;sid:84672002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fire-wall.refractorymatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808901/; classtype:trojan-activity;sid:84672001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808900/; classtype:trojan-activity;sid:84672000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.206.111.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808899/; classtype:trojan-activity;sid:84671999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solid-state.refractorymatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808898/; classtype:trojan-activity;sid:84671998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.163.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808897/; classtype:trojan-activity;sid:84671997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.245.47.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808896/; classtype:trojan-activity;sid:84671996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shield-base.refractorymatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808895/; classtype:trojan-activity;sid:84671995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"high-heat.refractorymatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808894/; classtype:trojan-activity;sid:84671994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kiln-control.refractorymatrix.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808893/; classtype:trojan-activity;sid:84671993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brick-layer.refractorymatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808892/; classtype:trojan-activity;sid:84671992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pump-gate.viscositycontrol.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808891/; classtype:trojan-activity;sid:84671991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.211.149.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808890/; classtype:trojan-activity;sid:84671990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"density-svc.viscositycontrol.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808889/; classtype:trojan-activity;sid:84671989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.163.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808888/; classtype:trojan-activity;sid:84671988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.164.128.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808887/; classtype:trojan-activity;sid:84671987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.9.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808886/; classtype:trojan-activity;sid:84671986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808885/; classtype:trojan-activity;sid:84671985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808884/; classtype:trojan-activity;sid:84671984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"friction-log.viscositycontrol.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808883/; classtype:trojan-activity;sid:84671983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flow-regulator.viscositycontrol.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808882/; classtype:trojan-activity;sid:84671982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase;
http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808881/; classtype:trojan-activity;sid:84671981; rev:1;)
# Each rule below is an exact-URL indicator for one URLhaus entry: it fires on a GET from $HOME_NET to
# $EXTERNAL_NET whose normalized URI equals the listed path (depth:<content length> + endswith, nocase)
# and whose Host equals the listed value (depth:<content length> + isdataat:!1,relative). The alert's
# source address is therefore the internal client to triage; a miss says nothing about related URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"thick-layer.viscositycontrol.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808880/; classtype:trojan-activity;sid:84671980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fluid-path.viscositycontrol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808879/; classtype:trojan-activity;sid:84671979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808878/; classtype:trojan-activity;sid:84671978; rev:1;)
# The next 11 rules (URLhaus 3808867-3808877) share one host, 217.160.125.125, and differ only in the
# /bot.<arch> path: powerpc-440fp, sh4, x86_64, i586, armv6l, armv4l, powerpc, i486, mipsel, m68k, x86.
# Triage hint: the path requested suggests the CPU architecture of the requesting device, which helps
# narrow down the source when the alert shows a NAT or gateway address. Correlate all eleven sids on
# the destination address rather than handling them as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc-440fp"; depth:18; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808867/; classtype:trojan-activity;sid:84671967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808868/; classtype:trojan-activity;sid:84671968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808869/; classtype:trojan-activity;sid:84671969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i586"; depth:9; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808870/; classtype:trojan-activity;sid:84671970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808871/; classtype:trojan-activity;sid:84671971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808872/; classtype:trojan-activity;sid:84671972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808873/; classtype:trojan-activity;sid:84671973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808874/; classtype:trojan-activity;sid:84671974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808875/; classtype:trojan-activity;sid:84671975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808876/; classtype:trojan-activity;sid:84671976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86"; depth:8; endswith; nocase; http.host; content:"217.160.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808877/; classtype:trojan-activity;sid:84671977; rev:1;)
# The /verification.google rules that follow list individual subdomains of syntheticpolymer.in.net;
# other names under that parent are not matched by these exact-host rules, so check DNS/proxy logs too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808866/; classtype:trojan-activity;sid:84671966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blend-master.syntheticpolymer.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808865/; classtype:trojan-activity;sid:84671965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.199.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808864/; classtype:trojan-activity;sid:84671964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"elastic-net.syntheticpolymer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808863/; classtype:trojan-activity;sid:84671963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808862/; classtype:trojan-activity;sid:84671962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.112.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808861/; classtype:trojan-activity;sid:84671961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.112.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808860/; classtype:trojan-activity;sid:84671960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mold-engine.syntheticpolymer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808859/; classtype:trojan-activity;sid:84671959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.228.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808858/;
classtype:trojan-activity;sid:84671958; rev:1;)
# Each rule below is an exact-URL indicator for one URLhaus entry: it fires on a GET from $HOME_NET to
# $EXTERNAL_NET whose normalized URI equals the listed path (depth:<content length> + endswith, nocase)
# and whose Host equals the listed value (depth:<content length> + isdataat:!1,relative). The alert's
# source address is the internal client to triage; the reference URL leads to the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"plastic-dev.syntheticpolymer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808857/; classtype:trojan-activity;sid:84671957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fiber-optic.syntheticpolymer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808856/; classtype:trojan-activity;sid:84671956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"resin-store.syntheticpolymer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808855/; classtype:trojan-activity;sid:84671955; rev:1;)
# The next 14 rules cover .zip files hosted in GitHub repositories. They come in pairs for the same
# file: the github.com/<owner>/<repo>/raw/... URL and its raw.githubusercontent.com counterpart.
#   - Both hosts are shared, legitimate platforms. The exact URI match is what makes these rules
#     specific; do not derive host-level blocks or host-only alerts from them.
#   - Both hosts normally serve content over HTTPS, and an "alert http" rule only inspects traffic
#     Suricata parses as HTTP. Expect hits only where TLS is decrypted ahead of the sensor or a client
#     requests the URL over plain HTTP; elsewhere, match these URLs in proxy or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cradzz14/gamification-in-software-project-management/refs/heads/main/unmeltableness/management_project_gamification_in_software_2.3.zip"; depth:136; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808852/; classtype:trojan-activity;sid:84671952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tribalwarsaaa/vfio-windows-aio/raw/refs/heads/main/assets/windows-vfio-aio-3.3.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808853/; classtype:trojan-activity;sid:84671953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tribalwarsaaa/vfio-windows-aio/refs/heads/main/assets/windows-vfio-aio-3.3.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808854/; classtype:trojan-activity;sid:84671954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cradzz14/gamification-in-software-project-management/raw/refs/heads/main/unmeltableness/management_project_gamification_in_software_2.3.zip"; depth:140; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808851/; classtype:trojan-activity;sid:84671951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cradzz14/gamification-in-software-project-management/refs/heads/main/unmeltableness/software_management_project_in_gamification_v2.6.zip"; depth:137; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808849/; classtype:trojan-activity;sid:84671949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cradzz14/gamification-in-software-project-management/raw/refs/heads/main/unmeltableness/software_management_project_in_gamification_v2.6.zip"; depth:141; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808850/; classtype:trojan-activity;sid:84671950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/gtao_solosession/raw/refs/heads/main/gtao_solosession/solo-session-gta-v2.3.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808843/; classtype:trojan-activity;sid:84671943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/gtao_solosession/refs/heads/main/gtao_solosession/solo-session-gta-v2.3.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808844/; classtype:trojan-activity;sid:84671944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/sethudevasenapathy92.github.io/raw/refs/heads/main/cultigen/sethudevasenapathy-io-github-2.2.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808845/; classtype:trojan-activity;sid:84671945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/sethudevasenapathy92.github.io/refs/heads/main/cultigen/sethudevasenapathy-io-github-2.2.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808846/; classtype:trojan-activity;sid:84671946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/light-077/chatbot-gaming-assistant/raw/refs/heads/main/my_agent/chatbot_assistant_gaming_v1.8.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808847/; classtype:trojan-activity;sid:84671947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/light-077/chatbot-gaming-assistant/refs/heads/main/my_agent/chatbot_assistant_gaming_v1.8.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808848/; classtype:trojan-activity;sid:84671948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/sethudevasenapathy92.github.io/raw/refs/heads/main/cultigen/sethudevasenapathy_github_io_3.7.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808841/; classtype:trojan-activity;sid:84671941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sethudevasenapathy92/sethudevasenapathy92.github.io/refs/heads/main/cultigen/sethudevasenapathy_github_io_3.7.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808842/; classtype:trojan-activity;sid:84671942; rev:1;)
# Back to bare-IP and *.in.net indicators. The /verification.google rules here list individual
# subdomains of isothermalmetric.in.net; other names under that parent are not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.195.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808840/; classtype:trojan-activity;sid:84671940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.228.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808839/; classtype:trojan-activity;sid:84671939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"range-finder.isothermalmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808838/; classtype:trojan-activity;sid:84671938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.65.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808837/; classtype:trojan-activity;sid:84671937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.218.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808836/; classtype:trojan-activity;sid:84671936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"thermal-sync.isothermalmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808835/; classtype:trojan-activity;sid:84671935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/raw/refs/heads/main/source/dxsdk/mode_wars_on_developer_resolution_p_lego_star_fi_v3.9.zip"; depth:159; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808828/;
classtype:trojan-activity;sid:84671928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/raw/refs/heads/main/source/dxsdk/lib/x64/developer-wars-fi-star-on-resolution-p-mode-lego-v1.8.zip"; depth:167; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808829/; classtype:trojan-activity;sid:84671929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/raw/refs/heads/main/source/dxsdk/lib/x86/on-p-mode-developer-lego-fi-star-resolution-wars-1.1.zip"; depth:166; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808830/; classtype:trojan-activity;sid:84671930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/refs/heads/main/source/dxsdk/lib/x86/on-p-mode-developer-lego-fi-star-resolution-wars-1.1.zip"; depth:162; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808831/; classtype:trojan-activity;sid:84671931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808832)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/refs/heads/main/source/dxsdk/lib/x64/developer-wars-fi-star-on-resolution-p-mode-lego-v1.8.zip"; depth:163; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808832/; classtype:trojan-activity;sid:84671932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"temp-archive.isothermalmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808833/; classtype:trojan-activity;sid:84671933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haylandercaio/lego-star-wars-2005-pc-resolution-fix-developermodeon/refs/heads/main/source/dxsdk/mode_wars_on_developer_resolution_p_lego_star_fi_v3.9.zip"; depth:155; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808827/; classtype:trojan-activity;sid:84671927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cold-bridge.isothermalmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808826/; classtype:trojan-activity;sid:84671926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talangojames51/io5/raw/refs/heads/main/5/83.txt"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808823/; classtype:trojan-activity;sid:84671923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talangojames51/io5/refs/heads/main/5/86.txt"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808824/; classtype:trojan-activity;sid:84671924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talangojames51/io5/raw/refs/heads/main/5/86.txt"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808825/; classtype:trojan-activity;sid:84671925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talangojames51/io5/refs/heads/main/5/83.txt"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808822/; classtype:trojan-activity;sid:84671922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808820)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/skidgang/discord-lanyard-activity/refs/heads/main/demo/src/discord-activity-lanyard-tour.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808820/; classtype:trojan-activity;sid:84671920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aslekarii/proxmox-nvidia-vfio-handoff/raw/refs/heads/main/autogeneal/vfio-proxmox-handoff-nvidia-v2.6.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808821/; classtype:trojan-activity;sid:84671921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aslekarii/proxmox-nvidia-vfio-handoff/refs/heads/main/autogeneal/vfio-proxmox-handoff-nvidia-v2.6.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808818/; classtype:trojan-activity;sid:84671918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skidgang/discord-lanyard-activity/raw/refs/heads/main/demo/src/discord-activity-lanyard-tour.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808819/; classtype:trojan-activity;sid:84671919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808816)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harryryanbarr/yarpe/refs/heads/main/renpy/software-3.5-alpha.3.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808816/; classtype:trojan-activity;sid:84671916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harryryanbarr/yarpe/raw/refs/heads/main/renpy/software-3.5-alpha.3.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808817/; classtype:trojan-activity;sid:84671917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"constant-io.isothermalmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808815/; classtype:trojan-activity;sid:84671915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.65.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808814/; classtype:trojan-activity;sid:84671914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"heat-sensor.isothermalmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808813/; classtype:trojan-activity;sid:84671913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.195.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808812/; classtype:trojan-activity;sid:84671912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.218.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808811/; classtype:trojan-activity;sid:84671911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"force-field.molecularbonding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808810/; classtype:trojan-activity;sid:84671910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.55.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808809/; classtype:trojan-activity;sid:84671909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.244.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808808/; classtype:trojan-activity;sid:84671908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stable-node.molecularbonding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808807/; classtype:trojan-activity;sid:84671907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.255.46.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808806/; classtype:trojan-activity;sid:84671906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ion-channel.molecularbonding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808805/; classtype:trojan-activity;sid:84671905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808804/; 
classtype:trojan-activity;sid:84671904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808803/; classtype:trojan-activity;sid:84671903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.180.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808800/; classtype:trojan-activity;sid:84671900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.77.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808801/; classtype:trojan-activity;sid:84671901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.88.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808802/; classtype:trojan-activity;sid:84671902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.41"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808799/; classtype:trojan-activity;sid:84671899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.89.72.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808798/; classtype:trojan-activity;sid:84671898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.237.130.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808794/; classtype:trojan-activity;sid:84671894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.78.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808795/; classtype:trojan-activity;sid:84671895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.68.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808796/; classtype:trojan-activity;sid:84671896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"27.156.176.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808797/; classtype:trojan-activity;sid:84671897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.166.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808792/; classtype:trojan-activity;sid:84671892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.78.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808793/; classtype:trojan-activity;sid:84671893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808791/; classtype:trojan-activity;sid:84671891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808790/; classtype:trojan-activity;sid:84671890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808784)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.77.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808784/; classtype:trojan-activity;sid:84671884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.92.68.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808785/; classtype:trojan-activity;sid:84671885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.92.68.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808786/; classtype:trojan-activity;sid:84671886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"101.58.64.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808787/; classtype:trojan-activity;sid:84671887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.193.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808788/; classtype:trojan-activity;sid:84671888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3808789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.228.132.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808789/; classtype:trojan-activity;sid:84671889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.223.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808778/; classtype:trojan-activity;sid:84671878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.227.63.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808779/; classtype:trojan-activity;sid:84671879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.180.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808780/; classtype:trojan-activity;sid:84671880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808781/; 
classtype:trojan-activity;sid:84671881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.179.235.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808782/; classtype:trojan-activity;sid:84671882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808783/; classtype:trojan-activity;sid:84671883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"covalent-hub.molecularbonding.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808777/; classtype:trojan-activity;sid:84671877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.195.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808776/; classtype:trojan-activity;sid:84671876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808774)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/avhasei07/devilconnection-russian-localization/refs/heads/main/heriot/russian_devil_connection_localization_v2.9.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808774/; classtype:trojan-activity;sid:84671874; rev:1;)
# How to read the entries below: each rule alerts on an HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri is exactly the listed path
# (depth equals the content length and endswith pins the end; nocase ignores
# case) and whose http.host is exactly the listed name or IP (depth plus
# isdataat:!1,relative leaves no room for extra bytes).
# The action is alert and the flow is from_client, so a hit records that an
# internal client requested the URL. It does not by itself show that a payload
# was returned or run; confirm against HTTP response and file logs.
# Coverage is limited to the exact URL: a different path or an added query
# string on the same host is not matched by these entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avhasei07/devilconnection-russian-localization/raw/refs/heads/main/heriot/russian_devil_connection_localization_v2.9.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808775/; classtype:trojan-activity;sid:84671875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"chain-logic.molecularbonding.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808773/; classtype:trojan-activity;sid:84671873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.196.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808772/; classtype:trojan-activity;sid:84671872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"atom-lattice.molecularbonding.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808771/; classtype:trojan-activity;sid:84671871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"agent-proxy.catalyticprocess.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808770/; classtype:trojan-activity;sid:84671870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.255.46.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808769/; classtype:trojan-activity;sid:84671869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808768/; classtype:trojan-activity;sid:84671868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"batch-report.catalyticprocess.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808767/; classtype:trojan-activity;sid:84671867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808766/; classtype:trojan-activity;sid:84671866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"filter-press.catalyticprocess.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808765/; classtype:trojan-activity;sid:84671865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solvent-vault.catalyticprocess.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808764/; classtype:trojan-activity;sid:84671864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yield-monitor.catalyticprocess.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808763/; classtype:trojan-activity;sid:84671863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"reaction-api.catalyticprocess.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808762/; classtype:trojan-activity;sid:84671862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.55.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808761/; classtype:trojan-activity;sid:84671861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808760/; classtype:trojan-activity;sid:84671860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808759/; classtype:trojan-activity;sid:84671859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"orbit-path.cosmoforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808758/; classtype:trojan-activity;sid:84671858; rev:1;)
# NOTE(review): the github.com / raw.githubusercontent.com entries are written
# as `alert http`, so they match only where the request reaches the HTTP parser
# (a cleartext http:// request or TLS-inspected traffic). These hosts are
# normally fetched over HTTPS; confirm sensor placement before counting on
# these sids for coverage. The host is shared with legitimate content, so the
# full-path match is what makes the entry specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/valentindelahaye8/levilauncher-materialbinloader/raw/refs/heads/master/mediaqueries/levilauncher-materialbinloader_3.7.zip"; depth:123; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808756/; classtype:trojan-activity;sid:84671856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/valentindelahaye8/levilauncher-materialbinloader/refs/heads/master/mediaqueries/levilauncher-materialbinloader_3.7.zip"; depth:119; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808757/; classtype:trojan-activity;sid:84671857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flipflip563/yicb/raw/refs/heads/main/airless/software-2.8.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808750/; classtype:trojan-activity;sid:84671850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jasminahyperthermal488/utility-for-fortnite-noclip/refs/heads/main/cheka/noclip-fortnite-utility-for-1.6-alpha.4.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808751/; classtype:trojan-activity;sid:84671851; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flipflip563/yicb/refs/heads/main/airless/software-2.8.zip"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808752/; classtype:trojan-activity;sid:84671852; rev:1;)
# Most entries in this stretch point at archive files in GitHub repositories.
# The same repository file is usually listed twice, once as
# github.com/<owner>/<repo>/raw/refs/heads/... and once as
# raw.githubusercontent.com/<owner>/<repo>/refs/heads/..., each with its own
# sid, so two sids can refer to one artifact when triaging.
# NOTE(review): these are `alert http` rules on hosts that are normally
# fetched over HTTPS; they appear to need a cleartext request or TLS
# inspection to fire. Verify before treating a quiet sensor as a clean result.
# The host is shared with legitimate repositories: only the exact path is the
# indicator here, so these entries do not translate into a host-level match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eastgerman-internist198/raylib-template/raw/refs/heads/main/raylib-5.5_linux_amd64/lib/template_raylib_3.7.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808753/; classtype:trojan-activity;sid:84671853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jasminahyperthermal488/utility-for-fortnite-noclip/raw/refs/heads/main/cheka/noclip-fortnite-utility-for-1.6-alpha.4.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808754/; classtype:trojan-activity;sid:84671854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eastgerman-internist198/raylib-template/refs/heads/main/raylib-5.5_linux_amd64/lib/template_raylib_3.7.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808755/; classtype:trojan-activity;sid:84671855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dark-matter.cosmoforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808749/; classtype:trojan-activity;sid:84671849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nova-core.cosmoforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808748/; classtype:trojan-activity;sid:84671848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.40.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808747/; classtype:trojan-activity;sid:84671847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"void-gate.cosmoforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808746/; classtype:trojan-activity;sid:84671846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"star-field.cosmoforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808745/; classtype:trojan-activity;sid:84671845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.46.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808744/; classtype:trojan-activity;sid:84671844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yns70/textgame/raw/refs/heads/main/brachiorrhachidian/software-1.0-beta.5.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808742/; classtype:trojan-activity;sid:84671842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yns70/textgame/refs/heads/main/brachiorrhachidian/software-1.0-beta.5.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808743/; classtype:trojan-activity;sid:84671843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808741/; classtype:trojan-activity;sid:84671841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lovlovlo15/chronicles-of-aethergate/raw/refs/heads/main/saves/of-aethergate-chronicles-v2.3.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808740/; classtype:trojan-activity;sid:84671840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momenmatouk/ruby-vgr/raw/refs/heads/main/mnemotechnic/ruby_vgr_2.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808739/; classtype:trojan-activity;sid:84671839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jayasuryapalagiri/midterm-website-development-jayasurya/raw/refs/heads/main/pedological/development_jayasurya_midterm_website_v1.4.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808734/; classtype:trojan-activity;sid:84671834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jayasuryapalagiri/midterm-website-development-jayasurya/refs/heads/main/pedological/development_jayasurya_midterm_website_v1.4.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808735/; classtype:trojan-activity;sid:84671835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eman420-art/saywhat_menu/raw/refs/heads/main/pyracene/saywhat-menu-v3.0-alpha.3.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808736/; classtype:trojan-activity;sid:84671836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jayasuryapalagiri/alien-nostromo-archives/raw/refs/heads/main/cradge/nostromo-alien-archives-3.9.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808737/; classtype:trojan-activity;sid:84671837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jayasuryapalagiri/alien-nostromo-archives/refs/heads/main/cradge/nostromo-alien-archives-3.9.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808738/; classtype:trojan-activity;sid:84671838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lovlovlo15/chronicles-of-aethergate/refs/heads/main/saves/of-aethergate-chronicles-v2.3.zip"; depth:92; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808730/; classtype:trojan-activity;sid:84671830; rev:1;)
# Entries below fall into three visible groups: repository archive files on
# github.com / raw.githubusercontent.com, the path /verification.google on many
# subdomains of a few *.in.net parents (cosmoforge, dynaflux, helioshaven), and
# the short paths /i and /bin.sh on bare IPv4 hosts.
# Every rule matches one exact host: depth equals the host length and
# isdataat:!1,relative requires that nothing follows it, so a subdomain that is
# not listed produces no alert even when its parent domain is listed many times.
# NOTE(review): when one of the *.in.net sids fires, it is worth reviewing DNS
# and proxy logs for other names under the same parent domain; the feed lists
# observed URLs and is presumably not exhaustive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xplam-den/snake-game-with-rl/refs/heads/master/algophilist/rl_with_game_snake_v2.5.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808731/; classtype:trojan-activity;sid:84671831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xplam-den/snake-game-with-rl/raw/refs/heads/master/algophilist/rl_with_game_snake_v2.5.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808732/; classtype:trojan-activity;sid:84671832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eman420-art/saywhat_menu/refs/heads/main/pyracene/saywhat-menu-v3.0-alpha.3.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808733/; classtype:trojan-activity;sid:84671833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"deep-space.cosmoforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808729/; classtype:trojan-activity;sid:84671829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.152.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808728/; classtype:trojan-activity;sid:84671828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.44.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808726/; classtype:trojan-activity;sid:84671826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.44.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808727/; classtype:trojan-activity;sid:84671827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fast-trace.dynaflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808725/; classtype:trojan-activity;sid:84671825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spin-relay.dynaflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808724/; classtype:trojan-activity;sid:84671824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"motor-unit.dynaflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808723/; classtype:trojan-activity;sid:84671823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.33.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808722/; classtype:trojan-activity;sid:84671822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"torque-svc.dynaflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808721/; classtype:trojan-activity;sid:84671821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kinetic-io.dynaflux.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808720/; classtype:trojan-activity;sid:84671820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.46.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808719/; classtype:trojan-activity;sid:84671819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"power-drive.dynaflux.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808718/; classtype:trojan-activity;sid:84671818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"warm-cache.helioshaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808717/; classtype:trojan-activity;sid:84671817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808716/; classtype:trojan-activity;sid:84671816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bright-edge.helioshaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808715/; classtype:trojan-activity;sid:84671815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.33.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808714/; classtype:trojan-activity;sid:84671814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"day-light.helioshaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808712/; classtype:trojan-activity;sid:84671812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.206.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808713/; classtype:trojan-activity;sid:84671813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solar-api.helioshaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808711/; classtype:trojan-activity;sid:84671811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3808710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.18.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808710/; classtype:trojan-activity;sid:84671810; rev:1;)
# All entries below carry created_at 2026_03_31 and rev:1. Many match a bare
# IPv4 address in http.host with the short path /i or /bin.sh; the same address
# can appear under both paths with separate sids (81.230.148.181 does here), so
# correlate alerts by host as well as by sid.
# NOTE(review): the rules carry no expiry, and an address presumably can change
# hands after the listing date. Check the reference: URL for the entry's
# current status before acting on a hit, and keep the ruleset refreshed from
# the feed rather than pinning an old copy.
# The action is alert with flow:established,from_client: a hit means an
# internal host sent the GET, which is the event to investigate on that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"heat-shield.helioshaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808709/; classtype:trojan-activity;sid:84671809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sun-flare.helioshaven.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808708/; classtype:trojan-activity;sid:84671808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ice-vault.polarisbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808707/; classtype:trojan-activity;sid:84671807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cold-store.polarisbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808706/; classtype:trojan-activity;sid:84671806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"peak-access.polarisbloom.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808705/; classtype:trojan-activity;sid:84671805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"top-render.polarisbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808704/; classtype:trojan-activity;sid:84671804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808703/; classtype:trojan-activity;sid:84671803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.206.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808702/; classtype:trojan-activity;sid:84671802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"guide-path.polarisbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808701/; classtype:trojan-activity;sid:84671801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808700/; classtype:trojan-activity;sid:84671800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.37.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808698/; classtype:trojan-activity;sid:84671798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.242.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808699/; classtype:trojan-activity;sid:84671799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"north-star.polarisbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808697/; classtype:trojan-activity;sid:84671797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.101.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808696/; classtype:trojan-activity;sid:84671796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bus-bridge.circuitflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808695/; classtype:trojan-activity;sid:84671795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.63.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808694/; classtype:trojan-activity;sid:84671794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"amp-control.circuitflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808693/; classtype:trojan-activity;sid:84671793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.117.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808692/; classtype:trojan-activity;sid:84671792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.230.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808691/; classtype:trojan-activity;sid:84671791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wire-sync.circuitflux.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808690/; classtype:trojan-activity;sid:84671790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"signal-box.circuitflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808689/; classtype:trojan-activity;sid:84671789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"volt-power.circuitflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808688/; classtype:trojan-activity;sid:84671788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3808687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808687/; classtype:trojan-activity;sid:84671787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"micro-chip.circuitflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808686/; classtype:trojan-activity;sid:84671786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.63.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808685/; classtype:trojan-activity;sid:84671785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stat-portal.axiomforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808684/; classtype:trojan-activity;sid:84671784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.101.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, 
urlhaus.abuse.ch/url/3808683/; classtype:trojan-activity;sid:84671783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"math-proc.axiomforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808682/; classtype:trojan-activity;sid:84671782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"main-frame.axiomforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808681/; classtype:trojan-activity;sid:84671781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"base-theory.axiomforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808680/; classtype:trojan-activity;sid:84671780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proof-check.axiomforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808679/; classtype:trojan-activity;sid:84671779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808678)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.24.36.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808678/; classtype:trojan-activity;sid:84671778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"logic-rule.axiomforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808677/; classtype:trojan-activity;sid:84671777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.244.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808676/; classtype:trojan-activity;sid:84671776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.239.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808675/; classtype:trojan-activity;sid:84671775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/638251020/ame4p4o.exe"; depth:28; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808674/; classtype:trojan-activity;sid:84671774; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.204.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808673/; classtype:trojan-activity;sid:84671773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"leaf-proxy.orbitbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808672/; classtype:trojan-activity;sid:84671772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"root-cluster.orbitbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808671/; classtype:trojan-activity;sid:84671771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"plant-logic.orbitbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808670/; classtype:trojan-activity;sid:84671770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"green-node.orbitbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808669/; classtype:trojan-activity;sid:84671769; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (one rule per line).
#
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET on an
# established flow. The http.uri content uses depth (equal to its length) plus
# endswith, and the http.host content uses depth plus isdataat:!1,relative, so
# both buffers must equal the quoted strings exactly; nocase applies to the
# URI comparison. A URI with extra bytes, or the same download over TLS, does
# not raise these alerts.
#
# Twelve rules here (sid:84671755-84671759 and sid:84671761-84671767) name the
# same host, 176.65.139.64, and differ only in a path that looks like a CPU
# architecture name (//arm5, //arm6, //arm7, //mips, //mpsl, //x86, //x86_64,
# //i686, //ppc, //m68k, //sh4, //arc). Presumably one hosting location serving
# one build per architecture - confirm on the URLhaus reference pages.
# The leading double slash is part of the matched string. NOTE(review): whether
# a single-slash request for the same name would also match depends on how the
# sensor normalizes the URI; verify before relying on these rules for that case.
# The rules are not in sid order, and two unrelated /i rules (sid:84671760 and
# sid:84671754) sit among them.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"eco-system.orbitbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808668/; classtype:trojan-activity;sid:84671768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.4.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808660/; classtype:trojan-activity;sid:84671760; rev:1;)
# --- host 176.65.139.64, architecture-named paths (first group) ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808661/; classtype:trojan-activity;sid:84671761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm7"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808662/; classtype:trojan-activity;sid:84671762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sh4"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808663/; classtype:trojan-activity;sid:84671763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//x86"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808664/; classtype:trojan-activity;sid:84671764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arc"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808665/; classtype:trojan-activity;sid:84671765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//mips"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808666/; classtype:trojan-activity;sid:84671766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//i686"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808667/; classtype:trojan-activity;sid:84671767; rev:1;)
# Unrelated host between the two 176.65.139.64 groups.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.3.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808654/; classtype:trojan-activity;sid:84671754; rev:1;)
# --- host 176.65.139.64, architecture-named paths (second group) ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//ppc"; depth:5; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808655/; classtype:trojan-activity;sid:84671755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//x86_64"; depth:8; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808656/; classtype:trojan-activity;sid:84671756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//m68k"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808657/; classtype:trojan-activity;sid:84671757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm6"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808658/; classtype:trojan-activity;sid:84671758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//mpsl"; depth:6; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808659/; classtype:trojan-activity;sid:84671759; rev:1;)
# --- end of the 176.65.139.64 rules ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bio-growth.orbitbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808653/; classtype:trojan-activity;sid:84671753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.55.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808652/; classtype:trojan-activity;sid:84671752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.81.110"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808651/; classtype:trojan-activity;sid:84671751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"ion-stream.stellarflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808650/; classtype:trojan-activity;sid:84671750; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (one rule per line).
#
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET on an
# established flow. depth (equal to the string length) plus endswith pins the
# http.uri buffer to the quoted path, and depth plus isdataat:!1,relative pins
# the http.host buffer to the quoted host; nocase applies to the URI content.
# Because both matches are exact, extra URI bytes (such as a query string) or
# transport over TLS mean no alert from these signatures.
#
# The /verification.google rules here cover named subdomains of
# stellarflux.in.net and nexushaven.in.net only; other names under those
# parents are not matched, so a DNS-log watch on the parent domains
# complements them.
#
# Thirteen rules (sid:84671725-84671737) name host 83.168.69.118 with paths of
# the form /bins/xnxnxnxnxnxnxnxn<name>xnxn, where <name> looks like a CPU
# architecture (powerpc, loongarch64, x86_64, sh2, sh4, aarch64, riscv64, i386,
# microblaze, m68k, riscv32, or1k, mips). Presumably one payload build per
# architecture - confirm on the URLhaus reference pages. Each full path is
# matched literally, so a renamed file on the same host is not covered; alerting
# on the destination IP in flow logs is the broader check.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"drift-sensor.stellarflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808649/; classtype:trojan-activity;sid:84671749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pulse-gate.stellarflux.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808648/; classtype:trojan-activity;sid:84671748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"beam-target.stellarflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808647/; classtype:trojan-activity;sid:84671747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.3.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808646/; classtype:trojan-activity;sid:84671746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-monitor.stellarflux.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808645/; classtype:trojan-activity;sid:84671745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"light-speed.stellarflux.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808644/; classtype:trojan-activity;sid:84671744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.106.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808643/; classtype:trojan-activity;sid:84671743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"relay-server.nexushaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808642/; classtype:trojan-activity;sid:84671742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.60.238.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808641/; classtype:trojan-activity;sid:84671741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"secure-link.nexushaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808640/; classtype:trojan-activity;sid:84671740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.106.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808639/; classtype:trojan-activity;sid:84671739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"backup-node.nexushaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808638/; classtype:trojan-activity;sid:84671738; rev:1;)
# --- host 83.168.69.118, /bins/ paths, one per architecture-like name ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808637/; classtype:trojan-activity;sid:84671737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808636/; classtype:trojan-activity;sid:84671736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808625/; classtype:trojan-activity;sid:84671725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808626/; classtype:trojan-activity;sid:84671726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808627/; classtype:trojan-activity;sid:84671727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808628/; classtype:trojan-activity;sid:84671728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808629/; classtype:trojan-activity;sid:84671729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808630/; classtype:trojan-activity;sid:84671730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808631/; classtype:trojan-activity;sid:84671731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808632/; classtype:trojan-activity;sid:84671732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808633/; classtype:trojan-activity;sid:84671733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808634/; classtype:trojan-activity;sid:84671734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"83.168.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808635/; classtype:trojan-activity;sid:84671735; rev:1;)
# --- end of the 83.168.69.118 rules ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"guest-access.nexushaven.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808624/; classtype:trojan-activity;sid:84671724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.224.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808623/; classtype:trojan-activity;sid:84671723; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (one rule per line).
#
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET on an
# established flow. The http.uri content (depth equal to its length, endswith,
# nocase) and the http.host content (depth equal to its length,
# isdataat:!1,relative) must each equal the whole buffer, so a rule fires only
# for that exact host and path. Requests carrying extra URI bytes, and requests
# made over TLS, are outside what these signatures can see.
#
# Two families appear in this run: IPv4-literal hosts with the short paths /i
# and /bin.sh, and named subdomains of nexushaven.in.net, vectorforge.in.net
# and ashenkite.in.net with the path /verification.google. Several IPs occur
# with both /i and /bin.sh across the ruleset (123.12.224.245 does so within
# this run), so grouping alerts by destination address helps scoping.
# NOTE(review): /verification.google reads like a lure imitating a verification
# page - that is an inference from the name only; check the URLhaus reference.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.4.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808622/; classtype:trojan-activity;sid:84671722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cloud-vault.nexushaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808621/; classtype:trojan-activity;sid:84671721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"safe-harbor.nexushaven.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808620/; classtype:trojan-activity;sid:84671720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"auth-proxy.vectorforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808619/; classtype:trojan-activity;sid:84671719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.204.242"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808618/; classtype:trojan-activity;sid:84671718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.230.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808617/; classtype:trojan-activity;sid:84671717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"build-deploy.vectorforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808616/; classtype:trojan-activity;sid:84671716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.204.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808615/; classtype:trojan-activity;sid:84671715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"data-pipeline.vectorforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808614/; classtype:trojan-activity;sid:84671714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.224.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808613/; classtype:trojan-activity;sid:84671713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"api-endpoint.vectorforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808612/; classtype:trojan-activity;sid:84671712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"load-stress.vectorforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808611/; classtype:trojan-activity;sid:84671711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.162.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808610/; classtype:trojan-activity;sid:84671710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808609/; classtype:trojan-activity;sid:84671709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"core-engine.vectorforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808608/; classtype:trojan-activity;sid:84671708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.140.44.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808607/; classtype:trojan-activity;sid:84671707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.55.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808606/; classtype:trojan-activity;sid:84671706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rpaizy.ashenkite.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808605/; classtype:trojan-activity;sid:84671705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808604)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.162.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808604/; classtype:trojan-activity;sid:84671704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"185ez3.ashenkite.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808603/; classtype:trojan-activity;sid:84671703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.204.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808602/; classtype:trojan-activity;sid:84671702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.0.211"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808601/; classtype:trojan-activity;sid:84671701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.91.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808600/; classtype:trojan-activity;sid:84671700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3808599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pixelsola.ashenkite.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808599/; classtype:trojan-activity;sid:84671699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cr4t-flow.ashenkite.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808598/; classtype:trojan-activity;sid:84671698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"uyr3.ashenkite.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808597/; classtype:trojan-activity;sid:84671697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.217.198.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808596/; classtype:trojan-activity;sid:84671696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkmeshet6.ashenkite.in.net"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808595/; classtype:trojan-activity;sid:84671695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.91.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808594/; classtype:trojan-activity;sid:84671694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"open-mesh.quillspire.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808593/; classtype:trojan-activity;sid:84671693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bin4ry-ring.quillspire.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808592/; classtype:trojan-activity;sid:84671692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"m3rg-hinge.quillspire.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808591/; classtype:trojan-activity;sid:84671691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nuaeftf.quillspire.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808590/; classtype:trojan-activity;sid:84671690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mer-forgeex.quillspire.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808589/; classtype:trojan-activity;sid:84671689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"erpqy89.quillspire.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808588/; classtype:trojan-activity;sid:84671688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"primemicrobe.silvershade.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808587/; classtype:trojan-activity;sid:84671687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.225.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808586/; classtype:trojan-activity;sid:84671686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blen-reef.silvershade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808585/; classtype:trojan-activity;sid:84671685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.19.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808584/; classtype:trojan-activity;sid:84671684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"social-hau.silvershade.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808583/; classtype:trojan-activity;sid:84671683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"5udd-glow.silvershade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808582/; classtype:trojan-activity;sid:84671682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808581)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.53.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808581/; classtype:trojan-activity;sid:84671681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.206.14.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808580/; classtype:trojan-activity;sid:84671680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wolfpas.silvershade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808579/; classtype:trojan-activity;sid:84671679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"exp05e-crest.silvershade.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808578/; classtype:trojan-activity;sid:84671678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.19.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808577/; classtype:trojan-activity;sid:84671677; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.53.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808576/; classtype:trojan-activity;sid:84671676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"partnerreb.mistlatch.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808575/; classtype:trojan-activity;sid:84671675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808574/; classtype:trojan-activity;sid:84671674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"2lripcrt.mistlatch.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808573/; classtype:trojan-activity;sid:84671673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.206.14.6"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808572/; classtype:trojan-activity;sid:84671672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.97.100.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808571/; classtype:trojan-activity;sid:84671671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fabric-plate.mistlatch.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808570/; classtype:trojan-activity;sid:84671670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.212.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808569/; classtype:trojan-activity;sid:84671669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mossroad.mistlatch.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808568/; classtype:trojan-activity;sid:84671668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808567)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.105.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808567/; classtype:trojan-activity;sid:84671667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkmark4et.mistlatch.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808566/; classtype:trojan-activity;sid:84671666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.254.236.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808565/; classtype:trojan-activity;sid:84671665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brokerpasture.mistlatch.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808564/; classtype:trojan-activity;sid:84671664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"po5a.skyl1tfern.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808563/; classtype:trojan-activity;sid:84671663; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808562/; classtype:trojan-activity;sid:84671662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cur1o1-phase.skyl1tfern.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808561/; classtype:trojan-activity;sid:84671661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.212.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808560/; classtype:trojan-activity;sid:84671660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"89n5b.skyl1tfern.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808559/; classtype:trojan-activity;sid:84671659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"5tud1o6-path.skyl1tfern.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808558/; classtype:trojan-activity;sid:84671658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.254.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808557/; classtype:trojan-activity;sid:84671657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.254.236.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808556/; classtype:trojan-activity;sid:84671656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gatewayraven.skyl1tfern.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808555/; classtype:trojan-activity;sid:84671655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808554/; classtype:trojan-activity;sid:84671654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808553)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.40.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808553/; classtype:trojan-activity;sid:84671653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cr4ft9-core.skyl1tfern.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808552/; classtype:trojan-activity;sid:84671652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.186.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808551/; classtype:trojan-activity;sid:84671651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sub-hau1.fabledrift.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808550/; classtype:trojan-activity;sid:84671650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.248.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808549/; 
classtype:trojan-activity;sid:84671649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quorspireum8.fabledrift.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808548/; classtype:trojan-activity;sid:84671648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.186.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808547/; classtype:trojan-activity;sid:84671647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"storyfros.fabledrift.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808546/; classtype:trojan-activity;sid:84671646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tpqicucp.fabledrift.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808545/; classtype:trojan-activity;sid:84671645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808544)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"securclea.fabledrift.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808544/; classtype:trojan-activity;sid:84671644; rev:1;)
# Rule shape shared by every entry below: an outbound HTTP GET from $HOME_NET
# whose http.uri equals the listed path (depth equal to the content length plus
# endswith, case-insensitive) and whose http.host equals the listed host (depth
# equal to the content length plus isdataat:!1,relative).
# These are "alert http" rules on the client side of the flow: they fire on the
# request only, and only for HTTP the sensor sees in cleartext. An alert shows
# that the URL was requested, not that a payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.200.178.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808543/; classtype:trojan-activity;sid:84671643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.24.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808542/; classtype:trojan-activity;sid:84671642; rev:1;)
# NOTE(review): "/verification.google" recurs on several subdomains of
# fabledrift.in.net and thorncairn.in.net in this section. Each rule pins one
# exact subdomain, so another subdomain under the same parent is not covered
# until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arraynarrow.fabledrift.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808541/; classtype:trojan-activity;sid:84671641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.200.178.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808540/; classtype:trojan-activity;sid:84671640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.157.219.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808539/; classtype:trojan-activity;sid:84671639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumlithor9.thorncairn.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808538/; classtype:trojan-activity;sid:84671638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.248.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808537/; classtype:trojan-activity;sid:84671637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"clif-lagoo.thorncairn.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808536/; classtype:trojan-activity;sid:84671636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.35.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808535/; classtype:trojan-activity;sid:84671635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8317177049/xg9j7pf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808534/; classtype:trojan-activity;sid:84671634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.24.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808533/; classtype:trojan-activity;sid:84671633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kfem.thorncairn.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808532/; classtype:trojan-activity;sid:84671632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ze2975m.thorncairn.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808531/; classtype:trojan-activity;sid:84671631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808530)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vgge57l.thorncairn.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808530/; classtype:trojan-activity;sid:84671630; rev:1;)
# Every rule in this section is an exact-URL match on the request side: GET
# method, http.uri equal to the quoted path (depth + endswith, nocase) and
# http.host equal to the quoted host (depth + isdataat:!1,relative).
# One rule is emitted per URL, so the same destination can appear under several
# sids (for example "/i" and "/bin.sh" on one IP, or the two paths on
# www.vame.be). Grouping alerts by destination host keeps those together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.157.219.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808529/; classtype:trojan-activity;sid:84671629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solforgeor4.thorncairn.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808528/; classtype:trojan-activity;sid:84671628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"loyalreel.v7lora.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808527/; classtype:trojan-activity;sid:84671627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.153.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808526/; classtype:trojan-activity;sid:84671626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.147.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808525/; classtype:trojan-activity;sid:84671625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kgb/encrypt.ps1"; depth:16; endswith; nocase; http.host; content:"www.vame.be"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808524/; classtype:trojan-activity;sid:84671624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftp/frvbzpnxf99.bin"; depth:20; endswith; nocase; http.host; content:"www.vame.be"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808523/; classtype:trojan-activity;sid:84671623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tr4ck-frame.v7lora.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808522/; classtype:trojan-activity;sid:84671622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tdp72.v7lora.in.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808521/; classtype:trojan-activity;sid:84671621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sswms.v7lora.in.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808520/; classtype:trojan-activity;sid:84671620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.153.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808519/; classtype:trojan-activity;sid:84671619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"surnm5-route.v7lora.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808518/; classtype:trojan-activity;sid:84671618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.227.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808517/; classtype:trojan-activity;sid:84671617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.75.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808516/; classtype:trojan-activity;sid:84671616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.147.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808515/; classtype:trojan-activity;sid:84671615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"r0ug3-stack.v7lora.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808514/; classtype:trojan-activity;sid:84671614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-pur3.glowhaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808513/; classtype:trojan-activity;sid:84671613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/myphotomsi.jpg"; depth:15; endswith; nocase; http.host; content:"careersconnect.work"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808510/; classtype:trojan-activity;sid:84671610;
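rev:1;)
# Rule shape in this section: outbound HTTP GET from $HOME_NET, http.uri equal
# to the quoted path (depth + endswith, nocase), http.host equal to the quoted
# host (depth + isdataat:!1,relative). Only the client request is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beta_evaluation_distribute_v4.4.1.bat"; depth:38; endswith; nocase; http.host; content:"176.98.182.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808506/; classtype:trojan-activity;sid:84671606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwormclient.exe"; depth:16; endswith; nocase; http.host; content:"epgoldsecurity.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808507/; classtype:trojan-activity;sid:84671607; rev:1;)
# NOTE(review): this host (also used by sid 84671605 below) sits on a shared
# tunnelling platform. An "alert http" rule only sees the request when it is
# made over cleartext HTTP or TLS is decrypted before the sensor; DNS or TLS
# SNI visibility for the same hostname covers the encrypted case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rechung.pdf"; depth:12; endswith; nocase; http.host; content:"wet-envelope-beam-laser.trycloudflare.com"; depth:41; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808508/; classtype:trojan-activity;sid:84671608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadoclient.exe"; depth:16; endswith; nocase; http.host; content:"epgoldsecurity.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808509/; classtype:trojan-activity;sid:84671609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadowclient.exe"; depth:17; endswith; nocase; http.host; content:"epgoldsecurity.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808504/; classtype:trojan-activity;sid:84671604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombmh.dat"; depth:10; endswith; nocase; http.host; content:"wet-envelope-beam-laser.trycloudflare.com"; depth:41; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808505/; classtype:trojan-activity;sid:84671605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php"; depth:13; endswith; nocase; http.host; content:"getzoomupdate.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808501/; classtype:trojan-activity;sid:84671601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwormclient2.exe"; depth:17; endswith; nocase; http.host; content:"epgoldsecurity.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808502/; classtype:trojan-activity;sid:84671602; rev:1;)
# http.uri is Suricata's normalized URI buffer: a percent-encoded space (%20)
# is already decoded there, so a literal "%20" in the content cannot match and
# the rule would stay silent. The next three rules therefore match the decoded
# byte (|20|); depth goes from 21 to 19 so the path is still matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress|20|2026.zip"; depth:19; endswith; nocase; http.host; content:"jem-mialwe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808503/; classtype:trojan-activity;sid:84671603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress|20|2026.zip"; depth:19; endswith; nocase; http.host; content:"jem-mialwe.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808499/; classtype:trojan-activity;sid:84671599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress|20|2026.zip"; depth:19; endswith; nocase; http.host; content:"inomanliner.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808500/; classtype:trojan-activity;sid:84671600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miumiu.7z"; depth:10; endswith; nocase; http.host; content:"mlbkn.com"; depth:9; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808498/; classtype:trojan-activity;sid:84671598; rev:1;)
# NOTE(review): the host below is a per-bucket name on a shared storage domain;
# as with any "alert http" rule, a fetch over TLS is not inspected unless the
# traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobe_updated_27.092.3029.vbs"; depth:30; endswith; nocase; http.host; content:"pub-eb752c5fc6fd4e21973d399eafb1844c.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808496/; classtype:trojan-activity;sid:84671596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/startgo18.03.2026v/gostartworksvby.jpg"; depth:39; endswith; nocase; http.host;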
content:"careersconnect.work"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808497/; classtype:trojan-activity;sid:84671597; rev:1;)
# Rules below alert on an outbound HTTP GET whose http.uri is exactly the quoted
# path (depth + endswith, nocase) and whose http.host is exactly the quoted host
# (depth + isdataat:!1,relative). They match the request only; the response is
# not examined.
# NOTE(review): "/verification.google" appears here on many subdomains of
# glowhaven.in.net and cinderbay.in.net, one sid per subdomain. Subdomains not
# listed in the feed are not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.95.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808495/; classtype:trojan-activity;sid:84671595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pr1v-zone.glowhaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808494/; classtype:trojan-activity;sid:84671594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.189.26.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808493/; classtype:trojan-activity;sid:84671593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pin3-point.glowhaven.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808492/; classtype:trojan-activity;sid:84671592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.218.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808491/; classtype:trojan-activity;sid:84671591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fz01ob.glowhaven.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808490/; classtype:trojan-activity;sid:84671590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quatrigge.glowhaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808489/; classtype:trojan-activity;sid:84671589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.29.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808487/; classtype:trojan-activity;sid:84671587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.29.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808488/; classtype:trojan-activity;sid:84671588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"normesh0a.glowhaven.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808486/; classtype:trojan-activity;sid:84671586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.75.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808485/; classtype:trojan-activity;sid:84671585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808484/; classtype:trojan-activity;sid:84671584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.75.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808483/; classtype:trojan-activity;sid:84671583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"triforgea4.cinderbay.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808482/; classtype:trojan-activity;sid:84671582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"velvetautu.cinderbay.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808481/; classtype:trojan-activity;sid:84671581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.189.26.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808480/; classtype:trojan-activity;sid:84671580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.99.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808479/; classtype:trojan-activity;sid:84671579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"coralsolid.cinderbay.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808478/; classtype:trojan-activity;sid:84671578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3808477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.238.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808477/; classtype:trojan-activity;sid:84671577; rev:1;)
# Same template for each rule in this section: GET request, http.uri equal to
# the quoted path (depth + endswith, nocase), http.host equal to the quoted host
# (depth + isdataat:!1,relative), client-to-server direction only.
# For the bare-IP entries the Host header must carry that IP literal; the short
# paths "/i" and "/bin.sh" are common to many entries, so the host match is what
# makes each rule specific.
# NOTE(review): the "/verification.google" entries here cover subdomains of
# cinderbay.in.net and mossbyte.in.net one by one; unlisted subdomains of the
# same parents are not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ziuyacdv.cinderbay.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808476/; classtype:trojan-activity;sid:84671576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808475/; classtype:trojan-activity;sid:84671575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"talline1is.cinderbay.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808474/; classtype:trojan-activity;sid:84671574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"poster-port.cinderbay.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808473/; classtype:trojan-activity;sid:84671573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.73.17.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808472/; classtype:trojan-activity;sid:84671572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.75.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808471/; classtype:trojan-activity;sid:84671571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.94.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808470/; classtype:trojan-activity;sid:84671570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.99.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808469/; classtype:trojan-activity;sid:84671569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"falldusk.mossbyte.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808468/; classtype:trojan-activity;sid:84671568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wkilqh.mossbyte.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808467/; classtype:trojan-activity;sid:84671567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wavrapi.mossbyte.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808466/; classtype:trojan-activity;sid:84671566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gb3r.mossbyte.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808465/; classtype:trojan-activity;sid:84671565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.127.227.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808464/; classtype:trojan-activity;sid:84671564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"r6cp.mossbyte.in.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808463/; classtype:trojan-activity;sid:84671563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808462/; classtype:trojan-activity;sid:84671562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.240.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808461/; classtype:trojan-activity;sid:84671561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nor-lineor.mossbyte.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808460/; classtype:trojan-activity;sid:84671560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url,
urlhaus.abuse.ch/url/3808459/; classtype:trojan-activity;sid:84671559; rev:1;)
# The "/hiddenbin/boatnet.*" rules in this section all pin host 87.121.84.19
# and differ only in the filename suffix (x86_64, m68k, spc, arm7, mips, sh4,
# x86, arm5, arm, arm6, arc, ppc). The suffixes look like CPU-architecture tags,
# presumably one build per architecture; this file does not confirm that.
# Because http.uri is matched exactly (depth + endswith), a suffix that is not
# listed here is not covered by any of these sids.
# All rules match the client request only and only cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808453/; classtype:trojan-activity;sid:84671553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808454/; classtype:trojan-activity;sid:84671554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808455/; classtype:trojan-activity;sid:84671555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808456/; classtype:trojan-activity;sid:84671556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808457/; classtype:trojan-activity;sid:84671557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808458/; classtype:trojan-activity;sid:84671558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808452/; classtype:trojan-activity;sid:84671552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808451/; classtype:trojan-activity;sid:84671551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808449/; classtype:trojan-activity;sid:84671549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808450/; classtype:trojan-activity;sid:84671550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808447/; classtype:trojan-activity;sid:84671547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"87.121.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808448/; classtype:trojan-activity;sid:84671548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"handleramber.cl0verpeak.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808446/; classtype:trojan-activity;sid:84671546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.58.229.39"; depth:13;
isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808445/; classtype:trojan-activity;sid:84671545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scrip8-grid.cl0verpeak.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808444/; classtype:trojan-activity;sid:84671544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.198.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808443/; classtype:trojan-activity;sid:84671543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zennexos5.cl0verpeak.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808442/; classtype:trojan-activity;sid:84671542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.71.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808441/; classtype:trojan-activity;sid:84671541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808440)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.124.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808440/; classtype:trojan-activity;sid:84671540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tri-coreen.cl0verpeak.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808439/; classtype:trojan-activity;sid:84671539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.227.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808438/; classtype:trojan-activity;sid:84671538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dtlxmaf.cl0verpeak.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808437/; classtype:trojan-activity;sid:84671537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.9.165.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808436/; classtype:trojan-activity;sid:84671536; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.240.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808435/; classtype:trojan-activity;sid:84671535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.184.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808434/; classtype:trojan-activity;sid:84671534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"voyageinspect.cl0verpeak.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808433/; classtype:trojan-activity;sid:84671533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.77.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808432/; classtype:trojan-activity;sid:84671532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.188.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808431/; classtype:trojan-activity;sid:84671531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solcresten3.n0vabrook.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808430/; classtype:trojan-activity;sid:84671530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.231.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808429/; classtype:trojan-activity;sid:84671529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.107.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808428/; classtype:trojan-activity;sid:84671528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"delta6-zone.stormglade.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808427/; classtype:trojan-activity;sid:84671527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808426)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.71.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808426/; classtype:trojan-activity;sid:84671526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.124.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808425/; classtype:trojan-activity;sid:84671525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"roy4l-node.foxrunet.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808424/; classtype:trojan-activity;sid:84671524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tru37-point.oakwhisper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808423/; classtype:trojan-activity;sid:84671523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.77.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808422/; classtype:trojan-activity;sid:84671522; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.9.165.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808421/; classtype:trojan-activity;sid:84671521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"d3ep-forge.br1ghtmere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808420/; classtype:trojan-activity;sid:84671520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.205.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808419/; classtype:trojan-activity;sid:84671519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vzdgys.starforge.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808418/; classtype:trojan-activity;sid:84671518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.243.126"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808417/; classtype:trojan-activity;sid:84671517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808416/; classtype:trojan-activity;sid:84671516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.231.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808415/; classtype:trojan-activity;sid:84671515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.234.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808414/; classtype:trojan-activity;sid:84671514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yx16l.n0vabrook.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808413/; classtype:trojan-activity;sid:84671513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808412)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sh1f-signal.n0vabrook.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808412/; classtype:trojan-activity;sid:84671512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.197.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808410/; classtype:trojan-activity;sid:84671510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.36.9.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808411/; classtype:trojan-activity;sid:84671511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.249.70.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808409/; classtype:trojan-activity;sid:84671509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gl0ss-grid.n0vabrook.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808408/; classtype:trojan-activity;sid:84671508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3808406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.230.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808406/; classtype:trojan-activity;sid:84671506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.184.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808407/; classtype:trojan-activity;sid:84671507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.234.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808405/; classtype:trojan-activity;sid:84671505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.235.123.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808404/; classtype:trojan-activity;sid:84671504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.60.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808403/; 
classtype:trojan-activity;sid:84671503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808402/; classtype:trojan-activity;sid:84671502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808401/; classtype:trojan-activity;sid:84671501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hmndwk.n0vabrook.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808400/; classtype:trojan-activity;sid:84671500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.139.3.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808399/; classtype:trojan-activity;sid:84671499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"capitclou.stormglade.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808398/; classtype:trojan-activity;sid:84671498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.36.9.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808397/; classtype:trojan-activity;sid:84671497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"creekcargo.stormglade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808396/; classtype:trojan-activity;sid:84671496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"39vhl.stormglade.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808395/; classtype:trojan-activity;sid:84671495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.40.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808394/; classtype:trojan-activity;sid:84671494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3808393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.249.70.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808393/; classtype:trojan-activity;sid:84671493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.227.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808392/; classtype:trojan-activity;sid:84671492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.197.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808391/; classtype:trojan-activity;sid:84671491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.230.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808390/; classtype:trojan-activity;sid:84671490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.91.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808389/; classtype:trojan-activity;sid:84671489; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dpvvgwcg.stormglade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808388/; classtype:trojan-activity;sid:84671488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.227.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808387/; classtype:trojan-activity;sid:84671487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.255.10.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808385/; classtype:trojan-activity;sid:84671485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808386/; classtype:trojan-activity;sid:84671486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.235.123.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808384/; classtype:trojan-activity;sid:84671484; rev:1;)
# The next three rules match GET /verification.google on three different subdomains of
# foxrunet.in.net. The same exact path appears in this ruleset under other *.in.net parents
# (for example mossbyte, cl0verpeak, n0vabrook, stormglade, oakwhisper), each with many
# one-off subdomain labels.
# NOTE(review): every rule pins one full hostname (depth:<len> + isdataat:!1,relative on
# http.host), so a subdomain that has not been listed yet will not alert. The shared path
# looks like the more stable indicator - presumably one campaign rotating hostnames; confirm
# against the referenced URLhaus entries before building a local hunt on the path alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sceneretainer.foxrunet.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808383/; classtype:trojan-activity;sid:84671483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"field-shoa.foxrunet.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808382/; classtype:trojan-activity;sid:84671482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"margingene.foxrunet.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808381/; classtype:trojan-activity;sid:84671481; rev:1;)
# Bare-IP host with the exact path /bin.sh; the same host and path pattern recurs throughout
# this ruleset with different addresses.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.91.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808380/; classtype:trojan-activity;sid:84671480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808379)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cybdh.foxrunet.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808379/; classtype:trojan-activity;sid:84671479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.37.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808378/; classtype:trojan-activity;sid:84671478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808377/; classtype:trojan-activity;sid:84671477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.244.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808376/; classtype:trojan-activity;sid:84671476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.24.36.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808375/; classtype:trojan-activity;sid:84671475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3808374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.37.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808374/; classtype:trojan-activity;sid:84671474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solline0en.oakwhisper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808373/; classtype:trojan-activity;sid:84671473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.60.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808372/; classtype:trojan-activity;sid:84671472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"atom-mount.oakwhisper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808371/; classtype:trojan-activity;sid:84671471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.70.199.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, 
urlhaus.abuse.ch/url/3808369/; classtype:trojan-activity;sid:84671469; rev:1;)
# Layout note: rules are shown one per line here; the fragment above and the fragment at the
# end of this span belong to rules that continue on the neighbouring lines.
#
# Exact-match IoC rules: `depth` equal to the content length together with `endswith` pins
# http.uri to exactly the listed path, and `depth` together with `isdataat:!1,relative` pins
# http.host to exactly the listed host. Coverage is therefore limited to the reported URL;
# a request for the same host with a query string or another path is not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.199.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808370/; classtype:trojan-activity;sid:84671470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.255.10.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808368/; classtype:trojan-activity;sid:84671468; rev:1;)
# Package-index entries: the next two rules match the exact wheel paths for telnyx 4.87.1 and
# telnyx 4.87.2 on files.pythonhosted.org, which this feed lists as malware download URLs.
# NOTE(review): `alert http` inspects clear-text HTTP only. Package installers normally fetch
# from this host over TLS, so these rules presumably fire only where TLS is decrypted ahead of
# the sensor - confirm sensor placement before relying on them.
# Silence from these rules is not evidence of absence: also audit lockfiles, build caches and
# installed environments for these exact package versions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packages/83/b7/5e93f51cd157cc8cf5599f387e587a1926d50fc7e54fb76d04b342341fb0/telnyx-4.87.1-py3-none-any.whl"; depth:107; endswith; nocase; http.host; content:"files.pythonhosted.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808366/; classtype:trojan-activity;sid:84671466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packages/5a/73/87cb49434a1f89f253819b81993d3a4e65186ae08b013b9825633ceac359/telnyx-4.87.2-py3-none-any.whl"; depth:107; endswith; nocase; http.host; content:"files.pythonhosted.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808367/; classtype:trojan-activity;sid:84671467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3808365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808365/; classtype:trojan-activity;sid:84671465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"50ravelv.oakwhisper.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808364/; classtype:trojan-activity;sid:84671464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dispatchmemory.oakwhisper.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808363/; classtype:trojan-activity;sid:84671463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proto-tru5ted.br1ghtmere.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808362/; classtype:trojan-activity;sid:84671462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.168.208.78"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808361/; classtype:trojan-activity;sid:84671461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.54.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808360/; classtype:trojan-activity;sid:84671460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"runti5-flow.br1ghtmere.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808359/; classtype:trojan-activity;sid:84671459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"95abc92.br1ghtmere.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808358/; classtype:trojan-activity;sid:84671458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.9.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808357/; classtype:trojan-activity;sid:84671457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808356)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.114.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808356/; classtype:trojan-activity;sid:84671456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yyin.br1ghtmere.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808355/; classtype:trojan-activity;sid:84671455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.30.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808354/; classtype:trojan-activity;sid:84671454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.140.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808353/; classtype:trojan-activity;sid:84671453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"geyseropti.starforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808352/; classtype:trojan-activity;sid:84671452; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.243.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808351/; classtype:trojan-activity;sid:84671451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.54.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808350/; classtype:trojan-activity;sid:84671450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.125.55.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808349/; classtype:trojan-activity;sid:84671449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tranrur.starforge.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808348/; classtype:trojan-activity;sid:84671448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808347/; classtype:trojan-activity;sid:84671447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.241.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808346/; classtype:trojan-activity;sid:84671446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-0rch.starforge.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808345/; classtype:trojan-activity;sid:84671445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.114.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808344/; classtype:trojan-activity;sid:84671444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.140.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808343/; classtype:trojan-activity;sid:84671443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; 
depth:20; endswith; nocase; http.host; content:"bzknn.starforge.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808342/; classtype:trojan-activity;sid:84671442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808341/; classtype:trojan-activity;sid:84671441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wu4747.n0vabrook.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808340/; classtype:trojan-activity;sid:84671440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.224.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808339/; classtype:trojan-activity;sid:84671439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.48.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808333/; classtype:trojan-activity;sid:84671433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3808334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.218.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808334/; classtype:trojan-activity;sid:84671434; rev:1;)
# Layout note: rules are shown one per line here; the fragment above and the fragment at the
# end of this span belong to rules that continue on the neighbouring lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.242.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808332/; classtype:trojan-activity;sid:84671432; rev:1;)
# Shared-service hosts: several rules in this span name pastebin.com or an
# r2.cloudflarestorage.com bucket host. On such hosts only the host + exact path pair is the
# indicator; the host on its own is not, so do not derive host or domain blocks from these rules.
# NOTE(review): `alert http` inspects clear-text HTTP only; these services are normally reached
# over TLS, so the rules presumably need decrypted traffic to fire - confirm sensor placement.
# NOTE(review): the paste paths are lowercase and carry `nocase`. Paste identifiers are
# presumably case-sensitive, in which case a different paste spelled with the same letters in
# another case would also alert - check each hit against the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/gvqmqepp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808331/; classtype:trojan-activity;sid:84671431; rev:1;)
# The archive names in 3808329 and 3808325 reference a Sogou input-method installer
# (presumably a software-download lure - confirm against the URLhaus entries).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sogou_pinyin_x64_v20_win.zip"; depth:29; endswith; nocase; http.host; content:"www.shanmaocnhingkong-oss.top"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808329/; classtype:trojan-activity;sid:84671429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gvqmqepp"; depth:9; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808330/; classtype:trojan-activity;sid:84671430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/urllink/www-win-sogou-com/windows/sg.setupbiyi.5.16.11.5lln.zip"; depth:64; endswith; nocase; http.host; content:"62c013c91f7f8152044efae44a432404.r2.cloudflarestorage.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808325/; classtype:trojan-activity;sid:84671425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/nfafgnh6"; depth:12; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808326/; classtype:trojan-activity;sid:84671426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k9rhtwbb"; depth:9; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808327/; classtype:trojan-activity;sid:84671427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/wxsgamud"; depth:12; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808328/; classtype:trojan-activity;sid:84671428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808324)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.32.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808324/; classtype:trojan-activity;sid:84671424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"guarmea.n0vabrook.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808323/; classtype:trojan-activity;sid:84671423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.189.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808322/; classtype:trojan-activity;sid:84671422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.241.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808321/; classtype:trojan-activity;sid:84671421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quick8-chain.n0vabrook.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808320/; classtype:trojan-activity;sid:84671420; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"decode-stead.n0vabrook.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808319/; classtype:trojan-activity;sid:84671419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.208.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808318/; classtype:trojan-activity;sid:84671418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.224.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808317/; classtype:trojan-activity;sid:84671417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"3d1t-node.n0vabrook.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808316/; classtype:trojan-activity;sid:84671416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proto-p0rt.n0vabrook.in.net"; depth:27; 
isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808315/; classtype:trojan-activity;sid:84671415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.226.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808314/; classtype:trojan-activity;sid:84671414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.32.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808313/; classtype:trojan-activity;sid:84671413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.166.152.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808312/; classtype:trojan-activity;sid:84671412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808311/; classtype:trojan-activity;sid:84671411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"115.49.208.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808310/; classtype:trojan-activity;sid:84671410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"anch0r1-route.stormglade.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808309/; classtype:trojan-activity;sid:84671409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.149.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808308/; classtype:trojan-activity;sid:84671408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"we5ohkh2.stormglade.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808307/; classtype:trojan-activity;sid:84671407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.9.66.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808306/; classtype:trojan-activity;sid:84671406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3808305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.203.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808305/; classtype:trojan-activity;sid:84671405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.175.206.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808304/; classtype:trojan-activity;sid:84671404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.195.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808303/; classtype:trojan-activity;sid:84671403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ligh-stric.stormglade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808302/; classtype:trojan-activity;sid:84671402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.9.66.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808301/; 
classtype:trojan-activity;sid:84671401; rev:1;)
# Layout: one rule per line. Suricata reads a rule from a single line unless the
# line ends in a backslash continuation.
#
# Every rule below pins exactly one URLhaus entry (see reference:url):
#   - flow:established,from_client + http.method "GET": client request only.
#   - http.uri: depth:<content length> forces the match to start at offset 0 and
#     endswith forces it to stop at the end of the buffer, so the URI must equal
#     the content (case-insensitively, because of nocase). A query string or any
#     other path on the same host does not match.
#   - http.host: depth:<content length> plus isdataat:!1,relative (no byte may
#     follow the match) makes the host comparison exact as well.
# "/i" and "/bin.sh" carry no signal on their own; the pinned host is what makes
# them specific. 117.209.88.134 and 113.238.249.145 appear here with both paths.
# The "/verification.google" rules each name one subdomain of stormglade.in.net
# or foxrunet.in.net; a subdomain that is not listed is not covered.
# NOTE(review): http.host is expected to hold the normalized host name (lower
# case, port removed), so a rule would fire regardless of destination port -
# confirm for the deployed Suricata version.
# NOTE(review): alerts depend on $HOME_NET / $EXTERNAL_NET being set correctly on
# the sensor. These are point-in-time indicators (created_at 2026_03_30); plan to
# refresh from the feed rather than keeping stale copies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.175.206.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808300/; classtype:trojan-activity;sid:84671400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"offecargo.stormglade.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808298/; classtype:trojan-activity;sid:84671398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.88.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808299/; classtype:trojan-activity;sid:84671399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.233.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808297/; classtype:trojan-activity;sid:84671397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quordra3os.stormglade.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808296/; classtype:trojan-activity;sid:84671396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.249.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808295/; classtype:trojan-activity;sid:84671395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"crimsonpublish.stormglade.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808294/; classtype:trojan-activity;sid:84671394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.93.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808293/; classtype:trojan-activity;sid:84671393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.109.126.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808292/; classtype:trojan-activity;sid:84671392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nortideis.foxrunet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808291/; classtype:trojan-activity;sid:84671391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.212.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808290/; classtype:trojan-activity;sid:84671390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.88.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808289/; classtype:trojan-activity;sid:84671389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"echo-draf.foxrunet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808288/; classtype:trojan-activity;sid:84671388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.149.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808287/; classtype:trojan-activity;sid:84671387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"refineterminal.foxrunet.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808286/; classtype:trojan-activity;sid:84671386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.249.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808285/; classtype:trojan-activity;sid:84671385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"urbanvoya.foxrunet.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808284/; classtype:trojan-activity;sid:84671384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.93.72.156"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808283/; classtype:trojan-activity;sid:84671383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"27.215.212.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808282/; classtype:trojan-activity;sid:84671382; rev:1;)
# Layout: one rule per line. Each rule matches a GET whose http.uri and http.host
# are both compared exactly (depth:<length> + endswith on the URI,
# depth:<length> + isdataat:!1,relative on the host; nocase applies to the URI).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lwvkfb.foxrunet.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808281/; classtype:trojan-activity;sid:84671381; rev:1;)
# --- GitHub-hosted archives (sids 84671369-84671380) ---
# Each .zip appears twice: as the github.com "/<user>/<repo>/raw/refs/heads/..."
# path and as the raw.githubusercontent.com "/<user>/<repo>/refs/heads/..." path.
# The host alone is benign and shared; only host + full path identifies the entry.
# Because the URI match is exact, another branch or file in the same repository
# is not covered by these rules.
# NOTE(review): these are "alert http" rules, so they only inspect HTTP the
# sensor can read in cleartext. Both hosts are normally reached over HTTPS; unless
# TLS is decrypted ahead of the sensor these rules are unlikely to fire. Cover the
# same URLs from proxy or endpoint URL telemetry as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skullzoinks/realdesk/refs/heads/main/lib/features/xbox/real_desk_nostrum.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808279/; classtype:trojan-activity;sid:84671379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skullzoinks/realdesk/raw/refs/heads/main/lib/features/xbox/real_desk_nostrum.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808280/; classtype:trojan-activity;sid:84671380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lordjos16/pixelbuddy/raw/refs/heads/main/pixelbuddy/buddy_pixel_v2.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808269/; classtype:trojan-activity;sid:84671369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lordjos16/pixelbuddy/refs/heads/main/pixelbuddy/buddy_pixel_v2.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808270/; classtype:trojan-activity;sid:84671370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aybibilalkali/nokia-book/refs/heads/master/03/minik/examples/book-nokia-2.4.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808271/; classtype:trojan-activity;sid:84671371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inevitable-code101/game-hub/refs/heads/main/game-site-fire/src/components/updateinfo/hub_game_chloropalladates.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808272/; classtype:trojan-activity;sid:84671372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dannyjune79/tangnano20k-pooyan/refs/heads/main/tn20k-pooyan/schematics/pooyan-tang-nano-v3.7.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808273/; classtype:trojan-activity;sid:84671373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aybibilalkali/blooket/refs/heads/master/thrasonic/software_perfoliation.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808274/; classtype:trojan-activity;sid:84671374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inevitable-code101/game-hub/raw/refs/heads/main/game-site-fire/src/components/updateinfo/hub_game_chloropalladates.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808275/; classtype:trojan-activity;sid:84671375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aybibilalkali/nokia-book/raw/refs/heads/master/03/minik/examples/book-nokia-2.4.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808276/; classtype:trojan-activity;sid:84671376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dannyjune79/tangnano20k-pooyan/raw/refs/heads/main/tn20k-pooyan/schematics/pooyan-tang-nano-v3.7.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808277/; classtype:trojan-activity;sid:84671377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aybibilalkali/blooket/raw/refs/heads/master/thrasonic/software_perfoliation.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808278/; classtype:trojan-activity;sid:84671378; rev:1;)
# --- end of GitHub-hosted entries; single-host entries resume ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"subtlsegme.foxrunet.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808268/; classtype:trojan-activity;sid:84671368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"11kzvq.oakwhisper.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808267/; classtype:trojan-activity;sid:84671367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.63.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808266/; classtype:trojan-activity;sid:84671366; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wpx3375n.oakwhisper.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808265/; classtype:trojan-activity;sid:84671365; rev:1;)
# Layout: one rule per line. Each rule alerts on a client GET whose URI and Host
# both equal the listed strings (URI: depth:<length> + endswith, nocase;
# host: depth:<length> + isdataat:!1,relative).
# The "/verification.google" rules in this stretch each pin one subdomain of
# oakwhisper.in.net, br1ghtmere.in.net or starforge.in.net.
# NOTE(review): because the host comparison is exact, a sibling subdomain that
# has not reached the feed yet is missed. Whether to add local coverage for the
# parent domains is a false-positive trade-off; check DNS / proxy logs for
# legitimate use of those parents before doing so.
# 123.8.9.140 appears with both "/i" and "/bin.sh"; alerts for such pairs point
# at the same destination and can be triaged together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.78.58"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808264/; classtype:trojan-activity;sid:84671364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"riverrefine.oakwhisper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808263/; classtype:trojan-activity;sid:84671363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyper-4uth.oakwhisper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808262/; classtype:trojan-activity;sid:84671362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.9.140"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808260/; classtype:trojan-activity;sid:84671360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"filteglob.oakwhisper.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808261/; classtype:trojan-activity;sid:84671361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.1.26.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808259/; classtype:trojan-activity;sid:84671359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"runwaypublic.oakwhisper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808258/; classtype:trojan-activity;sid:84671358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vmcs.br1ghtmere.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808257/; classtype:trojan-activity;sid:84671357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tal-venal.br1ghtmere.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808256/; classtype:trojan-activity;sid:84671356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.199.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808255/; classtype:trojan-activity;sid:84671355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.205.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808254/; classtype:trojan-activity;sid:84671354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.9.140"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808253/; classtype:trojan-activity;sid:84671353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wgyinknm.br1ghtmere.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808252/; classtype:trojan-activity;sid:84671352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.44.136.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808251/; classtype:trojan-activity;sid:84671351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.163.134.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808250/; classtype:trojan-activity;sid:84671350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"screennotify.br1ghtmere.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808249/; classtype:trojan-activity;sid:84671349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.204.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808248/; classtype:trojan-activity;sid:84671348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cell-plate.br1ghtmere.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808247/; classtype:trojan-activity;sid:84671347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7411337060/m94sczj.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808246/; classtype:trojan-activity;sid:84671346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"n73pw.br1ghtmere.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808245/; classtype:trojan-activity;sid:84671345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"aftwizk.starforge.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808244/; classtype:trojan-activity;sid:84671344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.19.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808243/; classtype:trojan-activity;sid:84671343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3808242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.163.134.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808242/; classtype:trojan-activity;sid:84671342; rev:1;)
# Layout: one rule per line. Each rule is an exact URL indicator: GET, URI equal
# to the http.uri content (depth:<length> + endswith, nocase) and Host equal to
# the http.host content (depth:<length> + isdataat:!1,relative).
# Short paths such as "/i", "/bin.sh", "/arm4k" and "/isis.sh" are only specific
# in combination with the pinned host. 42.228.34.149 and 222.246.43.2 appear here
# with both "/i" and "/bin.sh".
# The "/verification.google" rules each pin one subdomain of starforge.in.net or
# infrastructurehub.in.net; unlisted subdomains are not matched.
# NOTE(review): an alert shows that the request was sent, not that a payload was
# delivered or executed. Confirm with the HTTP response (status, body size) or
# host telemetry before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zencrestal2.starforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808241/; classtype:trojan-activity;sid:84671341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.42.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808240/; classtype:trojan-activity;sid:84671340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.34.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808239/; classtype:trojan-activity;sid:84671339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"icegold.starforge.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808238/; classtype:trojan-activity;sid:84671338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.9.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808237/; classtype:trojan-activity;sid:84671337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"80tlyi.starforge.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808236/; classtype:trojan-activity;sid:84671336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.1.238.186"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808235/; classtype:trojan-activity;sid:84671335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.19.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808234/; classtype:trojan-activity;sid:84671334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vvave3-gate.starforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808233/; classtype:trojan-activity;sid:84671333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.199.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808232/; classtype:trojan-activity;sid:84671332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.123.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808231/; classtype:trojan-activity;sid:84671331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumvale8is.starforge.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808230/; classtype:trojan-activity;sid:84671330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.34.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808229/; classtype:trojan-activity;sid:84671329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.246.43.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808228/; classtype:trojan-activity;sid:84671328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"resource-api.infrastructurehub.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808227/; classtype:trojan-activity;sid:84671327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.140.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808226/; classtype:trojan-activity;sid:84671326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"power-plant.infrastructurehub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808225/; classtype:trojan-activity;sid:84671325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.80.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808224/; classtype:trojan-activity;sid:84671324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.246.43.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808223/; classtype:trojan-activity;sid:84671323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"asset-track.infrastructurehub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808222/; classtype:trojan-activity;sid:84671322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4k"; depth:6; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808220/; classtype:trojan-activity;sid:84671320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isis.sh"; depth:8; endswith; nocase; http.host; content:"192.227.183.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808221/; classtype:trojan-activity;sid:84671321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"117.212.52.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808219/; classtype:trojan-activity;sid:84671319; rev:1;)
# Layout: one rule per line. Each rule matches a GET whose URI and Host equal the
# listed strings exactly (URI: depth:<length> + endswith, nocase; host:
# depth:<length> + isdataat:!1,relative).
# 142.248.80.144 is pinned by ten rules in this stretch: "/lol.sh" plus nine
# "/lemperluvkurayami/kurayami.<suffix>" files (x86_64, m68k, ppc, arm64, x86,
# arm, arm7, arm5, i686). Each file has its own sid, so one client contacting that
# host can raise several alerts; group them by destination when triaging.
# NOTE(review): the suffixes look like CPU architecture names, which would
# suggest per-architecture builds of one payload - not verifiable from the rules;
# see the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh"; depth:7; endswith; nocase; http.host; content:"cn.bossjy.cc.cd"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808218/; classtype:trojan-activity;sid:84671318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.x86_64"; depth:34; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808210/; classtype:trojan-activity;sid:84671310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.m68k"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808211/; classtype:trojan-activity;sid:84671311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.ppc"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808212/; classtype:trojan-activity;sid:84671312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm64"; depth:33; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808213/; classtype:trojan-activity;sid:84671313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.x86"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808214/; classtype:trojan-activity;sid:84671314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808215/; classtype:trojan-activity;sid:84671315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808216/; classtype:trojan-activity;sid:84671316; rev:1;)
# Different hosts: the next two rules are unrelated to 142.248.80.144.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"83.142.209.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808217/; classtype:trojan-activity;sid:84671317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808201/; classtype:trojan-activity;sid:84671301; rev:1;)
# 142.248.80.144 again (remaining kurayami.<suffix> files).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm7"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808202/; classtype:trojan-activity;sid:84671302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm5"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808203/; classtype:trojan-activity;sid:84671303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.i686"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808204/; classtype:trojan-activity;sid:84671304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808205)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arc"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808205/; classtype:trojan-activity;sid:84671305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.mips"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808206/; classtype:trojan-activity;sid:84671306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm6"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808207/; classtype:trojan-activity;sid:84671307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.sh4"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808208/; classtype:trojan-activity;sid:84671308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.mpsl"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, 
urlhaus.abuse.ch/url/3808209/; classtype:trojan-activity;sid:84671309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808199/; classtype:trojan-activity;sid:84671299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.123.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808200/; classtype:trojan-activity;sid:84671300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.sparc"; depth:14; endswith; nocase; http.host; content:"87.120.191.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808194/; classtype:trojan-activity;sid:84671294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.i586"; depth:13; endswith; nocase; http.host; content:"87.120.191.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808195/; classtype:trojan-activity;sid:84671295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i468"; depth:24; 
endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808196/; classtype:trojan-activity;sid:84671296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808197/; classtype:trojan-activity;sid:84671297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808198/; classtype:trojan-activity;sid:84671298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7k"; depth:6; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808189/; classtype:trojan-activity;sid:84671289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpslk"; depth:6; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808190/; classtype:trojan-activity;sid:84671290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3808191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsk"; depth:6; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808191/; classtype:trojan-activity;sid:84671291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5k"; depth:6; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808192/; classtype:trojan-activity;sid:84671292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"45.139.104.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808193/; classtype:trojan-activity;sid:84671293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr."; depth:9; endswith; nocase; http.host; content:"194.163.151.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808186/; classtype:trojan-activity;sid:84671286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.i468"; depth:32; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808187/; 
classtype:trojan-activity;sid:84671287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.spc"; depth:31; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808188/; classtype:trojan-activity;sid:84671288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mipsel"; depth:15; endswith; nocase; http.host; content:"87.120.191.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808185/; classtype:trojan-activity;sid:84671285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808180/; classtype:trojan-activity;sid:84671280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr."; depth:14; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808181/; classtype:trojan-activity;sid:84671281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php"; depth:7; endswith; nocase; 
http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808182/; classtype:trojan-activity;sid:84671282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808183/; classtype:trojan-activity;sid:84671283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.i468"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808184/; classtype:trojan-activity;sid:84671284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tc/fvdehqlqwcsnwx33.bin"; depth:24; endswith; nocase; http.host; content:"jieqaingdaolu.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808179/; classtype:trojan-activity;sid:84671279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tc.php"; depth:7; endswith; nocase; http.host; content:"jieqaingdaolu.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808178/; classtype:trojan-activity;sid:84671278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"base-build.infrastructurehub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808176/; classtype:trojan-activity;sid:84671276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.80.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808177/; classtype:trojan-activity;sid:84671277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.76.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808175/; classtype:trojan-activity;sid:84671275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.140.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808174/; classtype:trojan-activity;sid:84671274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.140.44.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808173/; 
classtype:trojan-activity;sid:84671273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.43.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808170/; classtype:trojan-activity;sid:84671270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.179.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808171/; classtype:trojan-activity;sid:84671271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.76.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808172/; classtype:trojan-activity;sid:84671272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.183.140.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808169/; classtype:trojan-activity;sid:84671269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.179.12"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808168/; classtype:trojan-activity;sid:84671268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.54.107"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808166/; classtype:trojan-activity;sid:84671266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.233.77.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808167/; classtype:trojan-activity;sid:84671267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.39.79.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808165/; classtype:trojan-activity;sid:84671265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.217.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808163/; classtype:trojan-activity;sid:84671263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"149.3.101.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808164/; classtype:trojan-activity;sid:84671264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solid-state.infrastructurehub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808162/; classtype:trojan-activity;sid:84671262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808155/; classtype:trojan-activity;sid:84671255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.54.107"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808156/; classtype:trojan-activity;sid:84671256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.213.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808157/; classtype:trojan-activity;sid:84671257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808158)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.166.152.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808158/; classtype:trojan-activity;sid:84671258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.80.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808159/; classtype:trojan-activity;sid:84671259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.233.77.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808160/; classtype:trojan-activity;sid:84671260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.80.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808161/; classtype:trojan-activity;sid:84671261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.224.208.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808154/; classtype:trojan-activity;sid:84671254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3808153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"heavy-duty.infrastructurehub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808153/; classtype:trojan-activity;sid:84671253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.9.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808152/; classtype:trojan-activity;sid:84671252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.200.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808151/; classtype:trojan-activity;sid:84671251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"form-builder.municipalmatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808150/; classtype:trojan-activity;sid:84671250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.44.175.24"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_03_30; reference:url, urlhaus.abuse.ch/url/3808149/; classtype:trojan-activity;sid:84671249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.138.135.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808148/; classtype:trojan-activity;sid:84671248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"24.44.175.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808147/; classtype:trojan-activity;sid:84671247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"code-index.municipalmatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808146/; classtype:trojan-activity;sid:84671246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.43.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808145/; classtype:trojan-activity;sid:84671245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"106.58.126.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808144/; classtype:trojan-activity;sid:84671244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"auth-trust.municipalmatrix.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808143/; classtype:trojan-activity;sid:84671243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.35.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808142/; classtype:trojan-activity;sid:84671242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.79.95"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808141/; classtype:trojan-activity;sid:84671241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.252.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808139/; classtype:trojan-activity;sid:84671239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.170.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808140/; classtype:trojan-activity;sid:84671240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/6f675d51cb094e0f.enc"; depth:29; endswith; nocase; http.host; content:"45.153.34.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808138/; classtype:trojan-activity;sid:84671238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/a068699010734e6d.jar"; depth:29; endswith; nocase; http.host; content:"45.153.34.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808134/; classtype:trojan-activity;sid:84671234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/06d00e3f266343c0.jar"; depth:29; endswith; nocase; http.host; content:"45.153.34.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808135/; classtype:trojan-activity;sid:84671235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/3d98f65dbb44491e.jar"; depth:29; endswith; nocase; http.host; content:"45.153.34.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, 
urlhaus.abuse.ch/url/3808136/; classtype:trojan-activity;sid:84671236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/c68c92c7b9974302.enc"; depth:29; endswith; nocase; http.host; content:"45.153.34.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808137/; classtype:trojan-activity;sid:84671237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"citizen-dev.municipalmatrix.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808133/; classtype:trojan-activity;sid:84671233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.170.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808132/; classtype:trojan-activity;sid:84671232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808121/; classtype:trojan-activity;sid:84671221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808122)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808122/; classtype:trojan-activity;sid:84671222; rev:1;)
# The rules in this run all name host 206.189.22.92 and the /windyloveyou/
# directory; the file names differ only in what look like CPU-architecture
# suffixes (i686, arm7, arm6, arm, spc, arm5, ppc, mpsl, m68k, sh4).
# Each rule matches one exact URI: depth equals the content length and
# endswith is set, so a renamed file or an additional build under the same
# directory does not alert. For triage, a hit on any one of these sids is a
# reason to review every HTTP request the same client made to this host,
# not only the one URL that fired.
# NOTE(review): metadata:created_at is presumably the URLhaus listing date;
# confirm the entry's current status via reference:url before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808123/; classtype:trojan-activity;sid:84671223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808124/; classtype:trojan-activity;sid:84671224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808125/; classtype:trojan-activity;sid:84671225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808126/; classtype:trojan-activity;sid:84671226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808127/; classtype:trojan-activity;sid:84671227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808128/; classtype:trojan-activity;sid:84671228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808129/; classtype:trojan-activity;sid:84671229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808130/; classtype:trojan-activity;sid:84671230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; 
content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808131/; classtype:trojan-activity;sid:84671231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.200.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808120/; classtype:trojan-activity;sid:84671220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.193.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808119/; classtype:trojan-activity;sid:84671219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"web-captcha.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808118/; classtype:trojan-activity;sid:84671218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"town-council.municipalmatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808117/; classtype:trojan-activity;sid:84671217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"public-serv.municipalmatrix.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808116/; classtype:trojan-activity;sid:84671216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.35.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808115/; classtype:trojan-activity;sid:84671215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"reach-base.territoriallink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808114/; classtype:trojan-activity;sid:84671214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.58.126.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808113/; classtype:trojan-activity;sid:84671213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.107.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808112/; 
classtype:trojan-activity;sid:84671212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"69.173.182.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808111/; classtype:trojan-activity;sid:84671211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.232.75.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808110/; classtype:trojan-activity;sid:84671210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"map-anchor.territoriallink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808109/; classtype:trojan-activity;sid:84671209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808108/; classtype:trojan-activity;sid:84671208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"site-connect.territoriallink.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808107/; classtype:trojan-activity;sid:84671207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"land-mark.territoriallink.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808106/; classtype:trojan-activity;sid:84671206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.61.70.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808105/; classtype:trojan-activity;sid:84671205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.129.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808104/; classtype:trojan-activity;sid:84671204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proxy-edge.territoriallink.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808103/; classtype:trojan-activity;sid:84671203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3808102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.79.95"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808102/; classtype:trojan-activity;sid:84671202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.232.75.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808101/; classtype:trojan-activity;sid:84671201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808100/; classtype:trojan-activity;sid:84671200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"border-gate.territoriallink.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808099/; classtype:trojan-activity;sid:84671199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"remote-log.regionaltelemetry.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, 
urlhaus.abuse.ch/url/3808098/; classtype:trojan-activity;sid:84671198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.76.132.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808097/; classtype:trojan-activity;sid:84671197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.76.132.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808096/; classtype:trojan-activity;sid:84671196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wave-form.regionaltelemetry.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808095/; classtype:trojan-activity;sid:84671195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.226.183.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808094/; classtype:trojan-activity;sid:84671194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"124.29.223.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808093/; classtype:trojan-activity;sid:84671193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.129.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808092/; classtype:trojan-activity;sid:84671192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808091/; classtype:trojan-activity;sid:84671191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.251.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808090/; classtype:trojan-activity;sid:84671190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"data-packet.regionaltelemetry.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808089/; classtype:trojan-activity;sid:84671189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3808088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.216.167.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808088/; classtype:trojan-activity;sid:84671188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"signal-box.regionaltelemetry.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808087/; classtype:trojan-activity;sid:84671187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.224.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808086/; classtype:trojan-activity;sid:84671186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"field-report.regionaltelemetry.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808085/; classtype:trojan-activity;sid:84671185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wide-telemetry.regionaltelemetry.in.net"; depth:39; isdataat:!1,relative; metadata:created_at 2026_03_30; 
reference:url, urlhaus.abuse.ch/url/3808084/; classtype:trojan-activity;sid:84671184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tunnel-sync.centralizedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808083/; classtype:trojan-activity;sid:84671183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.167.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808082/; classtype:trojan-activity;sid:84671182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pressure-io.centralizedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808081/; classtype:trojan-activity;sid:84671181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.245.32.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808080/; classtype:trojan-activity;sid:84671180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808079)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flow-guide.centralizedduct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808079/; classtype:trojan-activity;sid:84671179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.234.174.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808078/; classtype:trojan-activity;sid:84671178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"filter-proc.centralizedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808077/; classtype:trojan-activity;sid:84671177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.50.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808076/; classtype:trojan-activity;sid:84671176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"outlet-node.centralizedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808075/; classtype:trojan-activity;sid:84671175; rev:1;) 
# URLhaus download-URL signatures: one rule per listed URL. The number in msg
# is the URLhaus entry id, repeated in reference:url.
# Match semantics shared by the rules below:
#   - `alert http` with http.method "GET": only cleartext HTTP GET requests
#     seen by Suricata's HTTP parser are inspected. The same URL fetched over
#     TLS does not match unless traffic is decrypted ahead of the sensor.
#   - http.uri content with depth equal to the content length, plus endswith:
#     the URI buffer must equal the string exactly (nocase applies to the
#     URI content). A request with an added query string or a longer path
#     does not match.
#   - http.host content with depth equal to the content length, plus
#     isdataat:!1,relative: the host buffer must equal the string exactly,
#     so a sibling subdomain needs its own rule.
#   - $HOME_NET -> $EXTERNAL_NET depends on the sensor's address variables.
#     NOTE(review): clients that reach the internet through a proxy inside
#     $HOME_NET may not match this direction; confirm sensor placement.
# The /verification.google rules name individual hosts under shared parent
# names (here centralizedduct.in.net and linearbackbone.in.net). Because host
# matching is exact, checking DNS and proxy logs for the parent names can
# surface hosts that are not listed yet.
# NOTE(review): metadata:created_at is presumably the listing date, not proof
# the host still serves the payload. IP-literal hosts can change hands, so
# confirm against the reference URL before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"inlet-valve.centralizedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808074/; classtype:trojan-activity;sid:84671174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808073/; classtype:trojan-activity;sid:84671173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.167.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808072/; classtype:trojan-activity;sid:84671172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"node-carrier.linearbackbone.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808071/; classtype:trojan-activity;sid:84671171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.239.190"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808070/; classtype:trojan-activity;sid:84671170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808069/; classtype:trojan-activity;sid:84671169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"main-frame.linearbackbone.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808068/; classtype:trojan-activity;sid:84671168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.114.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808067/; classtype:trojan-activity;sid:84671167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fiber-route.linearbackbone.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808066/; classtype:trojan-activity;sid:84671166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808065)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808065/; classtype:trojan-activity;sid:84671165; rev:1;)
# --- Reviewer notes for the entries below (all created_at 2026_03_30) ---
# Each rule alerts on a client-side GET from $HOME_NET to $EXTERNAL_NET where:
#   * http.uri equals the listed path exactly (depth:<len> + endswith), compared
#     case-insensitively (nocase); a request carrying a query string or any other
#     path on the same host is outside what the rule covers.
#   * http.host equals the listed host exactly (depth:<len> + isdataat:!1,relative).
#     NOTE(review): whether a Host header with an explicit port still matches depends
#     on how the engine normalises http.host; confirm on the deployed Suricata version.
# Coverage: "alert http" only sees traffic parsed as cleartext HTTP; the same host
# reached over TLS is not inspected by these rules unless traffic is decrypted upstream.
# Triage: the number in msg and in the reference URL is the URLhaus entry id, and in
# every rule shown here sid = that id + 80863100. Many indicators are bare IP literals
# with a single created_at date; check the URLhaus entry's current status before
# treating a hit on an old entry as a confirmed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.52.142.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808064/; classtype:trojan-activity;sid:84671164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trunk-line.linearbackbone.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808063/; classtype:trojan-activity;sid:84671163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"path-bridge.linearbackbone.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808062/; classtype:trojan-activity;sid:84671162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.239.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808061/; classtype:trojan-activity;sid:84671161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.172.181.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808060/; classtype:trojan-activity;sid:84671160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.205.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808059/; classtype:trojan-activity;sid:84671159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"link-secure.linearbackbone.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808058/; classtype:trojan-activity;sid:84671158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.172.181.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808057/; classtype:trojan-activity;sid:84671157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.90.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808056/; classtype:trojan-activity;sid:84671156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"task-logic.sectoralcontrol.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808055/; classtype:trojan-activity;sid:84671155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"switch-gear.sectoralcontrol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808054/; classtype:trojan-activity;sid:84671154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808053/; classtype:trojan-activity;sid:84671153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.32.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808052/; classtype:trojan-activity;sid:84671152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"system-core.sectoralcontrol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808051/; classtype:trojan-activity;sid:84671151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.90.238"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808050/; classtype:trojan-activity;sid:84671150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.114.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808049/; classtype:trojan-activity;sid:84671149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"remote-desk.sectoralcontrol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808048/; classtype:trojan-activity;sid:84671148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.15.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808047/; classtype:trojan-activity;sid:84671147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.114.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808046/; classtype:trojan-activity;sid:84671146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808045/; classtype:trojan-activity;sid:84671145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6560547276/yzztzly.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808044/; classtype:trojan-activity;sid:84671144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.235.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808043/; classtype:trojan-activity;sid:84671143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.204.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808042/; classtype:trojan-activity;sid:84671142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"unit-command.sectoralcontrol.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808041/; classtype:trojan-activity;sid:84671141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"admin-panel.sectoralcontrol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808040/; classtype:trojan-activity;sid:84671140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.202.103.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808039/; classtype:trojan-activity;sid:84671139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808038/; classtype:trojan-activity;sid:84671138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"site-archive.districtbuffer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808036/; classtype:trojan-activity;sid:84671136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.235.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808037/; classtype:trojan-activity;sid:84671137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.15.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808035/; classtype:trojan-activity;sid:84671135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"load-buffer.districtbuffer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808034/; classtype:trojan-activity;sid:84671134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.204.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808033/; classtype:trojan-activity;sid:84671133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"relay-point.districtbuffer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808032/; classtype:trojan-activity;sid:84671132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.208.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808030/; classtype:trojan-activity;sid:84671130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"queue-manager.districtbuffer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808031/; classtype:trojan-activity;sid:84671131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.202.103.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808029/; classtype:trojan-activity;sid:84671129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"temp-storage.districtbuffer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808028/; classtype:trojan-activity;sid:84671128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.179.232.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808027/; classtype:trojan-activity;sid:84671127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"local-cache.districtbuffer.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808026/; classtype:trojan-activity;sid:84671126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.219.150.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808025/; classtype:trojan-activity;sid:84671125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"topo-render.precisemapnode.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808024/; classtype:trojan-activity;sid:84671124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.89.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808023/; classtype:trojan-activity;sid:84671123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"69.173.182.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808022/; classtype:trojan-activity;sid:84671122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"view-finder.precisemapnode.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808021/; classtype:trojan-activity;sid:84671121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.229.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808020/; classtype:trojan-activity;sid:84671120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scale-vector.precisemapnode.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808019/; classtype:trojan-activity;sid:84671119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"layer-stack.precisemapnode.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808018/; classtype:trojan-activity;sid:84671118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"point-atlas.precisemapnode.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808017/; classtype:trojan-activity;sid:84671117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.219.150.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808016/; classtype:trojan-activity;sid:84671116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.144.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808015/; classtype:trojan-activity;sid:84671115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.236.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808013/; classtype:trojan-activity;sid:84671113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.227.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808014/; classtype:trojan-activity;sid:84671114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"coord-sync.precisemapnode.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808012/; classtype:trojan-activity;sid:84671112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.89.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808011/; classtype:trojan-activity;sid:84671111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.55.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808010/; classtype:trojan-activity;sid:84671110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flow-master.urbanflowmetric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808009/; classtype:trojan-activity;sid:84671109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"drift-control.urbanflowmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808008/; classtype:trojan-activity;sid:84671108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.72.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808007/; classtype:trojan-activity;sid:84671107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pulse-check.urbanflowmetric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808006/; classtype:trojan-activity;sid:84671106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.236.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808005/; classtype:trojan-activity;sid:84671105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.101.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808004/; classtype:trojan-activity;sid:84671104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"surge-protect.urbanflowmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808003/; classtype:trojan-activity;sid:84671103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.20.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808002/; classtype:trojan-activity;sid:84671102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stream-audit.urbanflowmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808001/; classtype:trojan-activity;sid:84671101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.109.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808000/; classtype:trojan-activity;sid:84671100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.101.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807999/; classtype:trojan-activity;sid:84671099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"traffic-api.urbanflowmetric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807998/; classtype:trojan-activity;sid:84671098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.229.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807997/; classtype:trojan-activity;sid:84671097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.109.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807996/; classtype:trojan-activity;sid:84671096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"urban-access.metropolitangrid.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807995/; classtype:trojan-activity;sid:84671095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.20.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807994/; classtype:trojan-activity;sid:84671094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zone-portal.metropolitangrid.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807993/; classtype:trojan-activity;sid:84671093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"block-sensor.metropolitangrid.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807992/; classtype:trojan-activity;sid:84671092; rev:1;)
# The next 15 entries (URLhaus 3807977-3807991) share one host, 38.83.138.59, and
# differ only in the file name under /nz.<suffix>; the suffixes look like CPU
# architecture names. A hit on any one of them is worth correlating with the others
# for the same internal source address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.arc"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807977/; classtype:trojan-activity;sid:84671077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.mips"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807978/; classtype:trojan-activity;sid:84671078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.x86"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807979/; classtype:trojan-activity;sid:84671079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.arm6"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807980/; classtype:trojan-activity;sid:84671080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.arm7"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807981/; classtype:trojan-activity;sid:84671081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.ppc"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807982/; classtype:trojan-activity;sid:84671082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh4"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807983/; classtype:trojan-activity;sid:84671083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.arm"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807984/; classtype:trojan-activity;sid:84671084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh"; depth:6; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807985/; classtype:trojan-activity;sid:84671085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.spc"; depth:7; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807986/; classtype:trojan-activity;sid:84671086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.x86_64"; depth:10; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807987/; classtype:trojan-activity;sid:84671087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.m68k"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807988/; classtype:trojan-activity;sid:84671088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.mpsl"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807989/; classtype:trojan-activity;sid:84671089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.arm5"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807990/; classtype:trojan-activity;sid:84671090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.i686"; depth:8; endswith; nocase; http.host; content:"38.83.138.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807991/; classtype:trojan-activity;sid:84671091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"area-scanner.metropolitangrid.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807976/; classtype:trojan-activity;sid:84671076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"street-logic.metropolitangrid.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807975/; classtype:trojan-activity;sid:84671075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.49.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807974/; classtype:trojan-activity;sid:84671074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"city-monitor.metropolitangrid.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807973/; classtype:trojan-activity;sid:84671073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807972)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.138.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807972/; classtype:trojan-activity;sid:84671072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"instant-msg.velocityterminal.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807971/; classtype:trojan-activity;sid:84671071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quick-step.velocityterminal.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3807970/; classtype:trojan-activity;sid:84671070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.49.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807969/; classtype:trojan-activity;sid:84671069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shift-ctrl.velocityterminal.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807968/; 
classtype:trojan-activity;sid:84671068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"boost-engine.velocityterminal.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807967/; classtype:trojan-activity;sid:84671067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.119.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807966/; classtype:trojan-activity;sid:84671066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rapid-fire.velocityterminal.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807965/; classtype:trojan-activity;sid:84671065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fast-track.velocityterminal.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807964/; classtype:trojan-activity;sid:84671064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807963)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"codec-proxy.compressionlayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807963/; classtype:trojan-activity;sid:84671063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.198.140.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807962/; classtype:trojan-activity;sid:84671062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flat-buffer.compressionlayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807961/; classtype:trojan-activity;sid:84671061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.119.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807960/; classtype:trojan-activity;sid:84671060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807959/; classtype:trojan-activity;sid:84671059; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shrink-node.compressionlayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807958/; classtype:trojan-activity;sid:84671058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zip-archive.compressionlayer.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807957/; classtype:trojan-activity;sid:84671057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.156.133.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807956/; classtype:trojan-activity;sid:84671056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dense-pack.compressionlayer.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807955/; classtype:trojan-activity;sid:84671055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"survey-data.topographictrace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807954/; classtype:trojan-activity;sid:84671054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"contour-api.topographictrace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807953/; classtype:trojan-activity;sid:84671053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807952/; classtype:trojan-activity;sid:84671052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p-p.c-.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807933/; classtype:trojan-activity;sid:84671033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807934/; classtype:trojan-activity;sid:84671034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3807935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807935/; classtype:trojan-activity;sid:84671035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807936/; classtype:trojan-activity;sid:84671036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807937/; classtype:trojan-activity;sid:84671037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807938/; classtype:trojan-activity;sid:84671038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807939/; 
classtype:trojan-activity;sid:84671039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807940/; classtype:trojan-activity;sid:84671040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807941/; classtype:trojan-activity;sid:84671041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807942/; classtype:trojan-activity;sid:84671042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807943/; classtype:trojan-activity;sid:84671043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; 
content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807944/; classtype:trojan-activity;sid:84671044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807945/; classtype:trojan-activity;sid:84671045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807946/; classtype:trojan-activity;sid:84671046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807947/; classtype:trojan-activity;sid:84671047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807948/; classtype:trojan-activity;sid:84671048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807949)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/x-8.6-.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807949/; classtype:trojan-activity;sid:84671049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807950/; classtype:trojan-activity;sid:84671050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807951/; classtype:trojan-activity;sid:84671051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807926/; classtype:trojan-activity;sid:84671026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807927/; classtype:trojan-activity;sid:84671027; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807928/; classtype:trojan-activity;sid:84671028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807929/; classtype:trojan-activity;sid:84671029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-p.s-l.snoopy"; depth:15; endswith; nocase; http.host; content:"87.121.79.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807930/; classtype:trojan-activity;sid:84671030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"158.94.208.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807931/; classtype:trojan-activity;sid:84671031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"172.86.91.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807932/; classtype:trojan-activity;sid:84671032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"relief-view.topographictrace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807925/; classtype:trojan-activity;sid:84671025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"point-cloud.topographictrace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807924/; classtype:trojan-activity;sid:84671024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.190.187.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807923/; classtype:trojan-activity;sid:84671023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.77.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807922/; classtype:trojan-activity;sid:84671022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807921)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"chart-plotter.topographictrace.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807921/; classtype:trojan-activity;sid:84671021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8756257131/nbql7zy.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807920/; classtype:trojan-activity;sid:84671020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"map-overlay.topographictrace.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807919/; classtype:trojan-activity;sid:84671019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"core-tunnel.integratedduct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807918/; classtype:trojan-activity;sid:84671018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"drain-gate.integratedduct.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807917/; classtype:trojan-activity;sid:84671017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.69.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807916/; classtype:trojan-activity;sid:84671016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pipe-line.integratedduct.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807915/; classtype:trojan-activity;sid:84671015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807914/; classtype:trojan-activity;sid:84671014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.70.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807913/; classtype:trojan-activity;sid:84671013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; 
http.host; content:"vent-access.integratedduct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807912/; classtype:trojan-activity;sid:84671012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/poop"; depth:10; endswith; nocase; http.host; content:"45.205.1.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807911/; classtype:trojan-activity;sid:84671011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807910/; classtype:trojan-activity;sid:84671010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.190.187.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807909/; classtype:trojan-activity;sid:84671009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.255.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807908/; classtype:trojan-activity;sid:84671008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807907)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flow-sensor.integratedduct.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807907/; classtype:trojan-activity;sid:84671007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.175.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807906/; classtype:trojan-activity;sid:84671006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.114.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807905/; classtype:trojan-activity;sid:84671005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.192.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807904/; classtype:trojan-activity;sid:84671004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"main-conduit.integratedduct.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807903/; 
classtype:trojan-activity;sid:84671003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pair-connect.symmetricalflow.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807902/; classtype:trojan-activity;sid:84671002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.27.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807901/; classtype:trojan-activity;sid:84671001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807900/; classtype:trojan-activity;sid:84671000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"match-point.symmetricalflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807899/; classtype:trojan-activity;sid:84670999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807898/; classtype:trojan-activity;sid:84670998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.128.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807897/; classtype:trojan-activity;sid:84670997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"equal-logic.symmetricalflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807896/; classtype:trojan-activity;sid:84670996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dual-stream.symmetricalflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807895/; classtype:trojan-activity;sid:84670995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.70.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807894/; classtype:trojan-activity;sid:84670994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3807893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.255.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807893/; classtype:trojan-activity;sid:84670993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mirror-sync.symmetricalflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807892/; classtype:trojan-activity;sid:84670992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.192.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807891/; classtype:trojan-activity;sid:84670991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.238.240.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807890/; classtype:trojan-activity;sid:84670990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"balanced-io.symmetricalflow.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807889/; classtype:trojan-activity;sid:84670989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.115.167.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807888/; classtype:trojan-activity;sid:84670988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.184.246.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807887/; classtype:trojan-activity;sid:84670987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alt-server.elevationnodebox.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807886/; classtype:trojan-activity;sid:84670986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.81.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807885/; classtype:trojan-activity;sid:84670985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; 
http.host; content:"summit-dev.elevationnodebox.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807884/; classtype:trojan-activity;sid:84670984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.216.167.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807883/; classtype:trojan-activity;sid:84670983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.226.205.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807882/; classtype:trojan-activity;sid:84670982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"level-check.elevationnodebox.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807881/; classtype:trojan-activity;sid:84670981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"peak-traffic.elevationnodebox.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807880/; classtype:trojan-activity;sid:84670980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"top-tier.elevationnodebox.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807879/; classtype:trojan-activity;sid:84670979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807878/; classtype:trojan-activity;sid:84670978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.115.167.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807877/; classtype:trojan-activity;sid:84670977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"high-point.elevationnodebox.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807876/; classtype:trojan-activity;sid:84670976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.81.193"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_03_29; reference:url, urlhaus.abuse.ch/url/3807874/; classtype:trojan-activity;sid:84670974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.80.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807875/; classtype:trojan-activity;sid:84670975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.226.205.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807873/; classtype:trojan-activity;sid:84670973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arch-tunnel.cantileverbridge.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807872/; classtype:trojan-activity;sid:84670972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"truss-api.cantileverbridge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807871/; classtype:trojan-activity;sid:84670971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807870)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.80.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807870/; classtype:trojan-activity;sid:84670970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"beam-handler.cantileverbridge.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807869/; classtype:trojan-activity;sid:84670969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807868/; classtype:trojan-activity;sid:84670968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.18.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807867/; classtype:trojan-activity;sid:84670967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stress-test.cantileverbridge.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807866/; classtype:trojan-activity;sid:84670966; rev:1;) 
# Rule template used by the entries below (one rule per line):
#   - flow:established,from_client + http.method content:"GET" limits the match to
#     client GET requests on an established flow going from $HOME_NET to $EXTERNAL_NET.
#   - http.uri content:"<path>"; depth:<len(path)>; endswith; nocase  pins the pattern to
#     both the start and the end of the URI buffer, i.e. a case-insensitive exact match.
#   - http.host content:"<host>"; depth:<len(host)>; isdataat:!1,relative  likewise requires
#     the host buffer to be exactly <host>, with no bytes after it.
# Each rule is therefore an exact-indicator match for one reported URL (see its reference:url);
# other URIs on the same host are outside its coverage. The number in msg is the URLhaus
# entry id from the reference link; metadata:created_at is the date recorded for the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"load-balancer.cantileverbridge.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807865/; classtype:trojan-activity;sid:84670965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.82.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807864/; classtype:trojan-activity;sid:84670964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"span-control.cantileverbridge.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807863/; classtype:trojan-activity;sid:84670963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.77.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807862/; classtype:trojan-activity;sid:84670962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"archive-site.alignmentstorage.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807861/; classtype:trojan-activity;sid:84670961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.82.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807860/; classtype:trojan-activity;sid:84670960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807859/; classtype:trojan-activity;sid:84670959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"backup-hub.alignmentstorage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807858/; classtype:trojan-activity;sid:84670958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.203.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807857/; classtype:trojan-activity;sid:84670957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3807856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cache-node.alignmentstorage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807856/; classtype:trojan-activity;sid:84670956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.121.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807855/; classtype:trojan-activity;sid:84670955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"file-share.alignmentstorage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807854/; classtype:trojan-activity;sid:84670954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"block-storage.alignmentstorage.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807853/; classtype:trojan-activity;sid:84670953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sync-portal.alignmentstorage.in.net"; depth:35; isdataat:!1,relative; 
metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807852/; classtype:trojan-activity;sid:84670952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.223.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807851/; classtype:trojan-activity;sid:84670951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"index-master.foundationmetric.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807850/; classtype:trojan-activity;sid:84670950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"legacy-bridge.foundationmetric.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807849/; classtype:trojan-activity;sid:84670949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807848/; classtype:trojan-activity;sid:84670948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807847)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.121.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807847/; classtype:trojan-activity;sid:84670947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stat-collector.foundationmetric.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807846/; classtype:trojan-activity;sid:84670946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807845/; classtype:trojan-activity;sid:84670945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"audit-trail.foundationmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807844/; classtype:trojan-activity;sid:84670944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"root-access.foundationmetric.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807843/; classtype:trojan-activity;sid:84670943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.153.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807842/; classtype:trojan-activity;sid:84670942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.27.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807841/; classtype:trojan-activity;sid:84670941; rev:1;)
# NOTE(review): the next rules match on http.host "github.com", a shared hosting platform.
# The alert is tied to one repository file only because http.uri is matched exactly
# (depth equals the path length, plus endswith), so the host by itself is not an indicator.
# These are "alert http" rules: they are evaluated on traffic Suricata parses as HTTP.
# This host is normally reached over TLS, so the sensor presumably sees such a request only
# when it is sent in plaintext or when TLS is decrypted before inspection. Confirm sensor
# placement, and rely on URL-level telemetry (e.g. TLS-inspecting proxy logs) for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camj020205/telegram-xo-game-bot-php/raw/refs/heads/main/twangle/php-game-bot-x-telegram-1.7.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807840/; classtype:trojan-activity;sid:84670940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o-fb/3dsconverters/raw/refs/heads/main/3ds-converters/bin/3dsconverters_3.2.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807832/; classtype:trojan-activity;sid:84670932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807833)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"grid-backbone.reinforcedmatrix.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807833/; classtype:trojan-activity;sid:84670933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syedsuleman07/jonas-review-guesser/refs/heads/main/data/review_guesser_jonas_2.0.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807834/; classtype:trojan-activity;sid:84670934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tensor-unit.reinforcedmatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807835/; classtype:trojan-activity;sid:84670935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anheoanthit/tmodloader-docker/raw/refs/heads/main/mindlessness/tmodloader_docker_2.2.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807836/; classtype:trojan-activity;sid:84670936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807837)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"base-logic.foundationmetric.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807837/; classtype:trojan-activity;sid:84670937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josh-debug123/jogo_da_velha/raw/refs/heads/main/menometastasis/jogo_da_velha_3.1.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807838/; classtype:trojan-activity;sid:84670938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zak12810/gamehub/raw/refs/heads/main/ios/gamehub/hub-game-v3.2-beta.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807839/; classtype:trojan-activity;sid:84670939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syedsuleman07/jonas-review-guesser/raw/refs/heads/main/data/review_guesser_jonas_2.0.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807830/; classtype:trojan-activity;sid:84670930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807831)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kma66/playtesters.api/raw/refs/heads/master/src/usecases/api-playtesters-1.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807831/; classtype:trojan-activity;sid:84670931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zak12810/gamehub/refs/heads/main/ios/gamehub/hub-game-v3.2-beta.1.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807825/; classtype:trojan-activity;sid:84670925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camj020205/telegram-xo-game-bot-php/refs/heads/main/twangle/php-game-bot-x-telegram-1.7.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807826/; classtype:trojan-activity;sid:84670926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josh-debug123/jogo_da_velha/refs/heads/main/menometastasis/jogo_da_velha_3.1.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807827/; classtype:trojan-activity;sid:84670927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807828)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kma66/playtesters.api/refs/heads/master/src/usecases/api-playtesters-1.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807828/; classtype:trojan-activity;sid:84670928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anheoanthit/tmodloader-docker/refs/heads/main/mindlessness/tmodloader_docker_2.2.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807829/; classtype:trojan-activity;sid:84670929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807823/; classtype:trojan-activity;sid:84670923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gourav3365/mcbe-mouse-cursor/refs/heads/master/punchboard/mouse_cursor_mcb_2.7-alpha.4.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807824/; classtype:trojan-activity;sid:84670924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7571480282/0zseybn.exe"; depth:29; endswith; 
nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807822/; classtype:trojan-activity;sid:84670922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beamed123/open-source-games/raw/refs/heads/main/staphylomycosis/open_games_source_v2.7-alpha.5.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807815/; classtype:trojan-activity;sid:84670915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiendaunomx/wave-defender/raw/refs/heads/main/counterstatement/wave_defender_3.3.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807816/; classtype:trojan-activity;sid:84670916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/axeldnd1980/infinity-paradox-game/refs/heads/main/life-scenarios/infinity_game_paradox_udo.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807817/; classtype:trojan-activity;sid:84670917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gourav3365/mcbe-mouse-cursor/raw/refs/heads/master/punchboard/mouse_cursor_mcb_2.7-alpha.4.zip"; 
depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807818/; classtype:trojan-activity;sid:84670918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/axeldnd1980/infinity-paradox-game/raw/refs/heads/main/life-scenarios/infinity_game_paradox_udo.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807819/; classtype:trojan-activity;sid:84670919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ninjas21/gamehub-lite/raw/refs/heads/main/api/gamehub-lite-1.4.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807820/; classtype:trojan-activity;sid:84670920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ninjas21/gamehub-lite/refs/heads/main/api/gamehub-lite-1.4.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807821/; classtype:trojan-activity;sid:84670921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andreyukzl/verl/refs/heads/main/verl/model_merger/software-v1.3.zip"; depth:68; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807810/; classtype:trojan-activity;sid:84670910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andreyukzl/verl/raw/refs/heads/main/verl/model_merger/software-v1.3.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807811/; classtype:trojan-activity;sid:84670911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o-fb/3dsconverters/refs/heads/main/3ds-converters/bin/3dsconverters_3.2.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807812/; classtype:trojan-activity;sid:84670912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beamed123/open-source-games/refs/heads/main/staphylomycosis/open_games_source_v2.7-alpha.5.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807813/; classtype:trojan-activity;sid:84670913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiendaunomx/wave-defender/refs/heads/main/counterstatement/wave_defender_3.3.zip"; depth:81; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807814/; classtype:trojan-activity;sid:84670914; rev:1;)
# This rule and several others in this part of the ruleset pair the URI "/verification.google" with a
# different subdomain of reinforcedmatrix.in.net or navigationalpath.in.net (shield-relay, mesh-gateway,
# fiber-optic, core-lattice; mapping-svc, vector-base). Each signature pins one exact host, so a
# subdomain that is not listed is not matched. NOTE(review): consider reviewing DNS and proxy logs for
# the two parent domains alongside these per-host alerts; confirm against the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shield-relay.reinforcedmatrix.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807809/; classtype:trojan-activity;sid:84670909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/genuspedilanthusgroundsloth505/osiris/raw/refs/heads/main/source/features/visuals/modelglow/weaponmodelglow/software-unidolatrous.zip"; depth:134; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807806/; classtype:trojan-activity;sid:84670906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thunde5061/discord-twitch-bot/raw/refs/heads/main/unspontaneous/discord_bot_twitch_1.1.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807807/; classtype:trojan-activity;sid:84670907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807808)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/genuspedilanthusgroundsloth505/osiris/refs/heads/main/source/features/visuals/modelglow/weaponmodelglow/software-unidolatrous.zip"; depth:130; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807808/; classtype:trojan-activity;sid:84670908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pharyngeal-haredi673/twitch-account-creator/refs/heads/main/results/twitch_account_creator_require.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807798/; classtype:trojan-activity;sid:84670898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provosaintbride913/twitchfollowers/refs/heads/main/recoast/followers-twitch-counterpray.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807799/; classtype:trojan-activity;sid:84670899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pharyngeal-haredi673/twitch-account-creator/raw/refs/heads/main/results/twitch_account_creator_require.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807800/; classtype:trojan-activity;sid:84670900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3807801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/commonsdisintegration93/rust-stability-companion/raw/refs/heads/main/shoppy/rust-stability-companion_2.1.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807801/; classtype:trojan-activity;sid:84670901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-ettahri/nullrat/refs/heads/main/nullrat/rat_null_1.4-beta.5.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807802/; classtype:trojan-activity;sid:84670902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/commonsdisintegration93/rust-stability-companion/refs/heads/main/shoppy/rust-stability-companion_2.1.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807803/; classtype:trojan-activity;sid:84670903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-ettahri/nullrat/raw/refs/heads/main/nullrat/rat_null_1.4-beta.5.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807804/; classtype:trojan-activity;sid:84670904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provosaintbride913/twitchfollowers/raw/refs/heads/main/recoast/followers-twitch-counterpray.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807805/; classtype:trojan-activity;sid:84670905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thunde5061/discord-twitch-bot/refs/heads/main/unspontaneous/discord_bot_twitch_1.1.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807797/; classtype:trojan-activity;sid:84670897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.153.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807796/; classtype:trojan-activity;sid:84670896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mesh-gateway.reinforcedmatrix.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807795/; classtype:trojan-activity;sid:84670895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807794)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.27.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807794/; classtype:trojan-activity;sid:84670894; rev:1;)
# The next two rules cover one file through both GitHub download hosts: raw.githubusercontent.com with the
# bare path, and github.com with "/raw" inserted after the repository name (hence depth 38 versus 42).
# Both are "alert http" signatures, which inspect parsed HTTP requests only. NOTE(review): these hosts are
# normally served over HTTPS, so without TLS decryption ahead of the sensor the rules will presumably fire
# rarely; confirm, and back them with proxy or endpoint telemetry that records the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zouag94/map/refs/heads/main/or/75.txt"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807792/; classtype:trojan-activity;sid:84670892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zouag94/map/raw/refs/heads/main/or/75.txt"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807793/; classtype:trojan-activity;sid:84670893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fiber-optic.reinforcedmatrix.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807791/; classtype:trojan-activity;sid:84670891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kupcsi/bounce_zero/refs/heads/main/lang/bounce_zero_v1.0.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807784/; classtype:trojan-activity;sid:84670884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/cafe-erp-system/raw/refs/heads/main/css/system-er-caf-v3.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807785/; classtype:trojan-activity;sid:84670885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nopaleafifo630/tic-tac-toe-game/refs/heads/main/nepotistical/game_tac_toe_tic_v1.2.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807786/; classtype:trojan-activity;sid:84670886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/cafe-erp-system/refs/heads/main/css/system-er-caf-v3.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807787/; classtype:trojan-activity;sid:84670887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nopaleafifo630/tic-tac-toe-game/raw/refs/heads/main/nepotistical/game_tac_toe_tic_v1.2.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807788/; classtype:trojan-activity;sid:84670888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/typing-game/raw/refs/heads/main/app/api/leaderboard/top/game_typing_2.7.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807789/; classtype:trojan-activity;sid:84670889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeckef/unnamed_game_1_v2/raw/refs/heads/main/epidictical/game-unnamed-v-1.3-beta.4.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807790/; classtype:trojan-activity;sid:84670890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.48.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807776/; classtype:trojan-activity;sid:84670876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tadiseeek/finesweeper/raw/refs/heads/main/camass/sweeper-fine-v1.6.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807777/; 
classtype:trojan-activity;sid:84670877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tadiseeek/finesweeper/refs/heads/main/camass/sweeper-fine-v1.6.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807778/; classtype:trojan-activity;sid:84670878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/blood-donation-sql-project/refs/heads/main/reference/project-blood-sql-donation-1.4-beta.5.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807779/; classtype:trojan-activity;sid:84670879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imkozz/microverse/refs/heads/main/scene/characters/software-v1.3.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807780/; classtype:trojan-activity;sid:84670880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/blood-donation-sql-project/raw/refs/heads/main/reference/project-blood-sql-donation-1.4-beta.5.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; 
reference:url, urlhaus.abuse.ch/url/3807781/; classtype:trojan-activity;sid:84670881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fauzanoktavianto/typing-game/refs/heads/main/app/api/leaderboard/top/game_typing_2.7.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807782/; classtype:trojan-activity;sid:84670882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imkozz/microverse/raw/refs/heads/main/scene/characters/software-v1.3.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807783/; classtype:trojan-activity;sid:84670883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"core-lattice.reinforcedmatrix.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807775/; classtype:trojan-activity;sid:84670875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.245.232.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807774/; classtype:trojan-activity;sid:84670874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.161.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807773/; classtype:trojan-activity;sid:84670873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mapping-svc.navigationalpath.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807772/; classtype:trojan-activity;sid:84670872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/el1asz/osu-on-linux/raw/refs/heads/main/tint2/on-osu-linux-2.2.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807771/; classtype:trojan-activity;sid:84670871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaisinghchoudhary/finales-abschlussprojekt/raw/refs/heads/main/sellable/abschlussprojekt_finales_v3.2.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807765/; classtype:trojan-activity;sid:84670865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807766)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gooberbenzenoid132/interactive-sora/raw/refs/heads/main/frontend/node_modules/rollup/dist/bin/sora_interactive_2.5.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807766/; classtype:trojan-activity;sid:84670866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gooberbenzenoid132/interactive-sora/refs/heads/main/frontend/node_modules/rollup/dist/bin/sora_interactive_2.5.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807767/; classtype:trojan-activity;sid:84670867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaisinghchoudhary/apocalust007-updateforge/refs/heads/main/isopropyl/apocalust-update-forge-v3.3.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807768/; classtype:trojan-activity;sid:84670868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtancordy/dx12bindlessunity/raw/refs/heads/master/assets/bindless-unity-d-1.4.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807769/; classtype:trojan-activity;sid:84670869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3807770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilmariog12/osu-on-linux/raw/refs/heads/master/rhenish/linux_osu_on_3.6.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807770/; classtype:trojan-activity;sid:84670870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilmariog12/osu-on-linux/refs/heads/master/rhenish/linux_osu_on_3.6.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807761/; classtype:trojan-activity;sid:84670861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilmariog12/exemplos-qua209030/refs/heads/master/.vscode/qua_exemplos_1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807762/; classtype:trojan-activity;sid:84670862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gilmariog12/exemplos-qua209030/raw/refs/heads/master/.vscode/qua_exemplos_1.8.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807763/; classtype:trojan-activity;sid:84670863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807764)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaisinghchoudhary/apocalust007-updateforge/raw/refs/heads/main/isopropyl/apocalust-update-forge-v3.3.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807764/; classtype:trojan-activity;sid:84670864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtancordy/dx12bindlessunity/refs/heads/master/assets/bindless-unity-d-1.4.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807760/; classtype:trojan-activity;sid:84670860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shiraori879/pubg-mobile-bypass-source-fixed/refs/heads/main/packages/system.numerics.vectors.4.4.0/ref/xamarinwatchos10/bypass_source_pub_mobile_fixed_v1.9.zip"; depth:160; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807751/; classtype:trojan-activity;sid:84670851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shiraori879/pubg-mobile-bypass-source-fixed/raw/refs/heads/main/packages/system.numerics.vectors.4.4.0/ref/xamarinwatchos10/bypass_source_pub_mobile_fixed_v1.9.zip"; depth:164; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807752/; classtype:trojan-activity;sid:84670852; rev:1;)
# How to read the entries below: every rule alerts on an established,
# client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET. In http.uri,
# `depth:N; endswith;` with N equal to the content length pins the whole
# buffer (case-insensitively, via nocase); in http.host, `depth:N` plus
# `isdataat:!1,relative` does the same. Only the exact listed URL matches.
# In the rules shown here the sid is the URLhaus id from msg/reference
# plus 80863100, so an alert can be traced back to its URLhaus entry.
#
# github.com / raw.githubusercontent.com entries: the same archive is listed
# once per URL form (github.com/<repo>/raw/refs/... and
# raw.githubusercontent.com/<repo>/refs/...), e.g. 3807756 and 3807758.
# NOTE(review): these are `alert http` rules, so they need the request to be
# visible to the HTTP parser. These hosts are normally fetched over HTTPS;
# confirm TLS decryption in front of the sensor before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheat360/rank-no-taisen-front/raw/refs/heads/main/public/no-taisen-front-rank-3.2.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807753/; classtype:trojan-activity;sid:84670853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kalbou/bmo-ai-chatbot/raw/refs/heads/main/frontend/src/components/bm-a-chatbot-3.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807754/; classtype:trojan-activity;sid:84670854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vector-base.navigationalpath.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807755/; classtype:trojan-activity;sid:84670855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaspreet-1234/gaming-website/raw/refs/heads/master/assets/gaming-website-v2.1.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807756/; classtype:trojan-activity;sid:84670856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sergioam1/elden-ring-leetcode-extension/raw/refs/heads/main/public/sounds/extension_leetcode_elden_ring_v3.2.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807757/; classtype:trojan-activity;sid:84670857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaspreet-1234/gaming-website/refs/heads/master/assets/gaming-website-v2.1.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807758/; classtype:trojan-activity;sid:84670858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sergioam1/elden-ring-leetcode-extension/refs/heads/main/public/sounds/extension_leetcode_elden_ring_v3.2.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807759/; classtype:trojan-activity;sid:84670859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xyinia/super-mario-bros.-remastered-public/raw/refs/heads/main/scripts/classes/entities/public_bros_super_mario_remastered_a.zip"; depth:129; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807746/; classtype:trojan-activity;sid:84670846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xyinia/super-mario-bros.-remastered-public/refs/heads/main/scripts/classes/entities/public_bros_super_mario_remastered_a.zip"; depth:125; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807747/; classtype:trojan-activity;sid:84670847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reubenlamptey/nova-arcade-html-5-game-portal-cms-php-script/raw/refs/heads/main/technographically/game-nova-ph-arcade-htm-portal-cm-script-incessably.zip"; depth:154; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807748/; classtype:trojan-activity;sid:84670848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kalbou/bmo-ai-chatbot/refs/heads/main/frontend/src/components/bm-a-chatbot-3.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807749/; classtype:trojan-activity;sid:84670849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheat360/rank-no-taisen-front/refs/heads/main/public/no-taisen-front-rank-3.2.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807750/; classtype:trojan-activity;sid:84670850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reubenlamptey/nova-arcade-html-5-game-portal-cms-php-script/refs/heads/main/technographically/game-nova-ph-arcade-htm-portal-cm-script-incessably.zip"; depth:150; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807745/; classtype:trojan-activity;sid:84670845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trace-beacon.navigationalpath.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807744/; classtype:trojan-activity;sid:84670844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"geo-spatial.navigationalpath.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807743/; classtype:trojan-activity;sid:84670843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807741)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/mohdsardar/python-libraries-for-data-science-/refs/heads/main/asilidae/for-science-data-libraries-python-alkalimetry.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807741/; classtype:trojan-activity;sid:84670841; rev:1;)
# Repository-hosted archives: each file is listed under both URL forms
# (github.com/<repo>/raw/refs/... and raw.githubusercontent.com/<repo>/refs/...),
# e.g. 3807737 and 3807736. The URI and host are matched as complete buffers,
# so these rules fire on the listed file only, not on the repository or host.
# NOTE(review): these are `alert http` rules and need the request in clear
# text at the sensor. These hosts are normally fetched over HTTPS; confirm
# TLS decryption coverage, and treat a lack of alerts here as no evidence
# either way if that traffic is not decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/raylib4playstation2/refs/heads/main/samples/shapes/mix/play-raylib-station-v1.6.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807742/; classtype:trojan-activity;sid:84670842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/python-libraries-for-data-science-/raw/refs/heads/main/asilidae/for-science-data-libraries-python-alkalimetry.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807733/; classtype:trojan-activity;sid:84670833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/genai_app-ai-code-reviewer/refs/heads/main/anthracnose/gen-code-reviewer-a-app-2.1.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807734/; classtype:trojan-activity;sid:84670834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cosggg/simon-says-rag-android/raw/refs/heads/main/app/src/main/res/drawable/android-ra-says-simon-transparentness.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807735/; classtype:trojan-activity;sid:84670835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/uber-data-analysis/refs/heads/main/chlorochromic/analysis_data_uber_v2.8.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807736/; classtype:trojan-activity;sid:84670836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/uber-data-analysis/raw/refs/heads/main/chlorochromic/analysis_data_uber_v2.8.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807737/; classtype:trojan-activity;sid:84670837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/genai_app-ai-code-reviewer/raw/refs/heads/main/anthracnose/gen-code-reviewer-a-app-2.1.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807738/; classtype:trojan-activity;sid:84670838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cosggg/simon-says-rag-android/refs/heads/main/app/src/main/res/drawable/android-ra-says-simon-transparentness.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807739/; classtype:trojan-activity;sid:84670839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdsardar/raylib4playstation2/raw/refs/heads/main/samples/shapes/mix/play-raylib-station-v1.6.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807740/; classtype:trojan-activity;sid:84670840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"route-engine.navigationalpath.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807732/; classtype:trojan-activity;sid:84670832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.161.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807731/; classtype:trojan-activity;sid:84670831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3807729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.80.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807729/; classtype:trojan-activity;sid:84670829; rev:1;)
# Match semantics: `depth:N; endswith;` (N = content length) on http.uri and
# `depth:N; isdataat:!1,relative;` on http.host make both buffers exact
# matches, so each rule covers one URL on one host and nothing else.
#
# "/verification.google" entries: one rule per host name, several of them
# under the same parent (*.structuralgridhub.in.net in this stretch). A host
# under that parent which is not in the feed produces no alert from this
# file; during triage, also review DNS/proxy logs for the parent domain.
#
# Bare-IP entries: some addresses are listed for both "/i" and "/bin.sh"
# (27.215.80.254 in 3807729 and 3807720; 45.177.33.135 in 3807724 and
# 3807713), so paired alerts from one client to one address may belong to a
# single incident. Indicators are dated by metadata:created_at; check the
# referenced URLhaus entry for current status before acting on an IP hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheatclients/rata.exe"; depth:22; endswith; nocase; http.host; content:"144.31.156.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807728/; classtype:trojan-activity;sid:84670828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"waypoint-alfa.navigationalpath.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807727/; classtype:trojan-activity;sid:84670827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807726/; classtype:trojan-activity;sid:84670826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"edge-proxy.structuralgridhub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807725/; classtype:trojan-activity;sid:84670825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.177.33.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807724/; classtype:trojan-activity;sid:84670824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"log-monitor.structuralgridhub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807723/; classtype:trojan-activity;sid:84670823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cdn-static.structuralgridhub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807722/; classtype:trojan-activity;sid:84670822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"data-vault.structuralgridhub.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807721/; classtype:trojan-activity;sid:84670821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.80.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807720/; classtype:trojan-activity;sid:84670820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"api-cluster.structuralgridhub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807719/; classtype:trojan-activity;sid:84670819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.184.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807718/; classtype:trojan-activity;sid:84670818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.76.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807717/; classtype:trojan-activity;sid:84670817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.176.103.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807716/; classtype:trojan-activity;sid:84670816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"auth-secure.structuralgridhub.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807715/; classtype:trojan-activity;sid:84670815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/ebjvlxf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807714/; classtype:trojan-activity;sid:84670814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.177.33.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807713/; classtype:trojan-activity;sid:84670813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hruckb.radiantventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807712/; classtype:trojan-activity;sid:84670812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.239.194"; depth:15; isdataat:!1,relative;
metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807711/; classtype:trojan-activity;sid:84670811; rev:1;)
# Each rule below is an exact-URL indicator: HTTP GET, whole http.uri equal to
# the listed path (case-insensitive), whole http.host equal to the listed
# host. The URLhaus id in msg and reference identifies the source report.
#
# "/verification.google" entries are listed per host name; this stretch holds
# several hosts under *.radiantventurex.in.net and *.latticeharbora.in.net.
# Hosts under those parents that the feed does not list are not covered by
# these rules, so check DNS/proxy logs for the parent domain during triage.
#
# Bare-IP entries: 110.37.121.43 (3807701, 3807702) and 196.189.198.193
# (3807707, 3807695) are each listed for both "/i" and "/bin.sh"; paired
# alerts toward one address may belong to a single incident. IP indicators
# age quickly; metadata:created_at gives the listing date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"opt1-chain.radiantventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807710/; classtype:trojan-activity;sid:84670810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.160.151.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807709/; classtype:trojan-activity;sid:84670809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"snbz.radiantventurex.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807708/; classtype:trojan-activity;sid:84670808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.198.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807707/; classtype:trojan-activity;sid:84670807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qhsgsm.radiantventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807706/; classtype:trojan-activity;sid:84670806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.176.103.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807705/; classtype:trojan-activity;sid:84670805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.53.147"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807704/; classtype:trojan-activity;sid:84670804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"soli-cast.radiantventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807703/; classtype:trojan-activity;sid:84670803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807701/; classtype:trojan-activity;sid:84670801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807702/; classtype:trojan-activity;sid:84670802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.100.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807699/; classtype:trojan-activity;sid:84670799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"curiousdrift.radiantventurex.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807700/; classtype:trojan-activity;sid:84670800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.210.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807698/; classtype:trojan-activity;sid:84670798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.65.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807697/; classtype:trojan-activity;sid:84670797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"adapterlog.latticeharbora.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807696/; classtype:trojan-activity;sid:84670796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.198.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807695/; classtype:trojan-activity;sid:84670795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.71.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807694/; classtype:trojan-activity;sid:84670794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sampl-cav.latticeharbora.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807693/; classtype:trojan-activity;sid:84670793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807691)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807691/; classtype:trojan-activity;sid:84670791; rev:1;)
# Each rule below is an exact-URL indicator: HTTP GET, whole http.uri equal to
# the listed path (case-insensitive), whole http.host equal to the listed
# host. All are rev:1 and dated by metadata:created_at; the reference URL
# points at the URLhaus entry to consult for current status.
#
# Bare-IP entries: 59.97.181.179 (3807687, 3807686), 117.244.79.12 (3807685,
# 3807677) and 110.37.118.241 (3807691, 3807674) are each listed for both
# "/i" and "/bin.sh"; paired alerts from one client toward one address may
# belong to a single incident and can be triaged together.
#
# "/verification.google" entries are per host name under
# *.latticeharbora.in.net and *.apexharbinger.in.net; hosts under those
# parents that the feed does not list are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.53.147"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807692/; classtype:trojan-activity;sid:84670792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.197.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807690/; classtype:trojan-activity;sid:84670790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"travelwes.latticeharbora.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807689/; classtype:trojan-activity;sid:84670789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wswzw.latticeharbora.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807688/; classtype:trojan-activity;sid:84670788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.181.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807687/; classtype:trojan-activity;sid:84670787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.181.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807686/; classtype:trojan-activity;sid:84670786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.244.79.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807685/; classtype:trojan-activity;sid:84670785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"drawvall.latticeharbora.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807684/; classtype:trojan-activity;sid:84670784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.210.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807683/; classtype:trojan-activity;sid:84670783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.49.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807682/; classtype:trojan-activity;sid:84670782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vor-lineet.latticeharbora.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807681/; classtype:trojan-activity;sid:84670781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mz48d.apexharbinger.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807680/; classtype:trojan-activity;sid:84670780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807679/; classtype:trojan-activity;sid:84670779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.196.90.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807678/; classtype:trojan-activity;sid:84670778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807676/; classtype:trojan-activity;sid:84670776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.244.79.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807677/; classtype:trojan-activity;sid:84670777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807674/; classtype:trojan-activity;sid:84670774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807675/; classtype:trojan-activity;sid:84670775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807672)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"merfluxar8.apexharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807672/; classtype:trojan-activity;sid:84670772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pcep.apexharbinger.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807673/; classtype:trojan-activity;sid:84670773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"69hjs0.apexharbinger.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807671/; classtype:trojan-activity;sid:84670771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8042875554/abyf8rb.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807670/; classtype:trojan-activity;sid:84670770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.40.151.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807669/; classtype:trojan-activity;sid:84670769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"206.0.183.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807668/; classtype:trojan-activity;sid:84670768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807665/; classtype:trojan-activity;sid:84670765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.41.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807666/; classtype:trojan-activity;sid:84670766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"38.196.90.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807667/; classtype:trojan-activity;sid:84670767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807664/; classtype:trojan-activity;sid:84670764; rev:1;)
# URLhaus download-URL signatures, entries dated 2026_03_29, laid out one rule per line.
# NOTE(review): the line above and the last line of this span are pieces of rules that
# wrap across a line break in this copy; rejoin them before loading the file.
#
# Most rules in this span name files inside GitHub repositories. The host is either
# github.com or raw.githubusercontent.com, so the host match alone says nothing about
# maliciousness; the specificity comes from the URI, which must equal the listed string
# exactly (`depth` = content length, plus `endswith`; `nocase` on the URI only).
# Most archives are listed twice: github.com with ".../raw/refs/heads/<branch>/..." and
# raw.githubusercontent.com with ".../refs/heads/<branch>/...". The paired depth values
# differ by 4, the length of "/raw".
# Visibility caveat: these are `alert http` rules and both hosts are normally served
# over HTTPS, so they can only fire where the sensor sees the request in clear text.
# NOTE(review): confirm whether TLS inspection feeds this sensor; without it, rely on
# proxy or endpoint URL logs for these indicators.
# When triaging a hit, pivot on the account and repository path segments, since the same
# accounts recur across several entries (e.g. mondry1013, zorddddsd, shwegyi0000).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mondry1013/delta-menu-force-hack/refs/heads/main/tshi/delta-force-hack-menu-1.2.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807661/; classtype:trojan-activity;sid:84670761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lgwdtq.paragonprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807662/; classtype:trojan-activity;sid:84670762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sparrowpine.apexharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807663/; classtype:trojan-activity;sid:84670763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/komfuu0963/latency-minimizer/refs/heads/main/cloudward/minimizer_latency_3.5.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807659/; classtype:trojan-activity;sid:84670759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/komfuu0963/latency-minimizer/raw/refs/heads/main/cloudward/minimizer_latency_3.5.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807660/; classtype:trojan-activity;sid:84670760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dean12345644533/gamepulse-rawg-ml-api/refs/heads/main/sql/gamepulse_api_ml_rawg_v3.5.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807656/; classtype:trojan-activity;sid:84670756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zorddddsd/zorddddsd.github.io/refs/heads/main/anthribid/github-io-zorddddsd-3.6.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807657/; classtype:trojan-activity;sid:84670757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dean12345644533/gamepulse-rawg-ml-api/raw/refs/heads/main/sql/gamepulse_api_ml_rawg_v3.5.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807658/; classtype:trojan-activity;sid:84670758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zorddddsd/zorddddsd.github.io/raw/refs/heads/main/anthribid/github-io-zorddddsd-3.6.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807654/; classtype:trojan-activity;sid:84670754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanjingwei2026-maker/fps-ping-booster-new/raw/refs/heads/main/yusdrum/booster_fps_ping_new_v1.5.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807655/; classtype:trojan-activity;sid:84670755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonymss642/james-bond-quantum-of-solace-pc-fix-controller-support/refs/heads/main/build/obj/win32/debug/quantum-fix-of-controller-solace-bond-support-p-james-2.6.zip"; depth:167; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807643/; classtype:trojan-activity;sid:84670743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shwegyi0000/shwegyi0000.github.io/raw/refs/heads/main/unframed/shwegyi_github_io_3.0.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807644/; classtype:trojan-activity;sid:84670744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mondry1013/delta-menu-force-hack/raw/refs/heads/main/tshi/delta-force-hack-menu-1.2.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807645/; classtype:trojan-activity;sid:84670745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhoomagopala28/sd2-slus-move-editor/raw/refs/heads/master/assets/editor_sd_slus_move_1.7-alpha.1.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807646/; classtype:trojan-activity;sid:84670746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shwegyi0000/hytale2mc/raw/refs/heads/main/event-stream/src/main/mc_hytale_1.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807647/; classtype:trojan-activity;sid:84670747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zorddddsd/arcpass/raw/refs/heads/main/unharbored/pass-arc-centricae.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807648/; classtype:trojan-activity;sid:84670748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonymss642/james-bond-quantum-of-solace-pc-fix-controller-support/raw/refs/heads/main/build/obj/win32/debug/quantum-fix-of-controller-solace-bond-support-p-james-2.6.zip"; depth:171; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807649/; classtype:trojan-activity;sid:84670749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhoomagopala28/sd2-slus-move-editor/refs/heads/master/assets/editor_sd_slus_move_1.7-alpha.1.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807650/; classtype:trojan-activity;sid:84670750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"g51vxer.paragonprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807651/; classtype:trojan-activity;sid:84670751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/araykusuma/gaming-fix-hub-2026/raw/refs/heads/main/excitosecretory/hub-fix-gaming-3.4.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807652/; classtype:trojan-activity;sid:84670752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mondry1013/delta-menu-force-hack/raw/refs/heads/main/tshi/hack_force_delta_menu_2.1.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807653/; classtype:trojan-activity;sid:84670753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonymss642/anonymss642.github.io/raw/refs/heads/main/butterwort/github-io-anonymss-1.8.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807640/; classtype:trojan-activity;sid:84670740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shwegyi0000/shwegyi0000.github.io/refs/heads/main/unframed/shwegyi_github_io_3.0.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807641/; classtype:trojan-activity;sid:84670741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zorddddsd/arcpass/refs/heads/main/unharbored/pass-arc-centricae.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807642/; classtype:trojan-activity;sid:84670742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lanjingwei2026-maker/fps-ping-booster-new/refs/heads/main/yusdrum/booster_fps_ping_new_v1.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807639/; classtype:trojan-activity;sid:84670739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mondry1013/delta-menu-force-hack/refs/heads/main/tshi/hack_force_delta_menu_2.1.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807636/; classtype:trojan-activity;sid:84670736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shwegyi0000/hytale2mc/refs/heads/main/event-stream/src/main/mc_hytale_1.5.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807637/; classtype:trojan-activity;sid:84670737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807638)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/anonymss642/anonymss642.github.io/refs/heads/main/butterwort/github-io-anonymss-1.8.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807638/; classtype:trojan-activity;sid:84670738; rev:1;)
# URLhaus download-URL signatures, entries dated 2026_03_29, laid out one rule per line.
# NOTE(review): the line above and the last line of this span are pieces of rules that
# wrap across a line break in this copy; rejoin them before loading the file.
#
# Rule shape: established client-to-server flow, method GET, then http.uri and http.host
# each matched against one string. `depth` equals the string length and `endswith` /
# `isdataat:!1,relative` forbid trailing bytes, so both buffers must match in full.
# A different path on the same host, or the same path with a query string, does not
# alert, and a hit identifies one exact URL rather than a host or a repository.
#
# Rules naming github.com or raw.githubusercontent.com: the host is a shared platform,
# so scope any response to the URI (account / repository / file), never to the host.
# Both hosts are normally served over HTTPS and these are `alert http` rules, so they
# only fire where the sensor receives the request in clear text.
# NOTE(review): confirm TLS inspection coverage; otherwise match these URLs in proxy or
# endpoint logs instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.103.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807635/; classtype:trojan-activity;sid:84670735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/araykusuma/css/refs/heads/main/sarlak/software-v1.1.zip"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807634/; classtype:trojan-activity;sid:84670734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nate90911/dodhacks/refs/heads/main/dodhacks-module-src/microsoft/release.avx2/software-v2.6.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807620/; classtype:trojan-activity;sid:84670720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tanveermalik97/steam-badges-db/refs/heads/main/mogitocia/steam_badges_db_2.8.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807621/; classtype:trojan-activity;sid:84670721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/human172/rpg.game/raw/refs/heads/main/capocchia/game_rp_1.4-alpha.3.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807622/; classtype:trojan-activity;sid:84670722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tanveermalik97/steam-badges-db/raw/refs/heads/main/mogitocia/steam_badges_db_2.8.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807623/; classtype:trojan-activity;sid:84670723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/human172/rpg.game/refs/heads/main/capocchia/game_rp_1.4-alpha.3.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807624/; classtype:trojan-activity;sid:84670724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nate90911/dodhacks/raw/refs/heads/main/dodhacks-module-src/microsoft/release.avx2/software-v2.6.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807625/; classtype:trojan-activity;sid:84670725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gassny/nagakeymapper/raw/refs/heads/main/src/key_mapper_naga_1.5.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807626/; classtype:trojan-activity;sid:84670726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grahhhhh99/minivitatv/raw/refs/heads/main/dunch/vita_mini_tv_2.2.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807627/; classtype:trojan-activity;sid:84670727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gassny/nagakeymapper/refs/heads/main/src/key_mapper_naga_1.5.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807628/; classtype:trojan-activity;sid:84670728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mraflyaditya/hytale-server/raw/refs/heads/main/docs/en/server_hytale_2.9.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807629/; classtype:trojan-activity;sid:84670729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mraflyaditya/hytale-server/refs/heads/main/docs/en/server_hytale_2.9.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807630/; classtype:trojan-activity;sid:84670730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grahhhhh99/minivitatv/refs/heads/main/dunch/vita_mini_tv_2.2.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807631/; classtype:trojan-activity;sid:84670731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/araykusuma/gaming-fix-hub-2026/refs/heads/main/excitosecretory/hub-fix-gaming-3.4.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807632/; classtype:trojan-activity;sid:84670732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/araykusuma/css/raw/refs/heads/main/sarlak/software-v1.1.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807633/; classtype:trojan-activity;sid:84670733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.197.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807619/; classtype:trojan-activity;sid:84670719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solvale4a.paragonprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807618/; classtype:trojan-activity;sid:84670718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itsyxc/now.gg-roblox-in-browser/raw/refs/heads/main/turkomanic/browser-gg-roblox-in-now-1.8.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807616/; classtype:trojan-activity;sid:84670716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itsyxc/now.gg-roblox-in-browser/refs/heads/main/turkomanic/browser-gg-roblox-in-now-1.8.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807617/; classtype:trojan-activity;sid:84670717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807615/; classtype:trojan-activity;sid:84670715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"blenddense.paragonprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807614/; classtype:trojan-activity;sid:84670714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sharrend/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807613/; classtype:trojan-activity;sid:84670713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sharrend/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807612/;
classtype:trojan-activity;sid:84670712; rev:1;)
# URLhaus download-URL signatures, entries dated 2026_03_29, laid out one rule per line.
# NOTE(review): the line above and the last line of this span are pieces of rules that
# wrap across a line break in this copy; rejoin them before loading the file.
#
# Two indicator families appear below, both as exact matches on URI and host
# (`depth` = string length, with `endswith` on the URI and `isdataat:!1,relative` on
# the host):
#  - "/verification.google" on hosts under paragonprospera.in.net and
#    quantumpatronage.in.net. Each rule pins one fully-qualified name and the left-most
#    label differs per entry, so an unlisted sibling name raises no alert; hunting on
#    the parent names in DNS or proxy logs complements these rules.
#  - "/i" and "/bin.sh" on bare IPv4 hosts. 110.37.61.44 is listed here for "/bin.sh"
#    and elsewhere in the file for "/i", so the address is worth pivoting on.
# NOTE(review): IP-literal indicators can go stale when an address is reassigned;
# age them out using metadata:created_at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"noblebalan.paragonprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807611/; classtype:trojan-activity;sid:84670711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"b7vwxeo.paragonprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807610/; classtype:trojan-activity;sid:84670710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.128.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807609/; classtype:trojan-activity;sid:84670709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dz0ly973.quantumpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807608/; classtype:trojan-activity;sid:84670708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.113.156.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807607/; classtype:trojan-activity;sid:84670707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807606/; classtype:trojan-activity;sid:84670706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"impor-hinge.quantumpatronage.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807605/; classtype:trojan-activity;sid:84670705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.149.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807604/; classtype:trojan-activity;sid:84670704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.165.103.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807603/; classtype:trojan-activity;sid:84670703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3807602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.165.103.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807602/; classtype:trojan-activity;sid:84670702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.111.130.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807601/; classtype:trojan-activity;sid:84670701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vorcoreen8.quantumpatronage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807600/; classtype:trojan-activity;sid:84670700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.128.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807599/; classtype:trojan-activity;sid:84670699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.237.192.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807598/; 
classtype:trojan-activity;sid:84670698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.165.187.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807597/; classtype:trojan-activity;sid:84670697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"br0o-wave.quantumpatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807596/; classtype:trojan-activity;sid:84670696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.97.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807595/; classtype:trojan-activity;sid:84670695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.149.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807594/; classtype:trojan-activity;sid:84670694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"gidwwlm.quantumpatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807593/; classtype:trojan-activity;sid:84670693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.113.156.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807592/; classtype:trojan-activity;sid:84670692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quorvale2or.quantumpatronage.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807591/; classtype:trojan-activity;sid:84670691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sfjgv.momentumventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807590/; classtype:trojan-activity;sid:84670690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.226.127.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807589/; classtype:trojan-activity;sid:84670689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3807588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.237.192.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807588/; classtype:trojan-activity;sid:84670688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"visu-line.momentumventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807587/; classtype:trojan-activity;sid:84670687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.12.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807586/; classtype:trojan-activity;sid:84670686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.136.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807585/; classtype:trojan-activity;sid:84670685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fierter.momentumventurex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807584/; classtype:trojan-activity;sid:84670684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.45.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807583/; classtype:trojan-activity;sid:84670683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.193.170.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807582/; classtype:trojan-activity;sid:84670682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.242.20.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807581/; classtype:trojan-activity;sid:84670681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hpi496.momentumventurex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807580/; classtype:trojan-activity;sid:84670680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"114.226.127.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807579/; classtype:trojan-activity;sid:84670679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hlhni.momentumventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807578/; classtype:trojan-activity;sid:84670678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.45.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807577/; classtype:trojan-activity;sid:84670677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.1.26.99"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807576/; classtype:trojan-activity;sid:84670676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ytun75fm.momentumventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807575/; classtype:trojan-activity;sid:84670675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3807574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.97.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807574/; classtype:trojan-activity;sid:84670674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"019a.covenantpatronage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807573/; classtype:trojan-activity;sid:84670673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807572/; classtype:trojan-activity;sid:84670672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"velmarkon.covenantpatronage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807571/; classtype:trojan-activity;sid:84670671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.229.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807570/; 
classtype:trojan-activity;sid:84670670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gpkvcvl.covenantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807569/; classtype:trojan-activity;sid:84670669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807568/; classtype:trojan-activity;sid:84670668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.242.128.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807567/; classtype:trojan-activity;sid:84670667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.12.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807566/; classtype:trojan-activity;sid:84670666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.27.70"; 
depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807565/; classtype:trojan-activity;sid:84670665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.239.81.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807564/; classtype:trojan-activity;sid:84670664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.242.20.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807563/; classtype:trojan-activity;sid:84670663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.239.81.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807562/; classtype:trojan-activity;sid:84670662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"362fon24.covenantpatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807561/; classtype:trojan-activity;sid:84670661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807560)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"otzv.covenantpatronage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807560/; classtype:trojan-activity;sid:84670660; rev:1;)
# The line above is the tail of a rule that starts on the previous line of the
# file; the last line of this span is the head of a rule that continues on the
# next line.
#
# Every rule here is an exact indicator match: GET request, http.uri equal to
# the listed path (depth:N + endswith, path compared with nocase), http.host
# equal to the listed host (depth:N + isdataat:!1,relative). Being "alert http"
# rules, they see only HTTP that reaches Suricata in clear text; the same URL
# fetched inside TLS is invisible unless it is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807559/; classtype:trojan-activity;sid:84670659; rev:1;)
# NOTE(review): the file name in the next rule suggests a ScreenConnect client
# installer hosted on a b-cdn.net subdomain. When triaging a hit, check whether
# that remote-access tool is sanctioned in the environment - the rule itself
# only proves the exact host and path were requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screenconnect.clientsetup.msi"; depth:30; endswith; nocase; http.host; content:"fidels.b-cdn.net"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807556/; classtype:trojan-activity;sid:84670656; rev:1;)
# NOTE(review): every rule in this span whose path is "/wordpress%202026.zip"
# matches the literal text "%20" in http.uri, and depth:21 counts those three
# bytes. http.uri is Suricata's normalized URI buffer; if normalization decodes
# %20 to a space, the 21-byte literal cannot match and http.uri.raw would be
# the buffer to use. Verify with a test request before relying on these
# signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"ilonermailc.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807552/; classtype:trojan-activity;sid:84670652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"in-oman-liner.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807553/; classtype:trojan-activity;sid:84670653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/social-security_document_2025.exe"; depth:34; endswith; nocase; http.host; content:"pub-b4da4442f31f48e59847169454eb667a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807554/; classtype:trojan-activity;sid:84670654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/couture_logistics_online_packet_portal_2026.exe"; depth:48; endswith; nocase; http.host; content:"rigpacket.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807555/; classtype:trojan-activity;sid:84670655; rev:1;)
# Host 206.189.22.92 appears in five rules in this span: "/1.sh" below and four
# files under "/windyloveyou/" with what look like per-architecture suffixes
# (.mips, .arc, .x86, .i468). Only these listed names match; any other file on
# the same host raises no alert from these rules, so pivot on the host in flow
# or HTTP logs when investigating a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807546/; classtype:trojan-activity;sid:84670646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"hemailsendlin.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807547/; classtype:trojan-activity;sid:84670647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"hemailsendlin.org"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807548/; classtype:trojan-activity;sid:84670648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"ilonermailc.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807549/; classtype:trojan-activity;sid:84670649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"inomanliner.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807550/; classtype:trojan-activity;sid:84670650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress%202026.zip"; depth:21; endswith; nocase; http.host; content:"ilonermailc.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807551/; classtype:trojan-activity;sid:84670651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"46.203.233.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807545/; classtype:trojan-activity;sid:84670645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807542/; classtype:trojan-activity;sid:84670642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807543/; classtype:trojan-activity;sid:84670643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807544/; classtype:trojan-activity;sid:84670644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzms/zoomworkspace_jvivmy7g_installer.msi"; depth:42; endswith; nocase; http.host; content:"puremartbd.shop"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807541/; classtype:trojan-activity;sid:84670641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i468"; depth:24; endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807540/; classtype:trojan-activity;sid:84670640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.229.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807539/; classtype:trojan-activity;sid:84670639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"794kd31.covenantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807538/; classtype:trojan-activity;sid:84670638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ss86rj.latticeprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807537/; classtype:trojan-activity;sid:84670637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"massivepatte.latticeprospera.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807536/; classtype:trojan-activity;sid:84670636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3807535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.128.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807535/; classtype:trojan-activity;sid:84670635; rev:1;)
# --- Reviewer notes on the rules in this span (one rule per line below) ---
# Layout: Suricata reads a rule from a single line unless it is continued with a
# trailing backslash, so each rule is kept on its own line here. The first and
# last lines of this span are fragments of rules that start/end outside it.
# Match logic shared by every rule in this span:
#   - alert http $HOME_NET any -> $EXTERNAL_NET any with flow:established,from_client:
#     client-to-server requests, on traffic Suricata parses as HTTP, leaving HOME_NET.
#     Requests carried inside TLS are not inspected unless decrypted before the sensor.
#   - http.method content:"GET": other request methods do not alert.
#   - http.uri content with depth equal to the content length plus endswith: the
#     whole URI buffer must equal the string (nocase applies to this content), so
#     the same path with a query string or an extra segment does not alert.
#   - http.host content with depth equal to the content length plus
#     isdataat:!1,relative: the host buffer must equal the listed name/IP exactly.
#     NOTE(review): whether a Host header carrying an explicit port still matches
#     depends on how the engine fills http.host -- confirm on the deployed version.
# Triage: sid = URLhaus id + 80863100 throughout this span, and the reference URL
# holds the entry's current status. metadata:created_at is 2026_03_29 for every
# rule here; IP-based indicators can go stale, so check the reference before
# turning an alert into a block.
#
# Rules with URI /verification.google (interleaved through this span): each pins
# one exact hostname, and the span lists many sibling subdomains under a few
# in.net parents (latticeprospera, radiantharbinger, zenithventurex, ironvale,
# cr0wnfern, mosslark, foxwhirl, stormcove, n1ghtbloom, quillridge). Sibling
# hostnames absent from the feed will not alert; when one of these fires, a
# proxy/DNS log search on the parent domain or on the URI is a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pingla.latticeprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807534/; classtype:trojan-activity;sid:84670634; rev:1;)
# Rules with URI /i or /bin.sh: very short exact URIs tied to a bare IP in
# http.host. Several IPs appear twice in this span, once per path
# (e.g. 204.137.166.139, 110.36.15.18); correlate such hits as one source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"204.137.166.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807533/; classtype:trojan-activity;sid:84670633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vzf6.latticeprospera.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807532/; classtype:trojan-activity;sid:84670632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.149.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807531/; classtype:trojan-activity;sid:84670631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"warm-grid.latticeprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807530/; classtype:trojan-activity;sid:84670630; rev:1;)
# Only rule in this span whose URI is an executable file path; the same
# exact-URI and exact-host matching applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6849343518/kyapj4e.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807529/; classtype:trojan-activity;sid:84670629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"binsap.latticeprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807528/; classtype:trojan-activity;sid:84670628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"204.137.166.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807527/; classtype:trojan-activity;sid:84670627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rybfb.radiantharbinger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807526/; classtype:trojan-activity;sid:84670626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.55.64.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807525/; classtype:trojan-activity;sid:84670625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"plassplit.radiantharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807524/; classtype:trojan-activity;sid:84670624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyper-tr4cke.radiantharbinger.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807523/; classtype:trojan-activity;sid:84670623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sparr04-path.radiantharbinger.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807522/; classtype:trojan-activity;sid:84670622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gloscarrie.radiantharbinger.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807521/; classtype:trojan-activity;sid:84670621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"8aij4a.radiantharbinger.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807520/; classtype:trojan-activity;sid:84670620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807518/; classtype:trojan-activity;sid:84670618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"1earn-scope.zenithventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807519/; classtype:trojan-activity;sid:84670619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807517/; classtype:trojan-activity;sid:84670617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.247.209.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807516/; classtype:trojan-activity;sid:84670616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"p4yl-phase.zenithventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807515/; classtype:trojan-activity;sid:84670615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"microbecip.zenithventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807514/; classtype:trojan-activity;sid:84670614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumvale4en.zenithventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807513/; classtype:trojan-activity;sid:84670613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807512/; classtype:trojan-activity;sid:84670612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tri-crestar.zenithventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807511/; classtype:trojan-activity;sid:84670611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.57.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807510/; classtype:trojan-activity;sid:84670610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.180.186.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807509/; classtype:trojan-activity;sid:84670609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkspireix.zenithventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807508/; classtype:trojan-activity;sid:84670608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vor-crestex.ironvale.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807507/; classtype:trojan-activity;sid:84670607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.193.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807506/; classtype:trojan-activity;sid:84670606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brandpale.ironvale.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807505/; classtype:trojan-activity;sid:84670605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"0colppvc.ironvale.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807504/; classtype:trojan-activity;sid:84670604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807503/; classtype:trojan-activity;sid:84670603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nor-lithor.cr0wnfern.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807502/; classtype:trojan-activity;sid:84670602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.57.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807501/; classtype:trojan-activity;sid:84670601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mof4x8.cr0wnfern.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807500/; classtype:trojan-activity;sid:84670600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dynmarkon.cr0wnfern.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807499/; classtype:trojan-activity;sid:84670599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.252.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807498/; classtype:trojan-activity;sid:84670598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.73.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807496/; classtype:trojan-activity;sid:84670596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.225.225.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807497/; classtype:trojan-activity;sid:84670597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.11.172.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807495/; classtype:trojan-activity;sid:84670595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spruc39-dock.cr0wnfern.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807494/; classtype:trojan-activity;sid:84670594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"storefield.cr0wnfern.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807493/; classtype:trojan-activity;sid:84670593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.35.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807492/; classtype:trojan-activity;sid:84670592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alignaudio.mosslark.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807491/; classtype:trojan-activity;sid:84670591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.11.172.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807490/; classtype:trojan-activity;sid:84670590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fabv2b.mosslark.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807489/; classtype:trojan-activity;sid:84670589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.225.225.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807488/; classtype:trojan-activity;sid:84670588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"brigh-orche.mosslark.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807487/; classtype:trojan-activity;sid:84670587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807486/; classtype:trojan-activity;sid:84670586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.125.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807485/; classtype:trojan-activity;sid:84670585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"authcraft.mosslark.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807484/; classtype:trojan-activity;sid:84670584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.171.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807483/; classtype:trojan-activity;sid:84670583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.185.34.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807482/; classtype:trojan-activity;sid:84670582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"icegri.mosslark.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807481/; classtype:trojan-activity;sid:84670581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wint-node.foxwhirl.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807480/; classtype:trojan-activity;sid:84670580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.98.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807479/; classtype:trojan-activity;sid:84670579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.185.34.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807478/; classtype:trojan-activity;sid:84670578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.73.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807477/; classtype:trojan-activity;sid:84670577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.140.191.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807476/; classtype:trojan-activity;sid:84670576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"azuregrowth.foxwhirl.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807475/; classtype:trojan-activity;sid:84670575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807474/; classtype:trojan-activity;sid:84670574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.171.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807473/; classtype:trojan-activity;sid:84670573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.125.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807472/; classtype:trojan-activity;sid:84670572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807471/; classtype:trojan-activity;sid:84670571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"oohdvj.foxwhirl.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807470/; classtype:trojan-activity;sid:84670570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"0dxtenvl.foxwhirl.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807469/; classtype:trojan-activity;sid:84670569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.223.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807468/; classtype:trojan-activity;sid:84670568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"raven-core.foxwhirl.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807467/; classtype:trojan-activity;sid:84670567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"norspireen5.stormcove.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807466/; classtype:trojan-activity;sid:84670566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.250.16.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807464/; classtype:trojan-activity;sid:84670564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807465/; classtype:trojan-activity;sid:84670565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.250.16.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807463/; classtype:trojan-activity;sid:84670563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.234.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807462/; classtype:trojan-activity;sid:84670562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.35.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807461/; classtype:trojan-activity;sid:84670561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qu1c-mesh.stormcove.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807460/; classtype:trojan-activity;sid:84670560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.73.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807459/; classtype:trojan-activity;sid:84670559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ahbn5c.stormcove.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807458/; classtype:trojan-activity;sid:84670558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quorfluxet.stormcove.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807457/; classtype:trojan-activity;sid:84670557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.89.65.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807456/; classtype:trojan-activity;sid:84670556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.89.65.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807455/; classtype:trojan-activity;sid:84670555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.206.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807453/; classtype:trojan-activity;sid:84670553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.88.234.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807454/; classtype:trojan-activity;sid:84670554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"woodspeci.stormcove.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807452/; classtype:trojan-activity;sid:84670552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807451/; classtype:trojan-activity;sid:84670551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arnb3r-line.n1ghtbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807450/; classtype:trojan-activity;sid:84670550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"import-loop.n1ghtbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807449/; classtype:trojan-activity;sid:84670549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.202.189.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807448/; classtype:trojan-activity;sid:84670548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.151.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807447/; classtype:trojan-activity;sid:84670547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"geyserclient.n1ghtbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807446/; classtype:trojan-activity;sid:84670546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.102.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807445/; classtype:trojan-activity;sid:84670545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.32.230"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807444/; classtype:trojan-activity;sid:84670544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.187.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807443/; classtype:trojan-activity;sid:84670543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.19.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807442/; classtype:trojan-activity;sid:84670542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wlikkfq.n1ghtbloom.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807441/; classtype:trojan-activity;sid:84670541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trustedotter.n1ghtbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807440/; classtype:trojan-activity;sid:84670540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.194.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807439/; classtype:trojan-activity;sid:84670539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"r9y47.quillridge.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_29; 
reference:url, urlhaus.abuse.ch/url/3807438/; classtype:trojan-activity;sid:84670538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.101.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807437/; classtype:trojan-activity;sid:84670537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.202.189.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807436/; classtype:trojan-activity;sid:84670536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.102.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807435/; classtype:trojan-activity;sid:84670535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shadowdispatch.quillridge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807434/; classtype:trojan-activity;sid:84670534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"42.59.114.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807433/; classtype:trojan-activity;sid:84670533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.19.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807432/; classtype:trojan-activity;sid:84670532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"processblo.quillridge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807431/; classtype:trojan-activity;sid:84670531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.32.230"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807430/; classtype:trojan-activity;sid:84670530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.214.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807429/; classtype:trojan-activity;sid:84670529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807428)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"manif-graph.quillridge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807428/; classtype:trojan-activity;sid:84670528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.207.203.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807427/; classtype:trojan-activity;sid:84670527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.194.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807426/; classtype:trojan-activity;sid:84670526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.253.151.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807424/; classtype:trojan-activity;sid:84670524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"torren5-plate.quillridge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807425/; 
classtype:trojan-activity;sid:84670525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.11.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807423/; classtype:trojan-activity;sid:84670523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkvenum2.silvermuse.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807422/; classtype:trojan-activity;sid:84670522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.101.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807421/; classtype:trojan-activity;sid:84670521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"my07cfit.silvermuse.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807420/; classtype:trojan-activity;sid:84670520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.106.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807419/; classtype:trojan-activity;sid:84670519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.214.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807418/; classtype:trojan-activity;sid:84670518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gzcj.silvermuse.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807417/; classtype:trojan-activity;sid:84670517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.35.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807416/; classtype:trojan-activity;sid:84670516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.172.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807415/; classtype:trojan-activity;sid:84670515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807414)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"solarcres.si1vermuse.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807414/; classtype:trojan-activity;sid:84670514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.240.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807413/; classtype:trojan-activity;sid:84670513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.253.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807412/; classtype:trojan-activity;sid:84670512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.173.199.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807411/; classtype:trojan-activity;sid:84670511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"silve-scale.si1vermuse.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807410/; 
classtype:trojan-activity;sid:84670510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.172.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807409/; classtype:trojan-activity;sid:84670509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807408/; classtype:trojan-activity;sid:84670508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.98.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807407/; classtype:trojan-activity;sid:84670507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"merfluxen2.si1vermuse.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807406/; classtype:trojan-activity;sid:84670506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.240.197"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807405/; classtype:trojan-activity;sid:84670505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.50.70.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807403/; classtype:trojan-activity;sid:84670503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.50.70.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807404/; classtype:trojan-activity;sid:84670504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.38.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807402/; classtype:trojan-activity;sid:84670502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807401/; classtype:trojan-activity;sid:84670501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807400)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"densrunw.vertexharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807400/; classtype:trojan-activity;sid:84670500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.200.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807399/; classtype:trojan-activity;sid:84670499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.4.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807398/; classtype:trojan-activity;sid:84670498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"k3rne8-phase.luminousventurex.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807397/; classtype:trojan-activity;sid:84670497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.4.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807396/; classtype:trojan-activity;sid:84670496; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.37.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807395/; classtype:trojan-activity;sid:84670495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807394/; classtype:trojan-activity;sid:84670494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"jk6kmhz.luminousventurex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807393/; classtype:trojan-activity;sid:84670493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.37.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807392/; classtype:trojan-activity;sid:84670492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.38.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807391/; classtype:trojan-activity;sid:84670491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.173.199.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807390/; classtype:trojan-activity;sid:84670490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.43.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807389/; classtype:trojan-activity;sid:84670489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"icfsj.keystonepatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807388/; classtype:trojan-activity;sid:84670488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.79.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807387/; classtype:trojan-activity;sid:84670487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"219.155.200.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807386/; classtype:trojan-activity;sid:84670486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"1nsight-route.keystonepatronage.in.net"; depth:38; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807385/; classtype:trojan-activity;sid:84670485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cap1ta-flow.spectrumprospera.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807384/; classtype:trojan-activity;sid:84670484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dr80gbyv.spectrumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807383/; classtype:trojan-activity;sid:84670483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.91.152"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807382/; classtype:trojan-activity;sid:84670482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tensor-line.paragonharbinger.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807381/; classtype:trojan-activity;sid:84670481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.91.152"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807380/; classtype:trojan-activity;sid:84670480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.43.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807379/; classtype:trojan-activity;sid:84670479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.49.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807377/; classtype:trojan-activity;sid:84670477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.102.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807378/; classtype:trojan-activity;sid:84670478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807376/; classtype:trojan-activity;sid:84670476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rave-branch.paragonharbinger.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807375/; classtype:trojan-activity;sid:84670475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.194.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807374/; classtype:trojan-activity;sid:84670474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"islelaunch.quantumventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807373/; classtype:trojan-activity;sid:84670473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"221.15.16.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807372/; classtype:trojan-activity;sid:84670472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"du5k-cast.quantumventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807371/; classtype:trojan-activity;sid:84670471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.200.15.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807370/; classtype:trojan-activity;sid:84670470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.69.103"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807369/; classtype:trojan-activity;sid:84670469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sol-lithos.nexusprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807368/; classtype:trojan-activity;sid:84670468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.102.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807367/; classtype:trojan-activity;sid:84670467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spk77w.nexusprospera.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807366/; classtype:trojan-activity;sid:84670466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.192.37.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807365/; classtype:trojan-activity;sid:84670465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7903503838/7k3hpxa.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807364/; classtype:trojan-activity;sid:84670464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.194.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; 
reference:url, urlhaus.abuse.ch/url/3807363/; classtype:trojan-activity;sid:84670463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wgnh.vectorpatronage.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807362/; classtype:trojan-activity;sid:84670462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.206.108.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807361/; classtype:trojan-activity;sid:84670461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.16.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807360/; classtype:trojan-activity;sid:84670460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"1ukqsofb.vectorpatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807359/; classtype:trojan-activity;sid:84670459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807358)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"grasand.momentumprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807358/; classtype:trojan-activity;sid:84670458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.69.103"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807357/; classtype:trojan-activity;sid:84670457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.206.108.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807356/; classtype:trojan-activity;sid:84670456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyper-opt1.momentumprospera.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807355/; classtype:trojan-activity;sid:84670455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"loadmatr.apexventurex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807354/; classtype:trojan-activity;sid:84670454; rev:1;) 
# Reviewer notes for the generated URLhaus rules in this part of the file (one rule per reported URL):
# - Match logic: in http.uri, content + depth:<length> + endswith pins the whole normalized URI to the
#   listed path (case-insensitive via nocase); in http.host, content + depth:<length> +
#   isdataat:!1,relative pins the whole host value. A different subdomain, an extra path segment or an
#   appended query string does not match.
# - Scope: flow:established,from_client with $HOME_NET -> $EXTERNAL_NET means the alert fires on the
#   outbound GET request itself. It shows that an internal host asked for the URL, not that a payload
#   was delivered or run; confirm with the HTTP response and endpoint telemetry during triage.
# - Coverage: these are cleartext-HTTP rules and depend on HOME_NET/EXTERNAL_NET being set correctly;
#   the same URL fetched over TLS is only visible if traffic is decrypted before the sensor.
# - Many entries pair the path "/verification.google" with differing subdomains of a few *.in.net
#   parent domains. The exact-host match covers only the subdomains already reported; presumably the
#   hosts are related (verify against the reference URLs), so DNS/proxy log review on the parent
#   domains complements these rules.
# - IP-literal hosts age quickly: metadata:created_at is the date the entry was added, so keep the
#   ruleset refreshed and check the reference URL for the current status before acting on an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pitchreed.apexventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807353/; classtype:trojan-activity;sid:84670453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"compi-vault.covenantprospera.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807352/; classtype:trojan-activity;sid:84670452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.63.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807351/; classtype:trojan-activity;sid:84670451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"reviewglyph.covenantprospera.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807350/; classtype:trojan-activity;sid:84670450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; 
http.host; content:"apgjh.latticeharbinger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807349/; classtype:trojan-activity;sid:84670449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.41.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807348/; classtype:trojan-activity;sid:84670448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.81.38.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807347/; classtype:trojan-activity;sid:84670447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lfgs.latticeharbinger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807346/; classtype:trojan-activity;sid:84670446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rende-trig.radiantpatronage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807345/; classtype:trojan-activity;sid:84670445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3807344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cliencampa.radiantpatronage.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807344/; classtype:trojan-activity;sid:84670444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.63.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807343/; classtype:trojan-activity;sid:84670443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.81.38.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807342/; classtype:trojan-activity;sid:84670442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807341/; classtype:trojan-activity;sid:84670441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"binarydelive.zenithprospera.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_29; 
reference:url, urlhaus.abuse.ch/url/3807340/; classtype:trojan-activity;sid:84670440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.1.194.130"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807339/; classtype:trojan-activity;sid:84670439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proto-wi1d.zenithprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807338/; classtype:trojan-activity;sid:84670438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807337/; classtype:trojan-activity;sid:84670437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.vertexharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807336/; classtype:trojan-activity;sid:84670436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807335)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.246.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807335/; classtype:trojan-activity;sid:84670435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.vertexharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807334/; classtype:trojan-activity;sid:84670434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.241.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807333/; classtype:trojan-activity;sid:84670433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.vertexharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807332/; classtype:trojan-activity;sid:84670432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.221.25.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807331/; classtype:trojan-activity;sid:84670431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3807330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.1.194.130"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807330/; classtype:trojan-activity;sid:84670430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.vertexharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807329/; classtype:trojan-activity;sid:84670429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.105.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807328/; classtype:trojan-activity;sid:84670428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.51.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807327/; classtype:trojan-activity;sid:84670427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.221.25.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807326/; classtype:trojan-activity;sid:84670426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.51.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807325/; classtype:trojan-activity;sid:84670425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.luminousventurex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807324/; classtype:trojan-activity;sid:84670424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.luminousventurex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807323/; classtype:trojan-activity;sid:84670423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.luminousventurex.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807322/; classtype:trojan-activity;sid:84670422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807320)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807320/; classtype:trojan-activity;sid:84670420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.95.8.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807321/; classtype:trojan-activity;sid:84670421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.208.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807319/; classtype:trojan-activity;sid:84670419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.luminousventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807318/; classtype:trojan-activity;sid:84670418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.113.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807316/; classtype:trojan-activity;sid:84670416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3807317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.0.98.134"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807317/; classtype:trojan-activity;sid:84670417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.keystonepatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807315/; classtype:trojan-activity;sid:84670415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.220.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807314/; classtype:trojan-activity;sid:84670414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.27.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807313/; classtype:trojan-activity;sid:84670413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.keystonepatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 
2026_03_29; reference:url, urlhaus.abuse.ch/url/3807312/; classtype:trojan-activity;sid:84670412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.keystonepatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807311/; classtype:trojan-activity;sid:84670411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.keystonepatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807310/; classtype:trojan-activity;sid:84670410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.208.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807309/; classtype:trojan-activity;sid:84670409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4static.spectrumprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807308/; classtype:trojan-activity;sid:84670408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807307)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3edge.spectrumprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807307/; classtype:trojan-activity;sid:84670407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.220.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807306/; classtype:trojan-activity;sid:84670406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2data.spectrumprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807305/; classtype:trojan-activity;sid:84670405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807304/; classtype:trojan-activity;sid:84670404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1sync.spectrumprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, 
urlhaus.abuse.ch/url/3807303/; classtype:trojan-activity;sid:84670403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.paragonharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807302/; classtype:trojan-activity;sid:84670402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.62.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807301/; classtype:trojan-activity;sid:84670401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.paragonharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807300/; classtype:trojan-activity;sid:84670400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.248.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807299/; classtype:trojan-activity;sid:84670399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"182.126.113.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807298/; classtype:trojan-activity;sid:84670398; rev:1;)
# Reviewer notes. The line above and the last line of this span are pieces of rules whose
# other half lies outside the span; they are left exactly as found.
#
# Shape shared by every rule below:
#   * alert http $HOME_NET -> $EXTERNAL_NET with flow:established,from_client and
#     http.method "GET": only outbound GET requests on established flows are inspected.
#   * http.uri: depth:<n> confines the content to the first n bytes and endswith requires
#     the buffer to end there, so the URI has to equal the listed path (nocase: any case).
#   * http.host: depth:<n> plus isdataat:!1,relative (no byte after the match) makes the
#     host comparison exact as well.
#   * The number in msg and in reference is the URLhaus entry id; sid is unique per rule.
# Coverage caveats a deployer should keep in mind:
#   * The same path requested with a query string appended, or over TLS that the sensor
#     does not decrypt, does not alert. NOTE(review): pair these rules with DNS, TLS SNI
#     or proxy-log matching on the same hosts if that gap matters in your environment.
#   * An alert means a client asked for a listed URL, not that a payload was delivered;
#     check the response and the reference page during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.paragonharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807297/; classtype:trojan-activity;sid:84670397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.177.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807296/; classtype:trojan-activity;sid:84670396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807295/; classtype:trojan-activity;sid:84670395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.paragonharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807294/; classtype:trojan-activity;sid:84670394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.quantumventurex.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807293/; classtype:trojan-activity;sid:84670393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.quantumventurex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807292/; classtype:trojan-activity;sid:84670392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807291/; classtype:trojan-activity;sid:84670391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.248.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807290/; classtype:trojan-activity;sid:84670390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.quantumventurex.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807289/; classtype:trojan-activity;sid:84670389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.113.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807288/; classtype:trojan-activity;sid:84670388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.quantumventurex.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807287/; classtype:trojan-activity;sid:84670387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.nexusprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807286/; classtype:trojan-activity;sid:84670386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.11.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807285/; classtype:trojan-activity;sid:84670385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.nexusprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807284/; classtype:trojan-activity;sid:84670384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.109.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807283/; classtype:trojan-activity;sid:84670383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.32.111.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807282/; classtype:trojan-activity;sid:84670382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.147.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807281/; classtype:trojan-activity;sid:84670381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.nexusprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807280/; classtype:trojan-activity;sid:84670380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.32.111.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807279/; classtype:trojan-activity;sid:84670379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.nexusprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807278/; classtype:trojan-activity;sid:84670378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/3ufj4lc.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807277/; classtype:trojan-activity;sid:84670377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.vectorpatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807276/; classtype:trojan-activity;sid:84670376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.vectorpatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807275/; classtype:trojan-activity;sid:84670375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.147.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807274/; classtype:trojan-activity;sid:84670374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.156.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807273/; classtype:trojan-activity;sid:84670373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.vectorpatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807272/; classtype:trojan-activity;sid:84670372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.172.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807271/; classtype:trojan-activity;sid:84670371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.vectorpatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807270/; classtype:trojan-activity;sid:84670370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.momentumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807269/; classtype:trojan-activity;sid:84670369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.momentumprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807268/; classtype:trojan-activity;sid:84670368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.momentumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807267/; classtype:trojan-activity;sid:84670367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8042875554/v5vvpk2.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative;
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807266/; classtype:trojan-activity;sid:84670366; rev:1;)
# Reviewer notes. The line above and the last line of this span are halves of rules that
# continue outside the span; they are left exactly as found.
#
# Each rule below alerts on an outbound HTTP GET whose URI and Host both equal the listed
# strings exactly (depth + endswith on http.uri; depth + isdataat:!1,relative on
# http.host).
#
# Pattern visible in this span: many entries share the path "/verification.google" and
# differ only in the host, which is a numbered label (svc1..4, dev1..4, cl1..4, ext1..4,
# each followed by a word) under a handful of *.in.net parents: apexventurex,
# covenantprospera, latticeharbinger, radiantpatronage, momentumprospera.
# NOTE(review): this looks like generated naming; presumably further labels exist that
# the feed has not listed, and the exact-host match means they would not alert. Worth
# confirming against the reference pages, and worth a retrospective search of proxy and
# DNS logs for the parent domains and for the path itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.momentumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807265/; classtype:trojan-activity;sid:84670365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.apexventurex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807264/; classtype:trojan-activity;sid:84670364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807263/; classtype:trojan-activity;sid:84670363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.apexventurex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807260/; classtype:trojan-activity;sid:84670360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.177.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807261/; classtype:trojan-activity;sid:84670361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.200.208.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807262/; classtype:trojan-activity;sid:84670362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.239.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807259/; classtype:trojan-activity;sid:84670359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.apexventurex.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807258/; classtype:trojan-activity;sid:84670358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.apexventurex.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807257/; classtype:trojan-activity;sid:84670357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.covenantprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807256/; classtype:trojan-activity;sid:84670356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.covenantprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807255/; classtype:trojan-activity;sid:84670355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.239.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807254/; classtype:trojan-activity;sid:84670354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.91.172.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807253/; classtype:trojan-activity;sid:84670353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.covenantprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807252/; classtype:trojan-activity;sid:84670352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.62.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807251/; classtype:trojan-activity;sid:84670351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.covenantprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807250/; classtype:trojan-activity;sid:84670350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.237.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807248/; classtype:trojan-activity;sid:84670348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.253.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807249/; classtype:trojan-activity;sid:84670349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.latticeharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807247/; classtype:trojan-activity;sid:84670347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807246/; classtype:trojan-activity;sid:84670346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.latticeharbinger.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807245/; classtype:trojan-activity;sid:84670345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.latticeharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807244/; classtype:trojan-activity;sid:84670344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.latticeharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807243/; classtype:trojan-activity;sid:84670343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.237.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807242/; classtype:trojan-activity;sid:84670342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.223.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807241/; classtype:trojan-activity;sid:84670341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.radiantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807240/; classtype:trojan-activity;sid:84670340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.91.172.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807239/; classtype:trojan-activity;sid:84670339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807238/; classtype:trojan-activity;sid:84670338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.radiantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807237/; classtype:trojan-activity;sid:84670337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.38.51.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807236/; classtype:trojan-activity;sid:84670336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.radiantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807235/; classtype:trojan-activity;sid:84670335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.radiantpatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807234/;
classtype:trojan-activity;sid:84670334; rev:1;)
# Reviewer notes. The line above and the last line of this span are pieces of rules that
# continue outside the span; they are left exactly as found.
#
# Each rule below alerts on an outbound HTTP GET whose URI and Host both equal the listed
# strings exactly (depth + endswith on http.uri; depth + isdataat:!1,relative on
# http.host).
#
# Observations in this span:
#   * Hosts given as IPv4 literals are paired with the short paths "/i" and "/bin.sh",
#     and several addresses appear under both paths (42.236.213.216, 110.37.35.235,
#     60.19.7.73, 113.221.24.138). There is one entry and one sid per URL, so a single
#     host can raise two different sids.
#   * 85.239.147.6 is listed with two different "/files/<digits>/<name>.exe" paths here;
#     because the URI match is exact, other file names on that host do not alert.
#   * created_at is the only age information carried in a rule. NOTE(review):
#     address-based indicators can go stale; confirm the entry's current status at the
#     reference URL before treating an alert as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.35.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807232/; classtype:trojan-activity;sid:84670332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.213.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807233/; classtype:trojan-activity;sid:84670333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.zenithprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807231/; classtype:trojan-activity;sid:84670331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.3.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807230/; classtype:trojan-activity;sid:84670330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"92.38.51.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807229/; classtype:trojan-activity;sid:84670329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.zenithprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807228/; classtype:trojan-activity;sid:84670328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807227/; classtype:trojan-activity;sid:84670327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.zenithprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807226/; classtype:trojan-activity;sid:84670326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.zenithprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807225/; classtype:trojan-activity;sid:84670325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.213.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807224/; classtype:trojan-activity;sid:84670324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.35.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807222/; classtype:trojan-activity;sid:84670322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.7.73"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807223/; classtype:trojan-activity;sid:84670323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.6.55"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807221/; classtype:trojan-activity;sid:84670321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.authenticoperation.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807220/; classtype:trojan-activity;sid:84670320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.7.73"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807219/; classtype:trojan-activity;sid:84670319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.authenticoperation.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807218/; classtype:trojan-activity;sid:84670318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7260582679/3aqabyf.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807217/; classtype:trojan-activity;sid:84670317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.authenticoperation.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807216/; classtype:trojan-activity;sid:84670316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.authenticoperation.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807215/; classtype:trojan-activity;sid:84670315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.fundamentaldivision.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807214/; classtype:trojan-activity;sid:84670314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.24.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807213/; classtype:trojan-activity;sid:84670313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.fundamentaldivision.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807212/; classtype:trojan-activity;sid:84670312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.163.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807210/; classtype:trojan-activity;sid:84670310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.fundamentaldivision.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807211/; classtype:trojan-activity;sid:84670311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.permanentancillary.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807209/; classtype:trojan-activity;sid:84670309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7359455182/gqzs5no.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807208/; classtype:trojan-activity;sid:84670308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.permanentancillary.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807207/; classtype:trojan-activity;sid:84670307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.permanentancillary.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807206/; classtype:trojan-activity;sid:84670306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.178.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807205/; classtype:trojan-activity;sid:84670305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.24.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807204/; classtype:trojan-activity;sid:84670304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.permanentancillary.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807203/; classtype:trojan-activity;sid:84670303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807202/; classtype:trojan-activity;sid:84670302; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.163.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807201/; classtype:trojan-activity;sid:84670301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.ubiquitousfoundry.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807200/; classtype:trojan-activity;sid:84670300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.109.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807199/; classtype:trojan-activity;sid:84670299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.ubiquitousfoundry.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807198/; classtype:trojan-activity;sid:84670298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.178.96"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807197/; classtype:trojan-activity;sid:84670297; rev:1;)
# Rule shape used throughout this feed: alert on an established client-to-server HTTP GET
# from $HOME_NET to $EXTERNAL_NET. The http.uri content carries depth equal to its own
# length plus endswith, so the URI must equal the string (case-insensitively, via nocase).
# The http.host content carries depth equal to its length plus isdataat:!1,relative, so
# nothing may follow the host name in that buffer.
#
# NOTE(review): sid 84670296 - the http.uri content decodes to 38 bytes (each |xx| group is
# a single byte), but depth is 53, which is the length of the escaped string. The neighbouring
# rules set depth to the decoded content length; here the start anchor is loose, so a URI of
# up to 53 bytes that merely ends with this pattern also matches.
# The |7c|26|7c| groups match the literal bytes "|26|". If the listed URL actually contains
# "&" (0x26), the pattern looks double-escaped and would not match it - TODO confirm against
# the URLhaus entry referenced in the rule. Worth reporting to the feed maintainer; a local
# edit would be lost on the next ruleset refresh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=myjgoqngwivrlfsa"; depth:53; endswith; nocase; http.host; content:"5eed8sf5.covenantventure.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807196/; classtype:trojan-activity;sid:84670296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.ubiquitousfoundry.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807195/; classtype:trojan-activity;sid:84670295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.ubiquitousfoundry.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807194/; classtype:trojan-activity;sid:84670294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.resonantcommercial.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807193/; classtype:trojan-activity;sid:84670293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3807192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807192/; classtype:trojan-activity;sid:84670292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.resonantcommercial.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807191/; classtype:trojan-activity;sid:84670291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.241.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807190/; classtype:trojan-activity;sid:84670290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.108.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807189/; classtype:trojan-activity;sid:84670289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.resonantcommercial.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 
2026_03_28; reference:url, urlhaus.abuse.ch/url/3807188/; classtype:trojan-activity;sid:84670288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.241.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807187/; classtype:trojan-activity;sid:84670287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.211.209.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807185/; classtype:trojan-activity;sid:84670285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.108.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807186/; classtype:trojan-activity;sid:84670286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.220.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807183/; classtype:trojan-activity;sid:84670283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"180.115.166.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807184/; classtype:trojan-activity;sid:84670284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.41.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807182/; classtype:trojan-activity;sid:84670282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.resonantcommercial.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807181/; classtype:trojan-activity;sid:84670281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.196.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807180/; classtype:trojan-activity;sid:84670280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.absolutecontinuity.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807179/; classtype:trojan-activity;sid:84670279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3807177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.219.74.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807177/; classtype:trojan-activity;sid:84670277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.228.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807178/; classtype:trojan-activity;sid:84670278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.absolutecontinuity.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807176/; classtype:trojan-activity;sid:84670276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.219.74.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807175/; classtype:trojan-activity;sid:84670275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.absolutecontinuity.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, 
urlhaus.abuse.ch/url/3807174/; classtype:trojan-activity;sid:84670274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.208.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807173/; classtype:trojan-activity;sid:84670273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.absolutecontinuity.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807172/; classtype:trojan-activity;sid:84670272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.manifestdelivery.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807171/; classtype:trojan-activity;sid:84670271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.manifestdelivery.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807170/; classtype:trojan-activity;sid:84670270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807169)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.manifestdelivery.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807169/; classtype:trojan-activity;sid:84670269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.manifestdelivery.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807168/; classtype:trojan-activity;sid:84670268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.92.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807167/; classtype:trojan-activity;sid:84670267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.sovereignprotocol.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807166/; classtype:trojan-activity;sid:84670266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.208.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807165/; 
classtype:trojan-activity;sid:84670265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.sovereignprotocol.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807164/; classtype:trojan-activity;sid:84670264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.sovereignprotocol.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807163/; classtype:trojan-activity;sid:84670263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.212.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807162/; classtype:trojan-activity;sid:84670262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.sovereignprotocol.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807161/; classtype:trojan-activity;sid:84670261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807160)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.intrinsiclogistics.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807160/; classtype:trojan-activity;sid:84670260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.35.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807159/; classtype:trojan-activity;sid:84670259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.intrinsiclogistics.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807158/; classtype:trojan-activity;sid:84670258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.intrinsiclogistics.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807157/; classtype:trojan-activity;sid:84670257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.intrinsiclogistics.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807156/; 
classtype:trojan-activity;sid:84670256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mips"; depth:13; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807154/; classtype:trojan-activity;sid:84670254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm7"; depth:13; endswith; nocase; http.host; content:"178.16.52.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807155/; classtype:trojan-activity;sid:84670255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.primordialconsensus.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807153/; classtype:trojan-activity;sid:84670253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.primordialconsensus.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807152/; classtype:trojan-activity;sid:84670252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807151)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.primordialconsensus.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807151/; classtype:trojan-activity;sid:84670251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.86.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807150/; classtype:trojan-activity;sid:84670250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.primordialconsensus.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807149/; classtype:trojan-activity;sid:84670249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"1dxll.keystoneprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807148/; classtype:trojan-activity;sid:84670248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807145/; 
classtype:trojan-activity;sid:84670245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807146/; classtype:trojan-activity;sid:84670246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807147/; classtype:trojan-activity;sid:84670247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807144/; classtype:trojan-activity;sid:84670244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807143/; classtype:trojan-activity;sid:84670243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; 
nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807141/; classtype:trojan-activity;sid:84670241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807142/; classtype:trojan-activity;sid:84670242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807134/; classtype:trojan-activity;sid:84670234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807135/; classtype:trojan-activity;sid:84670235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807136/; classtype:trojan-activity;sid:84670236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3807137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807137/; classtype:trojan-activity;sid:84670237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807138/; classtype:trojan-activity;sid:84670238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807139/; classtype:trojan-activity;sid:84670239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807140/; classtype:trojan-activity;sid:84670240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.240.216.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, 
urlhaus.abuse.ch/url/3807133/; classtype:trojan-activity;sid:84670233; rev:1;)
# How to read the rules in this feed: every rule is an exact match on one URL.
#   - http.uri: depth equals the pattern length and endswith is set, so the whole
#     URI must equal the pattern (nocase makes that comparison case-insensitive).
#   - http.host: depth equals the pattern length and isdataat:!1,relative requires
#     that nothing follows the match, so the whole Host value must equal the pattern.
#   - "alert http" with http.method content:"GET" means only requests that Suricata
#     parses as HTTP GET, from $HOME_NET to $EXTERNAL_NET, are inspected; a download
#     inside TLS is not seen by these rules unless the traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.227.63.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807132/; classtype:trojan-activity;sid:84670232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.93.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807131/; classtype:trojan-activity;sid:84670231; rev:1;)
# The next two rules pin the same path, /verification.google, to single hostnames
# under in.net. Because http.host is matched exactly, a sibling subdomain of the same
# parent name is covered only if it has its own sid in the feed. When one of these
# fires, pivot in proxy and DNS logs on the path and on the parent domain rather than
# treating the per-host sid as the full scope.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yzl9.keystoneprospera.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807130/; classtype:trojan-activity;sid:84670230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"unpf0.spectrumforge.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807129/; classtype:trojan-activity;sid:84670229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"60.19.71.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807128/; classtype:trojan-activity;sid:84670228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807127/; classtype:trojan-activity;sid:84670227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"j7pyx.spectrumforge.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807126/; classtype:trojan-activity;sid:84670226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qudo8h54.paragonventure.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807125/; classtype:trojan-activity;sid:84670225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.253.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807124/; classtype:trojan-activity;sid:84670224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3807123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ser-crestal.paragonventure.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807123/; classtype:trojan-activity;sid:84670223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.89.174.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807122/; classtype:trojan-activity;sid:84670222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.240.216.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807121/; classtype:trojan-activity;sid:84670221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zenven2ix.quantumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807120/; classtype:trojan-activity;sid:84670220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"linkstudi.quantumprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 
2026_03_28; reference:url, urlhaus.abuse.ch/url/3807119/; classtype:trojan-activity;sid:84670219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807118/; classtype:trojan-activity;sid:84670218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vvatch9-array.nexusharbora.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807117/; classtype:trojan-activity;sid:84670217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"r2tf.nexusharbora.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807116/; classtype:trojan-activity;sid:84670216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scuh266.luminouspatron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807115/; classtype:trojan-activity;sid:84670215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807114)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.7.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807114/; classtype:trojan-activity;sid:84670214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"print6-lab.luminouspatron.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807113/; classtype:trojan-activity;sid:84670213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zd3cs.apexbloomera.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807112/; classtype:trojan-activity;sid:84670212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"columnbinary.apexbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807111/; classtype:trojan-activity;sid:84670211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.44.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807110/; 
classtype:trojan-activity;sid:84670210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.80.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807109/; classtype:trojan-activity;sid:84670209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rvfh.horizonprospera.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807108/; classtype:trojan-activity;sid:84670208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.248.120.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807107/; classtype:trojan-activity;sid:84670207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gather-line.horizonprospera.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807106/; classtype:trojan-activity;sid:84670206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/poop"; depth:10; endswith; nocase; 
http.host; content:"87.121.84.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807105/; classtype:trojan-activity;sid:84670205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cgnnhw.catalystventure.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807104/; classtype:trojan-activity;sid:84670204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trivenen2.catalystventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807103/; classtype:trojan-activity;sid:84670203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807102/; classtype:trojan-activity;sid:84670202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.252.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807101/; classtype:trojan-activity;sid:84670201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3807100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.80.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807100/; classtype:trojan-activity;sid:84670200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.133.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807099/; classtype:trojan-activity;sid:84670199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.44.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807098/; classtype:trojan-activity;sid:84670198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.86.71.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807097/; classtype:trojan-activity;sid:84670197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ultra-r0ug.vectorharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807096/; 
classtype:trojan-activity;sid:84670196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.248.120.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807095/; classtype:trojan-activity;sid:84670195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"c0lo-scope.vectorharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807094/; classtype:trojan-activity;sid:84670194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"neurafor.pozellant.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807093/; classtype:trojan-activity;sid:84670193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.252.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807092/; classtype:trojan-activity;sid:84670192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"182.126.126.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807091/; classtype:trojan-activity;sid:84670191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"scanque.pozellant.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807090/; classtype:trojan-activity;sid:84670190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807089/; classtype:trojan-activity;sid:84670189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807088/; classtype:trojan-activity;sid:84670188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"59fxy.chromeflack.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807087/; classtype:trojan-activity;sid:84670187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
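detected (3807086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.113.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807086/; classtype:trojan-activity;sid:84670186; rev:1;)
# sid 84670185 -- depth corrected from 53 to 38.
# The http.uri pattern decodes to 38 bytes: |3f| and each |7c| are one byte apiece.
# 53 is the length of the escaped text, not of the bytes that are matched. Every
# neighbouring rule sets depth to the decoded pattern length, which together with
# endswith makes the rule an exact whole-URI match. With depth:53 the pattern could
# start up to 15 bytes into the URI, so the start of the URI was not anchored.
# This is a local change to a generated feed: a feed refresh restores depth:53, so
# carry the override in your rule-management step and report it upstream.
# NOTE(review): the literal "|26|" runs (pipes written as |7c|) look like an "&" that
# was hex-escaped and then had its pipes escaped a second time. If the reported URL
# contains "&&" at that position, this content cannot match it -- confirm against the
# URLhaus entry in the rule's reference before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=mcjwehculyowvkfg"; depth:38; endswith; nocase; http.host; content:"ypmd72xu.latticepatronage.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807085/; classtype:trojan-activity;sid:84670185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807084/; classtype:trojan-activity;sid:84670184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"triforgeix.chromeflack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807083/; classtype:trojan-activity;sid:84670183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dyn-tidear.dockhype.in.net"; depth:26; isdataat:!1,relative; 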
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807082/; classtype:trojan-activity;sid:84670182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"thifleet.dockhype.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807081/; classtype:trojan-activity;sid:84670181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.126.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807080/; classtype:trojan-activity;sid:84670180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.70.95.15"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807079/; classtype:trojan-activity;sid:84670179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.3.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807078/; classtype:trojan-activity;sid:84670178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807077)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gridfocus.cloudfloot.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807077/; classtype:trojan-activity;sid:84670177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.113.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807076/; classtype:trojan-activity;sid:84670176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"336yzvub.cloudfloot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807075/; classtype:trojan-activity;sid:84670175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.195.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807074/; classtype:trojan-activity;sid:84670174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zenmarken4.hostyard.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807073/; classtype:trojan-activity;sid:84670173; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tw9hk.hostyard.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807072/; classtype:trojan-activity;sid:84670172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.215.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807071/; classtype:trojan-activity;sid:84670171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"binscree.matchexact.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807070/; classtype:trojan-activity;sid:84670170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/a8cot32.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807069/; classtype:trojan-activity;sid:84670169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"git33.matchexact.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807068/; classtype:trojan-activity;sid:84670168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7359455182/s5akpxu.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807067/; classtype:trojan-activity;sid:84670167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"patternprint.productter.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807066/; classtype:trojan-activity;sid:84670166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.222.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807065/; classtype:trojan-activity;sid:84670165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.197.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807064/; classtype:trojan-activity;sid:84670164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3807063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"circuittraile.productter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807063/; classtype:trojan-activity;sid:84670163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"merlithex.tockentrue.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807062/; classtype:trojan-activity;sid:84670162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.35.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807061/; classtype:trojan-activity;sid:84670161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"emberbroker.tockentrue.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807060/; classtype:trojan-activity;sid:84670160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"gr0w-grid.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; 
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807059/; classtype:trojan-activity;sid:84670159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumforgea.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807058/; classtype:trojan-activity;sid:84670158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.249.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807057/; classtype:trojan-activity;sid:84670157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.162.228.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807056/; classtype:trojan-activity;sid:84670156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"capitalultra.quantumharbinger.in.net"; depth:36; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807055/; classtype:trojan-activity;sid:84670155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807054)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807054/; classtype:trojan-activity;sid:84670154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyperobs.nexuspatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807053/; classtype:trojan-activity;sid:84670153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cleanrain.vectorprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807052/; classtype:trojan-activity;sid:84670152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807051/; classtype:trojan-activity;sid:84670151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"568sx.momentumbloomera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807050/; 
classtype:trojan-activity;sid:84670150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.249.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807049/; classtype:trojan-activity;sid:84670149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"24dw.apexharvestor.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807048/; classtype:trojan-activity;sid:84670148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.43.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807047/; classtype:trojan-activity;sid:84670147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.43.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807046/; classtype:trojan-activity;sid:84670146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"meta-latt1c.covenantventure.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807045/; classtype:trojan-activity;sid:84670145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.172.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807044/; classtype:trojan-activity;sid:84670144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.224.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807043/; classtype:trojan-activity;sid:84670143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vect01-gate.latticepatronage.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807042/; classtype:trojan-activity;sid:84670142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlh/cccc.sh"; depth:12; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807041/; classtype:trojan-activity;sid:84670141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3807040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkmeshum2.radiantprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807040/; classtype:trojan-activity;sid:84670140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.240.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807039/; classtype:trojan-activity;sid:84670139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sync-route.radiantprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807038/; classtype:trojan-activity;sid:84670138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mm52vg.zenithharbinger.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807037/; classtype:trojan-activity;sid:84670137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"boldoffe.zenithharbinger.in.net"; depth:31; isdataat:!1,relative; 
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807036/; classtype:trojan-activity;sid:84670136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"notmar.pozellant.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807035/; classtype:trojan-activity;sid:84670135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807034/; classtype:trojan-activity;sid:84670134; rev:1;)
# NOTE(review): sid 84670133 (next rule) is not built like its neighbours. Its http.uri
# content decodes to 38 bytes (|3f| is "?", |7c| is "|"), but depth is 53, which is the
# character count of the escaped text. Combined with endswith, that accepts any URI of up
# to 53 bytes that ends in the pattern, instead of pinning the whole URI the way the
# depth-equals-length rules around it do.
# The decoded pattern also contains the literal text "|26|" twice. This looks like a
# double-escaped "&" (0x26) from the rule generator - TODO confirm against the URLhaus
# entry named in reference:url. If that is the case, the rule would likely not fire on
# the listed URL, so do not rely on it alone for coverage of this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=pjmohcszoedmhugu"; depth:53; endswith; nocase; http.host; content:"kjpf3o93.radiantprospera.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807033/; classtype:trojan-activity;sid:84670133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.168.22.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807032/; classtype:trojan-activity;sid:84670132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807031)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807031/; classtype:trojan-activity;sid:84670131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"daemondeli.chromeflack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807030/; classtype:trojan-activity;sid:84670130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807029/; classtype:trojan-activity;sid:84670129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"oi52ewc.dockhype.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807028/; classtype:trojan-activity;sid:84670128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.38.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807027/; 
classtype:trojan-activity;sid:84670127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sun-line.cloudfloot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807026/; classtype:trojan-activity;sid:84670126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.6.167.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807024/; classtype:trojan-activity;sid:84670124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.168.22.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807025/; classtype:trojan-activity;sid:84670125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dyn-coreal.hostyard.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807023/; classtype:trojan-activity;sid:84670123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"77.245.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807022/; classtype:trojan-activity;sid:84670122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dockswitch.matchexact.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807021/; classtype:trojan-activity;sid:84670121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.38.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807020/; classtype:trojan-activity;sid:84670120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cfp1laq8.productter.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807019/; classtype:trojan-activity;sid:84670119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807018/; classtype:trojan-activity;sid:84670118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3807017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807017/; classtype:trojan-activity;sid:84670117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"velflux0or.tockentrue.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807016/; classtype:trojan-activity;sid:84670116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.109.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807015/; classtype:trojan-activity;sid:84670115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.6.167.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807014/; classtype:trojan-activity;sid:84670114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"duskgrand.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807013/; 
classtype:trojan-activity;sid:84670113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.59.105.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807012/; classtype:trojan-activity;sid:84670112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.245.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807011/; classtype:trojan-activity;sid:84670111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"optic5-dock.paragonbloomera.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807010/; classtype:trojan-activity;sid:84670110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807009/; classtype:trojan-activity;sid:84670109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"2woz.quantumharbinger.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807008/; classtype:trojan-activity;sid:84670108; rev:1;)
# NOTE(review): sid 84670107 (next rule) has an http.uri content that decodes to 38 bytes
# (|3f| is "?", |7c| is "|"), yet depth is 53, the character count of the escaped text.
# With endswith this allows up to 15 arbitrary leading bytes in the URI, so the match is
# a suffix match on short URIs rather than the exact-URI match used by the other rules
# on this page.
# The decoded pattern contains the literal text "|26|" twice, which looks like a
# double-escaped "&" (0x26) - TODO confirm against the URLhaus entry in reference:url.
# If the real URL uses "&", this rule would likely never match it; treat the host as
# uncovered by this sid until that is checked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=ssftnkjvkmecvvkt"; depth:53; endswith; nocase; http.host; content:"hnz4q1fw.zenithharbinger.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807007/; classtype:trojan-activity;sid:84670107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.172.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807006/; classtype:trojan-activity;sid:84670106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"arkline9ar.quantumharbinger.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807005/; classtype:trojan-activity;sid:84670105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.140.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807004/; classtype:trojan-activity;sid:84670104; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pol43-plate.nexuspatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807003/; classtype:trojan-activity;sid:84670103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lecbyj6.nexuspatronage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807002/; classtype:trojan-activity;sid:84670102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.70.167.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807001/; classtype:trojan-activity;sid:84670101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.201.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807000/; classtype:trojan-activity;sid:84670100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.244"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806999/; classtype:trojan-activity;sid:84670099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.59.105.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806998/; classtype:trojan-activity;sid:84670098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"zwyyuczn.vectorprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806997/; classtype:trojan-activity;sid:84670097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806996/; classtype:trojan-activity;sid:84670096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.73.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806995/; classtype:trojan-activity;sid:84670095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806994)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wylzkl.vectorprospera.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806994/; classtype:trojan-activity;sid:84670094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"serdraos.momentumbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806993/; classtype:trojan-activity;sid:84670093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.162.228.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806992/; classtype:trojan-activity;sid:84670092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.140.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806991/; classtype:trojan-activity;sid:84670091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pale-line.momentumbloomera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806990/; classtype:trojan-activity;sid:84670090; rev:1;) 
# How to read the rules below (they all follow one template):
#   - alert http ... flow:established,from_client; http.method; content:"GET";
#     fires on client-to-server GET requests that Suricata parsed as HTTP. Requests
#     carried inside TLS are not inspected by these rules unless traffic is decrypted
#     upstream of the sensor.
#   - http.uri; content:"<path>"; depth:<len>; endswith; nocase;
#     depth equal to the content length plus endswith means the URI must equal <path>
#     exactly (case-insensitively). A different path or an appended query string on the
#     same host does not match.
#   - http.host; content:"<host>"; depth:<len>; isdataat:!1,relative;
#     the same exact-match idea for the host: the content sits at the start of the
#     buffer and no byte may follow it.
#   - reference:url points at the URLhaus entry the rule was generated from; the number
#     in msg is that entry's id.
# These are point-in-time indicators (see metadata:created_at); many hosts are bare IP
# addresses, so an alert should be confirmed against the current URLhaus status.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nimblestitch.apexharvestor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806989/; classtype:trojan-activity;sid:84670089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.201.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806988/; classtype:trojan-activity;sid:84670088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"proto-pub1.apexharvestor.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806987/; classtype:trojan-activity;sid:84670087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.47.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806986/; classtype:trojan-activity;sid:84670086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"roufal.covenantventure.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806985/; classtype:trojan-activity;sid:84670085; rev:1;)
# (The line above is the tail of a rule that begins before this section.)
#
# Reading the rules in this section
# ---------------------------------
# Each rule is one URLhaus entry. The number in msg and in the reference URL
# is the URLhaus entry ID; every rule here is rev:1.
#
# A rule alerts on a request from $HOME_NET to $EXTERNAL_NET, on an
# established flow in the client-to-server direction, when:
#   http.method  contains "GET";
#   http.uri     equals the listed path: depth:N (N is the pattern length)
#                pins the match to the start of the buffer, endswith pins it
#                to the end, and nocase makes the path match case-insensitive;
#   http.host    equals the listed host: depth:N pins the start and
#                isdataat:!1,relative requires that no byte follows the match.
#
# Coverage notes for deployment and triage:
#   - The match is exact. The same path with a query string appended, or a
#     host that is not listed, does not alert.
#   - Many entries pair the path "/verification.google" with subdomains of a
#     small set of .in.net domains. Because the host match is exact, a
#     subdomain that is not listed here is not covered by these rules.
#   - Several addresses appear more than once with different paths ("/i" and
#     "/bin.sh" on the same host), so one client can raise more than one sid.
#   - These are "alert http" rules: they fire only on traffic Suricata parses
#     as HTTP, so a download over TLS is not seen unless the traffic is
#     decrypted before inspection, and a match is reported rather than dropped.
#   - NOTE(review): metadata:created_at is presumably the date the entry was
#     added (2026_03_28 throughout this section). These are point-in-time
#     indicators; confirm the entry's current state via its reference URL
#     before treating a hit as a live infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ukswf.covenantventure.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806984/; classtype:trojan-activity;sid:84670084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806983/; classtype:trojan-activity;sid:84670083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.206.101.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806982/; classtype:trojan-activity;sid:84670082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"c0upon1-sheet.latticepatronage.in.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806981/; classtype:trojan-activity;sid:84670081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.196.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806980/; classtype:trojan-activity;sid:84670080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806979/; classtype:trojan-activity;sid:84670079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.18.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806977/; classtype:trojan-activity;sid:84670077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"focu-stream.latticepatronage.in.net"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806978/; classtype:trojan-activity;sid:84670078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.144.89.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806976/; classtype:trojan-activity;sid:84670076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806975/; classtype:trojan-activity;sid:84670075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"xuyk.radiantprospera.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806974/; classtype:trojan-activity;sid:84670074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806973/; classtype:trojan-activity;sid:84670073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.47.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806972/; classtype:trojan-activity;sid:84670072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806971/; classtype:trojan-activity;sid:84670071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tal-marka.radiantprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806970/; classtype:trojan-activity;sid:84670070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806969/; classtype:trojan-activity;sid:84670069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.248.16.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806967/; classtype:trojan-activity;sid:84670067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.248.16.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806968/; classtype:trojan-activity;sid:84670068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.95.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806966/; classtype:trojan-activity;sid:84670066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.235.225.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806965/; classtype:trojan-activity;sid:84670065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.196.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806964/; classtype:trojan-activity;sid:84670064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.18.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806963/; classtype:trojan-activity;sid:84670063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"railglyph.zenithharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806962/; classtype:trojan-activity;sid:84670062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lqlk.zenithharbinger.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806961/; classtype:trojan-activity;sid:84670061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.171.123.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806960/; classtype:trojan-activity;sid:84670060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806959/; classtype:trojan-activity;sid:84670059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.8.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806958/; classtype:trojan-activity;sid:84670058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.164.179.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806957/; classtype:trojan-activity;sid:84670057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"2xxws.pozellant.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806956/; classtype:trojan-activity;sid:84670056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.82.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806955/; classtype:trojan-activity;sid:84670055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806954/; classtype:trojan-activity;sid:84670054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"linkclie.pozellant.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806953/; classtype:trojan-activity;sid:84670053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.85.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806952/; classtype:trojan-activity;sid:84670052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"e457.pozellant.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806951/; classtype:trojan-activity;sid:84670051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.171.123.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806950/; classtype:trojan-activity;sid:84670050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.95.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806949/; classtype:trojan-activity;sid:84670049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"1att0-crest.pozellant.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806948/; classtype:trojan-activity;sid:84670048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.159.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806947/; classtype:trojan-activity;sid:84670047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"soltidea3.pozellant.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806946/; classtype:trojan-activity;sid:84670046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kelvenon1.chromeflack.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806945/; classtype:trojan-activity;sid:84670045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.164.179.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806944/; classtype:trojan-activity;sid:84670044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.82.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806943/; classtype:trojan-activity;sid:84670043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ffvwks.chromeflack.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806942/; classtype:trojan-activity;sid:84670042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.48.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806941/; classtype:trojan-activity;sid:84670041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.246.41.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806940/; classtype:trojan-activity;sid:84670040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.186.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806939/; classtype:trojan-activity;sid:84670039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"0iwbrl.chromeflack.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806938/; classtype:trojan-activity;sid:84670038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.234.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806937/; classtype:trojan-activity;sid:84670037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806936/; classtype:trojan-activity;sid:84670036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vehb.chromeflack.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806935/; classtype:trojan-activity;sid:84670035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nortideix9.chromeflack.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806934/; classtype:trojan-activity;sid:84670034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.234.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806933/; classtype:trojan-activity;sid:84670033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pilhar.dockhype.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806932/; classtype:trojan-activity;sid:84670032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806931/; classtype:trojan-activity;sid:84670031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"compi1e-well.dockhype.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806930/; classtype:trojan-activity;sid:84670030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.251.87.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806929/; classtype:trojan-activity;sid:84670029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"decodeass.dockhype.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806928/; classtype:trojan-activity;sid:84670028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.159.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806927/; classtype:trojan-activity;sid:84670027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.251.87.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806926/; classtype:trojan-activity;sid:84670026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.201.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806925/; classtype:trojan-activity;sid:84670025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sertideos6.dockhype.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806924/; classtype:trojan-activity;sid:84670024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.144.89.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806923/; classtype:trojan-activity;sid:84670023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"f0x8-frame.dockhype.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806922/; classtype:trojan-activity;sid:84670022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.12.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806921/; classtype:trojan-activity;sid:84670021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806920/; classtype:trojan-activity;sid:84670020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"59zvgq.cloudfloot.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806919/; classtype:trojan-activity;sid:84670019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.167.27.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806918/; classtype:trojan-activity;sid:84670018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"broa-glow.cloudfloot.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806917/; classtype:trojan-activity;sid:84670017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flowmer.cloudfloot.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806916/; classtype:trojan-activity;sid:84670016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806914/; classtype:trojan-activity;sid:84670014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806915/; classtype:trojan-activity;sid:84670015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.224.208.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806913/; classtype:trojan-activity;sid:84670013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pur34-grid.cloudfloot.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806912/; classtype:trojan-activity;sid:84670012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.124.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806911/; classtype:trojan-activity;sid:84670011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"chorusschema.cloudfloot.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806910/; classtype:trojan-activity;sid:84670010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.167.27.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806909/; classtype:trojan-activity;sid:84670009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fi3ld-mount.hostyard.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806908/; classtype:trojan-activity;sid:84670008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806907/; classtype:trojan-activity;sid:84670007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806906/; classtype:trojan-activity;sid:84670006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.62.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806905/; classtype:trojan-activity;sid:84670005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"bxorbuj.hostyard.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806904/; classtype:trojan-activity;sid:84670004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"5tor-bridge.hostyard.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806903/; classtype:trojan-activity;sid:84670003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"datadir.hostyard.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806902/; classtype:trojan-activity;sid:84670002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vor-draa.hostyard.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806901/; classtype:trojan-activity;sid:84670001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.124.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806900/; classtype:trojan-activity;sid:84670000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ibdav4vt.matchexact.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806899/; classtype:trojan-activity;sid:84669999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"meta-qu4nt.matchexact.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806898/; classtype:trojan-activity;sid:84669998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806897/; classtype:trojan-activity;sid:84669997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ressilen.matchexact.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806896/; classtype:trojan-activity;sid:84669996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.86.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806895/; classtype:trojan-activity;sid:84669995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.5.28"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806894/; classtype:trojan-activity;sid:84669994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.12.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806893/; classtype:trojan-activity;sid:84669993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lafc2.matchexact.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806892/; classtype:trojan-activity;sid:84669992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.54.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806891/; classtype:trojan-activity;sid:84669991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"9uclkz8z.matchexact.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806890/; classtype:trojan-activity;sid:84669990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806889/; classtype:trojan-activity;sid:84669989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"stitchreed.productter.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806888/; classtype:trojan-activity;sid:84669988; rev:1;)
# (The line below is the head of a rule that continues past this section.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, 
urlhaus.abuse.ch/url/3806887/; classtype:trojan-activity;sid:84669987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"rjpx.productter.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806886/; classtype:trojan-activity;sid:84669986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.5.28"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806885/; classtype:trojan-activity;sid:84669985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"me5h-sheet.productter.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806884/; classtype:trojan-activity;sid:84669984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"geo-thr3.productter.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806883/; classtype:trojan-activity;sid:84669983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806882)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"219.140.6.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806882/; classtype:trojan-activity;sid:84669982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.166.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806881/; classtype:trojan-activity;sid:84669981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pe4k-chain.productter.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806880/; classtype:trojan-activity;sid:84669980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.54.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806879/; classtype:trojan-activity;sid:84669979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"69woakx5.tockentrue.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806878/; classtype:trojan-activity;sid:84669978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3806877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.174.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806877/; classtype:trojan-activity;sid:84669977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"48bc.tockentrue.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806876/; classtype:trojan-activity;sid:84669976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.248.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806875/; classtype:trojan-activity;sid:84669975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806874/; classtype:trojan-activity;sid:84669974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc"; depth:70; endswith; nocase; http.host; 
content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806863/; classtype:trojan-activity;sid:84669963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806864/; classtype:trojan-activity;sid:84669964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806865/; classtype:trojan-activity;sid:84669965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806866/; classtype:trojan-activity;sid:84669966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_03_28; reference:url, urlhaus.abuse.ch/url/3806867/; classtype:trojan-activity;sid:84669967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806868/; classtype:trojan-activity;sid:84669968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806869/; classtype:trojan-activity;sid:84669969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806870/; classtype:trojan-activity;sid:84669970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806871/; 
classtype:trojan-activity;sid:84669971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips"; depth:71; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806872/; classtype:trojan-activity;sid:84669972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x64"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806873/; classtype:trojan-activity;sid:84669973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806861/; classtype:trojan-activity;sid:84669961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc"; depth:70; endswith; nocase; http.host; content:"176.65.139.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806862/; classtype:trojan-activity;sid:84669962; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.166.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806860/; classtype:trojan-activity;sid:84669960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.ps1"; depth:10; endswith; nocase; http.host; content:"79.124.59.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806858/; classtype:trojan-activity;sid:84669958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.174.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806859/; classtype:trojan-activity;sid:84669959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"quorcrestum4.tockentrue.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806857/; classtype:trojan-activity;sid:84669957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; 
reference:url, urlhaus.abuse.ch/url/3806856/; classtype:trojan-activity;sid:84669956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mvrwigmy.exe"; depth:13; endswith; nocase; http.host; content:"144.31.191.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806854/; classtype:trojan-activity;sid:84669954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user_h7hgn7sd9jm/zurfezkg.exe"; depth:30; endswith; nocase; http.host; content:"144.31.191.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806855/; classtype:trojan-activity;sid:84669955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sprble.tockentrue.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806853/; classtype:trojan-activity;sid:84669953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.233.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806852/; classtype:trojan-activity;sid:84669952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806851/; classtype:trojan-activity;sid:84669951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"primefierc.tockentrue.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806850/; classtype:trojan-activity;sid:84669950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.174.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806849/; classtype:trojan-activity;sid:84669949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806848/; classtype:trojan-activity;sid:84669948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.176.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806847/; classtype:trojan-activity;sid:84669947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3806846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.137.70.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806846/; classtype:trojan-activity;sid:84669946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steam/lemon.exe"; depth:16; endswith; nocase; http.host; content:"91.92.243.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806844/; classtype:trojan-activity;sid:84669944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"185.244.182.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806845/; classtype:trojan-activity;sid:84669945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.137.70.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806839/; classtype:trojan-activity;sid:84669939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"45.137.70.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806840/; 
classtype:trojan-activity;sid:84669940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"167.148.41.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806841/; classtype:trojan-activity;sid:84669941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.137.70.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806842/; classtype:trojan-activity;sid:84669942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claude"; depth:7; endswith; nocase; http.host; content:"download-version.1-7-2.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806843/; classtype:trojan-activity;sid:84669943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.11.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806838/; classtype:trojan-activity;sid:84669938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; 
endswith; nocase; http.host; content:"206.189.22.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806837/; classtype:trojan-activity;sid:84669937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.196.7.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806836/; classtype:trojan-activity;sid:84669936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.paragonbloomera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806835/; classtype:trojan-activity;sid:84669935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.248.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806834/; classtype:trojan-activity;sid:84669934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.228.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806833/; classtype:trojan-activity;sid:84669933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806832/; classtype:trojan-activity;sid:84669932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.paragonbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806831/; classtype:trojan-activity;sid:84669931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.11.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806830/; classtype:trojan-activity;sid:84669930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806829/; classtype:trojan-activity;sid:84669929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.quantumharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, 
urlhaus.abuse.ch/url/3806828/; classtype:trojan-activity;sid:84669928; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes on the entries below. Every rule in this span follows the
# same template; only the URLhaus id, path, host, depth values and sid change.
#
# What a rule matches:
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with
#     `flow:established,from_client`: a client request on an established flow,
#     going from the protected network to an external address.
#   - `http.method; content:"GET"`: the method buffer contains "GET".
#   - `http.uri; content:"<path>"; depth:<n>; endswith; nocase`: in the rules
#     below <n> equals the length of <path>, and `endswith` anchors the match
#     to the end of the buffer, so the URI buffer must equal <path> exactly
#     (compared case-insensitively). The same path followed by a query string
#     or any other suffix is not matched by these rules.
#   - `http.host; content:"<host>"; depth:<n>; isdataat:!1,relative`: <n>
#     equals the length of <host> and no byte may follow the match, so the
#     host buffer must equal <host> exactly. Sibling hostnames under the same
#     parent domain each carry their own rule for that reason.
#     NOTE(review): whether a Host header that includes an explicit port still
#     matches depends on how the http.host buffer is normalized - confirm
#     against the Suricata version in use.
#
# Coverage caveats for whoever deploys this feed:
#   - `alert http` only applies to traffic Suricata parses as HTTP. The same
#     URL fetched over TLS is not seen by these rules unless the traffic is
#     decrypted before inspection; pair with host/DNS-level indicators if
#     that coverage is needed.
#   - Paths such as "/i" and "/bin.sh" are generic; the host value is what
#     makes each rule specific, and many hosts here are bare IP addresses.
#     NOTE(review): the entries carry created_at 2026_03_28 - check the
#     referenced URLhaus page for the entry's current status before treating
#     a hit as a confirmed malware download.
#   - The direction check is only as good as the $HOME_NET / $EXTERNAL_NET
#     definitions in the sensor configuration.
#   - On a hit, the source address is the internal client that issued the
#     request; that host is the one to triage.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.quantumharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806827/; classtype:trojan-activity;sid:84669927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.196.7.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806826/; classtype:trojan-activity;sid:84669926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.quantumharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806825/; classtype:trojan-activity;sid:84669925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.quantumharbinger.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806824/; classtype:trojan-activity;sid:84669924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.233.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806823/; classtype:trojan-activity;sid:84669923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.nexuspatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806822/; classtype:trojan-activity;sid:84669922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.nexuspatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806821/; classtype:trojan-activity;sid:84669921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806820/; classtype:trojan-activity;sid:84669920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.176.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806819/; classtype:trojan-activity;sid:84669919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806818/; classtype:trojan-activity;sid:84669918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.nexuspatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806817/; classtype:trojan-activity;sid:84669917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.215.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806816/; classtype:trojan-activity;sid:84669916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.nexuspatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806815/; classtype:trojan-activity;sid:84669915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806814/; classtype:trojan-activity;sid:84669914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.vectorprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806813/; classtype:trojan-activity;sid:84669913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.242.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806812/; classtype:trojan-activity;sid:84669912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.vectorprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806811/; classtype:trojan-activity;sid:84669911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.242.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806810/; classtype:trojan-activity;sid:84669910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.vectorprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806809/; classtype:trojan-activity;sid:84669909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.114.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806808/; classtype:trojan-activity;sid:84669908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.109.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806807/; classtype:trojan-activity;sid:84669907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.vectorprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806806/; classtype:trojan-activity;sid:84669906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.40.188.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806805/; classtype:trojan-activity;sid:84669905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.215.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806804/; classtype:trojan-activity;sid:84669904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.momentumbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806803/; classtype:trojan-activity;sid:84669903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806802/; classtype:trojan-activity;sid:84669902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.80.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806801/; classtype:trojan-activity;sid:84669901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.momentumbloomera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806800/; classtype:trojan-activity;sid:84669900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806799/; classtype:trojan-activity;sid:84669899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.momentumbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806798/; classtype:trojan-activity;sid:84669898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806797/; classtype:trojan-activity;sid:84669897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.momentumbloomera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806796/; classtype:trojan-activity;sid:84669896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.40.188.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806795/; classtype:trojan-activity;sid:84669895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.162.207.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806794/; classtype:trojan-activity;sid:84669894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.207.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806793/; classtype:trojan-activity;sid:84669893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.apexharvestor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806792/; classtype:trojan-activity;sid:84669892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.80.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806791/; classtype:trojan-activity;sid:84669891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.apexharvestor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806790/; classtype:trojan-activity;sid:84669890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806789/; classtype:trojan-activity;sid:84669889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.apexharvestor.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806788/; classtype:trojan-activity;sid:84669888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.152.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806787/; classtype:trojan-activity;sid:84669887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.75.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806786/; classtype:trojan-activity;sid:84669886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.apexharvestor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806785/; classtype:trojan-activity;sid:84669885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.199.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806784/; classtype:trojan-activity;sid:84669884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.covenantventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806783/; classtype:trojan-activity;sid:84669883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.225.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806782/; classtype:trojan-activity;sid:84669882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.covenantventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806781/; classtype:trojan-activity;sid:84669881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.199.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806780/; classtype:trojan-activity;sid:84669880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.235.242.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806779/; classtype:trojan-activity;sid:84669879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.covenantventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806778/; classtype:trojan-activity;sid:84669878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.253.152.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806777/; classtype:trojan-activity;sid:84669877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.75.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806776/; classtype:trojan-activity;sid:84669876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.covenantventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806775/; classtype:trojan-activity;sid:84669875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.235.242.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806774/; classtype:trojan-activity;sid:84669874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.latticepatronage.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806773/; classtype:trojan-activity;sid:84669873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.latticepatronage.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806772/; classtype:trojan-activity;sid:84669872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.225.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806771/; classtype:trojan-activity;sid:84669871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.96.165.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806769/; classtype:trojan-activity;sid:84669869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.latticepatronage.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806770/; classtype:trojan-activity;sid:84669870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806768/; classtype:trojan-activity;sid:84669868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.latticepatronage.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806767/; classtype:trojan-activity;sid:84669867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.210.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806766/; classtype:trojan-activity;sid:84669866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.radiantprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806765/; classtype:trojan-activity;sid:84669865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.73.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806764/; classtype:trojan-activity;sid:84669864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.189.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806763/; classtype:trojan-activity;sid:84669863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.73.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806762/; classtype:trojan-activity;sid:84669862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.143.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806761/; classtype:trojan-activity;sid:84669861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.radiantprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806760/; classtype:trojan-activity;sid:84669860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.radiantprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806759/; classtype:trojan-activity;sid:84669859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.154.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806758/; classtype:trojan-activity;sid:84669858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.98.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806757/; classtype:trojan-activity;sid:84669857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.radiantprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806756/; classtype:trojan-activity;sid:84669856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806755/; classtype:trojan-activity;sid:84669855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.180.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806753/; classtype:trojan-activity;sid:84669853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806754/; classtype:trojan-activity;sid:84669854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.180.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806752/; classtype:trojan-activity;sid:84669852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.210.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806751/; classtype:trojan-activity;sid:84669851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.zenithharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806750/; classtype:trojan-activity;sid:84669850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.zenithharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806749/; classtype:trojan-activity;sid:84669849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.143.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806748/; classtype:trojan-activity;sid:84669848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.zenithharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806747/; classtype:trojan-activity;sid:84669847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.225.238.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806746/; classtype:trojan-activity;sid:84669846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.53.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806745/; classtype:trojan-activity;sid:84669845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806744/; classtype:trojan-activity;sid:84669844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.zenithharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806743/; classtype:trojan-activity;sid:84669843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.96.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806742/; classtype:trojan-activity;sid:84669842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.218.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806741/; classtype:trojan-activity;sid:84669841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.keystoneprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806740/; classtype:trojan-activity;sid:84669840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.keystoneprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806739/; classtype:trojan-activity;sid:84669839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.218.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806738/; classtype:trojan-activity;sid:84669838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.122.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806737/; classtype:trojan-activity;sid:84669837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.98.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806736/; classtype:trojan-activity;sid:84669836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.keystoneprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806735/; classtype:trojan-activity;sid:84669835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.30.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806734/; classtype:trojan-activity;sid:84669834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.keystoneprospera.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806731/; classtype:trojan-activity;sid:84669831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.190.189.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806732/; classtype:trojan-activity;sid:84669832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.53.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806733/; classtype:trojan-activity;sid:84669833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; 
nocase; http.host; content:"svc4sat.spectrumforge.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806730/; classtype:trojan-activity;sid:84669830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.253.154.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806728/; classtype:trojan-activity;sid:84669828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.218.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806729/; classtype:trojan-activity;sid:84669829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.spectrumforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806727/; classtype:trojan-activity;sid:84669827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806726/; classtype:trojan-activity;sid:84669826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3806725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.231.134.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806725/; classtype:trojan-activity;sid:84669825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.spectrumforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806724/; classtype:trojan-activity;sid:84669824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.65.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806722/; classtype:trojan-activity;sid:84669822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.122.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806723/; classtype:trojan-activity;sid:84669823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.spectrumforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806721/; 
classtype:trojan-activity;sid:84669821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.231.134.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806720/; classtype:trojan-activity;sid:84669820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.109.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806719/; classtype:trojan-activity;sid:84669819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.190.189.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806718/; classtype:trojan-activity;sid:84669818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.paragonventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806717/; classtype:trojan-activity;sid:84669817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.89.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806716/; classtype:trojan-activity;sid:84669816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.paragonventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806715/; classtype:trojan-activity;sid:84669815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.155.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806714/; classtype:trojan-activity;sid:84669814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.65.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806713/; classtype:trojan-activity;sid:84669813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.paragonventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806712/; classtype:trojan-activity;sid:84669812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3806711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.60.12.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806711/; classtype:trojan-activity;sid:84669811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806710/; classtype:trojan-activity;sid:84669810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.30.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806709/; classtype:trojan-activity;sid:84669809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.paragonventure.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806708/; classtype:trojan-activity;sid:84669808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.155.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806707/; 
classtype:trojan-activity;sid:84669807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.quantumprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806706/; classtype:trojan-activity;sid:84669806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.89.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806705/; classtype:trojan-activity;sid:84669805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.42.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806704/; classtype:trojan-activity;sid:84669804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.quantumprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806703/; classtype:trojan-activity;sid:84669803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"112.198.140.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806702/; classtype:trojan-activity;sid:84669802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.quantumprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806701/; classtype:trojan-activity;sid:84669801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.241.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806700/; classtype:trojan-activity;sid:84669800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.quantumprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806699/; classtype:trojan-activity;sid:84669799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.nexusharbora.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806698/; classtype:trojan-activity;sid:84669798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3806697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.nexusharbora.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806697/; classtype:trojan-activity;sid:84669797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.42.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806696/; classtype:trojan-activity;sid:84669796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.nexusharbora.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806695/; classtype:trojan-activity;sid:84669795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.177.108.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806694/; classtype:trojan-activity;sid:84669794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.nexusharbora.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 
2026_03_28; reference:url, urlhaus.abuse.ch/url/3806693/; classtype:trojan-activity;sid:84669793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.148.224.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806692/; classtype:trojan-activity;sid:84669792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.168.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806691/; classtype:trojan-activity;sid:84669791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.205.92.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806690/; classtype:trojan-activity;sid:84669790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.luminouspatron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806689/; classtype:trojan-activity;sid:84669789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806688/; classtype:trojan-activity;sid:84669788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.92.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806687/; classtype:trojan-activity;sid:84669787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.22.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806686/; classtype:trojan-activity;sid:84669786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.luminouspatron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806685/; classtype:trojan-activity;sid:84669785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.220.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806684/; classtype:trojan-activity;sid:84669784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806683)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.223.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806683/; classtype:trojan-activity;sid:84669783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.luminouspatron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806682/; classtype:trojan-activity;sid:84669782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.220.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806681/; classtype:trojan-activity;sid:84669781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.luminouspatron.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806680/; classtype:trojan-activity;sid:84669780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.223.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806679/; 
classtype:trojan-activity;sid:84669779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.apexbloomera.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806678/; classtype:trojan-activity;sid:84669778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.58.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806677/; classtype:trojan-activity;sid:84669777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.apexbloomera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806676/; classtype:trojan-activity;sid:84669776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.156.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806675/; classtype:trojan-activity;sid:84669775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; 
http.host; content:"dev2power.apexbloomera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806674/; classtype:trojan-activity;sid:84669774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.apexbloomera.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806673/; classtype:trojan-activity;sid:84669773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.horizonprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806672/; classtype:trojan-activity;sid:84669772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/q4bdnvb.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806671/; classtype:trojan-activity;sid:84669771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.horizonprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806670/; classtype:trojan-activity;sid:84669770; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.horizonprospera.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806669/; classtype:trojan-activity;sid:84669769; rev:1;)
# ---------------------------------------------------------------------------
# Reading these rules (every rule in this section follows one template):
#   * alert http $HOME_NET -> $EXTERNAL_NET with flow:established,from_client:
#     only the client's request on a parsed HTTP session is inspected, so an
#     alert means an internal host asked for the URL. Nothing here inspects
#     the response; confirm from HTTP/file logs whether a payload came back.
#   * http.method must contain "GET".
#   * http.uri: depth:<len> pins the content to the start of the buffer and
#     endswith pins it to the end, so the URI has to equal the listed path
#     (case-insensitively, via nocase). A different path or an appended query
#     string does not match.
#   * http.host: depth:<len> plus isdataat:!1,relative leaves no room before
#     or after the content, so only that exact host value matches. Sibling
#     hostnames under the same parent domain each need their own rule.
#   * The number in msg and in the reference URL is the URLhaus entry id; in
#     every rule shown here sid equals that id + 80863100.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.130.70.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806668/; classtype:trojan-activity;sid:84669768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.156.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806667/; classtype:trojan-activity;sid:84669767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.58.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806666/; classtype:trojan-activity;sid:84669766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.121.83.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806665/; classtype:trojan-activity;sid:84669765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.horizonprospera.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806664/; classtype:trojan-activity;sid:84669764; rev:1;)
# From this rule on, every complete rule in this section carries created_at 2026_03_27.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.catalystventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806663/; classtype:trojan-activity;sid:84669763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.121.83.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806662/; classtype:trojan-activity;sid:84669762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.8.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806660/; classtype:trojan-activity;sid:84669760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.22.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806661/; classtype:trojan-activity;sid:84669761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.catalystventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806659/; classtype:trojan-activity;sid:84669759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.catalystventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806658/; classtype:trojan-activity;sid:84669758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.55.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806657/; classtype:trojan-activity;sid:84669757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.catalystventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806656/; classtype:trojan-activity;sid:84669756; rev:1;)
# Triage note: most of the /files/... paths listed below for host 85.239.147.6
# recur further down under host 166.1.89.46, so correlating alerts by URI path
# as well as by host groups related hits together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8434554557/x8cqvra.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806650/; classtype:trojan-activity;sid:84669750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/gop/random.exe"; depth:21; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806651/; classtype:trojan-activity;sid:84669751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/random.exe"; depth:16; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806652/; classtype:trojan-activity;sid:84669752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8317177049/7tdj9hz.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806653/; classtype:trojan-activity;sid:84669753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/rdx/random.exe"; depth:21; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806654/; classtype:trojan-activity;sid:84669754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6608710704/ltjl6cp.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806655/; classtype:trojan-activity;sid:84669755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/qrtfbw7.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806648/; classtype:trojan-activity;sid:84669748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final/random.exe"; depth:17; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806649/; classtype:trojan-activity;sid:84669749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/yxpifd2.msi"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806646/; classtype:trojan-activity;sid:84669746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5900855435/enle4nm.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806647/; classtype:trojan-activity;sid:84669747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.190.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806645/; classtype:trojan-activity;sid:84669745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.25.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806644/; classtype:trojan-activity;sid:84669744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7341834371/bgatgh0.exe"; depth:29; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806643/; classtype:trojan-activity;sid:84669743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.vectorharbinger.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806642/; classtype:trojan-activity;sid:84669742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.vectorharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806641/; classtype:trojan-activity;sid:84669741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.8.37"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806640/; classtype:trojan-activity;sid:84669740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.22.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806639/; classtype:trojan-activity;sid:84669739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vid/random.exe"; depth:15; endswith; nocase; http.host; content:"85.239.147.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806638/; classtype:trojan-activity;sid:84669738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.132.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806637/; classtype:trojan-activity;sid:84669737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.vectorharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806636/; classtype:trojan-activity;sid:84669736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.55.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806635/; classtype:trojan-activity;sid:84669735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.168.208.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806634/; classtype:trojan-activity;sid:84669734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.vectorharbinger.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806633/; classtype:trojan-activity;sid:84669733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.201.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806632/; classtype:trojan-activity;sid:84669732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.possibilsubject.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806631/; classtype:trojan-activity;sid:84669731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.145.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806630/; classtype:trojan-activity;sid:84669730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.possibilsubject.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806629/; classtype:trojan-activity;sid:84669729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.possibilsubject.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806628/; classtype:trojan-activity;sid:84669728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.132.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806627/; classtype:trojan-activity;sid:84669727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.possibilsubject.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806626/; classtype:trojan-activity;sid:84669726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.210.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806625/; classtype:trojan-activity;sid:84669725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.233.192"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806624/; classtype:trojan-activity;sid:84669724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.201.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806623/; classtype:trojan-activity;sid:84669723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.235.234.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806621/; classtype:trojan-activity;sid:84669721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.235.234.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806622/; classtype:trojan-activity;sid:84669722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.greyreduction.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806620/; classtype:trojan-activity;sid:84669720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.186.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806619/; classtype:trojan-activity;sid:84669719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.145.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806618/; classtype:trojan-activity;sid:84669718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.greyreduction.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806617/; classtype:trojan-activity;sid:84669717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.greyreduction.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806616/; classtype:trojan-activity;sid:84669716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.141.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806615/; classtype:trojan-activity;sid:84669715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.greyreduction.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806614/; classtype:trojan-activity;sid:84669714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.210.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806613/; classtype:trojan-activity;sid:84669713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.57.126.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806612/; classtype:trojan-activity;sid:84669712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.meaningvitiaty.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806611/; classtype:trojan-activity;sid:84669711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.65.215.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806610/; classtype:trojan-activity;sid:84669710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.meaningvitiaty.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806609/; classtype:trojan-activity;sid:84669709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.186.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806608/; classtype:trojan-activity;sid:84669708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.meaningvitiaty.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806607/; classtype:trojan-activity;sid:84669707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/s6xwuz1.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806605/; classtype:trojan-activity;sid:84669705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/gop/random.exe"; depth:21; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806606/; classtype:trojan-activity;sid:84669706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.141.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806604/; classtype:trojan-activity;sid:84669704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8317177049/7tdj9hz.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806603/; classtype:trojan-activity;sid:84669703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8434554557/x8cqvra.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806602/; classtype:trojan-activity;sid:84669702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.meaningvitiaty.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806601/; classtype:trojan-activity;sid:84669701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.25.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806600/; classtype:trojan-activity;sid:84669700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/qrtfbw7.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806596/; classtype:trojan-activity;sid:84669696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7341834371/bgatgh0.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806597/; classtype:trojan-activity;sid:84669697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/yxpifd2.msi"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806598/; classtype:trojan-activity;sid:84669698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5900855435/enle4nm.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806599/; classtype:trojan-activity;sid:84669699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6608710704/ltjl6cp.exe"; depth:29; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806595/; classtype:trojan-activity;sid:84669695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.sororatspot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806594/; classtype:trojan-activity;sid:84669694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.84.113.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806593/; classtype:trojan-activity;sid:84669693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.57.126.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806592/; classtype:trojan-activity;sid:84669692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.sororatspot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806591/; classtype:trojan-activity;sid:84669691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.151.251.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806590/; classtype:trojan-activity;sid:84669690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.sororatspot.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806589/; classtype:trojan-activity;sid:84669689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806588/; classtype:trojan-activity;sid:84669688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.sororatspot.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806587/; classtype:trojan-activity;sid:84669687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806586/; classtype:trojan-activity;sid:84669686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.pleasedprism.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806585/; classtype:trojan-activity;sid:84669685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.213.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806584/; classtype:trojan-activity;sid:84669684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.84.113.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806583/; classtype:trojan-activity;sid:84669683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.pleasedprism.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806582/; classtype:trojan-activity;sid:84669682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.pleasedprism.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806581/; classtype:trojan-activity;sid:84669681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806580/; classtype:trojan-activity;sid:84669680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.196.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806579/; classtype:trojan-activity;sid:84669679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806578/; classtype:trojan-activity;sid:84669678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.pleasedprism.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806577/; classtype:trojan-activity;sid:84669677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.canisterget.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806576/; classtype:trojan-activity;sid:84669676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.213.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806575/; classtype:trojan-activity;sid:84669675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.canisterget.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806574/; classtype:trojan-activity;sid:84669674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.canisterget.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806573/; classtype:trojan-activity;sid:84669673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/random.exe"; 
depth:16; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806570/; classtype:trojan-activity;sid:84669670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final/random.exe"; depth:17; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806571/; classtype:trojan-activity;sid:84669671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/rdx/random.exe"; depth:21; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806572/; classtype:trojan-activity;sid:84669672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vid/random.exe"; depth:15; endswith; nocase; http.host; content:"166.1.89.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806569/; classtype:trojan-activity;sid:84669669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.canisterget.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806568/; classtype:trojan-activity;sid:84669668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3806567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.93.178.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806567/; classtype:trojan-activity;sid:84669667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.58.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806566/; classtype:trojan-activity;sid:84669666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.dressingsix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806565/; classtype:trojan-activity;sid:84669665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806564/; classtype:trojan-activity;sid:84669664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.dressingsix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806563/; classtype:trojan-activity;sid:84669663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.dressingsix.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806562/; classtype:trojan-activity;sid:84669662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.62.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806561/; classtype:trojan-activity;sid:84669661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.dressingsix.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806560/; classtype:trojan-activity;sid:84669660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.duralmanganese.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806559/; classtype:trojan-activity;sid:84669659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806558)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.13.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806558/; classtype:trojan-activity;sid:84669658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.93.178.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806557/; classtype:trojan-activity;sid:84669657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.duralmanganese.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806556/; classtype:trojan-activity;sid:84669656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.duralmanganese.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806555/; classtype:trojan-activity;sid:84669655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.210.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806554/; classtype:trojan-activity;sid:84669654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3806553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.210.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806553/; classtype:trojan-activity;sid:84669653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.duralmanganese.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806552/; classtype:trojan-activity;sid:84669652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.13.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806551/; classtype:trojan-activity;sid:84669651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.altruistchimes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806550/; classtype:trojan-activity;sid:84669650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.43.128"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806549/; classtype:trojan-activity;sid:84669649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.altruistchimes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806548/; classtype:trojan-activity;sid:84669648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.altruistchimes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806547/; classtype:trojan-activity;sid:84669647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.altruistchimes.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806546/; classtype:trojan-activity;sid:84669646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.pendantwhip.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806545/; classtype:trojan-activity;sid:84669645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.43.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806544/; classtype:trojan-activity;sid:84669644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.pendantwhip.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806543/; classtype:trojan-activity;sid:84669643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.pendantwhip.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806542/; classtype:trojan-activity;sid:84669642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.193.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806541/; classtype:trojan-activity;sid:84669641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.pendantwhip.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806540/; classtype:trojan-activity;sid:84669640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.188.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806539/; classtype:trojan-activity;sid:84669639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.hastyraja.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806538/; classtype:trojan-activity;sid:84669638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.193.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806537/; classtype:trojan-activity;sid:84669637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.hastyraja.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806536/; classtype:trojan-activity;sid:84669636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"27.37.113.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806535/; classtype:trojan-activity;sid:84669635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.253.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806534/; classtype:trojan-activity;sid:84669634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.hastyraja.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806533/; classtype:trojan-activity;sid:84669633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.hastyraja.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806532/; classtype:trojan-activity;sid:84669632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.231.159.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806531/; classtype:trojan-activity;sid:84669631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3806530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.182.236.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806530/; classtype:trojan-activity;sid:84669630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.playrevenater.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806529/; classtype:trojan-activity;sid:84669629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.197.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806528/; classtype:trojan-activity;sid:84669628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.playrevenater.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806527/; classtype:trojan-activity;sid:84669627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.253.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806526/; classtype:trojan-activity;sid:84669626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.playrevenater.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806525/; classtype:trojan-activity;sid:84669625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.playrevenater.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806524/; classtype:trojan-activity;sid:84669624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.12.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806523/; classtype:trojan-activity;sid:84669623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.231.159.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806522/; classtype:trojan-activity;sid:84669622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806521)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.controlpeople.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806521/; classtype:trojan-activity;sid:84669621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.232.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806520/; classtype:trojan-activity;sid:84669620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.182.236.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806519/; classtype:trojan-activity;sid:84669619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.98.188.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806518/; classtype:trojan-activity;sid:84669618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.controlpeople.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806517/; classtype:trojan-activity;sid:84669617; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.200.15.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806516/; classtype:trojan-activity;sid:84669616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.controlpeople.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806515/; classtype:trojan-activity;sid:84669615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.12.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806514/; classtype:trojan-activity;sid:84669614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/oblivora/random.exe"; depth:26; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806513/; classtype:trojan-activity;sid:84669613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806512/; classtype:trojan-activity;sid:84669612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.controlpeople.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806511/; classtype:trojan-activity;sid:84669611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.226.85.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806510/; classtype:trojan-activity;sid:84669610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.mesozoicunder.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806509/; classtype:trojan-activity;sid:84669609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.232.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806508/; classtype:trojan-activity;sid:84669608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806507)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.mesozoicunder.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806507/; classtype:trojan-activity;sid:84669607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.240.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806506/; classtype:trojan-activity;sid:84669606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.mesozoicunder.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806505/; classtype:trojan-activity;sid:84669605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.mesozoicunder.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806504/; classtype:trojan-activity;sid:84669604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.archaicwillow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806503/; 
classtype:trojan-activity;sid:84669603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.archaicwillow.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806502/; classtype:trojan-activity;sid:84669602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.101.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806501/; classtype:trojan-activity;sid:84669601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.archaicwillow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806500/; classtype:trojan-activity;sid:84669600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.archaicwillow.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806499/; classtype:trojan-activity;sid:84669599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806498)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/219/img_003843.png"; depth:19; endswith; nocase; http.host; content:"107.172.135.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806498/; classtype:trojan-activity;sid:84669598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/219/goodpeopleswithbestfeeling.hta"; depth:35; endswith; nocase; http.host; content:"107.172.135.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806497/; classtype:trojan-activity;sid:84669597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.114.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806496/; classtype:trojan-activity;sid:84669596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/mdojagm.msi"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806495/; classtype:trojan-activity;sid:84669595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/final/random.exe"; depth:23; endswith; nocase; http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806494/; classtype:trojan-activity;sid:84669594; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.accomplicerepreh.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806490/; classtype:trojan-activity;sid:84669590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1.exe"; depth:10; endswith; nocase; http.host; content:"mainly-trim-lizard.cloudpub.ru"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806491/; classtype:trojan-activity;sid:84669591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2.exe"; depth:10; endswith; nocase; http.host; content:"mainly-trim-lizard.cloudpub.ru"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806492/; classtype:trojan-activity;sid:84669592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test3.exe"; depth:10; endswith; nocase; http.host; content:"mainly-trim-lizard.cloudpub.ru"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806493/; classtype:trojan-activity;sid:84669593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/185.224.215.205/1.exe"; depth:28; endswith; nocase; 
http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806489/; classtype:trojan-activity;sid:84669589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806488/; classtype:trojan-activity;sid:84669588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.214.59.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806487/; classtype:trojan-activity;sid:84669587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.accomplicerepreh.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806486/; classtype:trojan-activity;sid:84669586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.214.59.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806485/; classtype:trojan-activity;sid:84669585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806484)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/gop/random.exe"; depth:21; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806484/; classtype:trojan-activity;sid:84669584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8317177049/7tdj9hz.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806481/; classtype:trojan-activity;sid:84669581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/yxpifd2.msi"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806482/; classtype:trojan-activity;sid:84669582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/s6xwuz1.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806483/; classtype:trojan-activity;sid:84669583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/qrtfbw7.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; 
reference:url, urlhaus.abuse.ch/url/3806480/; classtype:trojan-activity;sid:84669580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.accomplicerepreh.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806479/; classtype:trojan-activity;sid:84669579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6334661508/lzyfkos.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806478/; classtype:trojan-activity;sid:84669578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7341834371/bgatgh0.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806474/; classtype:trojan-activity;sid:84669574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6608710704/ltjl6cp.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806475/; classtype:trojan-activity;sid:84669575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806476)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8434554557/x8cqvra.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806476/; classtype:trojan-activity;sid:84669576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5900855435/enle4nm.exe"; depth:29; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806477/; classtype:trojan-activity;sid:84669577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.accomplicerepreh.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806473/; classtype:trojan-activity;sid:84669573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.193.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806472/; classtype:trojan-activity;sid:84669572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.banchiktend.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806471/; classtype:trojan-activity;sid:84669571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.banchiktend.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806470/; classtype:trojan-activity;sid:84669570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.banchiktend.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806469/; classtype:trojan-activity;sid:84669569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.banchiktend.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806468/; classtype:trojan-activity;sid:84669568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.253.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806467/; classtype:trojan-activity;sid:84669567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806466)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.conditoverwinter.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806466/; classtype:trojan-activity;sid:84669566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.193.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806465/; classtype:trojan-activity;sid:84669565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3dev.conditoverwinter.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806464/; classtype:trojan-activity;sid:84669564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.101.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806463/; classtype:trojan-activity;sid:84669563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/random.exe"; depth:16; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806460/; classtype:trojan-activity;sid:84669560; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final/random.exe"; depth:17; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806461/; classtype:trojan-activity;sid:84669561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/rdx/random.exe"; depth:21; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806462/; classtype:trojan-activity;sid:84669562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.conditoverwinter.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806459/; classtype:trojan-activity;sid:84669559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.222.153.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806458/; classtype:trojan-activity;sid:84669558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.140.191.204"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806457/; classtype:trojan-activity;sid:84669557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vid/random.exe"; depth:15; endswith; nocase; http.host; content:"150.251.145.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806456/; classtype:trojan-activity;sid:84669556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.108.173.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806455/; classtype:trojan-activity;sid:84669555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.conditoverwinter.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806454/; classtype:trojan-activity;sid:84669554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.droolingman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806453/; classtype:trojan-activity;sid:84669553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806452)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.droolingman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806452/; classtype:trojan-activity;sid:84669552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.droolingman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806451/; classtype:trojan-activity;sid:84669551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806450/; classtype:trojan-activity;sid:84669550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/rdx/random.exe"; depth:21; endswith; nocase; http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806449/; classtype:trojan-activity;sid:84669549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806448/; 
classtype:trojan-activity;sid:84669548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.droolingman.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806447/; classtype:trojan-activity;sid:84669547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.88.0.216"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806446/; classtype:trojan-activity;sid:84669546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final/random.exe"; depth:17; endswith; nocase; http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806444/; classtype:trojan-activity;sid:84669544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/random.exe"; depth:16; endswith; nocase; http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806445/; classtype:trojan-activity;sid:84669545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/test/random.exe"; depth:22; endswith; nocase; 
http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806443/; classtype:trojan-activity;sid:84669543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.apatitemoshka.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806442/; classtype:trojan-activity;sid:84669542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.95.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806441/; classtype:trojan-activity;sid:84669541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.apatitemoshka.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806440/; classtype:trojan-activity;sid:84669540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.25.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806439/; classtype:trojan-activity;sid:84669539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3806438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.119.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806438/; classtype:trojan-activity;sid:84669538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.apatitemoshka.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806437/; classtype:trojan-activity;sid:84669537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.222.153.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806436/; classtype:trojan-activity;sid:84669536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806435/; classtype:trojan-activity;sid:84669535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.25.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806434/; 
classtype:trojan-activity;sid:84669534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.apatitemoshka.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806433/; classtype:trojan-activity;sid:84669533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806432/; classtype:trojan-activity;sid:84669532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"207.231.107.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806431/; classtype:trojan-activity;sid:84669531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.sh"; depth:10; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806430/; classtype:trojan-activity;sid:84669530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vid/random.exe"; depth:15; endswith; nocase; http.host; 
content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806429/; classtype:trojan-activity;sid:84669529; rev:1;)
# NOTE(review): the 14 rules below (URLhaus 3806415-3806428) are identical except
# for the arch= value; they share the same http.host and the same t= token.
# - In the URI pattern, |7c|26|7c| is hex 7c, the text "26", hex 7c. The pattern
#   therefore matches the four literal bytes |26| between the t= token and
#   "arch=", not an ampersand (0x26). Presumably this mirrors the URL as it was
#   submitted to URLhaus; confirm against the referenced entry, because a
#   request that uses a plain & at that position would not match these rules.
# - depth here equals the length of the escaped pattern text, which is 9 more
#   than the decoded pattern. endswith still pins the end of http.uri, but up to
#   9 bytes may precede "/dl.php", unlike the neighbouring rules where depth
#   equals the content length and the whole URI must match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=attd"; depth:96; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806416/; classtype:trojan-activity;sid:84669516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=sshdd"; depth:97; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806417/; classtype:trojan-activity;sid:84669517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=udevdpd"; depth:99; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806418/; classtype:trojan-activity;sid:84669518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=cronn"; depth:97; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806419/; classtype:trojan-activity;sid:84669519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=telentd"; depth:99; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806420/; classtype:trojan-activity;sid:84669520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=acppid"; depth:98; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806421/; classtype:trojan-activity;sid:84669521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=upnnpd"; depth:98; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806422/; classtype:trojan-activity;sid:84669522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=avahi-deamon"; depth:104; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806423/; classtype:trojan-activity;sid:84669523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=lighttpdd"; depth:101; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806424/; classtype:trojan-activity;sid:84669524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=httppd"; depth:98; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806425/; classtype:trojan-activity;sid:84669525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=miniiupnpd"; depth:102; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806426/; classtype:trojan-activity;sid:84669526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=net-workd"; depth:101; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806427/; classtype:trojan-activity;sid:84669527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=systmed-login"; depth:105; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806428/; classtype:trojan-activity;sid:84669528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.php|3f|t=0101011001000010010011110101010001001100010011010100000101001111|7c|26|7c|arch=dbsu-daemon"; depth:103; endswith; nocase; http.host; content:"143.20.185.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806415/; classtype:trojan-activity;sid:84669515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.25.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806414/; classtype:trojan-activity;sid:84669514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806413)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.113.196"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806413/; classtype:trojan-activity;sid:84669513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.250.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806412/; classtype:trojan-activity;sid:84669512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"extendecho.keystonebloom.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806411/; classtype:trojan-activity;sid:84669511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.119.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806410/; classtype:trojan-activity;sid:84669510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.123.38.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806409/; classtype:trojan-activity;sid:84669509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3806408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.95.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806408/; classtype:trojan-activity;sid:84669508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.104.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806407/; classtype:trojan-activity;sid:84669507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806402/; classtype:trojan-activity;sid:84669502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806403/; classtype:trojan-activity;sid:84669503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; 
reference:url, urlhaus.abuse.ch/url/3806404/; classtype:trojan-activity;sid:84669504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806405/; classtype:trojan-activity;sid:84669505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806406/; classtype:trojan-activity;sid:84669506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806393/; classtype:trojan-activity;sid:84669493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806394/; classtype:trojan-activity;sid:84669494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806395)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806395/; classtype:trojan-activity;sid:84669495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806396/; classtype:trojan-activity;sid:84669496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806397/; classtype:trojan-activity;sid:84669497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806398/; classtype:trojan-activity;sid:84669498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806399/; classtype:trojan-activity;sid:84669499; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806400/; classtype:trojan-activity;sid:84669500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"121.127.34.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806401/; classtype:trojan-activity;sid:84669501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"raildecode.radiantventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806392/; classtype:trojan-activity;sid:84669492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.137.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806391/; classtype:trojan-activity;sid:84669491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806390/; classtype:trojan-activity;sid:84669490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.222.147.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806389/; classtype:trojan-activity;sid:84669489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.i486"; depth:34; endswith; nocase; http.host; content:"144.172.105.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806388/; classtype:trojan-activity;sid:84669488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bash.sh"; depth:16; endswith; nocase; http.host; content:"144.172.105.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806384/; classtype:trojan-activity;sid:84669484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.spc"; depth:33; endswith; nocase; http.host; content:"144.172.105.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806385/; classtype:trojan-activity;sid:84669485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806386)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.i686"; depth:34; endswith; nocase; http.host; content:"144.172.105.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806386/; classtype:trojan-activity;sid:84669486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullnet_bin_dir/nullnet_load.x86_64"; depth:36; endswith; nocase; http.host; content:"144.172.105.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806387/; classtype:trojan-activity;sid:84669487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumvenon7.echelonprosper.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806383/; classtype:trojan-activity;sid:84669483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.sh"; depth:5; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806382/; classtype:trojan-activity;sid:84669482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806381/; classtype:trojan-activity;sid:84669481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806376/; classtype:trojan-activity;sid:84669476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806377/; classtype:trojan-activity;sid:84669477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806378/; classtype:trojan-activity;sid:84669478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806379/; classtype:trojan-activity;sid:84669479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"147.45.60.206"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806380/; classtype:trojan-activity;sid:84669480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"147.45.60.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806375/; classtype:trojan-activity;sid:84669475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"spring-notif.paragonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806374/; classtype:trojan-activity;sid:84669474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/window.exe"; depth:15; endswith; nocase; http.host; content:"150.251.145.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806373/; classtype:trojan-activity;sid:84669473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"79iy.spectrumharvest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806372/; classtype:trojan-activity;sid:84669472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806371)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.181.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806371/; classtype:trojan-activity;sid:84669471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.113.196"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806370/; classtype:trojan-activity;sid:84669470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806369/; classtype:trojan-activity;sid:84669469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"207.231.107.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806368/; classtype:trojan-activity;sid:84669468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"4vggd.zenithpatron.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806367/; classtype:trojan-activity;sid:84669467; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jack5tr.sh"; depth:11; endswith; nocase; http.host; content:"45.139.104.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806366/; classtype:trojan-activity;sid:84669466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flow-pil.covenantbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806365/; classtype:trojan-activity;sid:84669465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"unloadalig.latticeventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806364/; classtype:trojan-activity;sid:84669464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.255.87.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806363/; classtype:trojan-activity;sid:84669463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.247.8"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806362/; classtype:trojan-activity;sid:84669462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/vnc.exe"; depth:27; endswith; nocase; http.host; content:"89.45.6.18"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806361/; classtype:trojan-activity;sid:84669461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.181.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806360/; classtype:trojan-activity;sid:84669460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"audiodemand.momentumharbor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806359/; classtype:trojan-activity;sid:84669459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.152.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806358/; classtype:trojan-activity;sid:84669458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806357)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806357/; classtype:trojan-activity;sid:84669457; rev:1;)
# URLhaus exact-match download rules, one rule per line.
# Each rule alerts on a client-side GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri equals the listed path: depth is the content length and
#     endswith pins the end of the buffer; nocase makes the path
#     case-insensitive;
#   - http.host equals the listed value: depth is the content length and
#     isdataat:!1,relative requires that nothing follows the match.
# Because both buffers are matched in full, a request to the same host with a
# query string or a different path is not covered by the rule.
# These are `alert http` rules, so a fetch of the same URL over TLS is not
# inspected unless the traffic is decrypted upstream of the sensor.
# The sid is the URLhaus entry id (shown in msg and reference) plus 80863100,
# so an alert maps directly back to urlhaus.abuse.ch/url/<id>/.
# Five rules in this section (3806345, 3806348, 3806349, 3806351, 3806356)
# share the path /verification.google on different *.in.net hostnames.
# NOTE(review): looks like one campaign rotating hostnames; confirm on
# URLhaus before relying on the per-host rules alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"3ep11.tr4cefox.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806356/; classtype:trojan-activity;sid:84669456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806354/; classtype:trojan-activity;sid:84669454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.248.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806355/; classtype:trojan-activity;sid:84669455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.252.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806353/; classtype:trojan-activity;sid:84669453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806352/; classtype:trojan-activity;sid:84669452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"imagvalley.mirthbay.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806351/; classtype:trojan-activity;sid:84669451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.247.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806350/; classtype:trojan-activity;sid:84669450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sort-scope.larkspin.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806349/; classtype:trojan-activity;sid:84669449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qjbtkqgb.brimvale.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806348/; classtype:trojan-activity;sid:84669448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.103.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806347/; classtype:trojan-activity;sid:84669447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/window.exe"; depth:15; endswith; nocase; http.host; content:"193.17.95.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806346/; classtype:trojan-activity;sid:84669446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"prairialp.n1mbleoak.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806345/; classtype:trojan-activity;sid:84669445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.152.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806344/; classtype:trojan-activity;sid:84669444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806343)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.205.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806343/; classtype:trojan-activity;sid:84669443; rev:1;)
# URLhaus exact-match download rules, one rule per line: each alerts on a
# client GET whose full http.uri (case-insensitive) and full http.host equal
# the listed values, so every rule covers exactly one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"finalvide.duskforge.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806342/; classtype:trojan-activity;sid:84669442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.252.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806341/; classtype:trojan-activity;sid:84669441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806340/; classtype:trojan-activity;sid:84669440; rev:1;)
# Entries 3806325-3806339, except 3806333, all name host 165.22.252.236 and a
# file under /windyloveyou/ whose suffix varies (spc, arm5, ppc, arc, i686,
# x86_64, arm7, sh4, mpsl, mips, arm, m68k, arm6, x86).
# NOTE(review): the suffixes look like CPU architecture names, so this is
# presumably one payload built per architecture; triage hits on any of these
# fourteen sids as a single cluster and confirm on URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806330/; classtype:trojan-activity;sid:84669430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806331/; classtype:trojan-activity;sid:84669431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806332/; classtype:trojan-activity;sid:84669432; rev:1;)
# The address inside this path (185.224.215.205) is part of the URI string
# only; the host the rule matches is 192.177.26.196.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/185.224.215.205/1.exe"; depth:28; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806333/; classtype:trojan-activity;sid:84669433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806334/; classtype:trojan-activity;sid:84669434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806335/; classtype:trojan-activity;sid:84669435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806336/; classtype:trojan-activity;sid:84669436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806337/; classtype:trojan-activity;sid:84669437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806338/; classtype:trojan-activity;sid:84669438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806339/; classtype:trojan-activity;sid:84669439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806325/; classtype:trojan-activity;sid:84669425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806326/; classtype:trojan-activity;sid:84669426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806327/; classtype:trojan-activity;sid:84669427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806328/; classtype:trojan-activity;sid:84669428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806329/; classtype:trojan-activity;sid:84669429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.62.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806324/; classtype:trojan-activity;sid:84669424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tipg.rivermint.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806323/; classtype:trojan-activity;sid:84669423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.88.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806322/; classtype:trojan-activity;sid:84669422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"plasmapublic.flare-path.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806321/; classtype:trojan-activity;sid:84669421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/windows.exe"; depth:16; 
endswith; nocase; http.host; content:"193.17.95.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806320/; classtype:trojan-activity;sid:84669420; rev:1;)
# URLhaus exact-match download rules, one rule per line: each alerts on a
# client GET whose full http.uri (case-insensitive) and full http.host equal
# the listed values.
# NOTE(review): most hosts here are IP literals carrying metadata:created_at
# 2026_03_27. An address is a point-in-time indicator and may since have been
# reassigned, so check the entry's current status through its reference URL
# before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806319/; classtype:trojan-activity;sid:84669419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.103.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806317/; classtype:trojan-activity;sid:84669417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.96.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806318/; classtype:trojan-activity;sid:84669418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ktyf9zwv.skyl0om.in.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806316/; classtype:trojan-activity;sid:84669416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.81.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806315/; classtype:trojan-activity;sid:84669415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.36.0"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806314/; classtype:trojan-activity;sid:84669414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.36.0"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806313/; classtype:trojan-activity;sid:84669413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cdecp45.graincrest.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806312/; classtype:trojan-activity;sid:84669412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.196.183.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806311/; classtype:trojan-activity;sid:84669411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"yq6zjr5.q7ravo.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806310/; classtype:trojan-activity;sid:84669410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.72.22.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806309/; classtype:trojan-activity;sid:84669409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tensorecho.thistlecore.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806308/; classtype:trojan-activity;sid:84669408; rev:1;)
# Host 78.153.140.16 appears in five rules of this section (3806302, 3806303,
# 3806305, 3806306, 3806307), each for a different short .sh path. An alert
# on one of them is a reason to check the same client for the other four.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806307/; classtype:trojan-activity;sid:84669407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806305/; classtype:trojan-activity;sid:84669405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806306/; classtype:trojan-activity;sid:84669406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.88.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806304/; classtype:trojan-activity;sid:84669404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i.sh"; depth:5; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806302/; classtype:trojan-activity;sid:84669402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sc.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806303/; classtype:trojan-activity;sid:84669403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hhxxz.stone-blink.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806301/; classtype:trojan-activity;sid:84669401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.52.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806300/; classtype:trojan-activity;sid:84669400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806299/; classtype:trojan-activity;sid:84669399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"invoicgran.cl0verrun.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806298/; classtype:trojan-activity;sid:84669398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806297/; classtype:trojan-activity;sid:84669397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3806296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.177.33.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806296/; classtype:trojan-activity;sid:84669396; rev:1;)
# URLhaus exact-match download rules, one rule per line: each alerts on a
# client GET whose full http.uri (case-insensitive) and full http.host equal
# the listed values.
# These are `alert http` rules, so the same URL fetched over TLS is not
# inspected unless the traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.81.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806295/; classtype:trojan-activity;sid:84669395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.52.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806294/; classtype:trojan-activity;sid:84669394; rev:1;)
# Five rules in this section (3806284, 3806287, 3806288, 3806290, 3806293)
# name different subdomains of keystonebloom.in.net with the same path
# /verification.google. http.host is matched in full, so a further subdomain
# of that parent is not covered until URLhaus lists it.
# NOTE(review): if the parent domain is confirmed malicious, a local rule or
# DNS-level control on the parent would close that gap; verify first.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wmwr.keystonebloom.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806293/; classtype:trojan-activity;sid:84669393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806292/; classtype:trojan-activity;sid:84669392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.196.183.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806291/; classtype:trojan-activity;sid:84669391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"storagegust.keystonebloom.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806290/; classtype:trojan-activity;sid:84669390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.198.186.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806289/; classtype:trojan-activity;sid:84669389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"5ync-branch.keystonebloom.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806288/; classtype:trojan-activity;sid:84669388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"globaledi.keystonebloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806287/; classtype:trojan-activity;sid:84669387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.2.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806285/; classtype:trojan-activity;sid:84669385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.158.90.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806286/; classtype:trojan-activity;sid:84669386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"p1ne-cache.keystonebloom.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806284/; classtype:trojan-activity;sid:84669384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.157.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806283/; classtype:trojan-activity;sid:84669383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806282/; classtype:trojan-activity;sid:84669382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dynflux2a.radiantventure.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806281/; classtype:trojan-activity;sid:84669381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.168.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806280/; classtype:trojan-activity;sid:84669380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.27.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806279/; classtype:trojan-activity;sid:84669379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.7.83.253"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806277/; 
classtype:trojan-activity;sid:84669377; rev:1;)
# URLhaus exact-match download rules, one rule per line: each alerts on a
# client GET whose full http.uri (case-insensitive) and full http.host equal
# the listed values.
# The sid is the URLhaus entry id (shown in msg and reference) plus 80863100,
# so an alert maps directly back to urlhaus.abuse.ch/url/<id>/.
# The /verification.google rules in this section fall under two parent
# domains: radiantventure.in.net (3806269, 3806270, 3806272, 3806276) and
# echelonprosper.in.net (3806260, 3806262, 3806264, 3806266). Each rule pins
# one subdomain; other subdomains of the same parent are not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.81.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806278/; classtype:trojan-activity;sid:84669378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ho1lo0-reach.radiantventure.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806276/; classtype:trojan-activity;sid:84669376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806275/; classtype:trojan-activity;sid:84669375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.158.90.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806274/; classtype:trojan-activity;sid:84669374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806273/; classtype:trojan-activity;sid:84669373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vorspire5os.radiantventure.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806272/; classtype:trojan-activity;sid:84669372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.120.0.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806271/; classtype:trojan-activity;sid:84669371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tr41l4-point.radiantventure.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806270/; classtype:trojan-activity;sid:84669370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wl58.radiantventure.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806269/; classtype:trojan-activity;sid:84669369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.2.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806268/; classtype:trojan-activity;sid:84669368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.86.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806267/; classtype:trojan-activity;sid:84669367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fqwhi8.echelonprosper.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806266/; classtype:trojan-activity;sid:84669366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.40.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806265/; classtype:trojan-activity;sid:84669365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"shor-mesh.echelonprosper.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806264/; classtype:trojan-activity;sid:84669364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.93.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806263/; classtype:trojan-activity;sid:84669363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tra1-drive.echelonprosper.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806262/; classtype:trojan-activity;sid:84669362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.59.137.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806261/; classtype:trojan-activity;sid:84669361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"norfluxis4.echelonprosper.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806260/; classtype:trojan-activity;sid:84669360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806259)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/fnnetcdn.b-cdn.net/kurulum.exe"; depth:37; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806259/; classtype:trojan-activity;sid:84669359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ynjrhuk4.echelonprosper.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806258/; classtype:trojan-activity;sid:84669358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"165.22.252.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806257/; classtype:trojan-activity;sid:84669357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.17.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806256/; classtype:trojan-activity;sid:84669356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.40.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806255/; classtype:trojan-activity;sid:84669355; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"grand-optic.paragonforge.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806254/; classtype:trojan-activity;sid:84669354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.58.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806253/; classtype:trojan-activity;sid:84669353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"hyper-f4ll.paragonforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806252/; classtype:trojan-activity;sid:84669352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.97.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806251/; classtype:trojan-activity;sid:84669351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.92.111"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806250/; classtype:trojan-activity;sid:84669350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"measure6-loop.paragonforge.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806249/; classtype:trojan-activity;sid:84669349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806248/; classtype:trojan-activity;sid:84669348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"qfakp.paragonforge.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806247/; classtype:trojan-activity;sid:84669347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806246/; classtype:trojan-activity;sid:84669346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806245)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806245/; classtype:trojan-activity;sid:84669345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"needlerefine.paragonforge.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806244/; classtype:trojan-activity;sid:84669344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vdsh.spectrumharvest.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806243/; classtype:trojan-activity;sid:84669343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806242/; classtype:trojan-activity;sid:84669342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.92.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806241/; classtype:trojan-activity;sid:84669341; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ce1l-mark.spectrumharvest.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806240/; classtype:trojan-activity;sid:84669340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"t0ken-core.spectrumharvest.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806239/; classtype:trojan-activity;sid:84669339; rev:1;)
# The rules around this one pin http.uri with depth equal to the pattern length plus
# endswith, and http.host with depth plus isdataat:!1,relative, so each buffer has to
# hold exactly the listed value.
# NOTE(review): in the next rule depth:53 is the length of the escaped pattern text.
# Once the |3f| and |7c| hex escapes are decoded the pattern is 38 bytes, so this rule
# would presumably also fire when up to 15 extra bytes precede the pattern in http.uri.
# The decoded pattern contains the literal characters |26| twice. If the reported URL
# has "&" at those positions the rule would miss it. Confirm against the URLhaus entry
# named in reference: and raise it with the feed maintainer rather than patching locally,
# since a feed refresh replaces this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|=check|7c|26|7c||7c|26|7c|actmn=behwfqcvgrnsjpmk"; depth:53; endswith; nocase; http.host; content:"9ecs80cc.skybit.digital"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806238/; classtype:trojan-activity;sid:84669338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.75.27.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806237/; classtype:trojan-activity;sid:84669337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"168.227.66.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806236/; classtype:trojan-activity;sid:84669336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"r0ot-hinge.spectrumharvest.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806235/; classtype:trojan-activity;sid:84669335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.154.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806234/; classtype:trojan-activity;sid:84669334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"c0re4-grid.spectrumharvest.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806233/; classtype:trojan-activity;sid:84669333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.165.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806232/; classtype:trojan-activity;sid:84669332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3806231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"assetfilter.zenithpatron.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806231/; classtype:trojan-activity;sid:84669331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806230/; classtype:trojan-activity;sid:84669330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"fallgateway.zenithpatron.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806229/; classtype:trojan-activity;sid:84669329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.75.27.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806228/; classtype:trojan-activity;sid:84669328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.139.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806227/; classtype:trojan-activity;sid:84669327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.198.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806226/; classtype:trojan-activity;sid:84669326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.225.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806225/; classtype:trojan-activity;sid:84669325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"alt-rnanif3s.zenithpatron.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806224/; classtype:trojan-activity;sid:84669324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.26.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806223/; classtype:trojan-activity;sid:84669323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.189.20.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806222/; classtype:trojan-activity;sid:84669322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"122jtw.zenithpatron.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806221/; classtype:trojan-activity;sid:84669321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806220/; classtype:trojan-activity;sid:84669320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"conv35-ring.zenithpatron.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806219/; classtype:trojan-activity;sid:84669319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.199.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806218/; classtype:trojan-activity;sid:84669318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.203.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806217/; classtype:trojan-activity;sid:84669317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.199.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806216/; classtype:trojan-activity;sid:84669316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"lumflux4um.covenantbloom.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806215/; classtype:trojan-activity;sid:84669315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.198.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806214/; classtype:trojan-activity;sid:84669314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sandboximport.covenantbloom.in.net"; depth:34; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806213/; classtype:trojan-activity;sid:84669313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.20.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806212/; classtype:trojan-activity;sid:84669312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.26.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806211/; classtype:trojan-activity;sid:84669311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.68.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806210/; classtype:trojan-activity;sid:84669310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.203.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806209/; classtype:trojan-activity;sid:84669309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"89bqxcn.covenantbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806208/; classtype:trojan-activity;sid:84669308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"wlvyadr.covenantbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806207/; classtype:trojan-activity;sid:84669307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.231.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806206/; classtype:trojan-activity;sid:84669306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1p-field.covenantbloom.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806205/; classtype:trojan-activity;sid:84669305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"y4aw3.latticeventure.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806204/; classtype:trojan-activity;sid:84669304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3806203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.68.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806203/; classtype:trojan-activity;sid:84669303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"unit-frame.latticeventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806202/; classtype:trojan-activity;sid:84669302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"moss-spark.latticeventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806201/; classtype:trojan-activity;sid:84669301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.231.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806200/; classtype:trojan-activity;sid:84669300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.38.231"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806199/; classtype:trojan-activity;sid:84669299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.113.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806198/; classtype:trojan-activity;sid:84669298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"serspireal.latticeventure.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806197/; classtype:trojan-activity;sid:84669297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.76.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806196/; classtype:trojan-activity;sid:84669296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806195/; classtype:trojan-activity;sid:84669295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; 
depth:20; endswith; nocase; http.host; content:"daemonclear.latticeventure.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806194/; classtype:trojan-activity;sid:84669294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.52.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806193/; classtype:trojan-activity;sid:84669293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.i686"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806192/; classtype:trojan-activity;sid:84669292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arc"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806175/; classtype:trojan-activity;sid:84669275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm6"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806176/; classtype:trojan-activity;sid:84669276; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.x86_64"; depth:34; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806177/; classtype:trojan-activity;sid:84669277; rev:1;)
# Matching notes for the rules below (they all share one template):
# - http.uri: depth equals the content length and is combined with endswith, so the
#   normalized URI must equal the string exactly, compared case-insensitively (nocase).
#   A request that adds a query string or another path segment does not match.
# - http.host: depth equals the content length and isdataat:!1,relative requires the
#   buffer to end right after it, so only this exact host value matches.
# - Host 103.160.62.234 appears with many /lemperluvkurayami/kurayami.<suffix> paths;
#   the suffixes look like CPU architecture names (presumably one build per
#   architecture), so hits on several of these sids from one client belong in one triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.m68k"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806178/; classtype:trojan-activity;sid:84669278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.x86"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806179/; classtype:trojan-activity;sid:84669279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm64"; depth:33; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806180/; classtype:trojan-activity;sid:84669280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.sh4"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806181/; classtype:trojan-activity;sid:84669281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.mpsl"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806182/; classtype:trojan-activity;sid:84669282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.mips"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806183/; classtype:trojan-activity;sid:84669283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.ppc"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806184/; classtype:trojan-activity;sid:84669284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdngo8egh9oihgnpe9oahgliub/t"; depth:29; endswith; nocase; http.host; content:"89.19.223.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806185/; classtype:trojan-activity;sid:84669285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/dvr1.sh"; depth:18; endswith; nocase; http.host; content:"196.189.96.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806186/; classtype:trojan-activity;sid:84669286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm5"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806187/; classtype:trojan-activity;sid:84669287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806188/; classtype:trojan-activity;sid:84669288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.spc"; depth:31; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806189/; classtype:trojan-activity;sid:84669289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.i468"; depth:32; endswith; nocase; http.host;
content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806190/; classtype:trojan-activity;sid:84669290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lemperluvkurayami/kurayami.arm7"; depth:32; endswith; nocase; http.host; content:"103.160.62.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806191/; classtype:trojan-activity;sid:84669291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806171/; classtype:trojan-activity;sid:84669271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806172/; classtype:trojan-activity;sid:84669272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806173/; classtype:trojan-activity;sid:84669273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"94.249.228.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806174/; classtype:trojan-activity;sid:84669274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/il24xgriequcys45"; depth:17; endswith; nocase; http.host; content:"91.92.242.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806169/; classtype:trojan-activity;sid:84669269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/dvr1.sh"; depth:18; endswith; nocase; http.host; content:"116.129.7.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806170/; classtype:trojan-activity;sid:84669270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.143.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806168/; classtype:trojan-activity;sid:84669268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806167/; classtype:trojan-activity;sid:84669267; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.86.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806166/; classtype:trojan-activity;sid:84669266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.127.234.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806165/; classtype:trojan-activity;sid:84669265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.52.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806164/; classtype:trojan-activity;sid:84669264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.241.51.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806163/; classtype:trojan-activity;sid:84669263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"syigenc6.momentumharbor.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806162/; classtype:trojan-activity;sid:84669262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.3.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806161/; classtype:trojan-activity;sid:84669261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.232.75.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806159/; classtype:trojan-activity;sid:84669259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.232.75.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806160/; classtype:trojan-activity;sid:84669260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.86.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806158/; classtype:trojan-activity;sid:84669258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.55.56.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806157/; classtype:trojan-activity;sid:84669257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vor-tideet.momentumharbor.in.net"; depth:32; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806156/; classtype:trojan-activity;sid:84669256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.93.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806155/; classtype:trojan-activity;sid:84669255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.89.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806154/; classtype:trojan-activity;sid:84669254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.93.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806153/; classtype:trojan-activity;sid:84669253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806152)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"tri-forgeix.momentumharbor.in.net"; depth:33; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806152/; classtype:trojan-activity;sid:84669252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.250.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806150/; classtype:trojan-activity;sid:84669250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806151/; classtype:trojan-activity;sid:84669251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.234.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806149/; classtype:trojan-activity;sid:84669249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.3.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806148/; classtype:trojan-activity;sid:84669248; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"trares.momentumharbor.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806147/; classtype:trojan-activity;sid:84669247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"nor-venen.momentumharbor.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806146/; classtype:trojan-activity;sid:84669246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.113.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806145/; classtype:trojan-activity;sid:84669245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.56.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806144/; classtype:trojan-activity;sid:84669244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.30.37"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806143/; classtype:trojan-activity;sid:84669243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"open-obser.dawnspire.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806142/; classtype:trojan-activity;sid:84669242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.39.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806141/; classtype:trojan-activity;sid:84669241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"kelforgear.amber-drift.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806140/; classtype:trojan-activity;sid:84669240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vel-spireix.gl1mmeroak.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806139/; classtype:trojan-activity;sid:84669239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806138/; classtype:trojan-activity;sid:84669238; rev:1;)
# The following rules all name host 64.89.163.118 and differ only in a short,
# single-word path (/california, /colorado, ...). Each one is an exact, case-insensitive
# match on that path (depth = content length, endswith, nocase) AND an exact match on
# the host value, so these common words alert only in combination with this host.
# Alerts from several of these sids for one client are best reviewed together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california"; depth:11; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806131/; classtype:trojan-activity;sid:84669231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/colorado"; depth:9; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806132/; classtype:trojan-activity;sid:84669232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connecticut"; depth:12; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806133/; classtype:trojan-activity;sid:84669233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alaska"; depth:7; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806134/; classtype:trojan-activity;sid:84669234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/florida"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806135/; classtype:trojan-activity;sid:84669235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/georgia"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806136/; classtype:trojan-activity;sid:84669236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/illinois"; depth:9; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806137/; classtype:trojan-activity;sid:84669237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delaware"; depth:9; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806126/; classtype:trojan-activity;sid:84669226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indiana"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806127/; classtype:trojan-activity;sid:84669227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idaho"; depth:6; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806128/; classtype:trojan-activity;sid:84669228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkansas"; depth:9; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806129/; classtype:trojan-activity;sid:84669229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alabama"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806130/; classtype:trojan-activity;sid:84669230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hawaii"; depth:7; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806123/; classtype:trojan-activity;sid:84669223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iowa"; depth:5; endswith; nocase; http.host;
content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806124/; classtype:trojan-activity;sid:84669224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arizona"; depth:8; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806125/; classtype:trojan-activity;sid:84669225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"re4g3-dock.crestfall.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806122/; classtype:trojan-activity;sid:84669222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"discov-sdk.velorune.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806121/; classtype:trojan-activity;sid:84669221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.26.48.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806120/; classtype:trojan-activity;sid:84669220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"flamefinal.brisklume.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806119/; classtype:trojan-activity;sid:84669219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.26.48.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806118/; classtype:trojan-activity;sid:84669218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806117/; classtype:trojan-activity;sid:84669217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"sectransi.f0xharbor.in.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806116/; classtype:trojan-activity;sid:84669216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01/items.dll"; depth:14; endswith; nocase; http.host; content:"122.51.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806115/; 
classtype:trojan-activity;sid:84669215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12.bin"; depth:7; endswith; nocase; http.host; content:"38.76.194.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806113/; classtype:trojan-activity;sid:84669213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bendi.exe"; depth:10; endswith; nocase; http.host; content:"38.76.194.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806114/; classtype:trojan-activity;sid:84669214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/321.bin"; depth:8; endswith; nocase; http.host; content:"38.76.194.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806108/; classtype:trojan-activity;sid:84669208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.exe"; depth:6; endswith; nocase; http.host; content:"186.169.78.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806109/; classtype:trojan-activity;sid:84669209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/96cqmfy.bat"; depth:29; endswith; nocase; http.host; content:"158.94.208.168"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806110/; classtype:trojan-activity;sid:84669210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/2zvjacj.exe"; depth:29; endswith; nocase; http.host; content:"158.94.208.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806111/; classtype:trojan-activity;sid:84669211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellcode.bin"; depth:14; endswith; nocase; http.host; content:"38.76.194.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806112/; classtype:trojan-activity;sid:84669212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806099/; classtype:trojan-activity;sid:84669199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806100/; classtype:trojan-activity;sid:84669200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_linux64"; depth:14; endswith; nocase; http.host; content:"103.79.76.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806101/; classtype:trojan-activity;sid:84669201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_darwinarm"; depth:16; endswith; nocase; http.host; content:"103.79.76.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806102/; classtype:trojan-activity;sid:84669202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y04mz1jp/image.png"; depth:19; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806103/; classtype:trojan-activity;sid:84669203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/night-soul-1.21.11-43.jar"; depth:36; endswith; nocase; http.host; content:"night-client-hub.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806104/; classtype:trojan-activity;sid:84669204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/kryptonclient1.21.11-43.jar"; depth:38; endswith; nocase; http.host; content:"night-client-hub.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 
2026_03_27; reference:url, urlhaus.abuse.ch/url/3806105/; classtype:trojan-activity;sid:84669205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01/meffect.dll"; depth:16; endswith; nocase; http.host; content:"122.51.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806106/; classtype:trojan-activity;sid:84669206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_win64.exe"; depth:16; endswith; nocase; http.host; content:"103.79.76.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806107/; classtype:trojan-activity;sid:84669207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806096/; classtype:trojan-activity;sid:84669196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/dupeclient1.21.11-1.21.11.jar"; depth:40; endswith; nocase; http.host; content:"night-client-hub.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806097/; classtype:trojan-activity;sid:84669197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806098)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806098/; classtype:trojan-activity;sid:84669198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806094/; classtype:trojan-activity;sid:84669194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806095/; classtype:trojan-activity;sid:84669195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806091/; classtype:trojan-activity;sid:84669191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01/mfsvc2.dll"; depth:15; endswith; nocase; http.host; content:"122.51.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806092/; 
classtype:trojan-activity;sid:84669192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01/login.dll"; depth:14; endswith; nocase; http.host; content:"122.51.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806093/; classtype:trojan-activity;sid:84669193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806090/; classtype:trojan-activity;sid:84669190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/krjf0cy.msi"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806077/; classtype:trojan-activity;sid:84669177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"64.89.163.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806078/; classtype:trojan-activity;sid:84669178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; 
depth:33; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806079/; classtype:trojan-activity;sid:84669179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806080/; classtype:trojan-activity;sid:84669180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806081/; classtype:trojan-activity;sid:84669181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806082/; classtype:trojan-activity;sid:84669182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806083/; classtype:trojan-activity;sid:84669183; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806084/; classtype:trojan-activity;sid:84669184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806085/; classtype:trojan-activity;sid:84669185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806086/; classtype:trojan-activity;sid:84669186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806087/; classtype:trojan-activity;sid:84669187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; 
content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806088/; classtype:trojan-activity;sid:84669188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"194.59.30.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806089/; classtype:trojan-activity;sid:84669189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/eenfurg.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806076/; classtype:trojan-activity;sid:84669176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/kobo/beautifulgirlfriend.hta"; depth:33; endswith; nocase; http.host; content:"107.172.135.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806074/; classtype:trojan-activity;sid:84669174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugin"; depth:7; endswith; nocase; http.host; content:"41.216.188.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806075/; classtype:trojan-activity;sid:84669175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3806070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/random.exe"; depth:16; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806070/; classtype:trojan-activity;sid:84669170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/96cqmfy.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806071/; classtype:trojan-activity;sid:84669171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/files/8316621590/60tjimw.exe"; depth:35; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806072/; classtype:trojan-activity;sid:84669172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/files/8316621590/flsj7eq.exe"; depth:35; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806073/; classtype:trojan-activity;sid:84669173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/mdojagm.msi"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806066/; classtype:trojan-activity;sid:84669166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/rilx3pr.bat"; depth:29; endswith; nocase; http.host; content:"194.41.113.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806067/; classtype:trojan-activity;sid:84669167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/files/8316621590/qxeibgu.exe"; depth:35; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806068/; classtype:trojan-activity;sid:84669168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/files/8316621590/mjn2ass.bat"; depth:35; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806069/; classtype:trojan-activity;sid:84669169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"whreceiverrrrrrrrr.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806065/; classtype:trojan-activity;sid:84669165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3806064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mercore9a.cinderpeak.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806064/; classtype:trojan-activity;sid:84669164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"pzwvu.aurorift.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806063/; classtype:trojan-activity;sid:84669163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.215.120.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806062/; classtype:trojan-activity;sid:84669162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"layer3-graph.stonemuse.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806061/; classtype:trojan-activity;sid:84669161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.255.43.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3806060/; classtype:trojan-activity;sid:84669160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.217.33.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806059/; classtype:trojan-activity;sid:84669159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.148.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806058/; classtype:trojan-activity;sid:84669158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"partnershape.n1ghtridge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806057/; classtype:trojan-activity;sid:84669157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806056/; classtype:trojan-activity;sid:84669156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"59.91.168.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806055/; classtype:trojan-activity;sid:84669155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.91.168.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806054/; classtype:trojan-activity;sid:84669154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ezjs.cl0udmere.in.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806053/; classtype:trojan-activity;sid:84669153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.215.120.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806052/; classtype:trojan-activity;sid:84669152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.206.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806051/; classtype:trojan-activity;sid:84669151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806050)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"balan-forge.thornbyte.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806050/; classtype:trojan-activity;sid:84669150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.148.184.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806049/; classtype:trojan-activity;sid:84669149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.253.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806048/; classtype:trojan-activity;sid:84669148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"aud1-frame.fablegrove.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806047/; classtype:trojan-activity;sid:84669147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806046/; 
classtype:trojan-activity;sid:84669146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806045/; classtype:trojan-activity;sid:84669145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"d3m4nd-wave.z7hire.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806044/; classtype:trojan-activity;sid:84669144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.44.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806043/; classtype:trojan-activity;sid:84669143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.168.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806042/; classtype:trojan-activity;sid:84669142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; 
content:"urbanmicr.tires8f.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806041/; classtype:trojan-activity;sid:84669141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.206.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806040/; classtype:trojan-activity;sid:84669140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806039/; classtype:trojan-activity;sid:84669139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.144.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806038/; classtype:trojan-activity;sid:84669138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806037/; classtype:trojan-activity;sid:84669137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806036)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"timberbundle.cl0verbyte.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806036/; classtype:trojan-activity;sid:84669136; rev:1;)
# Reading notes for the rules in this stretch (taken from the rule options themselves).
# Line breaks are restored to one rule per line; rule text is unchanged.
#   * "alert http" + http.method "GET": only requests Suricata parses as HTTP are
#     inspected, so the same download fetched over TLS is not seen unless it is
#     decrypted before the sensor.
#   * http.uri content + depth:<len> + endswith + nocase: the normalized URI must equal
#     the listed path (case-insensitively); the same path with a query string or an
#     extra segment does not match.
#   * http.host content + depth:<len> + isdataat:!1,relative: the normalized Host value
#     must equal the listed host. Where that host is an IPv4 literal the match is still
#     on the Host header, not on the destination address, so correlate an alert with
#     the flow's destination IP.
#   * Direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: an alert
#     marks an internal client requesting the URL; it does not show that a payload was
#     delivered or executed. Confirm with the HTTP response and endpoint telemetry.
#   * Every rule here carries metadata:created_at 2026_03_27; check the entry's current
#     status at its reference URL before treating a hit as confirmed.
#   * NOTE(review): 192.177.26.196 recurs throughout this stretch, each time with a
#     different /files/... name (.exe, .bat, .msi). Because every rule pins one exact
#     URI, a file name not yet listed on that host will not alert; review proxy/flow
#     logs for other requests to it.
#   * NOTE(review): the /verification.google path recurs across many *.in.net hostnames
#     with numbered labels (ext1..ext4, svc1..svc4, dev1..dev4, cl1..cl4). Each rule pins
#     one hostname, so sibling names not listed here are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.253.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806035/; classtype:trojan-activity;sid:84669135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"talmark4a.foxglade.in.net"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806034/; classtype:trojan-activity;sid:84669134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.95.44.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806033/; classtype:trojan-activity;sid:84669133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.50.155.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806032/; classtype:trojan-activity;sid:84669132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/vxx2rop.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806031/; classtype:trojan-activity;sid:84669131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.241.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806030/; classtype:trojan-activity;sid:84669130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"vorspireos3.bramblepath.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806029/; classtype:trojan-activity;sid:84669129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.12.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806028/; classtype:trojan-activity;sid:84669128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.241.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806027/; classtype:trojan-activity;sid:84669127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"givs1.fabledock.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806026/; classtype:trojan-activity;sid:84669126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/g05mb4u.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806025/; classtype:trojan-activity;sid:84669125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.168.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806024/; classtype:trojan-activity;sid:84669124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.165.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806023/; classtype:trojan-activity;sid:84669123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.37.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806022/; classtype:trojan-activity;sid:84669122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/ioyfcju.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806021/; classtype:trojan-activity;sid:84669121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"mi5t-mount.x7lora.in.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806020/; classtype:trojan-activity;sid:84669120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.165.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806019/; classtype:trojan-activity;sid:84669119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/3v0svma.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806018/; classtype:trojan-activity;sid:84669118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/fifbyh6.msi"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806017/; classtype:trojan-activity;sid:84669117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.144.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806016/; classtype:trojan-activity;sid:84669116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"golbyte.ra8gera.in.net"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806015/; classtype:trojan-activity;sid:84669115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.synergybloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806014/; classtype:trojan-activity;sid:84669114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.12.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806013/; classtype:trojan-activity;sid:84669113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.218.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806012/; classtype:trojan-activity;sid:84669112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.0.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806011/; classtype:trojan-activity;sid:84669111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/bmpl5b7.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806010/; classtype:trojan-activity;sid:84669110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.synergybloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806009/; classtype:trojan-activity;sid:84669109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.219.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806008/; classtype:trojan-activity;sid:84669108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.199.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806007/; classtype:trojan-activity;sid:84669107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.60.225.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806006/; classtype:trojan-activity;sid:84669106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"193.169.209.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806005/; classtype:trojan-activity;sid:84669105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.synergybloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806004/; classtype:trojan-activity;sid:84669104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/d0sns9l.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806003/; classtype:trojan-activity;sid:84669103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/mbfssjn.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806002/; classtype:trojan-activity;sid:84669102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.synergybloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806001/; classtype:trojan-activity;sid:84669101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/kcbgpr4.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806000/; classtype:trojan-activity;sid:84669100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.199.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805999/; classtype:trojan-activity;sid:84669099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.elementpatron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805998/; classtype:trojan-activity;sid:84669098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/bjxckup.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805997/; classtype:trojan-activity;sid:84669097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.elementpatron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805996/; classtype:trojan-activity;sid:84669096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.34.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805995/; classtype:trojan-activity;sid:84669095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.0.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805994/; classtype:trojan-activity;sid:84669094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.elementpatron.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805993/; classtype:trojan-activity;sid:84669093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805992/; classtype:trojan-activity;sid:84669092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.elementpatron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805991/; classtype:trojan-activity;sid:84669091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.185.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805990/; classtype:trojan-activity;sid:84669090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.pinnacleforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805989/; classtype:trojan-activity;sid:84669089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.pinnacleforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805988/; classtype:trojan-activity;sid:84669088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/krjf0cy.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805987/; classtype:trojan-activity;sid:84669087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2outer.pinnacleforge.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805986/; classtype:trojan-activity;sid:84669086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805985/; classtype:trojan-activity;sid:84669085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/yxpifd2.msi"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805984/; classtype:trojan-activity;sid:84669084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.216.26.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805983/; classtype:trojan-activity;sid:84669083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.216.26.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805981/; classtype:trojan-activity;sid:84669081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.pinnacleforge.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805982/; classtype:trojan-activity;sid:84669082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/eenfurg.msi"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805980/; classtype:trojan-activity;sid:84669080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805979/; classtype:trojan-activity;sid:84669079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.21.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805978/; classtype:trojan-activity;sid:84669078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4path.quantumbeacon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805977/; classtype:trojan-activity;sid:84669077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/test/random.exe"; depth:22; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805976/; classtype:trojan-activity;sid:84669076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/final/random.exe"; depth:23; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805975/; classtype:trojan-activity;sid:84669075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.185.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805974/; classtype:trojan-activity;sid:84669074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl3view.quantumbeacon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805973/; classtype:trojan-activity;sid:84669073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.182.155.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805972/; classtype:trojan-activity;sid:84669072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.54.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805971/; classtype:trojan-activity;sid:84669071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2point.quantumbeacon.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805970/; classtype:trojan-activity;sid:84669070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1proc.quantumbeacon.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805969/; classtype:trojan-activity;sid:84669069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/vid/random.exe"; depth:21; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805968/; classtype:trojan-activity;sid:84669068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4view.orbitprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805967/; classtype:trojan-activity;sid:84669067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3ghost.orbitprospera.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805966/; classtype:trojan-activity;sid:84669066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.54.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805965/; classtype:trojan-activity;sid:84669065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.182.155.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805964/; classtype:trojan-activity;sid:84669064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2core.orbitprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805963/; classtype:trojan-activity;sid:84669063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1proc.orbitprospera.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805962/; classtype:trojan-activity;sid:84669062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.234.28.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805961/; classtype:trojan-activity;sid:84669061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4link.nexusharvest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805960/; classtype:trojan-activity;sid:84669060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.125.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805959/; classtype:trojan-activity;sid:84669059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3user.nexusharvest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805958/; classtype:trojan-activity;sid:84669058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.33.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805957/; classtype:trojan-activity;sid:84669057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/qrtfbw7.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805955/; classtype:trojan-activity;sid:84669055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8525074840/mdojagm.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805956/; classtype:trojan-activity;sid:84669056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.78.77.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805954/; classtype:trojan-activity;sid:84669054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.234.28.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805953/; classtype:trojan-activity;sid:84669053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2base.nexusharvest.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805952/; classtype:trojan-activity;sid:84669052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1infra.nexusharvest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805951/; classtype:trojan-activity;sid:84669051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.116.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805950/; classtype:trojan-activity;sid:84669050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.179.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805949/; classtype:trojan-activity;sid:84669049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4work.vertexpatron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805948/; classtype:trojan-activity;sid:84669048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/suwg9a8.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805947/; classtype:trojan-activity;sid:84669047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3local.vertexpatron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805946/; classtype:trojan-activity;sid:84669046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.33.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805945/; classtype:trojan-activity;sid:84669045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev2power.vertexpatron.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805944/; 
classtype:trojan-activity;sid:84669044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/nwpc0gw.bat"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805943/; classtype:trojan-activity;sid:84669043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev1proc.vertexpatron.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805942/; classtype:trojan-activity;sid:84669042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805941/; classtype:trojan-activity;sid:84669041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl4link.catalystbloom.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805940/; classtype:trojan-activity;sid:84669040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; 
depth:20; endswith; nocase; http.host; content:"cl3dev.catalystbloom.in.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805939/; classtype:trojan-activity;sid:84669039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl2remote.catalystbloom.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805938/; classtype:trojan-activity;sid:84669038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8316621590/sqhzwpz.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805937/; classtype:trojan-activity;sid:84669037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.179.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805936/; classtype:trojan-activity;sid:84669036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"cl1store.catalystbloom.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805935/; classtype:trojan-activity;sid:84669035; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805934/; classtype:trojan-activity;sid:84669034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4sync.vectorprosper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805933/; classtype:trojan-activity;sid:84669033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.134.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805932/; classtype:trojan-activity;sid:84669032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3gate.vectorprosper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805931/; classtype:trojan-activity;sid:84669031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.75.70"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805930/; classtype:trojan-activity;sid:84669030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proc.vectorprosper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805929/; classtype:trojan-activity;sid:84669029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1meta.vectorprosper.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805928/; classtype:trojan-activity;sid:84669028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4static.fusionharvest.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805927/; classtype:trojan-activity;sid:84669027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805926/; classtype:trojan-activity;sid:84669026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805925)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.134.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805925/; classtype:trojan-activity;sid:84669025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3edge.fusionharvest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805924/; classtype:trojan-activity;sid:84669024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2data.fusionharvest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805923/; classtype:trojan-activity;sid:84669023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.75.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805922/; classtype:trojan-activity;sid:84669022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1sync.fusionharvest.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, 
urlhaus.abuse.ch/url/3805921/; classtype:trojan-activity;sid:84669021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.72.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805920/; classtype:trojan-activity;sid:84669020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.35.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805919/; classtype:trojan-activity;sid:84669019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred64.dll"; depth:30; endswith; nocase; http.host; content:"89.45.6.18"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805918/; classtype:trojan-activity;sid:84669018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred.dll"; depth:28; endswith; nocase; http.host; content:"89.45.6.18"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805917/; classtype:trojan-activity;sid:84669017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"112.248.80.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805916/; classtype:trojan-activity;sid:84669016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext4point.libertystage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805915/; classtype:trojan-activity;sid:84669015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8317177049/7tdj9hz.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805914/; classtype:trojan-activity;sid:84669014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/s6xwuz1.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805913/; classtype:trojan-activity;sid:84669013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7341834371/bgatgh0.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805912/; classtype:trojan-activity;sid:84669012; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/gop/random.exe"; depth:21; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805910/; classtype:trojan-activity;sid:84669010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6334661508/lzyfkos.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805911/; classtype:trojan-activity;sid:84669011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7281753217/2zvjacj.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805909/; classtype:trojan-activity;sid:84669009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.134.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805908/; classtype:trojan-activity;sid:84669008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5900855435/enle4nm.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805905/; classtype:trojan-activity;sid:84669005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8434554557/x8cqvra.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805906/; classtype:trojan-activity;sid:84669006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext3data.libertystage.in.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805907/; classtype:trojan-activity;sid:84669007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6608710704/ltjl6cp.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805904/; classtype:trojan-activity;sid:84669004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1032264266/qvqb5og.exe"; depth:29; endswith; nocase; http.host; content:"192.177.26.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805903/; classtype:trojan-activity;sid:84669003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3805902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.158.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805902/; classtype:trojan-activity;sid:84669002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext2proxy.libertystage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805901/; classtype:trojan-activity;sid:84669001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.240.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805900/; classtype:trojan-activity;sid:84669000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.102.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805899/; classtype:trojan-activity;sid:84668999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.72.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805898/; classtype:trojan-activity;sid:84668998; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"ext1infra.libertystage.in.net"; depth:29; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805897/; classtype:trojan-activity;sid:84668997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.189.28.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805896/; classtype:trojan-activity;sid:84668996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.193.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805895/; classtype:trojan-activity;sid:84668995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.158.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805894/; classtype:trojan-activity;sid:84668994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc4sat.beakprosperity.in.net"; depth:29; 
isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805893/; classtype:trojan-activity;sid:84668993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.158.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805892/; classtype:trojan-activity;sid:84668992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc3core.beakprosperity.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805891/; classtype:trojan-activity;sid:84668991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.240.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805890/; classtype:trojan-activity;sid:84668990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.150.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805889/; classtype:trojan-activity;sid:84668989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805888)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.158.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805888/; classtype:trojan-activity;sid:84668988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.131.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805887/; classtype:trojan-activity;sid:84668987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.193.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805886/; classtype:trojan-activity;sid:84668986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc2steel.beakprosperity.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805885/; classtype:trojan-activity;sid:84668985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.30.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805884/; classtype:trojan-activity;sid:84668984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3805883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"svc1proc.beakprosperity.in.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805883/; classtype:trojan-activity;sid:84668983; rev:1;)
# One rule per URLhaus entry. Each content's depth equals its length and is
# paired with `endswith` (http.uri) or `isdataat:!1,relative` (http.host), so the
# whole buffer has to equal the listed value (case-insensitively for the URI).
# NOTE(review): http.uri normally carries the query string too, so the same path
# requested with parameters appended would not match - confirm on the sensor.
# In the rules shown here the sid is the URLhaus id from msg/reference plus 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.15.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805882/; classtype:trojan-activity;sid:84668982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.150.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805881/; classtype:trojan-activity;sid:84668981; rev:1;)
# 3805880 and 3805878 (and 3805883 at the top of this span) use the same URI,
# /verification.google, on different in.net hostnames. The host match is exact,
# so a hostname the feed has not listed yet is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev4space.patronageshelk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805880/; classtype:trojan-activity;sid:84668980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.21.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805879/; classtype:trojan-activity;sid:84668979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.google"; depth:20; endswith; nocase; http.host; content:"dev3field.patronageshelk.in.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3805878/; classtype:trojan-activity;sid:84668978; rev:1;)
# The next six rules (/re.sh, /libsystem.so, /curl-amd64, /curl-aarch64, /acb.sh,
# /mt.sh) all name host 78.153.140.16. Only these exact paths are covered; when
# one fires, other requests from the same client to that host are worth
# reviewing during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/re.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805847/; classtype:trojan-activity;sid:84668947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/libsystem.so"; depth:13; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805839/; classtype:trojan-activity;sid:84668939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl-amd64"; depth:11; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805840/; classtype:trojan-activity;sid:84668940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl-aarch64"; depth:13; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805841/; classtype:trojan-activity;sid:84668941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acb.sh"; depth:7; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805837/; classtype:trojan-activity;sid:84668937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mt.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805838/; classtype:trojan-activity;sid:84668938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.208.164.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805755/; classtype:trojan-activity;sid:84668855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805559/; classtype:trojan-activity;sid:84668659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805292)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"94.26.106.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805292/; classtype:trojan-activity;sid:84668392; rev:1;)
# Host 94.26.106.197 appears in three entries here (/m68k above, /arm6 and /ppc
# below). The paths look like CPU-architecture names - presumably per-architecture
# builds of one payload; verify against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"94.26.106.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805298/; classtype:trojan-activity;sid:84668398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"94.26.106.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805289/; classtype:trojan-activity;sid:84668389; rev:1;)
# 185.205.226.250 and 27.197.137.199 are each listed with both /bin.sh and /i;
# every host/path pair is its own exact-match rule with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.205.226.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805277/; classtype:trojan-activity;sid:84668377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.205.226.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805167/; classtype:trojan-activity;sid:84668267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.197.137.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805149/; classtype:trojan-activity;sid:84668249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.197.137.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805134/; classtype:trojan-activity;sid:84668234; rev:1;)
# The URI content below is just "/" with depth:1 and endswith, so this rule fires
# on any GET for the site root of silverhost.vg. That is broader than the
# file-specific rules around it; check the URLhaus reference before treating an
# alert as a confirmed payload download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"silverhost.vg"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_25; reference:url, urlhaus.abuse.ch/url/3804928/; classtype:trojan-activity;sid:84668028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetxt0074751.png"; depth:20; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_25; reference:url, urlhaus.abuse.ch/url/3804863/; classtype:trojan-activity;sid:84667963; rev:1;)
# The next entry names raw.githubusercontent.com, a host that also serves
# legitimate content; the indicator is the exact repository path and file name.
# NOTE(review): that host is normally reached over HTTPS, and an `alert http`
# rule only sees HTTP the sensor can parse in cleartext - presumably this fires
# only behind TLS decryption or on a plain-HTTP request; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/bibguard/refs/heads/main/src/fetchers/guard-bib-bhoy.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804022/; classtype:trojan-activity;sid:84667122; rev:1;)
# Every rule in this run matches host raw.githubusercontent.com or github.com.
# Both also serve legitimate content, so the indicator is the exact repository
# path and file name in http.uri, not the host.
# NOTE(review): both hosts are normally reached over HTTPS. `alert http` needs
# HTTP the sensor can parse in cleartext, so coverage presumably depends on TLS
# decryption in front of the sensor - confirm before relying on these rules.
# The same file is usually listed under two URL forms, each with its own sid:
#   raw.githubusercontent.com  /<user>/<repo>/refs/heads/<branch>/...
#   github.com                 /<user>/<repo>/raw/refs/heads/<branch>/...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/haucavn.github.io/refs/heads/main/purist/haucavn_github_io_v1.0.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804007/; classtype:trojan-activity;sid:84667107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/bibguard/raw/refs/heads/main/src/fetchers/guard-bib-bhoy.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804008/; classtype:trojan-activity;sid:84667108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/haucavn.github.io/raw/refs/heads/main/purist/haucavn_github_io_v1.0.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804012/; classtype:trojan-activity;sid:84667112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julesjujuu/wpaudit/raw/refs/heads/main/config/software-2.2.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803910/; classtype:trojan-activity;sid:84667010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/ix-ghostprotocol/raw/refs/heads/main/core/identity/protocol_ghost_i_v2.3.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803903/; classtype:trojan-activity;sid:84667003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armaan29-09-2005/ai-osint-security-analyzer/raw/refs/heads/main/.streamlit/security_a_osin_analyzer_3.9.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803904/; classtype:trojan-activity;sid:84667004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julesjujuu/wpaudit/refs/heads/main/config/software-2.2.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803905/; classtype:trojan-activity;sid:84667005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/omaespareparts.github.io/refs/heads/main/uncasked/github-om-spareparts-io-ae-v2.0-alpha.4.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803906/; classtype:trojan-activity;sid:84667006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rianna113/blackvault/refs/heads/main/src/core/encryption_engine/black_vault_v3.4-alpha.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803907/; classtype:trojan-activity;sid:84667007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rianna113/blackvault/raw/refs/heads/main/src/core/encryption_engine/black_vault_v3.4-alpha.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803908/; classtype:trojan-activity;sid:84667008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/omaespareparts.github.io/raw/refs/heads/main/uncasked/github-om-spareparts-io-ae-v2.0-alpha.4.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803909/; classtype:trojan-activity;sid:84667009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armaan29-09-2005/ai-osint-security-analyzer/refs/heads/main/.streamlit/security_a_osin_analyzer_3.9.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803901/; classtype:trojan-activity;sid:84667001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/ix-ghostprotocol/refs/heads/main/core/identity/protocol_ghost_i_v2.3.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803902/; classtype:trojan-activity;sid:84667002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modyd/kaggle-ai-agents-google-capstone/refs/heads/master/backend/agents/capstone_a_google_agents_kaggle_3.9-alpha.2.zip"; depth:120; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803891/; classtype:trojan-activity;sid:84666991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modyd/kaggle-ai-agents-google-capstone/raw/refs/heads/master/backend/agents/capstone_a_google_agents_kaggle_3.9-alpha.2.zip"; depth:124; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803892/; classtype:trojan-activity;sid:84666992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803855)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/caidonw/caidonw/refs/heads/main/thermojunction/w-caidon-v3.4.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803855/; classtype:trojan-activity;sid:84666955; rev:1;)
# GitHub-hosted entries (hosts github.com / raw.githubusercontent.com).
# Repository and archive names in this run read like security or developer
# tooling (pentest, integrity checker, wallet, npm verifier). The name is not
# evidence either way; the URLhaus listing is what makes the URL an indicator.
# NOTE(review): `alert http` on hosts that are normally reached over HTTPS -
# presumably effective only where TLS is decrypted before the sensor; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zukochris/ebyte-amsi-patchless-vehhwbp/raw/refs/heads/main/hwbp-amsibypass/vehhwbp-ebyte-patchless-amsi-3.8.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803847/; classtype:trojan-activity;sid:84666947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiagoalfaro2006/autopentestx/refs/heads/main/modules/x-auto-pentest-3.1.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803848/; classtype:trojan-activity;sid:84666948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/munem-1/file-integrity-checker-cybersecurity-tool/refs/heads/main/assets/integrity_tool_cybersecurity_checker_file_3.7-alpha.5.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803849/; classtype:trojan-activity;sid:84666949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zukochris/ebyte-amsi-patchless-vehhwbp/refs/heads/main/hwbp-amsibypass/vehhwbp-ebyte-patchless-amsi-3.8.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803851/; classtype:trojan-activity;sid:84666951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ovifrn/llmverify-npm/refs/heads/main/src/security/npm_llmverify_3.3-beta.3.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803852/; classtype:trojan-activity;sid:84666952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/electrum-wallet-multi-crypto-secure-gui-multi-coin-storage-web-browser/refs/heads/main/electrum-wallet/properties/lib/secure-browser-storage-coin-wallet-web-gui-electrum-crypto-multi-1.7.zip"; depth:199; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803838/; classtype:trojan-activity;sid:84666938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elmamlaka/shopify-traffic-filter-block-bots/refs/heads/main/chernozem/bots_block_shopify_filter_traffic_v2.7.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803839/; classtype:trojan-activity;sid:84666939; rev:1;)
# The github.com rules below cover the same files as the
# raw.githubusercontent.com rules above; the path differs only by the extra
# /raw/ segment after the repository name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiagoalfaro2006/autopentestx/raw/refs/heads/main/modules/x-auto-pentest-3.1.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803840/; classtype:trojan-activity;sid:84666940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ovifrn/llmverify-npm/raw/refs/heads/main/src/security/npm_llmverify_3.3-beta.3.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803841/; classtype:trojan-activity;sid:84666941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/electrum-wallet-multi-crypto-secure-gui-multi-coin-storage-web-browser/raw/refs/heads/main/electrum-wallet/properties/lib/secure-browser-storage-coin-wallet-web-gui-electrum-crypto-multi-1.7.zip"; depth:203; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803842/; classtype:trojan-activity;sid:84666942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elmamlaka/shopify-traffic-filter-block-bots/raw/refs/heads/main/chernozem/bots_block_shopify_filter_traffic_v2.7.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803843/; classtype:trojan-activity;sid:84666943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/caidonw/raw/refs/heads/main/thermojunction/w-caidon-v3.4.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803845/; classtype:trojan-activity;sid:84666945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/munem-1/file-integrity-checker-cybersecurity-tool/raw/refs/heads/main/assets/integrity_tool_cybersecurity_checker_file_3.7-alpha.5.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803846/; classtype:trojan-activity;sid:84666946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/varun4gv/pumpfun-risk-analyzer/refs/heads/main/backend/services/analyzer_pumpfun_risk_1.7.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803826/; classtype:trojan-activity;sid:84666926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803827)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/varun4gv/pumpfun-risk-analyzer/raw/refs/heads/main/backend/services/analyzer_pumpfun_risk_1.7.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803827/; classtype:trojan-activity;sid:84666927; rev:1;)
# GitHub-hosted entries (hosts github.com / raw.githubusercontent.com).
# Exact-match caveat: in every rule the URI depth equals the content length and
# is combined with `endswith`, so a renamed archive, another branch or another
# path in the same repository is not matched. Each listed URL needs its own rule.
# The host match is exact as well (depth + `isdataat:!1,relative`).
# NOTE(review): these hosts are normally reached over HTTPS; `alert http`
# presumably needs TLS decryption in front of the sensor to see them - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stanayo/s3tk/raw/refs/heads/main/spinnable/s_tk_3.7.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803828/; classtype:trojan-activity;sid:84666928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stanayo/s3tk/refs/heads/main/spinnable/s_tk_3.7.zip"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803829/; classtype:trojan-activity;sid:84666929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feros0/commentcrusader-burp/refs/heads/main/media/commentcrusader_burp_cessor.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803808/; classtype:trojan-activity;sid:84666908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vorexcotusar/revguard-nlp/refs/heads/main/hogling/revguard_nlp_mailguard.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803809/; classtype:trojan-activity;sid:84666909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siyahkan0637/safehold/raw/refs/heads/main/.vscode/software_3.8-alpha.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803810/; classtype:trojan-activity;sid:84666910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feros0/commentcrusader-burp/raw/refs/heads/main/media/commentcrusader_burp_cessor.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803811/; classtype:trojan-activity;sid:84666911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/aar-act/raw/refs/heads/main/automation/aar_act_2.1.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803812/; classtype:trojan-activity;sid:84666912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siyahkan0637/safehold/refs/heads/main/.vscode/software_3.8-alpha.2.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803813/; classtype:trojan-activity;sid:84666913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/fraud-detection-modelling-and-reporting/raw/refs/heads/main/orthotolidin/and_modelling_fraud_detection_reporting_2.6-alpha.5.zip"; depth:139; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803814/; classtype:trojan-activity;sid:84666914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiz-ui/obex/refs/heads/main/ruby/software_trickment.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803815/; classtype:trojan-activity;sid:84666915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiz-ui/obex/raw/refs/heads/main/ruby/software_trickment.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803816/; classtype:trojan-activity;sid:84666916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vorexcotusar/revguard-nlp/raw/refs/heads/main/hogling/revguard_nlp_mailguard.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803817/; classtype:trojan-activity;sid:84666917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karthik-reddy6/aegistrace-threat-intelligence/raw/refs/heads/main/docs/intelligence-threat-aegistrace-2.2.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803818/; classtype:trojan-activity;sid:84666918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karthik-reddy6/aegistrace-threat-intelligence/refs/heads/main/docs/intelligence-threat-aegistrace-2.2.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803819/; classtype:trojan-activity;sid:84666919; rev:1;)
# Unlike the .zip archives around it, the entry below points at a .txt file;
# it and its raw.githubusercontent.com counterpart are matched the same way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsntizka/23/raw/refs/heads/main/in/23.txt"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803799/; classtype:trojan-activity;sid:84666899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803800)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wangyanjun7954/cyberdefensex_demo/refs/heads/main/agent/demo-defense-cyber-1.3.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803800/; classtype:trojan-activity;sid:84666900; rev:1;)
# GitHub-hosted entries (hosts github.com / raw.githubusercontent.com).
# Scope of every rule here: client-to-server traffic on an established flow,
# $HOME_NET -> $EXTERNAL_NET, with a method buffer containing "GET". Fetches
# using another method, or from clients outside $HOME_NET, are not covered, so
# $HOME_NET has to reflect the monitored ranges.
# NOTE(review): these hosts are normally reached over HTTPS; `alert http`
# presumably needs TLS decryption in front of the sensor to see them - confirm.
# The URLhaus id in msg and in reference:url identifies the entry for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juwad65/npm-malware-scanner/refs/heads/main/messmate/malware-scanner-npm-1.9.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803801/; classtype:trojan-activity;sid:84666901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juwad65/npm-malware-scanner/raw/refs/heads/main/messmate/malware-scanner-npm-1.9.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803802/; classtype:trojan-activity;sid:84666902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/exilemodforge/refs/heads/main/occupative/forge-mod-exile-1.6.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803803/; classtype:trojan-activity;sid:84666903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/b0zrx.github.io/raw/refs/heads/main/bandstand/zrx_io_github_b_v2.6.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803804/; classtype:trojan-activity;sid:84666904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wangyanjun7954/cyberdefensex_demo/raw/refs/heads/main/agent/demo-defense-cyber-1.3.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803805/; classtype:trojan-activity;sid:84666905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/fraud-detection-modelling-and-reporting/refs/heads/main/orthotolidin/and_modelling_fraud_detection_reporting_2.6-alpha.5.zip"; depth:135; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803806/; classtype:trojan-activity;sid:84666906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/exilemodforge/raw/refs/heads/main/occupative/forge-mod-exile-1.6.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803807/; classtype:trojan-activity;sid:84666907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsntizka/23/refs/heads/main/in/23.txt"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803797/; classtype:trojan-activity;sid:84666897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/aar-act/refs/heads/main/automation/aar_act_2.1.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803773/; classtype:trojan-activity;sid:84666873; rev:1;)
# Several entries below share the archive name pattern software-<version>.zip
# under different accounts and paths. The rules match the whole path, so the
# file name alone never triggers an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/shannon/raw/refs/heads/main/xben-benchmark-results/xben-079-24/audit-logs/prompts/software-3.9.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803774/; classtype:trojan-activity;sid:84666874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbookbackend/raw/refs/heads/main/models/calc_backend_book_3.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803775/; classtype:trojan-activity;sid:84666875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/shannon/refs/heads/main/xben-benchmark-results/xben-079-24/audit-logs/prompts/software-3.9.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803776/; classtype:trojan-activity;sid:84666876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/ins_sandstorm/refs/heads/master/insurgency/config/server/sandstorm_in_v2.0.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803777/; classtype:trojan-activity;sid:84666877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunny/refs/heads/main/src/lib/utils/software-3.6.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803778/; classtype:trojan-activity;sid:84666878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyrustmods/github.io/refs/heads/master/assets/mobirise/github_io_1.4.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803779/; classtype:trojan-activity;sid:84666879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803780)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/shulpextechnology/calcbook/raw/refs/heads/main/public/images/logo/calc_book_2.1.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803780/; classtype:trojan-activity;sid:84666880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunnytweak/raw/refs/heads/main/.github/software_v1.4-alpha.1.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803781/; classtype:trojan-activity;sid:84666881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/moltbook-agent-guard/raw/refs/heads/main/integrations/guard_moltbook_agent_1.8.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803782/; classtype:trojan-activity;sid:84666882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbook/refs/heads/main/public/images/logo/calc_book_2.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803783/; classtype:trojan-activity;sid:84666883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803784)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cyrustmods/github.io/raw/refs/heads/master/assets/mobirise/github_io_1.4.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803784/; classtype:trojan-activity;sid:84666884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/totp-otp-auth/refs/heads/main/src/auth-otp-totp-v3.2.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803785/; classtype:trojan-activity;sid:84666885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/exo/refs/heads/main/src/middleware/software-v3.0-beta.3.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803786/; classtype:trojan-activity;sid:84666886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/anti_phishing_email_detector_gui/raw/refs/heads/main/anti_phishing_email_detector/data/gui-anti-phishing-email-detector-v3.9.zip"; depth:142; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803787/; classtype:trojan-activity;sid:84666887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803788)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/ifearnohost.github.io/refs/heads/main/speciousness/github_ifearnohost_io_1.9-alpha.1.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803788/; classtype:trojan-activity;sid:84666888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyrustmods/openclaw-skill-safe/refs/heads/master/grandame/skil-safe-opencla-v3.4.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803789/; classtype:trojan-activity;sid:84666889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/ins_sandstorm/raw/refs/heads/master/insurgency/config/server/sandstorm_in_v2.0.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803790/; classtype:trojan-activity;sid:84666890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunny/raw/refs/heads/main/src/lib/utils/software-3.6.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803791/; classtype:trojan-activity;sid:84666891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3803792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/ifearnohost.github.io/raw/refs/heads/main/speciousness/github_ifearnohost_io_1.9-alpha.1.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803792/; classtype:trojan-activity;sid:84666892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/totp-otp-auth/raw/refs/heads/main/src/auth-otp-totp-v3.2.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803793/; classtype:trojan-activity;sid:84666893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyrustmods/openclaw-skill-safe/raw/refs/heads/master/grandame/skil-safe-opencla-v3.4.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803794/; classtype:trojan-activity;sid:84666894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/rationtrack/raw/refs/heads/main/docs/docs/docs/ration-track-2.6-beta.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803795/; classtype:trojan-activity;sid:84666895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803796)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/rationtrack/refs/heads/main/docs/docs/docs/ration-track-2.6-beta.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803796/; classtype:trojan-activity;sid:84666896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/b0zrx.github.io/refs/heads/main/bandstand/zrx_io_github_b_v2.6.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803761/; classtype:trojan-activity;sid:84666861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orangeok77/chrysalis-ioc-triage/refs/heads/master/docs/triage-chrysalis-ioc-1.6.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803762/; classtype:trojan-activity;sid:84666862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/eeveespotifyreborn/refs/heads/swift/.github/spotify-eevee-reborn-3.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803763/; classtype:trojan-activity;sid:84666863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3803764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orangeok77/chrysalis-ioc-triage/raw/refs/heads/master/docs/triage-chrysalis-ioc-1.6.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803764/; classtype:trojan-activity;sid:84666864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/exo/raw/refs/heads/main/src/middleware/software-v3.0-beta.3.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803765/; classtype:trojan-activity;sid:84666865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/sabinakhatun14588-ctrl.github.io/raw/refs/heads/main/aigialosaurus/github-sabinakhatun-ctrl-io-v3.0.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803766/; classtype:trojan-activity;sid:84666866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/sabinakhatun14588-ctrl.github.io/refs/heads/main/aigialosaurus/github-sabinakhatun-ctrl-io-v3.0.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803767/; classtype:trojan-activity;sid:84666867; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/moltbook-agent-guard/refs/heads/main/integrations/guard_moltbook_agent_1.8.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803768/; classtype:trojan-activity;sid:84666868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/anti_phishing_email_detector_gui/refs/heads/main/anti_phishing_email_detector/data/gui-anti-phishing-email-detector-v3.9.zip"; depth:138; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803769/; classtype:trojan-activity;sid:84666869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbookbackend/refs/heads/main/models/calc_backend_book_3.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803770/; classtype:trojan-activity;sid:84666870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/eeveespotifyreborn/raw/refs/heads/swift/.github/spotify-eevee-reborn-3.6.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, 
urlhaus.abuse.ch/url/3803771/; classtype:trojan-activity;sid:84666871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunnytweak/refs/heads/main/.github/software_v1.4-alpha.1.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803772/; classtype:trojan-activity;sid:84666872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/syro-theme/refs/heads/main/images/syro_theme_v3.7.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803738/; classtype:trojan-activity;sid:84666838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerfyjubay/phitto-phishing/refs/heads/main/lib/src/phitto-phishing-1.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803739/; classtype:trojan-activity;sid:84666839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kankertje2/anti-shannon/raw/refs/heads/main/src/wukong/anti_shannon_v2.9.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803740/; 
classtype:trojan-activity;sid:84666840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/anti-afk/refs/heads/main/anticrisis/anti-afk-v1.2.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803741/; classtype:trojan-activity;sid:84666841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/anti-afk/raw/refs/heads/main/anticrisis/anti-afk-v1.2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803742/; classtype:trojan-activity;sid:84666842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forgestudi0s/wagmiwars/refs/heads/main/backend/app/software-2.2.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803743/; classtype:trojan-activity;sid:84666843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/syro-theme/raw/refs/heads/main/images/syro_theme_v3.7.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803744/; classtype:trojan-activity;sid:84666844; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krypton2355/rust-linuxgsm-watchdog/refs/heads/main/indogen/rust-watchdog-linuxgsm-bahut.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803745/; classtype:trojan-activity;sid:84666845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wileviking10/aws-security-scout/refs/heads/main/aws_scout/core/security_aws_scout_flightily.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803746/; classtype:trojan-activity;sid:84666846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/face-injector-v2-1/raw/refs/heads/main/face_injector_v2/v_face_injector_bubastite.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803747/; classtype:trojan-activity;sid:84666847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerfyjubay/phitto-phishing/raw/refs/heads/main/lib/src/phitto-phishing-1.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803748/; classtype:trojan-activity;sid:84666848; rev:1;) 
# NOTE(review): scope and limits of the URLhaus entries below (one rule per line).
# - Protocol: every rule is `alert http`, so it is evaluated only on HTTP the sensor can parse
#   in cleartext. The two hosts matched here (github.com, raw.githubusercontent.com) are normally
#   reached over HTTPS, so expect hits only behind TLS inspection / a decrypting proxy, or when a
#   client sends a plain-HTTP request. Confirm sensor placement before relying on these entries.
# - Exact-match IoCs: `depth:N; endswith` on http.uri pins the whole URI buffer to the listed path,
#   and `depth:N; isdataat:!1,relative` on http.host pins the whole host. `nocase` only relaxes
#   letter case. The same file requested with a query string, or under a different ref or file
#   name, will not match. Read a miss as "no evidence", not as "clean".
# - Method: only GET requests are matched (`http.method; content:"GET"`).
# - Pairing: many entries appear twice, once as github.com + "/<user>/<repo>/raw/refs/..." and once
#   as raw.githubusercontent.com + "/<user>/<repo>/refs/...", each with its own URLhaus id and sid.
# - Shared hosting: both hosts are multi-tenant platforms. Keep detection on the host+URI pair and
#   do not derive host- or domain-level blocks from these entries.
# - Triage: the number in `msg` and in `reference:url` is the URLhaus entry id; use it to check
#   whether the listed URL is still flagged before escalating an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saeeed123/1af-starwars-theoldrepublicff/refs/heads/main/residentially/af_star_the_wars_old_republicff_2.5.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803749/; classtype:trojan-activity;sid:84666849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaggyt0701/prompt-shield/refs/heads/main/examples/prompt-shield-v1.3-alpha.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803750/; classtype:trojan-activity;sid:84666850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/face-injector-v2-1/refs/heads/main/face_injector_v2/v_face_injector_bubastite.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803751/; classtype:trojan-activity;sid:84666851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zidane109/cloud-honeypot-auto-block/raw/refs/heads/main/infra/terraform/auto-cloud-honeypot-block-3.5.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803752/; classtype:trojan-activity;sid:84666852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zidane109/cloud-honeypot-auto-block/refs/heads/main/infra/terraform/auto-cloud-honeypot-block-3.5.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803753/; classtype:trojan-activity;sid:84666853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaggyt0701/prompt-shield/raw/refs/heads/main/examples/prompt-shield-v1.3-alpha.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803754/; classtype:trojan-activity;sid:84666854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saeeed123/1af-starwars-theoldrepublicff/raw/refs/heads/main/residentially/af_star_the_wars_old_republicff_2.5.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803733/; classtype:trojan-activity;sid:84666833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wileviking10/aws-security-scout/raw/refs/heads/main/aws_scout/core/security_aws_scout_flightily.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803734/; classtype:trojan-activity;sid:84666834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kankertje2/anti-shannon/refs/heads/main/src/wukong/anti_shannon_v2.9.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803735/; classtype:trojan-activity;sid:84666835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krypton2355/rust-linuxgsm-watchdog/raw/refs/heads/main/indogen/rust-watchdog-linuxgsm-bahut.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803737/; classtype:trojan-activity;sid:84666837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/metasafe-guardian-/refs/heads/main/hydramnion/meta_guardian_safe_v3.0.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803730/; classtype:trojan-activity;sid:84666830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/metasafe-guardian-/raw/refs/heads/main/hydramnion/meta_guardian_safe_v3.0.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803731/; classtype:trojan-activity;sid:84666831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forgestudi0s/wagmiwars/raw/refs/heads/main/backend/app/software-2.2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803729/; classtype:trojan-activity;sid:84666829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/ushd/raw/refs/heads/main/citharist/software-v3.9.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803720/; classtype:trojan-activity;sid:84666820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/code-audit/raw/refs/heads/main/references/frameworks/audit-code-v1.5.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803721/; classtype:trojan-activity;sid:84666821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/jeje/refs/heads/main/foreloper/software_2.7.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803718/; classtype:trojan-activity;sid:84666818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1nashiw2/nioh3-trainer-2026/raw/refs/heads/main/src/trainer-nioh-v1.9.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803719/; classtype:trojan-activity;sid:84666819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/script-/raw/refs/heads/main/platinize/script-1.3.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803708/; classtype:trojan-activity;sid:84666808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apgmightking/security-audit-framework-shell/refs/heads/main/auditreports/security_audit_shell_framework_3.8.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803709/; classtype:trojan-activity;sid:84666809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/script-/refs/heads/main/platinize/script-1.3.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803710/; classtype:trojan-activity;sid:84666810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/ushd/refs/heads/main/citharist/software-v3.9.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803711/; classtype:trojan-activity;sid:84666811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apgmightking/security-audit-framework-shell/raw/refs/heads/main/auditreports/security_audit_shell_framework_3.8.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803712/; classtype:trojan-activity;sid:84666812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/lilx/refs/heads/main/sexannulate/software_v2.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803713/; classtype:trojan-activity;sid:84666813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/code-audit/refs/heads/main/references/frameworks/audit-code-v1.5.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803714/; classtype:trojan-activity;sid:84666814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1nashiw2/nioh3-trainer-2026/refs/heads/main/src/trainer-nioh-v1.9.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803715/; classtype:trojan-activity;sid:84666815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/lilx/raw/refs/heads/main/sexannulate/software_v2.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803716/; classtype:trojan-activity;sid:84666816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/jeje/raw/refs/heads/main/foreloper/software_2.7.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803717/; classtype:trojan-activity;sid:84666817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfuhuu/nvidiacapture/raw/refs/heads/main/embind/nvidia_capture_1.8-alpha.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_03_24; reference:url, urlhaus.abuse.ch/url/3803705/; classtype:trojan-activity;sid:84666805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfuhuu/nvidiacapture/refs/heads/main/embind/nvidia_capture_1.8-alpha.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803706/; classtype:trojan-activity;sid:84666806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.68.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_23; reference:url, urlhaus.abuse.ch/url/3803472/; classtype:trojan-activity;sid:84666572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"bafybeidvgy76m4r347tpqg6plr3ac2p7o5bpcluicawc25nuh7mowtkssy.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_03_23; reference:url, urlhaus.abuse.ch/url/3803389/; classtype:trojan-activity;sid:84666489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmjs632/png/refs/heads/main/optimizedmsi.png"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_23; reference:url, urlhaus.abuse.ch/url/3803384/; classtype:trojan-activity;sid:84666484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3802108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/charliefloud-bot/testrepository/refs/heads/main/cryptifyv2upload.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3802108/; classtype:trojan-activity;sid:84665208; rev:1;)
# --- libss.0x504.com (created_at 2026_03_22) ---
# Fifteen rules share this one host: fourteen /linux_<arch> paths plus /cccc.sh.
# The names look like per-architecture builds of one Linux payload with a shell
# script alongside; that is inferred from the file names only.
# Each rule is an exact match: depth:N equals the content length and is combined
# with endswith on http.uri, and with isdataat:!1,relative on http.host, so only
# the listed paths on this exact host name are covered.
# NOTE(review): because every entry shares one host name, DNS and proxy logs for
# that name are a useful companion check for paths these rules do not list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801985/; classtype:trojan-activity;sid:84665085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801986/; classtype:trojan-activity;sid:84665086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64"; depth:12; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801987/; classtype:trojan-activity;sid:84665087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64el"; depth:14; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801988/; classtype:trojan-activity;sid:84665088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801989/; classtype:trojan-activity;sid:84665089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_softfloat"; depth:21; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801990/; classtype:trojan-activity;sid:84665090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801984/; classtype:trojan-activity;sid:84665084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801982/; classtype:trojan-activity;sid:84665082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801983/; classtype:trojan-activity;sid:84665083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_softfloat"; depth:23; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801978/; classtype:trojan-activity;sid:84665078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801979/; classtype:trojan-activity;sid:84665079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_hardfloat"; depth:23; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801980/; classtype:trojan-activity;sid:84665080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_hardfloat"; depth:21; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801981/; classtype:trojan-activity;sid:84665081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801977/; classtype:trojan-activity;sid:84665077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cccc.sh"; depth:8; endswith; nocase; http.host; content:"libss.0x504.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801970/; classtype:trojan-activity;sid:84665070; rev:1;)
# --- GitHub-hosted archive downloads (created_at 2026_03_22) ---
# The same archive is listed under both github.com (/raw/refs/heads/...) and
# raw.githubusercontent.com (/refs/heads/...).
# NOTE(review): `alert http` only sees cleartext HTTP. Both hosts are normally
# reached over HTTPS; confirm TLS inspection is in place before relying on
# these as live detections, and keep the match URI-specific because both hosts
# also serve unrelated, legitimate content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/refs/heads/main/das/io-github-algobytesolutions-v1.7-beta.4.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801904/; classtype:trojan-activity;sid:84665004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/raw/refs/heads/main/das/io-github-algobytesolutions-v1.7-beta.4.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801893/; classtype:trojan-activity;sid:84664993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3801862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/raw/refs/heads/main/das/algobytesolutions-github-io-1.8.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801862/; classtype:trojan-activity;sid:84664962; rev:1;)
# --- GitHub-hosted archive downloads (created_at 2026_03_22) ---
# Exact-match IoCs: depth:N equals the content length and is combined with
# endswith on http.uri (case-insensitive via nocase) and with
# isdataat:!1,relative on http.host, so both buffers must equal the listed
# strings. A request with an added query string does not match.
# A few account names recur across several repositories (algobytesolutions,
# savagegodfather, eridanux, rajkumarsingh23), each with a versioned .zip listed
# once on github.com (/raw/refs/heads/...) and once on raw.githubusercontent.com.
# NOTE(review): `alert http` only sees cleartext HTTP. Both hosts are normally
# reached over HTTPS; confirm TLS inspection is in place, otherwise use these
# entries against proxy/EDR URL logs. Keep the match URI-specific, because both
# hosts also serve unrelated, legitimate content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/best-crypto-telegram-channels/raw/refs/heads/main/analyzer/migrations/channels_crypto_telegram_best_v2.7.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801866/; classtype:trojan-activity;sid:84664966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/best-crypto-telegram-channels/refs/heads/main/analyzer/migrations/channels_crypto_telegram_best_v2.7.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801868/; classtype:trojan-activity;sid:84664968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/refs/heads/main/das/algobytesolutions-github-io-1.8.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801876/; classtype:trojan-activity;sid:84664976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/tma-llms-txt/raw/refs/heads/main/technolithic/txt-tma-llms-v1.7.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801845/; classtype:trojan-activity;sid:84664945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/eridanux.github.io/raw/refs/heads/main/excentral/github-eridanux-io-v1.7-beta.2.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801846/; classtype:trojan-activity;sid:84664946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajkumarsingh23/nestjs-demo/refs/heads/main/nous/demo_nestjs_v2.0.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801847/; classtype:trojan-activity;sid:84664947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/savagegodfather.github.io/raw/refs/heads/main/proctorling/savagegodfather-github-io-v2.8-beta.2.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801848/; classtype:trojan-activity;sid:84664948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajkumarsingh23/nestjs-demo/raw/refs/heads/main/nous/demo_nestjs_v2.0.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801849/; classtype:trojan-activity;sid:84664949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/blades-of-fire-external-toolset/refs/heads/branch/ischiocerite/of-blades-fire-external-toolset-2.0.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801838/; classtype:trojan-activity;sid:84664938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/tma-llms-txt/refs/heads/main/technolithic/txt-tma-llms-v1.7.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801839/; classtype:trojan-activity;sid:84664939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/eridanux.github.io/refs/heads/main/excentral/github-eridanux-io-v1.7-beta.2.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801840/; classtype:trojan-activity;sid:84664940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/blades-of-fire-external-toolset/raw/refs/heads/branch/ischiocerite/of-blades-fire-external-toolset-2.0.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801841/; classtype:trojan-activity;sid:84664941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/cashu-skill/raw/refs/heads/main/cli/cashu-skill-v3.6.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801842/; classtype:trojan-activity;sid:84664942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/savagegodfather.github.io/refs/heads/main/proctorling/savagegodfather-github-io-v2.8-beta.2.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801843/; classtype:trojan-activity;sid:84664943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/cashu-skill/refs/heads/main/cli/cashu-skill-v3.6.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801844/; classtype:trojan-activity;sid:84664944; rev:1;)
# --- 162.219.216.183 (created_at 2026_03_21) ---
# Two exact paths, /i and /bin.sh, on the same IPv4 host. Both rules pin the
# Host value to the literal address, so an alert on either is a reason to review
# all traffic from that client to this address, not only these two paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.219.216.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_21; reference:url, urlhaus.abuse.ch/url/3801037/; classtype:trojan-activity;sid:84664137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.219.216.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_21; reference:url, urlhaus.abuse.ch/url/3801005/; classtype:trojan-activity;sid:84664105; rev:1;)
# --- GitHub-hosted archive downloads (created_at 2026_03_20) ---
# Same exact-match shape and the same cleartext-HTTP caveat as the GitHub rules
# earlier in this block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/raw/refs/heads/main/herbivore/b-power-sq-projects-v1.6.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800856/; classtype:trojan-activity;sid:84663956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/raw/refs/heads/main/herbivore/projects_sq_power_b_v3.4.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800857/; classtype:trojan-activity;sid:84663957; rev:1;)
alert http $HOME_NET any
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/raw/refs/heads/main/palpableness/umarmoin_github_io_2.6.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800855/; classtype:trojan-activity;sid:84663955; rev:1;)
# --- GitHub-hosted archive downloads (created_at 2026_03_20) ---
# Exact-match IoCs: depth:N equals the content length and is combined with
# endswith on http.uri (case-insensitive via nocase) and with
# isdataat:!1,relative on http.host, so both buffers must equal the listed
# strings. A request with an added query string does not match.
# Accounts in this run: umarmoin22, xrecentx, davirenner88-rgb, kontolkambings,
# sablive25, longtengsiha. Most archives are listed once on github.com
# (/raw/refs/heads/...) and once on raw.githubusercontent.com (/refs/heads/...).
# Several repository names read like developer or AI tooling (for example
# claude-code-startup-skills, vllm-skills, ai-inference-resources). That is an
# observation about the names only; the rules assert nothing beyond the URL
# being listed by URLhaus.
# NOTE(review): `alert http` only sees cleartext HTTP. Both hosts are normally
# reached over HTTPS; confirm TLS inspection is in place, otherwise use these
# entries against proxy/EDR URL logs. Keep the match URI-specific, because both
# hosts also serve unrelated, legitimate content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/refs/heads/main/herbivore/projects_sq_power_b_v3.4.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800854/; classtype:trojan-activity;sid:84663954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/claude-code-startup-skills/refs/heads/main/skills/compress-images/skills_claude_code_startup_v1.3.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800848/; classtype:trojan-activity;sid:84663948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/refs/heads/main/palpableness/io_github_umarmoin_3.0.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800849/; classtype:trojan-activity;sid:84663949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/claude-code-startup-skills/raw/refs/heads/main/skills/compress-images/skills_claude_code_startup_v1.3.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800850/; classtype:trojan-activity;sid:84663950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/refs/heads/main/palpableness/umarmoin_github_io_2.6.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800851/; classtype:trojan-activity;sid:84663951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/refs/heads/main/herbivore/b-power-sq-projects-v1.6.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800852/; classtype:trojan-activity;sid:84663952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/raw/refs/heads/main/palpableness/io_github_umarmoin_3.0.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800853/; classtype:trojan-activity;sid:84663953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/vllm-skills/refs/heads/main/skills/skills_vllm_2.3.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800844/; classtype:trojan-activity;sid:84663944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/lr-s/refs/heads/master/gamesv/src/logic/level/s_l_1.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800842/; classtype:trojan-activity;sid:84663942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/lr-s/raw/refs/heads/master/gamesv/src/logic/level/s_l_1.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800843/; classtype:trojan-activity;sid:84663943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/refs/heads/main/carpentry/io-github-xrecentx-v2.7.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800834/; classtype:trojan-activity;sid:84663934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/refs/heads/main/telewriter/io-davirenner-rgb-github-v2.6-alpha.2.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800835/; classtype:trojan-activity;sid:84663935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/refs/heads/main/carpentry/github_xrecentx_io_burnisher.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800836/; classtype:trojan-activity;sid:84663936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/refs/heads/main/telewriter/io_davirenner_rgb_github_2.8.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800837/; classtype:trojan-activity;sid:84663937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/raw/refs/heads/main/telewriter/io_davirenner_rgb_github_2.8.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800838/; classtype:trojan-activity;sid:84663938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/raw/refs/heads/main/carpentry/github_xrecentx_io_burnisher.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800839/; classtype:trojan-activity;sid:84663939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/raw/refs/heads/main/carpentry/io-github-xrecentx-v2.7.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800840/; classtype:trojan-activity;sid:84663940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/vllm-skills/raw/refs/heads/main/skills/skills_vllm_2.3.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800841/; classtype:trojan-activity;sid:84663941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/raw/refs/heads/main/telewriter/io-davirenner-rgb-github-v2.6-alpha.2.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800833/; classtype:trojan-activity;sid:84663933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/kontolkambings.github.io/raw/refs/heads/main/drawfiling/io_kontolkambings_github_2.7.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800825/; classtype:trojan-activity;sid:84663925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/sablive25.github.io/raw/refs/heads/main/tumor/io-github-sablive-1.8.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800822/; classtype:trojan-activity;sid:84663922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/sablive25.github.io/refs/heads/main/tumor/io-github-sablive-1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800823/; classtype:trojan-activity;sid:84663923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/ai-inference-resources/raw/refs/heads/main/android/app/src/profile/resources_inference_ai_1.0.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800824/; classtype:trojan-activity;sid:84663924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longtengsiha/arbitrum-dapp-skill/refs/heads/main/references/arbitrum_dapp_skill_2.7-beta.2.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800813/; classtype:trojan-activity;sid:84663913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/kontolkambings.github.io/refs/heads/main/drawfiling/io_kontolkambings_github_2.7.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800814/; classtype:trojan-activity;sid:84663914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longtengsiha/arbitrum-dapp-skill/raw/refs/heads/main/references/arbitrum_dapp_skill_2.7-beta.2.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800815/; classtype:trojan-activity;sid:84663915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800816)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/kontolkambings/ai-inference-resources/refs/heads/main/android/app/src/profile/resources_inference_ai_1.0.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800816/; classtype:trojan-activity;sid:84663916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/iranpipfix/refs/heads/main/spangled/fix-pip-iran-1.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800817/; classtype:trojan-activity;sid:84663917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/iranpipfix/raw/refs/heads/main/spangled/fix-pip-iran-1.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800818/; classtype:trojan-activity;sid:84663918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/2332245.github.io/refs/heads/main/endlichite/github_io_v3.5.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800802/; classtype:trojan-activity;sid:84663902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800803)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2332245/starspring/raw/refs/heads/main/starspring/decorators/software-v3.8-beta.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800803/; classtype:trojan-activity;sid:84663903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/2332245.github.io/raw/refs/heads/main/endlichite/github_io_v3.5.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800804/; classtype:trojan-activity;sid:84663904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/opensem/raw/refs/heads/main/configs/sem_open_v2.2.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800805/; classtype:trojan-activity;sid:84663905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/opensem/refs/heads/main/configs/sem_open_v2.2.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800806/; classtype:trojan-activity;sid:84663906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/69ir.github.io/refs/heads/main/outbring/io_github_ir_v3.3.zip"; 
depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800807/; classtype:trojan-activity;sid:84663907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/starspring/refs/heads/main/starspring/decorators/software-v3.8-beta.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800808/; classtype:trojan-activity;sid:84663908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/vps_bot_x/refs/heads/main/vps_bot-x/modules/x_bo_vp_pitying.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800809/; classtype:trojan-activity;sid:84663909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/arkaih.github.io/raw/refs/heads/main/untractably/github-io-arkaih-v1.4.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800810/; classtype:trojan-activity;sid:84663910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/69ir.github.io/raw/refs/heads/main/outbring/io_github_ir_v3.3.zip"; depth:71; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800811/; classtype:trojan-activity;sid:84663911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/arkaih.github.io/refs/heads/main/untractably/github-io-arkaih-v1.4.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800801/; classtype:trojan-activity;sid:84663901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/assignment/refs/heads/main/pluricipital/software_v1.8.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800757/; classtype:trojan-activity;sid:84663857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_backend/raw/refs/heads/main/controllers/backend-ecommerce-1.4-beta.1.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800759/; classtype:trojan-activity;sid:84663859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_backend/refs/heads/main/controllers/backend-ecommerce-1.4-beta.1.zip"; depth:87; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800760/; classtype:trojan-activity;sid:84663860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/players123/soenneker.gen.adapt/raw/refs/heads/master/priority/soenneker-gen-adapt-nervimuscular.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800753/; classtype:trojan-activity;sid:84663853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/assignment/raw/refs/heads/main/pluricipital/software_v1.8.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800754/; classtype:trojan-activity;sid:84663854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_frontend/raw/refs/heads/main/src/pages/collectionpage/collectionpagemenu/frontend-ecommerce-v1.0.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800755/; classtype:trojan-activity;sid:84663855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/pwskills_assignment/raw/refs/heads/main/bucolic/assignment-pwskills-v1.6.zip"; depth:85; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800746/; classtype:trojan-activity;sid:84663846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilorasovic/powersub-demo-1807/refs/heads/main/smilax/demo-powersub-v2.1.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800747/; classtype:trojan-activity;sid:84663847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/pwskills_assignment/refs/heads/main/bucolic/assignment-pwskills-v1.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800748/; classtype:trojan-activity;sid:84663848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_frontend/refs/heads/main/src/pages/collectionpage/collectionpagemenu/frontend-ecommerce-v1.0.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800749/; classtype:trojan-activity;sid:84663849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800750)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/players123/soenneker.gen.adapt/refs/heads/master/priority/soenneker-gen-adapt-nervimuscular.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800750/; classtype:trojan-activity;sid:84663850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/open-webui-rust/refs/heads/main/static/assets/fonts/open_rust_webui_1.4-beta.5.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800751/; classtype:trojan-activity;sid:84663851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/open-webui-rust/raw/refs/heads/main/static/assets/fonts/open_rust_webui_1.4-beta.5.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800752/; classtype:trojan-activity;sid:84663852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilorasovic/powersub-demo-1807/raw/refs/heads/main/smilax/demo-powersub-v2.1.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800744/; classtype:trojan-activity;sid:84663844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800659)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"112.78.191.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800659/; classtype:trojan-activity;sid:84663759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/portfoilio/refs/heads/main/.vscode/software-1.9.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800583/; classtype:trojan-activity;sid:84663683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/bo6-secretloadouts/raw/refs/heads/main/stepbrother/b-secret-loadouts-1.7.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800584/; classtype:trojan-activity;sid:84663684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/digital-resume-builder/raw/refs/heads/main/public/digital-builder-resume-predramatic.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800579/; classtype:trojan-activity;sid:84663679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800580)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mannkalariya/portfoilio/raw/refs/heads/main/.vscode/software-1.9.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800580/; classtype:trojan-activity;sid:84663680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/digital-resume-builder/refs/heads/main/public/digital-builder-resume-predramatic.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800581/; classtype:trojan-activity;sid:84663681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/bo6-secretloadouts/refs/heads/main/stepbrother/b-secret-loadouts-1.7.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800582/; classtype:trojan-activity;sid:84663682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/powersub-demo-1078/refs/heads/main/shufflingly/demo_powersub_v2.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800577/; classtype:trojan-activity;sid:84663677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800578)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mannkalariya/powersub-demo-1078/raw/refs/heads/main/shufflingly/demo_powersub_v2.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800578/; classtype:trojan-activity;sid:84663678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dellarwalter/throttleai/refs/heads/main/examples/ai_throttle_2.2-beta.2.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800569/; classtype:trojan-activity;sid:84663669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/charlieallen16/vibeshell/raw/refs/heads/master/src/components/editserverdialog/software_v3.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800567/; classtype:trojan-activity;sid:84663667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dellarwalter/throttleai/raw/refs/heads/main/examples/ai_throttle_2.2-beta.2.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800568/; classtype:trojan-activity;sid:84663668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800566)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/charlieallen16/vibeshell/refs/heads/master/src/components/editserverdialog/software_v3.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800566/; classtype:trojan-activity;sid:84663666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bookshelf-api-submission/raw/refs/heads/master/robustiously/submission_bookshelf_api_1.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800558/; classtype:trojan-activity;sid:84663658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bit-of-business-os/raw/refs/heads/master/images/os_bit_of_business_v2.9.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800559/; classtype:trojan-activity;sid:84663659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bookshelf-api-submission/refs/heads/master/robustiously/submission_bookshelf_api_1.0.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800560/; classtype:trojan-activity;sid:84663660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800561)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/rest-api-app/raw/refs/heads/main/flaskr/rest_app_api_2.7.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800561/; classtype:trojan-activity;sid:84663661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/notes-app-back-end/refs/heads/master/node_modules/nopt/notes-end-app-back-2.4.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800562/; classtype:trojan-activity;sid:84663662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/rest-api-app/refs/heads/main/flaskr/rest_app_api_2.7.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800563/; classtype:trojan-activity;sid:84663663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bramskiee/fishxcode/raw/refs/heads/main/es/software_v2.9.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800550/; classtype:trojan-activity;sid:84663650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800551)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bramskiee/fishxcode/refs/heads/main/es/software_v2.9.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800551/; classtype:trojan-activity;sid:84663651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kattimatti22/vibecode-playground/refs/heads/main/hooks/playground_vibecode_2.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800552/; classtype:trojan-activity;sid:84663652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bit-of-business-os/refs/heads/master/images/os_bit_of_business_v2.9.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800553/; classtype:trojan-activity;sid:84663653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kattimatti22/vibecode-playground/raw/refs/heads/main/hooks/playground_vibecode_2.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800554/; classtype:trojan-activity;sid:84663654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800555)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/danieltulus/010-020-022_datamining_polibatam/refs/heads/master/scaturient/polibatam-datamining-v2.5.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800555/; classtype:trojan-activity;sid:84663655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/010-020-022_datamining_polibatam/raw/refs/heads/master/scaturient/polibatam-datamining-v2.5.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800556/; classtype:trojan-activity;sid:84663656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/notes-app-back-end/raw/refs/heads/master/node_modules/nopt/notes-end-app-back-2.4.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800557/; classtype:trojan-activity;sid:84663657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"62.94.13.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800440/; classtype:trojan-activity;sid:84663540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; 
endswith; nocase; http.host; content:"176.165.146.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800405/; classtype:trojan-activity;sid:84663505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eskarlet78/terraform-aws-3tier-architecture/refs/heads/main/modules/alb/aws-tier-architecture-terraform-potentness.zip"; depth:119; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800253/; classtype:trojan-activity;sid:84663353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/hospitalbedmanagementsystem/refs/heads/main/node_modules/date-fns/fp/getweekofmonthwithoptions/hospital_system_bed_management_v2.5-alpha.4.zip"; depth:154; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800249/; classtype:trojan-activity;sid:84663349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/hospitalbedmanagementsystem/raw/refs/heads/main/node_modules/date-fns/fp/getweekofmonthwithoptions/hospital_system_bed_management_v2.5-alpha.4.zip"; depth:158; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800248/; classtype:trojan-activity;sid:84663348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3800243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eduxxhdfgfd/react-view-import/raw/refs/heads/main/src/import-react-view-tristiloquy.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800243/; classtype:trojan-activity;sid:84663343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/stargate/refs/heads/main/demography/star_gate_v3.4.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800244/; classtype:trojan-activity;sid:84663344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anjdjwjf/fastuator/refs/heads/main/examples/software-1.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800245/; classtype:trojan-activity;sid:84663345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/stargate/raw/refs/heads/main/demography/star_gate_v3.4.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800246/; classtype:trojan-activity;sid:84663346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800247)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/anjdjwjf/fastuator/raw/refs/heads/main/examples/software-1.5.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800247/; classtype:trojan-activity;sid:84663347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/tts/refs/heads/master/sugarless/software-2.2-beta.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800236/; classtype:trojan-activity;sid:84663336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/tts/raw/refs/heads/master/sugarless/software-2.2-beta.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800237/; classtype:trojan-activity;sid:84663337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eduxxhdfgfd/react-view-import/refs/heads/main/src/import-react-view-tristiloquy.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800238/; classtype:trojan-activity;sid:84663338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800239)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/okesing/neergz-web-app/refs/heads/main/canel/app-neergz-web-v2.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800239/; classtype:trojan-activity;sid:84663339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasjan2137/azure-ml-pipeline/refs/heads/main/components/pipeline-azure-ml-3.8.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800240/; classtype:trojan-activity;sid:84663340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okesing/neergz-web-app/raw/refs/heads/main/canel/app-neergz-web-v2.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800241/; classtype:trojan-activity;sid:84663341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasjan2137/azure-ml-pipeline/raw/refs/heads/main/components/pipeline-azure-ml-3.8.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800242/; classtype:trojan-activity;sid:84663342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800231)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/eskarlet78/terraform-aws-3tier-architecture/raw/refs/heads/main/modules/alb/aws-tier-architecture-terraform-potentness.zip"; depth:123; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800231/; classtype:trojan-activity;sid:84663331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rainmeriloo/cf-browser-cdp/raw/refs/heads/master/src/cdp-browser-cf-1.2-beta.4.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800223/; classtype:trojan-activity;sid:84663323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rainmeriloo/cf-browser-cdp/refs/heads/master/src/cdp-browser-cf-1.2-beta.4.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800219/; classtype:trojan-activity;sid:84663319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jahanllol/kotlin-fpv/raw/refs/heads/main/radiotherapeutist/kotlin-fpv-2.6.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3800159/; classtype:trojan-activity;sid:84663259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800156)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jahanllol/kotlin-fpv/refs/heads/main/radiotherapeutist/kotlin-fpv-2.6.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3800156/; classtype:trojan-activity;sid:84663256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/rematch-open-source-release/raw/refs/heads/branch/phrynoid/source-open-release-rematch-1.5.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799995/; classtype:trojan-activity;sid:84663095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/rematch-open-source-release/refs/heads/branch/phrynoid/source-open-release-rematch-1.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799997/; classtype:trojan-activity;sid:84663097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/python-group-2/raw/refs/heads/master/data/group-python-notidanian.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799998/; classtype:trojan-activity;sid:84663098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799991)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/f959/f959.github.io/raw/refs/heads/main/coelomesoblast/github_f_io_2.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799991/; classtype:trojan-activity;sid:84663091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/f959.github.io/refs/heads/main/coelomesoblast/github_f_io_2.2.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799993/; classtype:trojan-activity;sid:84663093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/python-group-2/refs/heads/master/data/group-python-notidanian.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799994/; classtype:trojan-activity;sid:84663094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pirateshadow/nan111de/raw/refs/heads/main/spiketop/na_de_presentably.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799901/; classtype:trojan-activity;sid:84663001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799902)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pirateshadow/nan111de/refs/heads/main/spiketop/na_de_presentably.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799902/; classtype:trojan-activity;sid:84663002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fezarecool/mcp-claude-hackernews/raw/refs/heads/master/entach/hackernews_mcp_claude_v1.9.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799874/; classtype:trojan-activity;sid:84662974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohame524z/bagsfun-bundler-dbc/refs/heads/main/joola/bagsfun-bundler-dbc-1.5.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799872/; classtype:trojan-activity;sid:84662972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fezarecool/mcp-claude-hackernews/refs/heads/master/entach/hackernews_mcp_claude_v1.9.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799873/; classtype:trojan-activity;sid:84662973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799871)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mohame524z/bagsfun-bundler-dbc/raw/refs/heads/main/joola/bagsfun-bundler-dbc-1.5.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799871/; classtype:trojan-activity;sid:84662971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leozin143/ai-terminal-x/raw/refs/heads/main/img/x-terminal-ai-v2.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799870/; classtype:trojan-activity;sid:84662970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muturi-kelvin/free-algorithm-learning/raw/refs/heads/master/archpresbyter/free_algorithm_learning_2.0.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799869/; classtype:trojan-activity;sid:84662969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muturi-kelvin/free-algorithm-learning/refs/heads/master/archpresbyter/free_algorithm_learning_2.0.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799867/; classtype:trojan-activity;sid:84662967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799868)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/leozin143/ai-terminal-x/refs/heads/main/img/x-terminal-ai-v2.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799868/; classtype:trojan-activity;sid:84662968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lennor-tan/openrouter-free-model/raw/refs/heads/main/messages/free_openrouter_model_1.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799864/; classtype:trojan-activity;sid:84662964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lennor-tan/openrouter-free-model/refs/heads/main/messages/free_openrouter_model_1.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799863/; classtype:trojan-activity;sid:84662963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/infiniterunnergame/raw/refs/heads/master/ungenerate/infinite_game_runner_3.4.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799860/; classtype:trojan-activity;sid:84662960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799859)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jarrenstyle/infiniterunnergame/refs/heads/master/ungenerate/infinite_game_runner_3.4.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799859/; classtype:trojan-activity;sid:84662959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/les-moders/raw/refs/heads/main/les-modern/les_moders_v2.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799856/; classtype:trojan-activity;sid:84662956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/pong/raw/refs/heads/master/pong_game/software-v2.0.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799857/; classtype:trojan-activity;sid:84662957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/homework/raw/refs/heads/master/heteroeciousness/software-1.8.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799858/; classtype:trojan-activity;sid:84662958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799855)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jarrenstyle/pong/refs/heads/master/pong_game/software-v2.0.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799855/; classtype:trojan-activity;sid:84662955; rev:1;)
# Review note: each rule below pins one reported download URL. The http.uri
# content has depth equal to its own length plus endswith, and the http.host
# content has the same depth plus isdataat:!1,relative, so both buffers must
# equal the literal in full (nocase applies to the URI content only). The same
# path with a query string appended does not match.
# NOTE(review): these are "alert http" rules for github.com and
# raw.githubusercontent.com. Presumably the reported URLs are https://, in which
# case the sensor sees the request only where TLS is decrypted ahead of it.
# Confirm before counting these rules as coverage for GitHub-hosted payloads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/les-moders/refs/heads/main/les-modern/les_moders_v2.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799851/; classtype:trojan-activity;sid:84662951; rev:1;)
# NOTE(review): the path in the next rule contains a literal %20. http.uri is
# Suricata's normalized URI buffer; if the sensor's HTTP parser decodes %20 to
# a space there, this content cannot match and the rule stays silent. Confirm
# with a replayed request; if so, match on http.uri.raw or write the space as |20|.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/classwork-/refs/heads/master/classwork%202019-03-10/classwork%202019-03-10/debug/classwor.929ce1fa.tlog/classwork_v1.4-alpha.5.zip"; depth:143; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799852/; classtype:trojan-activity;sid:84662952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/homework/refs/heads/master/heteroeciousness/software-1.8.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799853/; classtype:trojan-activity;sid:84662953; rev:1;)
# github.com /raw/ form of the path in sid:84662952. It carries the same
# literal %20, so the NOTE(review) on normalization above applies here too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/classwork-/raw/refs/heads/master/classwork%202019-03-10/classwork%202019-03-10/debug/classwor.929ce1fa.tlog/classwork_v1.4-alpha.5.zip"; depth:147; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799854/; classtype:trojan-activity;sid:84662954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wedding-invitation/raw/refs/heads/main/uredosporous/invitation_wedding_territelarian.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799339/; classtype:trojan-activity;sid:84662439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/tech-educa/raw/refs/heads/main/annoyment/tech-educa-wried.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799330/; classtype:trojan-activity;sid:84662430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/sistem-cis/raw/refs/heads/main/assets/js/core/cis_siste_v1.4.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799332/; classtype:trojan-activity;sid:84662432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3799333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/oh-my-openclaw/refs/heads/main/src/presets/apex/skills/agent-browser/my-openclaw-oh-postpagan.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799333/; classtype:trojan-activity;sid:84662433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/sistem-cis/refs/heads/main/assets/js/core/cis_siste_v1.4.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799335/; classtype:trojan-activity;sid:84662435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wordpress/refs/heads/main/standard/software_v1.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799336/; classtype:trojan-activity;sid:84662436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/test-pull/refs/heads/main/volucrine/test-pull-v2.3.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799337/; classtype:trojan-activity;sid:84662437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3799338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/test-pull/raw/refs/heads/main/volucrine/test-pull-v2.3.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799338/; classtype:trojan-activity;sid:84662438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/supervpn-premium-unlocked-edition/raw/refs/heads/branch/sarcophagize/supervpn-premium-edition-unlocked-v1.4.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799323/; classtype:trojan-activity;sid:84662423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/php/raw/refs/heads/main/kerbstone/software_v1.4.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799324/; classtype:trojan-activity;sid:84662424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/php/refs/heads/main/kerbstone/software_v1.4.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799325/; classtype:trojan-activity;sid:84662425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3799326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/tech-educa/refs/heads/main/annoyment/tech-educa-wried.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799326/; classtype:trojan-activity;sid:84662426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/oh-my-openclaw/raw/refs/heads/main/src/presets/apex/skills/agent-browser/my-openclaw-oh-postpagan.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799327/; classtype:trojan-activity;sid:84662427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/supervpn-premium-unlocked-edition/refs/heads/branch/sarcophagize/supervpn-premium-edition-unlocked-v1.4.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799328/; classtype:trojan-activity;sid:84662428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wordpress/raw/refs/heads/main/standard/software_v1.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799329/; classtype:trojan-activity;sid:84662429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3799320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wedding-invitation/refs/heads/main/uredosporous/invitation_wedding_territelarian.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799320/; classtype:trojan-activity;sid:84662420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milescarson/milescarson.github.io/refs/heads/main/acarophobia/github-io-milescarson-v3.6-alpha.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799224/; classtype:trojan-activity;sid:84662324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/1-20-assignment/raw/refs/heads/master/isandrous/assignment_1.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799218/; classtype:trojan-activity;sid:84662318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/testing1/raw/refs/heads/master/mullidae/testing-romanesque.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799219/; classtype:trojan-activity;sid:84662319; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/universalvideotranscriber/raw/refs/heads/main/universalvideotranscriber/assets.xcassets/appicon.appiconset/video-universal-transcriber-antisoporific.zip"; depth:163; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799208/; classtype:trojan-activity;sid:84662308; rev:1;)
# Review note: each rule below pins one reported download URL. depth equal to
# the content length plus endswith on http.uri, and depth plus
# isdataat:!1,relative on http.host, require both buffers to equal the literal
# in full (nocase applies to the URI content only). An appended query string
# defeats the match.
# NOTE(review): these are "alert http" rules for github.com and
# raw.githubusercontent.com. Presumably the reported URLs are https://, in which
# case the sensor sees the request only where TLS is decrypted ahead of it.
# Confirm before counting these rules as coverage for GitHub-hosted payloads.
# NOTE(review): four paths below (sid:84662309, 84662311, 84662313, 84662315)
# contain a literal %20. http.uri is Suricata's normalized URI buffer; if the
# sensor's HTTP parser decodes %20 to a space there, those contents cannot match
# and the rules stay silent. Confirm with a replayed request; if so, match on
# http.uri.raw or write the space as |20|.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/facebook-sign-up-page/refs/heads/main/facebook%20sign%20up%20page/sig_faceboo_u_page_3.8.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799209/; classtype:trojan-activity;sid:84662309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/1-20-assignment/refs/heads/master/isandrous/assignment_1.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799210/; classtype:trojan-activity;sid:84662310; rev:1;)
# github.com /raw/ form of the path in sid:84662309.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/facebook-sign-up-page/raw/refs/heads/main/facebook%20sign%20up%20page/sig_faceboo_u_page_3.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799211/; classtype:trojan-activity;sid:84662311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/21-40-assignment/raw/refs/heads/main/21-40%20assignment/assignment-sphagnologist.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799213/; classtype:trojan-activity;sid:84662313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milescarson/milescarson.github.io/raw/refs/heads/main/acarophobia/github-io-milescarson-v3.6-alpha.2.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799214/; classtype:trojan-activity;sid:84662314; rev:1;)
# raw.githubusercontent.com form of the path in sid:84662313.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/21-40-assignment/refs/heads/main/21-40%20assignment/assignment-sphagnologist.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799215/; classtype:trojan-activity;sid:84662315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/universalvideotranscriber/refs/heads/main/universalvideotranscriber/assets.xcassets/appicon.appiconset/video-universal-transcriber-antisoporific.zip"; depth:159; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799216/; classtype:trojan-activity;sid:84662316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/testing1/refs/heads/master/mullidae/testing-romanesque.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799217/; classtype:trojan-activity;sid:84662317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/rmisimplebanksystem/raw/refs/heads/master/src/bank-system-rmi-simple-2.8.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799207/; classtype:trojan-activity;sid:84662307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nassimos19/skill-bridge/refs/heads/main/server/bootstrap/bridge-skill-2.3-beta.5.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799202/; classtype:trojan-activity;sid:84662302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/warrior/raw/refs/heads/main/teapotful/software_2.2.zip"; depth:68; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799182/; classtype:trojan-activity;sid:84662282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/xsinopx.github.io/raw/refs/heads/main/tenemental/github_io_xsinopx_v1.2.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799183/; classtype:trojan-activity;sid:84662283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/not-anybody-ever/tower-vib/raw/refs/heads/main/results/vib-tower-3.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799184/; classtype:trojan-activity;sid:84662284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/go2rtc/raw/refs/heads/master/internal/gopro/rtc-go-depraver.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799185/; classtype:trojan-activity;sid:84662285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adammtn/wincam-no-trial/raw/refs/heads/main/bandrol/trial-win-no-cam-2.1.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799186/; classtype:trojan-activity;sid:84662286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/txt-to-video-leech-uploader/raw/refs/heads/main/dodecahydrated/t_tx_vide_leec_uploader_3.7.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799187/; classtype:trojan-activity;sid:84662287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nassimos19/skill-bridge/raw/refs/heads/main/server/bootstrap/bridge-skill-2.3-beta.5.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799188/; classtype:trojan-activity;sid:84662288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsnicuur/youtube-work-/raw/refs/heads/main/consulage/youtube-work-pensively.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799189/; classtype:trojan-activity;sid:84662289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unresponsive-in384/temporal_reasoning_vision_system/raw/refs/heads/main/utils/reasoning-vision-system-temporal-inauration.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799190/; classtype:trojan-activity;sid:84662290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/aifeedtracker/raw/refs/heads/main/docs/ai_feed_tracker_2.6.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799191/; classtype:trojan-activity;sid:84662291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/go2rtc/refs/heads/master/internal/gopro/rtc-go-depraver.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799192/; classtype:trojan-activity;sid:84662292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/not-anybody-ever/tower-vib/refs/heads/main/results/vib-tower-3.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799193/; classtype:trojan-activity;sid:84662293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsnicuur/youtube-work-/refs/heads/main/consulage/youtube-work-pensively.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799194/; classtype:trojan-activity;sid:84662294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/warrior/refs/heads/main/teapotful/software_2.2.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799195/; classtype:trojan-activity;sid:84662295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/xsinopx.github.io/refs/heads/main/tenemental/github_io_xsinopx_v1.2.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799196/; classtype:trojan-activity;sid:84662296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/aifeedtracker/refs/heads/main/docs/ai_feed_tracker_2.6.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799197/; classtype:trojan-activity;sid:84662297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adammtn/wincam-no-trial/refs/heads/main/bandrol/trial-win-no-cam-2.1.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_03_18; reference:url, urlhaus.abuse.ch/url/3799198/; classtype:trojan-activity;sid:84662298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/rmisimplebanksystem/refs/heads/master/src/bank-system-rmi-simple-2.8.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799199/; classtype:trojan-activity;sid:84662299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unresponsive-in384/temporal_reasoning_vision_system/refs/heads/main/utils/reasoning-vision-system-temporal-inauration.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799200/; classtype:trojan-activity;sid:84662300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/txt-to-video-leech-uploader/refs/heads/main/dodecahydrated/t_tx_vide_leec_uploader_3.7.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799201/; classtype:trojan-activity;sid:84662301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameer2135/offcam/refs/heads/main/opinable/cam_off_v2.2.zip"; depth:60; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799177/; classtype:trojan-activity;sid:84662277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameer2135/offcam/raw/refs/heads/main/opinable/cam_off_v2.2.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799178/; classtype:trojan-activity;sid:84662278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shivansh-aiml/vuejs-cicd-deploy-on-github-pages/refs/heads/main/src/github_on_cicd_deploy_vuejs_pages_3.6-beta.2.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799155/; classtype:trojan-activity;sid:84662255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shivansh-aiml/vuejs-cicd-deploy-on-github-pages/raw/refs/heads/main/src/github_on_cicd_deploy_vuejs_pages_3.6-beta.2.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799156/; classtype:trojan-activity;sid:84662256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799153)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/roop81/interlink-multi-bot/refs/heads/main/chiwere/interlink_bot_multi_2.7.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799153/; classtype:trojan-activity;sid:84662253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roop81/interlink-multi-bot/raw/refs/heads/main/chiwere/interlink_bot_multi_2.7.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799152/; classtype:trojan-activity;sid:84662252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/philiplaurence123/brilliant-crypto-bot-crypto-game-auto-farm-clicker-cheat-token-hack-api/raw/refs/heads/main/brilliantcrypto-bot/minigames/cheat-clicker-crypto-game-api-hack-farm-auto-bot-brilliant-token-3.3-alpha.3.zip"; depth:221; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799139/; classtype:trojan-activity;sid:84662239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/philiplaurence123/brilliant-crypto-bot-crypto-game-auto-farm-clicker-cheat-token-hack-api/refs/heads/main/brilliantcrypto-bot/minigames/cheat-clicker-crypto-game-api-hack-farm-auto-bot-brilliant-token-3.3-alpha.3.zip"; depth:217; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; 
reference:url, urlhaus.abuse.ch/url/3799138/; classtype:trojan-activity;sid:84662238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lop435/gata-auto-farmer/refs/heads/main/schemy/gata-farmer-auto-photoconductivity.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799133/; classtype:trojan-activity;sid:84662233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lop435/gata-auto-farmer/raw/refs/heads/main/schemy/gata-farmer-auto-photoconductivity.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799134/; classtype:trojan-activity;sid:84662234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiliams11h/forgotten-runiverse-crypto-bot-crypto-game-auto-farm-clicker-cheat-api-1v/refs/heads/main/glycolylurea/farm_cheat_crypto_clicker_bot_api_auto_forgotten_v_runiverse_game_2.3.zip"; depth:188; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799130/; classtype:trojan-activity;sid:84662230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799131)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wiliams11h/forgotten-runiverse-crypto-bot-crypto-game-auto-farm-clicker-cheat-api-1v/raw/refs/heads/main/glycolylurea/farm_cheat_crypto_clicker_bot_api_auto_forgotten_v_runiverse_game_2.3.zip"; depth:192; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799131/; classtype:trojan-activity;sid:84662231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/izeredon/pixels-bot-autofarm/refs/heads/main/sample/pixels_bot_farm_auto_electioneer.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799129/; classtype:trojan-activity;sid:84662229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/izeredon/pixels-bot-autofarm/raw/refs/heads/main/sample/pixels_bot_farm_auto_electioneer.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799128/; classtype:trojan-activity;sid:84662228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atabey9860/axie-infinity-bot-crypto-cheat-auto-farm-clicker-game-api-hack/refs/heads/main/axie-infinity-exp/axieenergycounter/properties/auto_hack_cheat_infinity_bot_api_axie_clicker_farm_game_crypto_3.3.zip"; depth:208; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, 
urlhaus.abuse.ch/url/3799120/; classtype:trojan-activity;sid:84662220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atabey9860/axie-infinity-bot-crypto-cheat-auto-farm-clicker-game-api-hack/raw/refs/heads/main/axie-infinity-exp/axieenergycounter/properties/auto_hack_cheat_infinity_bot_api_axie_clicker_farm_game_crypto_3.3.zip"; depth:212; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799121/; classtype:trojan-activity;sid:84662221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roter515stuhl/aavegotchi-cheat-crypto-bot-auto-farm-clicker-game-api-hack/raw/refs/heads/main/aavegotchi-autoplay/aavegotchi-app/properties/cheat_game_auto_bot_hack_aavegotchi_crypto_api_clicker_farm_2.4.zip"; depth:208; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799114/; classtype:trojan-activity;sid:84662214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roter515stuhl/aavegotchi-cheat-crypto-bot-auto-farm-clicker-game-api-hack/refs/heads/main/aavegotchi-autoplay/aavegotchi-app/properties/cheat_game_auto_bot_hack_aavegotchi_crypto_api_clicker_farm_2.4.zip"; depth:204; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799113/; classtype:trojan-activity;sid:84662213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3799112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeptr67/gashero-finance-game-bot-auto-farm-clicker-crypto-blockchain-hack-cheat/refs/heads/main/.vs/farm_hack_crypto_hero_cheat_auto_finance_gas_game_blockchain_clicker_bot_1.1.zip"; depth:181; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799112/; classtype:trojan-activity;sid:84662212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeptr67/gashero-finance-game-bot-auto-farm-clicker-crypto-blockchain-hack-cheat/raw/refs/heads/main/.vs/farm_hack_crypto_hero_cheat_auto_finance_gas_game_blockchain_clicker_bot_1.1.zip"; depth:185; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799111/; classtype:trojan-activity;sid:84662211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-muhammadahmad/best-blox-fruits-auto-farming-2025/raw/refs/heads/master/src/views/activitymanagement/reports/mylogsummaryreport/list/components/columns/farming-blox-auto-fruits-best-v3.0.zip"; depth:192; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799108/; classtype:trojan-activity;sid:84662208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799109)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i-muhammadahmad/best-blox-fruits-auto-farming-2025/refs/heads/master/src/views/activitymanagement/reports/mylogsummaryreport/list/components/columns/farming-blox-auto-fruits-best-v3.0.zip"; depth:188; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799109/; classtype:trojan-activity;sid:84662209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/kelasdeb.github.io/refs/heads/main/whun/kelasdeb-github-io-2.8.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799099/; classtype:trojan-activity;sid:84662199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/kelasdeb.github.io/raw/refs/heads/main/whun/kelasdeb-github-io-2.8.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799098/; classtype:trojan-activity;sid:84662198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/customnamesforgeysermc/refs/heads/main/verby/for-geyser-custom-names-mc-v3.5.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799096/; classtype:trojan-activity;sid:84662196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3799097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/customnamesforgeysermc/raw/refs/heads/main/verby/for-geyser-custom-names-mc-v3.5.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799097/; classtype:trojan-activity;sid:84662197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/fitworrior/refs/heads/main/css/software-v1.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799095/; classtype:trojan-activity;sid:84662195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/rl-name-changer/raw/refs/heads/main/src/name-r-changer-v2.3.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799092/; classtype:trojan-activity;sid:84662192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/rl-name-changer/refs/heads/main/src/name-r-changer-v2.3.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799093/; classtype:trojan-activity;sid:84662193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3799094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/fitworrior/raw/refs/heads/main/css/software-v1.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799094/; classtype:trojan-activity;sid:84662194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josemaq/5536/raw/refs/heads/main/26/85.txt"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799090/; classtype:trojan-activity;sid:84662190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josemaq/5536/refs/heads/main/26/85.txt"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799089/; classtype:trojan-activity;sid:84662189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swathigoud/whispernet/refs/heads/main/assets/net-whisper-v3.0.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799087/; classtype:trojan-activity;sid:84662187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799086)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/swathigoud/whispernet/raw/refs/heads/main/assets/net-whisper-v3.0.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799086/; classtype:trojan-activity;sid:84662186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lolo10201/trial-project/refs/heads/main/login_page.txt"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798895/; classtype:trojan-activity;sid:84661995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lolo10201/trial-project/raw/refs/heads/main/login_page.txt"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798896/; classtype:trojan-activity;sid:84661996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/159zhx/pet-simulator-99/refs/heads/main/barbasco/pet_simulator_v2.5.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798873/; classtype:trojan-activity;sid:84661973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798874)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/159zhx/pet-simulator-99/raw/refs/heads/main/barbasco/pet_simulator_v2.5.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798874/; classtype:trojan-activity;sid:84661974; rev:1;)
# GitHub-hosted ZIP downloads; the repository and file names here are game-script themed.
# The host content on its own names a widely used platform; the alert depends on the exact
# http.uri match in the same rule, so keep both conditions together when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skata123a/roblox-fisch-script/raw/refs/heads/main/overchief/script_fisch_roblox_v3.3.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798870/; classtype:trojan-activity;sid:84661970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skata123a/roblox-fisch-script/refs/heads/main/overchief/script_fisch_roblox_v3.3.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798871/; classtype:trojan-activity;sid:84661971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paul111-beep/roblox-murder-mystery/raw/refs/heads/main/sanballat/mystery_roblox_murder_v2.2-alpha.5.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798868/; classtype:trojan-activity;sid:84661968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798867)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/paul111-beep/roblox-murder-mystery/refs/heads/main/sanballat/mystery_roblox_murder_v2.2-alpha.5.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798867/; classtype:trojan-activity;sid:84661967; rev:1;)
# The http.uri content is written in lower case and followed by nocase, so the path matches
# regardless of case. The http.host content carries no nocase; Suricata normalizes that
# buffer to lower case before matching.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artistic-minds9/roblox-death-ball-script/raw/refs/heads/main/vesiculose/ball-roblox-script-death-2.2.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798850/; classtype:trojan-activity;sid:84661950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artistic-minds9/roblox-death-ball-script/refs/heads/main/vesiculose/ball-roblox-script-death-2.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798849/; classtype:trojan-activity;sid:84661949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marik201517/roblox-death-ball-script/refs/heads/main/perpera/ball_roblox_script_death_v3.4.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798847/; classtype:trojan-activity;sid:84661947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3798848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marik201517/roblox-death-ball-script/raw/refs/heads/main/perpera/ball_roblox_script_death_v3.4.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798848/; classtype:trojan-activity;sid:84661948; rev:1;)
# flow:established,from_client restricts matching to client requests on an established session,
# and the rule header ($HOME_NET -> $EXTERNAL_NET) to outbound fetches from monitored hosts.
# NOTE(review): nothing here inspects the response, so an alert shows an attempted fetch only -
# correlate with response or endpoint data to confirm a download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/igmp24184/roblox-macro-v3.0.0/raw/refs/heads/main/language/roblo-macr-v2.1.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798845/; classtype:trojan-activity;sid:84661945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/igmp24184/roblox-macro-v3.0.0/refs/heads/main/language/roblo-macr-v2.1.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798844/; classtype:trojan-activity;sid:84661944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/gsc-project/refs/heads/backend/packages/portable.bouncycastle.1.9.0/project-gs-v1.3.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798843/; classtype:trojan-activity;sid:84661943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3798840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/gsc-project/raw/refs/heads/backend/packages/portable.bouncycastle.1.9.0/project-gs-v1.3.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798840/; classtype:trojan-activity;sid:84661940; rev:1;)
# github.com URLs for several repositories under one account path prefix (/unknown4522/);
# each URL is a separate sid. classtype:trojan-activity and rev:1 are the same on every rule here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/studentchecklist/raw/refs/heads/api/fileschecklist/bin/debug/net8.0/zh-hant/check-student-list-v3.3.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798841/; classtype:trojan-activity;sid:84661941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/example/raw/refs/heads/main/fileschecklist/bin/debug/net8.0/software_2.5.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798842/; classtype:trojan-activity;sid:84661942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/version8project/raw/refs/heads/main/gsc-inventoryproject/obj/release/project-version-v3.1.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798836/; classtype:trojan-activity;sid:84661936; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/version8project/refs/heads/main/gsc-inventoryproject/obj/release/project-version-v3.1.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798837/; classtype:trojan-activity;sid:84661937; rev:1;)
# raw.githubusercontent.com URLs under the /unknown4522/ path prefix (this URL form has no /raw/ segment).
# The match is exact (depth + endswith): each sid covers the listed URL only, not other files
# in the same repository.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/studentchecklist/refs/heads/api/fileschecklist/bin/debug/net8.0/zh-hant/check-student-list-v3.3.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798838/; classtype:trojan-activity;sid:84661938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/example/refs/heads/main/fileschecklist/bin/debug/net8.0/software_2.5.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798839/; classtype:trojan-activity;sid:84661939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/roblox-executor/refs/heads/master/inventorybackend/packages/k4os.hash.xxhash.1.0.6/roblox-executor-kayles.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; 
reference:url, urlhaus.abuse.ch/url/3798833/; classtype:trojan-activity;sid:84661933; rev:1;)
# metadata:created_at records the rule creation date (2026_03_18 on every rule here).
# NOTE(review): URL IoCs age quickly - check the referenced URLhaus entry for its current
# status before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/roblox-executor/raw/refs/heads/master/inventorybackend/packages/k4os.hash.xxhash.1.0.6/roblox-executor-kayles.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798834/; classtype:trojan-activity;sid:84661934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwinango/synchronizer/raw/refs/heads/main/docs-site/software_2.7-beta.1.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798830/; classtype:trojan-activity;sid:84661930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwinango/synchronizer/refs/heads/main/docs-site/software_2.7-beta.1.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798831/; classtype:trojan-activity;sid:84661931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damartr23/fischroblox/raw/refs/heads/main/assure/fisch-roblox-3.4-alpha.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; 
reference:url, urlhaus.abuse.ch/url/3798829/; classtype:trojan-activity;sid:84661929; rev:1;)
# GitHub-hosted ZIP URLs, exact URI and host match per rule.
# Triage pointer: the reference option gives the URLhaus page (urlhaus.abuse.ch/url/<id>/)
# for the same id shown in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naruto1233958/roblox-fisch-script/refs/heads/main/mull/script-roblox-fisch-v1.0-beta.5.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798823/; classtype:trojan-activity;sid:84661923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naruto1233958/roblox-fisch-script/raw/refs/heads/main/mull/script-roblox-fisch-v1.0-beta.5.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798824/; classtype:trojan-activity;sid:84661924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localdumbass2112/adoptmescript/raw/refs/heads/main/marshalman/software-v3.9.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798825/; classtype:trojan-activity;sid:84661925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvcj503/permission_studio/refs/heads/main/permission_studio/config/studio-permission-2.9.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798826/; classtype:trojan-activity;sid:84661926; rev:1;)
# Exact-URL rules for GitHub-hosted ZIPs (both URL forms).
# sid = URLhaus id + 80863100 on every rule here, e.g. 3798827 -> 84661927.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvcj503/permission_studio/raw/refs/heads/main/permission_studio/config/studio-permission-2.9.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798827/; classtype:trojan-activity;sid:84661927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localdumbass2112/adoptmescript/refs/heads/main/marshalman/software-v3.9.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798828/; classtype:trojan-activity;sid:84661928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damartr23/fischroblox/refs/heads/main/assure/fisch-roblox-3.4-alpha.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798822/; classtype:trojan-activity;sid:84661922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jazzman08/adopt-me-script/refs/heads/main/cornification/me_adopt_script_2.0.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798819/; classtype:trojan-activity;sid:84661919; rev:1;)
# One account path prefix (/linapatel518/) appears with several repositories below;
# each URL and each host form is its own sid.
# NOTE(review): github.com and raw.githubusercontent.com are normally TLS-only, so these
# http rules need decrypted traffic to see the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jazzman08/adopt-me-script/raw/refs/heads/main/cornification/me_adopt_script_2.0.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798820/; classtype:trojan-activity;sid:84661920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/cv/raw/refs/heads/main/relayman/software-v3.3.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798813/; classtype:trojan-activity;sid:84661913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/cv/refs/heads/main/relayman/software-v3.3.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798812/; classtype:trojan-activity;sid:84661912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/drumkit/refs/heads/main/images/kit_drum_v2.7.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, 
urlhaus.abuse.ch/url/3798810/; classtype:trojan-activity;sid:84661910; rev:1;)
# Further /linapatel518/ URLs, then a different repository.
# All conditions are on the request (method, URI, host); no response or file keywords are
# used, so an alert indicates a request for the URL, not a completed transfer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/drumkit/raw/refs/heads/main/images/kit_drum_v2.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798811/; classtype:trojan-activity;sid:84661911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/rbxfpsunlocker/refs/heads/main/sheepwalker/software_v2.5.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798808/; classtype:trojan-activity;sid:84661908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/rbxfpsunlocker/raw/refs/heads/main/sheepwalker/software_v2.5.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798809/; classtype:trojan-activity;sid:84661909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fraze76/open-aimbot/raw/refs/heads/main/tremulant/open-aimbot-1.7.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798804/; 
classtype:trojan-activity;sid:84661904; rev:1;)
# depth values track the content length (25 for "raw.githubusercontent.com", 10 for
# "github.com"), which anchors each match at the start of its buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fraze76/open-aimbot/refs/heads/main/tremulant/open-aimbot-1.7.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798803/; classtype:trojan-activity;sid:84661903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qouzk/now.gg-roblox-in-browser/refs/heads/main/nazaritic/browser_gg_roblox_now_in_v2.4.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798801/; classtype:trojan-activity;sid:84661901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qouzk/now.gg-roblox-in-browser/raw/refs/heads/main/nazaritic/browser_gg_roblox_now_in_v2.4.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798802/; classtype:trojan-activity;sid:84661902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ishu-276/adoptmescript/refs/heads/main/archduchy/software_v3.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798799/; 
classtype:trojan-activity;sid:84661899; rev:1;)
# The two host forms of a file are not always adjacent or in the same order (github.com
# first in some pairs, raw.githubusercontent.com first in others); pair them by path and
# by the URLhaus id in msg rather than by position.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ishu-276/adoptmescript/raw/refs/heads/main/archduchy/software_v3.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798800/; classtype:trojan-activity;sid:84661900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oceanremodeling/fischroblox/refs/heads/main/trichroic/fisch-roblox-3.5.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798797/; classtype:trojan-activity;sid:84661897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oceanremodeling/fischroblox/raw/refs/heads/main/trichroic/fisch-roblox-3.5.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798796/; classtype:trojan-activity;sid:84661896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayuxxxxx/build-a-truck-roblox-toolkit/refs/heads/branch/icelandic/a_truck_toolkit_build_roblox_v2.4.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798794/; 
classtype:trojan-activity;sid:84661894; rev:1;)
# Two repositories are interleaved here (/ayuxxxxx/... and /ibrahim832023/...);
# use the path, not rule order, to find the github.com and raw.githubusercontent.com
# rules that belong to the same file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ibrahim832023/adoptme-script-download/raw/refs/heads/main/palingenesy/script_m_adopt_download_v1.6.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798795/; classtype:trojan-activity;sid:84661895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayuxxxxx/build-a-truck-roblox-toolkit/raw/refs/heads/branch/icelandic/a_truck_toolkit_build_roblox_v2.4.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798793/; classtype:trojan-activity;sid:84661893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ibrahim832023/adoptme-script-download/refs/heads/main/palingenesy/script_m_adopt_download_v1.6.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798792/; classtype:trojan-activity;sid:84661892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/expect8iondev/towersim-hardcore-evolution/raw/refs/heads/branch/capitolium/hardcore_towersim_evolution_2.1.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798789/; classtype:trojan-activity;sid:84661889; rev:1;)
# GitHub pairs, followed by a rule for /bin.sh on an IP-literal host.
# For the IP-literal rule the address is matched as text in http.host (taken from the
# request), not as the flow's destination: the rule header still says $EXTERNAL_NET any.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/expect8iondev/towersim-hardcore-evolution/refs/heads/branch/capitolium/hardcore_towersim_evolution_2.1.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798790/; classtype:trojan-activity;sid:84661890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mahmoudwagih1/ant-man-simulator-toolkit/refs/heads/branch/barrabkie/toolkit_simulator_ant_man_pursily.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798787/; classtype:trojan-activity;sid:84661887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mahmoudwagih1/ant-man-simulator-toolkit/raw/refs/heads/branch/barrabkie/toolkit_simulator_ant_man_pursily.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798788/; classtype:trojan-activity;sid:84661888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"174.105.154.212"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798745/; classtype:trojan-activity;sid:84661845; rev:1;)
# Non-GitHub host: .png file names on controliumbt.com listed as malware download URLs.
# The extension in the URI says nothing about the payload type; the rules match the URL only.
# A further GitHub pair follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_140830.png"; depth:15; endswith; nocase; http.host; content:"controliumbt.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798726/; classtype:trojan-activity;sid:84661826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_182028.png"; depth:15; endswith; nocase; http.host; content:"controliumbt.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798727/; classtype:trojan-activity;sid:84661827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amuthan1808/valorant-efi-drivver-cheat-hack/refs/heads/main/hyprism/valoran_drivve_hack_cheat_ef_nephrosclerosis.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798630/; classtype:trojan-activity;sid:84661730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amuthan1808/valorant-efi-drivver-cheat-hack/raw/refs/heads/main/hyprism/valoran_drivve_hack_cheat_ef_nephrosclerosis.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, 
urlhaus.abuse.ch/url/3798629/; classtype:trojan-activity;sid:84661729; rev:1;)
# IP-literal hosts with short paths (/inverstorrneeepng.png, /ethd0, /.i).
# The address is matched as text in http.host; the rule header still allows any external destination.
# NOTE(review): addresses get reassigned - confirm the URLhaus entry is still current when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inverstorrneeepng.png"; depth:22; endswith; nocase; http.host; content:"172.245.95.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798621/; classtype:trojan-activity;sid:84661721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ethd0"; depth:6; endswith; nocase; http.host; content:"103.98.212.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798524/; classtype:trojan-activity;sid:84661624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"125.46.45.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798525/; classtype:trojan-activity;sid:84661625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"65.186.8.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798522/; classtype:trojan-activity;sid:84661622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86_64"; depth:15; endswith; nocase; http.host; 
content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798503/; classtype:trojan-activity;sid:84661603; rev:1;)
# raw.flameblox.com: the same base name "nuclear" with a CPU-architecture suffix
# (arm7, ppc, mips, mpsl ...), one sid per file.
# NOTE(review): per-architecture naming suggests a multi-platform payload set; the family
# is not stated in the rules - check the URLhaus entry tags.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm7"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798504/; classtype:trojan-activity;sid:84661604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.ppc"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798505/; classtype:trojan-activity;sid:84661605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mips"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798506/; classtype:trojan-activity;sid:84661606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mpsl"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798507/; classtype:trojan-activity;sid:84661607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3798499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arc"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798499/; classtype:trojan-activity;sid:84661599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.spc"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798500/; classtype:trojan-activity;sid:84661600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.m68k"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798501/; classtype:trojan-activity;sid:84661601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.i686"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798487/; classtype:trojan-activity;sid:84661587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798488/; 
classtype:trojan-activity;sid:84661588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm5"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798483/; classtype:trojan-activity;sid:84661583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.sh4"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798484/; classtype:trojan-activity;sid:84661584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm6"; depth:13; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798485/; classtype:trojan-activity;sid:84661585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86"; depth:12; endswith; nocase; http.host; content:"raw.flameblox.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798486/; classtype:trojan-activity;sid:84661586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"213.87.112.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797992/; classtype:trojan-activity;sid:84661092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.93.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797949/; classtype:trojan-activity;sid:84661049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q8348.exe"; depth:10; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797939/; classtype:trojan-activity;sid:84661039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n743.exe"; depth:9; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797934/; classtype:trojan-activity;sid:84661034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x834.exe"; depth:9; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797935/; classtype:trojan-activity;sid:84661035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797936)"; flow:established,from_client; 
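http.method; content:"GET"; http.uri; content:"/v38438.exe"; depth:11; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797936/; classtype:trojan-activity;sid:84661036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/universalbrowser.exe"; depth:21; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797937/; classtype:trojan-activity;sid:84661037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s287.exe"; depth:9; endswith; nocase; http.host; content:"196.251.107.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797938/; classtype:trojan-activity;sid:84661038; rev:1;)
# sid 84661032 (next rule): the query-string separator had been escaped twice. The
# pattern read |7c|26|7c|, i.e. the literal four characters "|26|", so it could not
# match a request for ...?alt=media&token=... (the '&' is inferred from the 0x26
# escape; confirm against the URLhaus entry referenced in the rule). It is now |26|.
# depth had been computed from the escaped pattern text (127 characters); the decoded
# pattern is 115 bytes, and with endswith depth:115 pins the match to the whole
# http.uri buffer. rev is bumped for the change. A feed refresh will overwrite this
# local edit, so the durable fix is in the rule generator's escaping and length logic.
# NOTE(review): this is an `alert http` rule. If the listed URL is served over HTTPS
# (usual for this host; verify), it only fires where TLS is decrypted ahead of the
# sensor. The hostname is a shared service and not an indicator by itself, so cover
# the full URL in decrypting-proxy or endpoint telemetry as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/mis-archivos-2026-4b0c7.firebasestorage.app/o/tumfuf.txt|3f|alt=media|26|token=1fcca767-bf37-4570-9a19-e24cdf9ba210"; depth:115; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797932/; classtype:trojan-activity;sid:84661032; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.93.40"; depth:12; isdataat:!1,relative; metadata:created_at 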
2026_03_17; reference:url, urlhaus.abuse.ch/url/3797922/; classtype:trojan-activity;sid:84661022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecopy0956.png"; depth:18; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_17; reference:url, urlhaus.abuse.ch/url/3797917/; classtype:trojan-activity;sid:84661017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3797083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"121.142.70.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_16; reference:url, urlhaus.abuse.ch/url/3797083/; classtype:trojan-activity;sid:84660183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"174.105.154.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_15; reference:url, urlhaus.abuse.ch/url/3796886/; classtype:trojan-activity;sid:84659986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googlechr1.18.9.83.zip"; depth:23; endswith; nocase; http.host; content:"sgnfyn.oss-cn-shenzhen.aliyuncs.com"; depth:35; isdataat:!1,relative; metadata:created_at 2026_03_15; reference:url, urlhaus.abuse.ch/url/3796606/; classtype:trojan-activity;sid:84659706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796292)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/rahul123gautam/my-website/refs/heads/main/src/website_my_v1.2.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796292/; classtype:trojan-activity;sid:84659392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-website/raw/refs/heads/main/src/website_my_v1.2.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796291/; classtype:trojan-activity;sid:84659391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/gabssama12.github.io/raw/refs/heads/main/paganishly/github-gabssama-io-3.7-beta.1.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796281/; classtype:trojan-activity;sid:84659381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/gabssama12.github.io/refs/heads/main/paganishly/github-gabssama-io-3.7-beta.1.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796278/; classtype:trojan-activity;sid:84659378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796279)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gabssama12/plugin.video.netflix/refs/heads/master/docs/netflix-video-plugin-3.0-beta.1.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796279/; classtype:trojan-activity;sid:84659379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/plugin.video.netflix/raw/refs/heads/master/docs/netflix-video-plugin-3.0-beta.1.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796280/; classtype:trojan-activity;sid:84659380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/spoon-awesome-skill/raw/refs/heads/master/spoonos-skills/platform-integration/scripts/spoon_awesome_skill_1.0.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796277/; classtype:trojan-activity;sid:84659377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/spoon-awesome-skill/refs/heads/master/spoonos-skills/platform-integration/scripts/spoon_awesome_skill_1.0.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796276/; classtype:trojan-activity;sid:84659376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3796273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nirmallimbachiya/ignite/raw/refs/heads/main/js/software-2.5.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796273/; classtype:trojan-activity;sid:84659373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nirmallimbachiya/ignite/refs/heads/main/js/software-2.5.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796274/; classtype:trojan-activity;sid:84659374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/capitaltaser/qwen3-tts-dubflow/raw/refs/heads/main/dramaturge/dub-qwen-flow-tt-v1.1.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796271/; classtype:trojan-activity;sid:84659371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/capitaltaser/qwen3-tts-dubflow/refs/heads/main/dramaturge/dub-qwen-flow-tt-v1.1.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796272/; classtype:trojan-activity;sid:84659372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796266)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tianlanyb/gemini-in-chrome/raw/refs/heads/master/eighteen/in_gemini_chrome_preadherent.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796266/; classtype:trojan-activity;sid:84659366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tianlanyb/gemini-in-chrome/refs/heads/master/eighteen/in_gemini_chrome_preadherent.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796267/; classtype:trojan-activity;sid:84659367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhonatanait14/dictate.sh/refs/heads/main/docs/sh-dictate-2.9-alpha.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796264/; classtype:trojan-activity;sid:84659364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhonatanait14/dictate.sh/raw/refs/heads/main/docs/sh-dictate-2.9-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796265/; classtype:trojan-activity;sid:84659365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796261)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hggodhand33/skills/refs/heads/main/skills/.curated/doc/scripts/software_v3.3.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796261/; classtype:trojan-activity;sid:84659361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hggodhand33/skills/raw/refs/heads/main/skills/.curated/doc/scripts/software_v3.3.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796262/; classtype:trojan-activity;sid:84659362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theking1212wr/db_tools/refs/heads/main/opencode/skills/db_tools_v2.2.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796260/; classtype:trojan-activity;sid:84659360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theking1212wr/db_tools/raw/refs/heads/main/opencode/skills/db_tools_v2.2.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796259/; classtype:trojan-activity;sid:84659359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796235)"; 
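flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=optimized_msi.png"; depth:28; endswith; nocase; http.host; content:"bafybeiccl6irsru52xsyiuy4pqlitflw4f57xovkfpk5w2wnhtmeaqpjuy.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796235/; classtype:trojan-activity;sid:84659335; rev:2;)
# sid 84659335 (the rule ending on the line above): depth was 31, the length of the
# escaped pattern text. |3f| decodes to a single byte, so the decoded pattern is 28
# bytes. With endswith, depth:28 pins the match to the whole http.uri buffer, whereas
# depth:31 also accepted URIs carrying up to three extra leading bytes. rev is bumped
# for the change. The same miscount affects any generated rule whose pattern contains
# a |hex| escape, so the durable fix is in the rule generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aksejif.txt"; depth:12; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796231/; classtype:trojan-activity;sid:84659331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_163251.png"; depth:15; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796221/; classtype:trojan-activity;sid:84659321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_173622.png"; depth:15; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796222/; classtype:trojan-activity;sid:84659322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/optimized_msi.png"; depth:25; endswith; nocase; http.host; content:"inmbau.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; 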
reference:url, urlhaus.abuse.ch/url/3796202/; classtype:trojan-activity;sid:84659302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kubota/ausweis.js"; depth:18; endswith; nocase; http.host; content:"80.253.251.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796201/; classtype:trojan-activity;sid:84659301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samuelhaxk/41369/refs/heads/main/256/233.txt"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796092/; classtype:trojan-activity;sid:84659192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samuelhaxk/41369/raw/refs/heads/main/256/233.txt"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796087/; classtype:trojan-activity;sid:84659187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-crazy-skills/raw/refs/heads/main/skills/workflows/skills_crazy_my_1.7.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796080/; classtype:trojan-activity;sid:84659180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3796058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-crazy-skills/refs/heads/main/skills/workflows/skills_crazy_my_1.7.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796058/; classtype:trojan-activity;sid:84659158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"geo-foundation.vg"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795984/; classtype:trojan-activity;sid:84659084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795849/; classtype:trojan-activity;sid:84658949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795847/; classtype:trojan-activity;sid:84658947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795848/; classtype:trojan-activity;sid:84658948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795843/; classtype:trojan-activity;sid:84658943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795837/; classtype:trojan-activity;sid:84658937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795838/; classtype:trojan-activity;sid:84658938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795833/; classtype:trojan-activity;sid:84658933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795834)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795834/; classtype:trojan-activity;sid:84658934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795826/; classtype:trojan-activity;sid:84658926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795823/; classtype:trojan-activity;sid:84658923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795824/; classtype:trojan-activity;sid:84658924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pardufrigi_installer_1.0.p1.exe"; depth:32; endswith; nocase; http.host; content:"pardu.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795199/; classtype:trojan-activity;sid:84658299; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/1yan6rsv"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795193/; classtype:trojan-activity;sid:84658293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1-nc/roukii/main/up.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795149/; classtype:trojan-activity;sid:84658249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mu126-afk/um/main/ud.txt"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795144/; classtype:trojan-activity;sid:84658244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1-nc/roukii/main/ud.txt"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795145/; classtype:trojan-activity;sid:84658245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v4343.exe"; depth:10; endswith; nocase; http.host; content:"196.251.107.24"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794673/; classtype:trojan-activity;sid:84657773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1827897262/mh/inject3.ps1"; depth:26; endswith; nocase; http.host; content:"1827897262.v.123pan.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794604/; classtype:trojan-activity;sid:84657704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rustdesk-1.2.3-2-x86_64.exe"; depth:28; endswith; nocase; http.host; content:"www.150.co.il"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794598/; classtype:trojan-activity;sid:84657698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.233.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794532/; classtype:trojan-activity;sid:84657632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.233.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794522/; classtype:trojan-activity;sid:84657622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794104)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asyncdecenimg_050306.png"; depth:25; endswith; nocase; http.host; content:"compimento.ba"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_11; reference:url, urlhaus.abuse.ch/url/3794104/; classtype:trojan-activity;sid:84657204; rev:1;)
# Each rule requires http.uri and http.host to equal the quoted strings exactly (depth = content
# length, closed by endswith / isdataat:!1,relative); a different query string or path variant will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/setup/autocad_v1.4.exe"; depth:30; endswith; nocase; http.host; content:"cad.659t.cn"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_11; reference:url, urlhaus.abuse.ch/url/3794079/; classtype:trojan-activity;sid:84657179; rev:1;)
# Same IP-literal host, two file names, one rule each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.66.24.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793666/; classtype:trojan-activity;sid:84656766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"96.66.24.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793628/; classtype:trojan-activity;sid:84656728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"86.127.241.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793404/; classtype:trojan-activity;sid:84656504;
rev:1;)
# Exact URI and exact host in every rule below; the URI match is case-insensitive (nocase), while
# the http.host content carries no nocase modifier.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"42.98.214.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793408/; classtype:trojan-activity;sid:84656508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sodal"; depth:6; endswith; nocase; http.host; content:"158.94.211.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3793218/; classtype:trojan-activity;sid:84656318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/plugin3.plg"; depth:19; endswith; nocase; http.host; content:"marsalek.cy"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3793143/; classtype:trojan-activity;sid:84656243; rev:1;)
# 78.153.140.16 is listed with several file names in this file ("/p", "/busybox", "/for", ...), one rule each.
# The destination port is "any", so these fire on whatever port the request is parsed as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p"; depth:2; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792979/; classtype:trojan-activity;sid:84656079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/busybox"; depth:8; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09;
reference:url, urlhaus.abuse.ch/url/3792980/; classtype:trojan-activity;sid:84656080; rev:1;)
# Exact-match URLhaus indicators: the whole http.uri and the whole http.host must equal the quoted strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/for"; depth:4; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792977/; classtype:trojan-activity;sid:84656077; rev:1;)
# URI is exactly "/": any GET of this host's root page alerts, whatever is served - in effect a host-level indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"magnusworkspace.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792914/; classtype:trojan-activity;sid:84656014; rev:1;)
# The same repository file through two hosts (github.com ".../raw/..." and raw.githubusercontent.com).
# NOTE(review): both are normally served over HTTPS, so these http rules match only cleartext
# requests or traffic decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/republicofbotv109/llm-engineering-cheatsheet/raw/refs/heads/main/byreman/llm_engineering_cheatsheet_v3.4.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792798/; classtype:trojan-activity;sid:84655898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/republicofbotv109/llm-engineering-cheatsheet/refs/heads/main/byreman/llm_engineering_cheatsheet_v3.4.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792799/; classtype:trojan-activity;sid:84655899; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kinsing"; depth:8; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792566/; classtype:trojan-activity;sid:84655666; rev:1;)
# Architecture-suffixed variant of the "/kinsing" path matched by sid:84655666, same host.
# URIs are matched whole (depth = content length, endswith), so each variant needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kinsing_aarch64"; depth:16; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792567/; classtype:trojan-activity;sid:84655667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrget.exe"; depth:11; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792474/; classtype:trojan-activity;sid:84655574; rev:1;)
# |3f| is the byte for "?", so the pinned http.uri is "/?filename=optimized_msi.png", query string included.
# The host is one specific subdomain of ipfs.dweb.link; the same path on any other host is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=optimized_msi.png"; depth:31; endswith; nocase; http.host; content:"bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3791971/; classtype:trojan-activity;sid:84655071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umari4u2get-cmd/encoder/raw/refs/heads/main/include/encoder1.txt";
depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3791876/; classtype:trojan-activity;sid:84654976; rev:1;)
# raw.githubusercontent.com counterpart of the github.com ".../raw/..." rule that closes on the line above.
# NOTE(review): both hosts are normally served over HTTPS; an "alert http" rule matches only
# cleartext requests or traffic decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umari4u2get-cmd/encoder/refs/heads/main/include/encoder1.txt"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3791877/; classtype:trojan-activity;sid:84654977; rev:1;)
# Exact URI and exact host per rule (depth = content length, closed by endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/twizt.exe"; depth:10; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791680/; classtype:trojan-activity;sid:84654780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fish.txt"; depth:9; endswith; nocase; http.host; content:"fertas.com.tr"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791595/; classtype:trojan-activity;sid:84654695; rev:1;)
# First of a group of rules for files under /bins/ on 196.251.107.133; each names one file exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791302/; classtype:trojan-activity;sid:84654402; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery.min-4.0.2.js"; depth:20; endswith; nocase; http.host; content:"union.macoms.la"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791280/; classtype:trojan-activity;sid:84654380; rev:1;)
# One rule per file under /bins/ on 196.251.107.133. URIs are matched whole (depth = content
# length, endswith), so a file name on that host that is not listed raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791149/; classtype:trojan-activity;sid:84654249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791150/; classtype:trojan-activity;sid:84654250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791146/; classtype:trojan-activity;sid:84654246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at
2026_03_07; reference:url, urlhaus.abuse.ch/url/3791147/; classtype:trojan-activity;sid:84654247; rev:1;)
# More single-file rules for /bins/ on 196.251.107.133. Because depth equals the content length
# and endswith anchors the end, "/bins/parm" does not also match "/bins/parm5" or "/bins/parm6".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791145/; classtype:trojan-activity;sid:84654245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791142/; classtype:trojan-activity;sid:84654242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791143/; classtype:trojan-activity;sid:84654243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"196.251.107.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791144/; classtype:trojan-activity;sid:84654244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/poop";
depth:10; endswith; nocase; http.host; content:"107.175.89.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790743/; classtype:trojan-activity;sid:84653843; rev:1;)
# Exact URI and exact host per rule: depth equals the content length, endswith closes http.uri
# and isdataat:!1,relative closes http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/bolts"; depth:11; endswith; nocase; http.host; content:"107.175.89.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790733/; classtype:trojan-activity;sid:84653833; rev:1;)
# The host string is matched whole; a request that reaches the same server under a different
# Host value does not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w1/lib/autoit3.exe"; depth:19; endswith; nocase; http.host; content:"176.190.153.160.host.secureserver.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790490/; classtype:trojan-activity;sid:84653590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/encrypt.ps1"; depth:16; endswith; nocase; http.host; content:"shahamanatme.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_05; reference:url, urlhaus.abuse.ch/url/3789876/; classtype:trojan-activity;sid:84652976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"203.203.81.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_05; reference:url, urlhaus.abuse.ch/url/3789780/; classtype:trojan-activity;sid:84652880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus
Known malware download URL detected (3789465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aplikasi/spacemanslot88.apk"; depth:28; endswith; nocase; http.host; content:"spacemanslot88.games"; depth:20; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789465/; classtype:trojan-activity;sid:84652565; rev:1;)
# Exact-match rules (whole http.uri, whole http.host).
# NOTE(review): the host below looks like a cloud object-storage bucket name; the indicator is
# this bucket plus path, not the storage provider as a whole - confirm before blocking on domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ti/dajoke2.exe"; depth:15; endswith; nocase; http.host; content:"imagefiles-backup.oss-ap-southeast-7.aliyuncs.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789461/; classtype:trojan-activity;sid:84652561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbikdoe.txt"; depth:12; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789369/; classtype:trojan-activity;sid:84652469; rev:1;)
# Two driver-installer-style file names under /force/ on mgtms.cc, one rule each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/force/win_driver_ssl_support_v43.22.209.44.exe"; depth:47; endswith; nocase; http.host; content:"mgtms.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789365/; classtype:trojan-activity;sid:84652465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/force/printer_driver_ssl_support_v43.22.209.99.exe"; depth:51; endswith; nocase; http.host;
content:"mgtms.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789363/; classtype:trojan-activity;sid:84652463; rev:1;)
# |3f| is the byte for "?": the pinned http.uri is "/?filename=optimized_msi.png", query string
# included, on one specific subdomain of ipfs.dweb.link. Other hosts serving that path are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=optimized_msi.png"; depth:31; endswith; nocase; http.host; content:"bafybeihamvbzrm2tsifa4s7xruhfnsgnkzgtk2jqwj6cwgmdxj4wqe5lm4.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_03_03; reference:url, urlhaus.abuse.ch/url/3789128/; classtype:trojan-activity;sid:84652228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media/txmclygo.exe"; depth:19; endswith; nocase; http.host; content:"kokorostore.it"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_03; reference:url, urlhaus.abuse.ch/url/3789027/; classtype:trojan-activity;sid:84652127; rev:1;)
# "/.i" on IP-literal hosts: a three-byte URI that is specific only together with the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.248.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_03; reference:url, urlhaus.abuse.ch/url/3789020/; classtype:trojan-activity;sid:84652120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"71.194.158.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_03; reference:url, urlhaus.abuse.ch/url/3789011/; classtype:trojan-activity;sid:84652111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus
Known malware download URL detected (3788912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"explorer.vg"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_03; reference:url, urlhaus.abuse.ch/url/3788912/; classtype:trojan-activity;sid:84652012; rev:1;)
# Exact URI and exact host. The same file name is also listed for 115.190.250.28 (sid:84649464);
# each host gets its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788407/; classtype:trojan-activity;sid:84651507; rev:1;)
# The file name optimized_msi.png recurs on several hosts in this file, one rule per host and path;
# a host serving the same name that is not listed raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/components/com_media/m1vebzk/jt1wulk/wxhmvac/new/optimized_msi.png"; depth:67; endswith; nocase; http.host; content:"chungminhtaichinhsaigon.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788389/; classtype:trojan-activity;sid:84651489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"coralasargetia.ro"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788379/; classtype:trojan-activity;sid:84651479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"separadordecc.com"; depth:17;
isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788376/; classtype:trojan-activity;sid:84651476; rev:1;)
# Exact-match rules: the whole http.uri (depth = content length, endswith) and the whole
# http.host (depth, isdataat:!1,relative) must equal the quoted strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pg.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_01; reference:url, urlhaus.abuse.ch/url/3788070/; classtype:trojan-activity;sid:84651170; rev:1;)
# Two files on one duckdns.org subdomain. The rules follow the host name, not an address, so they
# keep matching if the name is pointed at a different server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.js"; depth:12; endswith; nocase; http.host; content:"oficialrem.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_28; reference:url, urlhaus.abuse.ch/url/3787544/; classtype:trojan-activity;sid:84650644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.bat"; depth:13; endswith; nocase; http.host; content:"oficialrem.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_28; reference:url, urlhaus.abuse.ch/url/3787543/; classtype:trojan-activity;sid:84650643; rev:1;)
# |3f| is the byte for "?": the pinned http.uri is "/?filename=xxwconvertedfile.txt", query string included.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=xxwconvertedfile.txt"; depth:34; endswith; nocase; http.host; content:"bafybeidp7zdy2lu6yxvbgoev4b6xokuaa6jljr34vkflxzel2ya2gc3plm.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_02_28; reference:url, urlhaus.abuse.ch/url/3787416/; classtype:trojan-activity;sid:84650516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3787075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"137.175.205.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3787075/; classtype:trojan-activity;sid:84650175; rev:1;)
# Same host and URI as sid:84649453 (created_at 2026_02_26): one matching request raises both alerts.
# NOTE(review): presumably the two URLhaus entries differ in port or scheme, which the rule
# (destination port "any") does not encode - confirm, and deduplicate on host+URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"37.142.77.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3787077/; classtype:trojan-activity;sid:84650177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.86.246.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3787067/; classtype:trojan-activity;sid:84650167; rev:1;)
# The rule matches host and path only; the ".pdf" extension says nothing about what is served.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/upl/aih2q8_tdpwa9w6hskn5/539869.pdf"; depth:43; endswith; nocase; http.host; content:"www.kotojuki.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786987/; classtype:trojan-activity;sid:84650087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jack5tr.sh"; depth:11; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url,
urlhaus.abuse.ch/url/3786982/; classtype:trojan-activity;sid:84650082; rev:1;)
# Several files on 103.116.52.44, one exact-URI rule each (depth = content length, endswith);
# the host is pinned exactly by depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc1.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786983/; classtype:trojan-activity;sid:84650083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc3.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786984/; classtype:trojan-activity;sid:84650084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc2.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786985/; classtype:trojan-activity;sid:84650085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786981/; classtype:trojan-activity;sid:84650081; rev:1;)
# "/ssa_statement.msi" is listed for three hosts in this file; this is the first of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host;
content:"bnet.playm8ru.win"; depth:17; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786888/; classtype:trojan-activity;sid:84649988; rev:1;)
# "/ssa_statement.msi" on a second playm8ru.win name and on an IP-literal host. The host is matched
# whole, so each name needs its own rule and further subdomains are not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host; content:"bnet-api.playm8ru.win"; depth:21; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786879/; classtype:trojan-activity;sid:84649979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host; content:"212.224.107.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786841/; classtype:trojan-activity;sid:84649941; rev:1;)
# Repository archive listed once per serving host (github.com ".../raw/..." here, raw.githubusercontent.com next).
# NOTE(review): both hosts are normally served over HTTPS; an "alert http" rule matches only
# cleartext requests or traffic decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyng2002/cracked-enhancer-for-trello-extension/raw/refs/heads/main/hangworthy/cracked_trello_enhancer_for_extension_v1.3.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786727/; classtype:trojan-activity;sid:84649827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyng2002/cracked-enhancer-for-trello-extension/refs/heads/main/hangworthy/cracked_trello_enhancer_for_extension_v1.3.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25;
isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786726/; classtype:trojan-activity;sid:84649826; rev:1;)
# Repository archives, each listed once per serving host (github.com ".../raw/..." and
# raw.githubusercontent.com). The URI is matched whole, so the same archive under another branch
# or path form is not covered.
# NOTE(review): both hosts are normally served over HTTPS; an "alert http" rule matches only
# cleartext requests or traffic decrypted ahead of the sensor - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/raw/refs/heads/main/fieldworker/cracked-chrome-for-todoist-v3.0.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786725/; classtype:trojan-activity;sid:84649825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/refs/heads/main/fieldworker/cracked-chrome-for-todoist-v3.0.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786724/; classtype:trojan-activity;sid:84649824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maybedesxie7/cracked-webpage-annotator-extension/refs/heads/main/decrepitation/cracked-annotator-webpage-extension-2.1-beta.4.zip"; depth:130; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786721/; classtype:trojan-activity;sid:84649821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786720)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/maybedesxie7/cracked-webpage-annotator-extension/raw/refs/heads/main/decrepitation/cracked-annotator-webpage-extension-2.1-beta.4.zip"; depth:134; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786720/; classtype:trojan-activity;sid:84649820; rev:1;)
# One repository archive through two hosts; depth equals the content length and endswith anchors
# the end, so the whole http.uri must equal the quoted path.
# NOTE(review): github.com and raw.githubusercontent.com are normally served over HTTPS; these
# http rules match only cleartext requests or traffic decrypted ahead of the sensor - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkphatom/cracked-awesome-autocomplete-for-git-hub-extension/refs/heads/main/elegit/cracked_autocomplete_for_git_extension_awesome_hub_2.5.zip"; depth:144; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786715/; classtype:trojan-activity;sid:84649815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkphatom/cracked-awesome-autocomplete-for-git-hub-extension/raw/refs/heads/main/elegit/cracked_autocomplete_for_git_extension_awesome_hub_2.5.zip"; depth:148; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786714/; classtype:trojan-activity;sid:84649814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameeronwheels/cracked-save-to-milanote-extension/main/nonnucleated/to-extension-save-cracked-milanote-revalidate.zip"; depth:118; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786712/;
classtype:trojan-activity;sid:84649812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameeronwheels/cracked-save-to-milanote-extension/raw/refs/heads/main/nonnucleated/to-extension-save-cracked-milanote-revalidate.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786713/; classtype:trojan-activity;sid:84649813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"121.147.179.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786651/; classtype:trojan-activity;sid:84649751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.250.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786364/; classtype:trojan-activity;sid:84649464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"37.142.77.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786353/; classtype:trojan-activity;sid:84649453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786320)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/c/186def/%e7%bd%91%e6%98%93%e4%ba%91%e9%9f%b3%e4%b9%90.exe"; depth:59; endswith; nocase; http.host; content:"dubapkg.cmcmcdn.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786320/; classtype:trojan-activity;sid:84649420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"203.57.109.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786317/; classtype:trojan-activity;sid:84649417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786136/; classtype:trojan-activity;sid:84649236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786137/; classtype:trojan-activity;sid:84649237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786138/; classtype:trojan-activity;sid:84649238; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786139/; classtype:trojan-activity;sid:84649239; rev:1;)
# The rules around this point share one host (103.116.52.44) and differ only in a
# short architecture-style path (/mpsl, /sh4, /ppc, /mips, /arm6, /m68k, /arm7,
# /arm, /arm5). Each is an exact match: depth equals the content length and
# endswith anchors the end, so "/arm" does not also fire on "/arm5" or "/arm7".
# Several of these SIDs from one internal client are best triaged as one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786140/; classtype:trojan-activity;sid:84649240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786141/; classtype:trojan-activity;sid:84649241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786142/; classtype:trojan-activity;sid:84649242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786143/; classtype:trojan-activity;sid:84649243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786144/; classtype:trojan-activity;sid:84649244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786145/; classtype:trojan-activity;sid:84649245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786146/; classtype:trojan-activity;sid:84649246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786135/; classtype:trojan-activity;sid:84649235; rev:1;)
# Remaining rules in this group pair a short path (/i, /sshd) or a single longer
# path with one IP literal in http.host. The host content must match the whole
# buffer (depth plus isdataat:!1,relative), so a request that reaches the same
# server under a DNS name instead of the IP is not covered by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/sshd/ubuntu/log"; depth:26; endswith; nocase; http.host; content:"77.221.157.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786055/; classtype:trojan-activity;sid:84649155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.3.45.42"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785492/; classtype:trojan-activity;sid:84648592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"47.152.112.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785486/; classtype:trojan-activity;sid:84648586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.166.91.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785484/; classtype:trojan-activity;sid:84648584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.149.93.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785485/; classtype:trojan-activity;sid:84648585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785421)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blackwall0220/roblox-discord-status-bot/raw/refs/heads/master/pelodytes/status-roblox-discord-bot-v2.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785421/; classtype:trojan-activity;sid:84648521; rev:1;)
# NOTE(review): the github.com rules in this group are `alert http` signatures, and
# github.com is normally reached over HTTPS. They can only match cleartext or
# already-decrypted HTTP; confirm the sensor sees decrypted traffic before counting
# these SIDs as coverage for the listed downloads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/satish-ss/roblox-matcha/raw/refs/heads/master/bacula/matcha-roblox-v3.9-beta.1.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785380/; classtype:trojan-activity;sid:84648480; rev:1;)
# The next two rules match paths ending in image extensions (.jpg, .png). The rule
# inspects only method, URI and host, not the response body, so an alert shows that
# the listed URL was requested, not what content was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cacti/ns1.jpg"; depth:14; endswith; nocase; http.host; content:"103.56.149.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3785101/; classtype:trojan-activity;sid:84648201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/666666.png"; depth:11; endswith; nocase; http.host; content:"c.fi3.me"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784955/; classtype:trojan-activity;sid:84648055; rev:1;)
# The next two rules (URLhaus 3784859 and 3784860) carry identical match conditions
# (same URI, same host), so a single request raises both SIDs. De-duplicate on
# URI plus host when counting alerts or building thresholds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16784059/p.zip"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784859/; classtype:trojan-activity;sid:84647959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16784059/p.zip"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784860/; classtype:trojan-activity;sid:84647960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build1.exe"; depth:11; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_23; reference:url, urlhaus.abuse.ch/url/3784513/; classtype:trojan-activity;sid:84647613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.118.128.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_23; reference:url, urlhaus.abuse.ch/url/3784413/; classtype:trojan-activity;sid:84647513; rev:1;)
# Five rules for one host (156.224.79.221): a script path (/run.sh), /client, and
# architecture-style names (/x86, /armv7l, /mips). Several of these SIDs from one
# internal client within a short window are best triaged as a single event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client"; depth:7; endswith; nocase; http.host; content:"156.224.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783701/; classtype:trojan-activity;sid:84646801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"156.224.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783687/; classtype:trojan-activity;sid:84646787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"156.224.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783680/; classtype:trojan-activity;sid:84646780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"156.224.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783681/; classtype:trojan-activity;sid:84646781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"156.224.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783675/; classtype:trojan-activity;sid:84646775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/6/6/20180724185728_petk_uc_1.4.0.apk"; depth:39; endswith; nocase; http.host; content:"downali.game.uc.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783631/; classtype:trojan-activity;sid:84646731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3783627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e5%88%92%e5%ad%a6%e5%8f%b7v2--%e6%9e%81%e9%80%9f%e7%89%88.exe"; depth:63; endswith; nocase; http.host; content:"xn--h6qpop2cq9nl9c.pages.dev"; depth:28; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783627/; classtype:trojan-activity;sid:84646727; rev:1;)
# The rule ending on the line above (sid 84646727) and the next two rules write the
# URI content in percent-encoded form (%e5..., %20, %23), and their depth values
# count the encoded bytes. http.uri is the normalized URI buffer.
# NOTE(review): if normalization on this sensor decodes %xx sequences, these
# contents cannot match and http.uri.raw would be the buffer to test instead.
# Verify by replaying a request for one of these URLs through the sensor.
# NOTE(review): the pages.dev and r2.dev hosts are, presumably, reached over HTTPS
# in practice; an `alert http` rule only sees cleartext or decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/approved%20document%23d53lu.msi"; depth:32; endswith; nocase; http.host; content:"pub-bbbdebc2599c4d74b04c5d53e439f7a7.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783624/; classtype:trojan-activity;sid:84646724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/approved%20document%23402.vbs"; depth:30; endswith; nocase; http.host; content:"pub-bbbdebc2599c4d74b04c5d53e439f7a7.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783597/; classtype:trojan-activity;sid:84646697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbix01.exe"; depth:11; endswith; nocase; http.host; content:"sutterpoint.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783601/; classtype:trojan-activity;sid:84646701; rev:1;)
# From here on the URI content is "/" with depth:1 and endswith, so a rule matches
# any GET whose normalized URI is exactly "/" and whose Host is the listed IP. The
# path adds no specificity: every fetch of that host's root page alerts. Treat hits
# as host-reputation signals, check the created_at date when reviewing old entries,
# and confirm against the URLhaus reference before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"89.155.135.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783435/; classtype:trojan-activity;sid:84646535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"153.169.125.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783429/; classtype:trojan-activity;sid:84646529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.60.107.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783423/; classtype:trojan-activity;sid:84646523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"87.138.104.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783426/; classtype:trojan-activity;sid:84646526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.228"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783422/; classtype:trojan-activity;sid:84646522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783414)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"159.196.16.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783414/; classtype:trojan-activity;sid:84646514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.152.141.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783412/; classtype:trojan-activity;sid:84646512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"90.180.227.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783409/; classtype:trojan-activity;sid:84646509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"176.35.149.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783406/; classtype:trojan-activity;sid:84646506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"82.139.95.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783405/; classtype:trojan-activity;sid:84646505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3783402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.237.41.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783402/; classtype:trojan-activity;sid:84646502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"124.36.156.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783403/; classtype:trojan-activity;sid:84646503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.129.16.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783397/; classtype:trojan-activity;sid:84646497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"66.232.181.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783394/; classtype:trojan-activity;sid:84646494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"218.103.122.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783395/; 
classtype:trojan-activity;sid:84646495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"176.222.224.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783377/; classtype:trojan-activity;sid:84646477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.226"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783378/; classtype:trojan-activity;sid:84646478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"77.174.79.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783379/; classtype:trojan-activity;sid:84646479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"62.45.171.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783380/; classtype:trojan-activity;sid:84646480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"193.165.245.46"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_02_22; reference:url, urlhaus.abuse.ch/url/3783384/; classtype:trojan-activity;sid:84646484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"218.103.129.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783388/; classtype:trojan-activity;sid:84646488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"92.43.24.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783372/; classtype:trojan-activity;sid:84646472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.101.79.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783369/; classtype:trojan-activity;sid:84646469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.175.181.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783366/; classtype:trojan-activity;sid:84646466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; 
content:"109.167.133.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783363/; classtype:trojan-activity;sid:84646463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"182.54.141.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783365/; classtype:trojan-activity;sid:84646465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.231"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783361/; classtype:trojan-activity;sid:84646461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"84.86.236.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783352/; classtype:trojan-activity;sid:84646452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"210.149.155.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783354/; classtype:trojan-activity;sid:84646454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783342)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; endswith; nocase; http.host; content:"84.243.234.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783342/; classtype:trojan-activity;sid:84646442; rev:1;)
# NOTE(review): every rule in this run has the same shape: method GET, http.uri pinned to
# exactly "/" (depth:1 + endswith) and http.host pinned to one bare IPv4 address (depth equal
# to the address length + isdataat:!1,relative). The address is matched in the Host header,
# not as the packet destination - the rule header is $HOME_NET any -> $EXTERNAL_NET any.
# Nothing in the rule describes the payload, so an alert means "a client requested the root
# page with this Host value", which is weaker evidence than the msg text suggests; check the
# referenced URLhaus entry before escalating. nocase has no effect on a pattern without letters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.44.199.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783343/; classtype:trojan-activity;sid:84646443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"79.150.114.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783344/; classtype:trojan-activity;sid:84646444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"208.180.21.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783346/; classtype:trojan-activity;sid:84646446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"58.146.67.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783348/; classtype:trojan-activity;sid:84646448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.160.19.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783350/; classtype:trojan-activity;sid:84646450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"203.38.121.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783351/; classtype:trojan-activity;sid:84646451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"88.180.236.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783332/; classtype:trojan-activity;sid:84646432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"49.176.254.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783331/; classtype:trojan-activity;sid:84646431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.230"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783328/; classtype:trojan-activity;sid:84646428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"116.91.125.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783324/; classtype:trojan-activity;sid:84646424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"75.214.255.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783326/; classtype:trojan-activity;sid:84646426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783320/; classtype:trojan-activity;sid:84646420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"180.35.14.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783310/; classtype:trojan-activity;sid:84646410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.1.138.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783302/; classtype:trojan-activity;sid:84646402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"108.41.80.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783304/; classtype:trojan-activity;sid:84646404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"2.238.146.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783306/; classtype:trojan-activity;sid:84646406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"213.165.183.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783296/; classtype:trojan-activity;sid:84646396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"90.90.205.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783287/; classtype:trojan-activity;sid:84646387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"42.200.182.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783274/; classtype:trojan-activity;sid:84646374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"182.93.58.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783275/; classtype:trojan-activity;sid:84646375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"58.185.111.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783276/; classtype:trojan-activity;sid:84646376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"203.218.119.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783281/; classtype:trojan-activity;sid:84646381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"203.198.17.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783282/; classtype:trojan-activity;sid:84646382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.115.114.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783270/; classtype:trojan-activity;sid:84646370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.6.210.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783266/; classtype:trojan-activity;sid:84646366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"180.57.46.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783262/; classtype:trojan-activity;sid:84646362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"42.200.170.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783259/; classtype:trojan-activity;sid:84646359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.111.82.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783256/; classtype:trojan-activity;sid:84646356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; 
nocase; http.host; content:"188.167.179.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783257/; classtype:trojan-activity;sid:84646357; rev:1;)
# NOTE(review): these entries carry created_at 2026_02_22 and identify the server only by the
# Host header value (the URI is just "/"). Addresses can be reassigned or cleaned up, so treat
# the age of an entry as part of triage and check whether URLhaus still lists the URL as
# online. The rules are `alert http`, so they apply only to traffic Suricata parses as HTTP;
# the same host reached over TLS is not covered by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.140.76.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783253/; classtype:trojan-activity;sid:84646353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.123.98.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783251/; classtype:trojan-activity;sid:84646351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"153.136.164.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783252/; classtype:trojan-activity;sid:84646352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"158.140.167.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783248/; classtype:trojan-activity;sid:84646348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"174.71.238.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783244/; classtype:trojan-activity;sid:84646344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"109.129.108.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783246/; classtype:trojan-activity;sid:84646346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"93.51.102.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783242/; classtype:trojan-activity;sid:84646342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.224"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783236/; classtype:trojan-activity;sid:84646336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"153.179.12.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783232/; classtype:trojan-activity;sid:84646332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"96.49.197.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783230/; classtype:trojan-activity;sid:84646330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"220.246.34.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783231/; classtype:trojan-activity;sid:84646331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"73.179.119.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783225/; classtype:trojan-activity;sid:84646325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.229"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783219/; classtype:trojan-activity;sid:84646319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"176.12.124.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783218/; classtype:trojan-activity;sid:84646318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"71.32.43.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783214/; classtype:trojan-activity;sid:84646314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"180.235.37.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783215/; classtype:trojan-activity;sid:84646315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"80.147.3.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783213/; classtype:trojan-activity;sid:84646313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"218.188.43.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783202/; classtype:trojan-activity;sid:84646302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.6.96.248"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783206/; classtype:trojan-activity;sid:84646306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"116.86.50.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783209/; classtype:trojan-activity;sid:84646309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"222.154.246.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783211/; classtype:trojan-activity;sid:84646311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.168.120.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783196/; classtype:trojan-activity;sid:84646296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"141.134.214.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783197/; classtype:trojan-activity;sid:84646297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"99.53.69.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, 
urlhaus.abuse.ch/url/3783184/; classtype:trojan-activity;sid:84646284; rev:1;)
# The next two rules match "GET /" on a bare IP: http.uri must be exactly "/" and the Host
# header exactly the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"58.87.231.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783187/; classtype:trojan-activity;sid:84646287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.200.67.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783189/; classtype:trojan-activity;sid:84646289; rev:1;)
# NOTE(review): in a Suricata content string |xx| is a hex byte, so "|3f|" is "?" but
# "|7c|26|7c|" decodes to the four literal bytes "|26|" - not to "&", which would be written
# |26|. The pattern below therefore looks for ".msi?e=access|26|y=guest". If the reported URL
# separated its query parameters with a plain "&", as is presumably the case, these rules
# cannot match it; this looks like the pipes of an already-escaped "&" being escaped a second
# time - verify against the URLhaus entries and the feed generator.
# depth:63 is the length of the escaped text; the decoded pattern is 54 bytes. With endswith
# the pattern is still anchored at the end of the URI, but up to 9 bytes may precede "/bin/".
# The path looks like the standard ScreenConnect client-installer path, so the http.host pin
# is what ties each rule to a reported server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.94.31.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783166/; classtype:trojan-activity;sid:84646266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.94.31.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783159/; classtype:trojan-activity;sid:84646259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.131.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783160/; classtype:trojan-activity;sid:84646260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"185.241.208.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783156/; classtype:trojan-activity;sid:84646256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.94.31.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783158/; classtype:trojan-activity;sid:84646258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.88.186.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783142/; classtype:trojan-activity;sid:84646242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"193.26.115.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783145/; classtype:trojan-activity;sid:84646245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"193.26.115.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783119/; classtype:trojan-activity;sid:84646219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.88.186.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783116/; classtype:trojan-activity;sid:84646216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"84.54.33.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783112/; classtype:trojan-activity;sid:84646212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.94.31.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783107/; classtype:trojan-activity;sid:84646207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.88.186.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783103/; classtype:trojan-activity;sid:84646203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.131.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783086/; classtype:trojan-activity;sid:84646186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783077/; classtype:trojan-activity;sid:84646177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.83.31.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783078/; classtype:trojan-activity;sid:84646178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"45.88.186.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783082/; classtype:trojan-activity;sid:84646182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.132.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783073/; classtype:trojan-activity;sid:84646173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"192.159.99.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783064/; classtype:trojan-activity;sid:84646164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.131.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783060/; classtype:trojan-activity;sid:84646160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3783058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"124.198.131.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783058/; classtype:trojan-activity;sid:84646158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783044/; classtype:trojan-activity;sid:84646144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.88.186.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783039/; classtype:trojan-activity;sid:84646139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.131.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783030/; classtype:trojan-activity;sid:84646130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3783002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.131.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783002/; classtype:trojan-activity;sid:84646102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.94.31.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783025/; classtype:trojan-activity;sid:84646125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.88.186.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783029/; classtype:trojan-activity;sid:84646129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"185.241.208.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782996/; classtype:trojan-activity;sid:84646096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782998)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.88.186.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782998/; classtype:trojan-activity;sid:84646098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.94.31.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782999/; classtype:trojan-activity;sid:84646099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.131.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782970/; classtype:trojan-activity;sid:84646070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"193.26.115.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782972/; classtype:trojan-activity;sid:84646072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782979)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.132.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782979/; classtype:trojan-activity;sid:84646079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.94.31.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782982/; classtype:trojan-activity;sid:84646082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.94.31.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782984/; classtype:trojan-activity;sid:84646084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"84.54.33.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782956/; classtype:trojan-activity;sid:84646056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782957)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"124.198.131.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782957/; classtype:trojan-activity;sid:84646057; rev:1;)
# NOTE(review): applies to the rule ending above and the three rules below.
# In these http.uri patterns |3f| is the hex escape for "?", but |7c|26|7c| decodes to
# the four literal bytes "|26|" (0x7c is the pipe character), not to "&" (0x26).
# It looks like the feed generator escaped "&" twice; if so, these rules cannot match a
# request whose query string uses "&" separators. Confirm against the referenced
# URLhaus entry before counting on them for coverage.
# depth:77 and depth:63 equal the length of the escaped rule text, which is longer than
# the decoded pattern, so depth plus endswith no longer pins the URI to an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"91.206.169.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782948/; classtype:trojan-activity;sid:84646048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|7c|26|7c|e=support|7c|26|7c|y=guest|7c|26|7c|r="; depth:77; endswith; nocase; http.host; content:"45.83.31.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782950/; classtype:trojan-activity;sid:84646050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"192.159.99.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782930/; classtype:trojan-activity;sid:84646030; rev:1;)
# The rule below continues on the next line of this listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.sh4"; depth:16; endswith; nocase; 
http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782795/; classtype:trojan-activity;sid:84645895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782784/; classtype:trojan-activity;sid:84645884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.x86"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782785/; classtype:trojan-activity;sid:84645885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.ppc"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782787/; classtype:trojan-activity;sid:84645887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm6"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782773/; classtype:trojan-activity;sid:84645873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3782783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.spc"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782783/; classtype:trojan-activity;sid:84645883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm5"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782756/; classtype:trojan-activity;sid:84645856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.mips"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782758/; classtype:trojan-activity;sid:84645858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.m68k"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782759/; classtype:trojan-activity;sid:84645859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.mpsl"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782764/; 
classtype:trojan-activity;sid:84645864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.x86_64"; depth:19; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782745/; classtype:trojan-activity;sid:84645845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm7"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782746/; classtype:trojan-activity;sid:84645846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782695/; classtype:trojan-activity;sid:84645795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782689/; classtype:trojan-activity;sid:84645789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.196.206.245"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_02_21; reference:url, urlhaus.abuse.ch/url/3782299/; classtype:trojan-activity;sid:84645399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"81.68.89.216"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781950/; classtype:trojan-activity;sid:84645050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.106.141.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781948/; classtype:trojan-activity;sid:84645048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.89.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781942/; classtype:trojan-activity;sid:84645042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cacti/ns3.jpg"; depth:14; endswith; nocase; http.host; content:"103.56.149.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781641/; classtype:trojan-activity;sid:84644741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781617)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/h64.exe"; depth:8; endswith; nocase; http.host; content:"aaronart.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781617/; classtype:trojan-activity;sid:84644717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m64.exe"; depth:8; endswith; nocase; http.host; content:"creativevoltage.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781614/; classtype:trojan-activity;sid:84644714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"111.228.4.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781331/; classtype:trojan-activity;sid:84644431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.104.195.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781329/; classtype:trojan-activity;sid:84644429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.89.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781328/; classtype:trojan-activity;sid:84644428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3781321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.120.220.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781321/; classtype:trojan-activity;sid:84644421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.90.206.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781323/; classtype:trojan-activity;sid:84644423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.106.63.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781324/; classtype:trojan-activity;sid:84644424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780767/; classtype:trojan-activity;sid:84643867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.118.103.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780550/; classtype:trojan-activity;sid:84643650; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.15.155.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780546/; classtype:trojan-activity;sid:84643646; rev:1;)
# NOTE(review): the next rule (sid 84643604) mixes two kinds of escaping in one pattern.
# |7c|26|7c| decodes to the literal bytes "|26|" rather than "&", and the %20 / %26 / %2f
# sequences are matched exactly as written. http.uri is Suricata's normalized URI buffer,
# so percent-encoded bytes may already be decoded there (http.uri.raw holds the request
# as sent). Verify this rule against a capture before treating it as coverage.
# The host is an archive.org name, so the URI is the only part tying an alert to the
# reported file; do not derive a host-level block from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view_archive.php|3f|archive=/35/items/201004011329/201004011329.iso|7c|26|7c|file=activation%20%26%20serial%20for%20windows%20xp%2frockxp4.exe"; depth:143; endswith; nocase; http.host; content:"ia802801.us.archive.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780504/; classtype:trojan-activity;sid:84643604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.64.227.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780332/; classtype:trojan-activity;sid:84643432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.54.221.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780319/; classtype:trojan-activity;sid:84643419; rev:1;)
# The rule below continues on the next line of this listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780281)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-includes/widgets/class-wp-widget-index.html"; depth:47; endswith; nocase; http.host; content:"mistralkorea.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780281/; classtype:trojan-activity;sid:84643381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a9e6e0a.msi"; depth:13; endswith; nocase; http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780278/; classtype:trojan-activity;sid:84643378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghost.bot.apk.v13.apk"; depth:22; endswith; nocase; http.host; content:"shadowbot-dih.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780170/; classtype:trojan-activity;sid:84643270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadow-bot-v11.apk"; depth:19; endswith; nocase; http.host; content:"shadowbot-dih.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780164/; classtype:trojan-activity;sid:84643264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.247.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779939/; classtype:trojan-activity;sid:84643039; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.90.206.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779935/; classtype:trojan-activity;sid:84643035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.93.200.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779937/; classtype:trojan-activity;sid:84643037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filepath.mp4"; depth:13; endswith; nocase; http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779909/; classtype:trojan-activity;sid:84643009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.67.246.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779755/; classtype:trojan-activity;sid:84642855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc2.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, 
urlhaus.abuse.ch/url/3779635/; classtype:trojan-activity;sid:84642735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc1.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779637/; classtype:trojan-activity;sid:84642737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc3.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779638/; classtype:trojan-activity;sid:84642738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jack5tr.sh"; depth:11; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779631/; classtype:trojan-activity;sid:84642731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779630/; classtype:trojan-activity;sid:84642730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; 
content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779626/; classtype:trojan-activity;sid:84642726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779622/; classtype:trojan-activity;sid:84642722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779621/; classtype:trojan-activity;sid:84642721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779620/; classtype:trojan-activity;sid:84642720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779617/; classtype:trojan-activity;sid:84642717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779618)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779618/; classtype:trojan-activity;sid:84642718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779606/; classtype:trojan-activity;sid:84642706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779608/; classtype:trojan-activity;sid:84642708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779615/; classtype:trojan-activity;sid:84642715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779603/; classtype:trojan-activity;sid:84642703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3779604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779604/; classtype:trojan-activity;sid:84642704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779605/; classtype:trojan-activity;sid:84642705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.238.254.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779357/; classtype:trojan-activity;sid:84642457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.209.57.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779262/; classtype:trojan-activity;sid:84642362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.209.57.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779259/; classtype:trojan-activity;sid:84642359; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.186.90.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778861/; classtype:trojan-activity;sid:84641961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/ueditor/php/upload/file/20250114/x1/ref-cli%20v1.0.3.exe"; depth:62; endswith; nocase; http.host; content:"m.meta-dm.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778793/; classtype:trojan-activity;sid:84641893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.15.155.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778789/; classtype:trojan-activity;sid:84641889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15%ec%8b%ac%ed%94%8c%ec%8a%a4%ec%ba%94.exe"; depth:43; endswith; nocase; http.host; content:"m.jkoa.co.kr"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778746/; classtype:trojan-activity;sid:84641846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cacti/aminer.gz"; depth:16; endswith; nocase; http.host; 
content:"103.56.149.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778741/; classtype:trojan-activity;sid:84641841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cacti/install.tgz"; depth:18; endswith; nocase; http.host; content:"103.56.149.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778710/; classtype:trojan-activity;sid:84641810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.191.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_15; reference:url, urlhaus.abuse.ch/url/3778490/; classtype:trojan-activity;sid:84641590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.80.244.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_15; reference:url, urlhaus.abuse.ch/url/3778063/; classtype:trojan-activity;sid:84641163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.74.5.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777931/; classtype:trojan-activity;sid:84641031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777921)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"162.240.96.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777921/; classtype:trojan-activity;sid:84641021; rev:1;)
# NOTE(review): the host and URI conditions here are identical to the rule ending
# just above (sid:84641021, URLhaus 3777921); only msg, reference and sid differ,
# so one matching request raises both alerts. The two URLhaus entries presumably
# differ in a field these rules do not test (scheme or port). Confirm in URLhaus
# before suppressing one of the pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"162.240.96.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777922/; classtype:trojan-activity;sid:84641022; rev:1;)
# The next two rules match a GET for the bare root path "/" (depth:1 plus endswith),
# so the Host value is the only discriminating condition: any front-page request to
# the listed address alerts. Triage on the destination and on what the response
# delivered, not on the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.139.167.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777918/; classtype:trojan-activity;sid:84641018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"172.96.189.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777919/; classtype:trojan-activity;sid:84641019; rev:1;)
# NOTE(review): the path is styled like a Cloudflare human-verification challenge
# under /plugins/. Presumably a lure page on the named site; confirm from the
# URLhaus entry before drawing conclusions about the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins/cloudflare/challenge/ishuman/id53728/"; depth:46; endswith; nocase; http.host; content:"widexenmexico.com.mx"; depth:20; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777916/; classtype:trojan-activity;sid:84641016; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.18.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777793/; classtype:trojan-activity;sid:84640893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"120.76.143.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777249/; classtype:trojan-activity;sid:84640349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"118.107.0.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777258/; classtype:trojan-activity;sid:84640358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.217.84.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777245/; classtype:trojan-activity;sid:84640345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.158.90.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, 
urlhaus.abuse.ch/url/3777241/; classtype:trojan-activity;sid:84640341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.55.251.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777243/; classtype:trojan-activity;sid:84640343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"136.228.163.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777237/; classtype:trojan-activity;sid:84640337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.109.73.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777222/; classtype:trojan-activity;sid:84640322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.173.12.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777214/; classtype:trojan-activity;sid:84640314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.82.158.221"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777201/; classtype:trojan-activity;sid:84640301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"184.160.27.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777197/; classtype:trojan-activity;sid:84640297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777182/; classtype:trojan-activity;sid:84640282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.101.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777183/; classtype:trojan-activity;sid:84640283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777171/; classtype:trojan-activity;sid:84640271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; 
endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777173/; classtype:trojan-activity;sid:84640273; rev:1;)
# NOTE(review): the four rules below (sids 84640274, 84640275, 84640276, 84640270)
# test exactly the same thing: an HTTP GET for /sshd with Host 81.151.191.4. The rule
# ending just above (sid:84640273) names the same host. A single matching request
# raises one alert per rule. The URLhaus entries presumably differ in port or scheme,
# which these rules leave unconstrained ($EXTERNAL_NET any). Confirm in URLhaus, then
# deduplicate downstream on host + URI or apply a threshold so that one download is
# not counted as several events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777174/; classtype:trojan-activity;sid:84640274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777175/; classtype:trojan-activity;sid:84640275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777176/; classtype:trojan-activity;sid:84640276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777170/; classtype:trojan-activity;sid:84640270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777084)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fscan32.exe"; depth:12; endswith; nocase; http.host; content:"124.44.3.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777084/; classtype:trojan-activity;sid:84640184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.exe"; depth:11; endswith; nocase; http.host; content:"124.44.3.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777069/; classtype:trojan-activity;sid:84640169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/re45766712.msi"; depth:15; endswith; nocase; http.host; content:"drevos.ro"; depth:9; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777050/; classtype:trojan-activity;sid:84640150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scr/omgo/approval3546.msi"; depth:26; endswith; nocase; http.host; content:"luizmatoso.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777049/; classtype:trojan-activity;sid:84640149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ref62535.msi"; depth:13; endswith; nocase; http.host; content:"vizyonuniversitesi.web.tr"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777048/; 
classtype:trojan-activity;sid:84640148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3776653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh/encrypted.ps1"; depth:18; endswith; nocase; http.host; content:"refaccionesalma.com.mx"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_12; reference:url, urlhaus.abuse.ch/url/3776653/; classtype:trojan-activity;sid:84639753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3775926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.158.90.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_11; reference:url, urlhaus.abuse.ch/url/3775926/; classtype:trojan-activity;sid:84639026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watching"; depth:9; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774774/; classtype:trojan-activity;sid:84637874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs-netcat_linux-x86_64"; depth:23; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774775/; classtype:trojan-activity;sid:84637875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ss"; depth:3; endswith; nocase; http.host; content:"46.8.78.15"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774739/; classtype:trojan-activity;sid:84637839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/busybox-armv7l"; depth:15; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774709/; classtype:trojan-activity;sid:84637809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"13.41.96.167"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774679/; classtype:trojan-activity;sid:84637779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.181.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774678/; classtype:trojan-activity;sid:84637778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.140.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774677/; classtype:trojan-activity;sid:84637777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774676)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"123.58.64.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774676/; classtype:trojan-activity;sid:84637776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.219.76.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774640/; classtype:trojan-activity;sid:84637740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.105.36.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774642/; classtype:trojan-activity;sid:84637742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"52.248.41.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774628/; classtype:trojan-activity;sid:84637728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"192.3.233.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774635/; classtype:trojan-activity;sid:84637735; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774447/; classtype:trojan-activity;sid:84637547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2025/09/27/1758984967-5707.jpeg"; depth:32; endswith; nocase; http.host; content:"i.404.pm"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774338/; classtype:trojan-activity;sid:84637438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2025/11/12/1762933913-224.jpeg"; depth:31; endswith; nocase; http.host; content:"i.404.pm"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774350/; classtype:trojan-activity;sid:84637450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"87.119.108.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774274/; classtype:trojan-activity;sid:84637374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.217.84.226"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_02_08; reference:url, urlhaus.abuse.ch/url/3774258/; classtype:trojan-activity;sid:84637358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.29.91.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774255/; classtype:trojan-activity;sid:84637355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.220.163.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774245/; classtype:trojan-activity;sid:84637345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.171.188.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774247/; classtype:trojan-activity;sid:84637347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.109.73.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774248/; classtype:trojan-activity;sid:84637348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv4l"; depth:18; endswith; nocase; http.host; 
content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774076/; classtype:trojan-activity;sid:84637176; rev:1;)
# The four rules below share Host 156.246.93.156 and the /n2onsolana/ directory and
# differ only in the last path segment (mips, aarch64, mpsl, armv6l).
# NOTE(review): those segments read like CPU-architecture names, presumably one
# payload build per architecture; confirm from the URLhaus entries. For triage, group
# these sids by host and source device rather than treating each as a separate
# incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/mips"; depth:16; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774074/; classtype:trojan-activity;sid:84637174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/aarch64"; depth:19; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774075/; classtype:trojan-activity;sid:84637175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/mpsl"; depth:16; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774073/; classtype:trojan-activity;sid:84637173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv6l"; depth:18; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774071/; classtype:trojan-activity;sid:84637171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3774072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/x86"; depth:15; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774072/; classtype:trojan-activity;sid:84637172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv7l"; depth:18; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774070/; classtype:trojan-activity;sid:84637170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv5l"; depth:18; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774069/; classtype:trojan-activity;sid:84637169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gif.gif"; depth:8; endswith; nocase; http.host; content:"pjsn.hi2.ro"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773540/; classtype:trojan-activity;sid:84636640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"43.229.20.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773435/; 
classtype:trojan-activity;sid:84636535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.50.222.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773429/; classtype:trojan-activity;sid:84636529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.154.87.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773430/; classtype:trojan-activity;sid:84636530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"146.120.97.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773284/; classtype:trojan-activity;sid:84636384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"87.247.202.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773286/; classtype:trojan-activity;sid:84636386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"24.37.71.230"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773274/; classtype:trojan-activity;sid:84636374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"45.173.12.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773268/; classtype:trojan-activity;sid:84636368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"83.218.189.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773251/; classtype:trojan-activity;sid:84636351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.185.1.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773253/; classtype:trojan-activity;sid:84636353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.135.26.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773239/; classtype:trojan-activity;sid:84636339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"62.99.58.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773225/; classtype:trojan-activity;sid:84636325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773129/; classtype:trojan-activity;sid:84636229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download_invitee.php"; depth:21; endswith; nocase; http.host; content:"biducaconfeitos.com.br"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3772916/; classtype:trojan-activity;sid:84636016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"50.43.160.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772764/; classtype:trojan-activity;sid:84635864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.1.110.226"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772754/; classtype:trojan-activity;sid:84635854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772607)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"112.124.33.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772607/; classtype:trojan-activity;sid:84635707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772582/; classtype:trojan-activity;sid:84635682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772577/; classtype:trojan-activity;sid:84635677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772575/; classtype:trojan-activity;sid:84635675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"196.39.143.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772572/; classtype:trojan-activity;sid:84635672; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.5.194.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772548/; classtype:trojan-activity;sid:84635648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"136.228.163.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772546/; classtype:trojan-activity;sid:84635646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772543/; classtype:trojan-activity;sid:84635643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772528/; classtype:trojan-activity;sid:84635628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.130.248.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772518/; 
classtype:trojan-activity;sid:84635618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftteamupdate.msi"; depth:24; endswith; nocase; http.host; content:"vrajras.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772510/; classtype:trojan-activity;sid:84635610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"114.215.193.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772458/; classtype:trojan-activity;sid:84635558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.186.90.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772365/; classtype:trojan-activity;sid:84635465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"128.127.102.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772359/; classtype:trojan-activity;sid:84635459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/original/chrome_144.exe"; depth:24; endswith; nocase; http.host; 
content:"panychurasc0.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_02_04; reference:url, urlhaus.abuse.ch/url/3771987/; classtype:trojan-activity;sid:84635087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.40.178.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771747/; classtype:trojan-activity;sid:84634847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.62.202.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771741/; classtype:trojan-activity;sid:84634841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771510/; classtype:trojan-activity;sid:84634610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.121.236.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771493/; classtype:trojan-activity;sid:84634593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771480)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771480/; classtype:trojan-activity;sid:84634580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771458/; classtype:trojan-activity;sid:84634558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771442/; classtype:trojan-activity;sid:84634542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771437/; classtype:trojan-activity;sid:84634537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"201.16.194.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771429/; classtype:trojan-activity;sid:84634529; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771420/; classtype:trojan-activity;sid:84634520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771416/; classtype:trojan-activity;sid:84634516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771410/; classtype:trojan-activity;sid:84634510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771405/; classtype:trojan-activity;sid:84634505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, 
urlhaus.abuse.ch/url/3771394/; classtype:trojan-activity;sid:84634494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771393/; classtype:trojan-activity;sid:84634493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771383/; classtype:trojan-activity;sid:84634483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771373/; classtype:trojan-activity;sid:84634473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771357/; classtype:trojan-activity;sid:84634457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; 
content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771346/; classtype:trojan-activity;sid:84634446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.121.236.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771336/; classtype:trojan-activity;sid:84634436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771319/; classtype:trojan-activity;sid:84634419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771292/; classtype:trojan-activity;sid:84634392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771284/; classtype:trojan-activity;sid:84634384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771258)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771258/; classtype:trojan-activity;sid:84634358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.226.249.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771242/; classtype:trojan-activity;sid:84634342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771234/; classtype:trojan-activity;sid:84634334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771237/; classtype:trojan-activity;sid:84634337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771218/; classtype:trojan-activity;sid:84634318; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771220/; classtype:trojan-activity;sid:84634320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771206/; classtype:trojan-activity;sid:84634306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771190/; classtype:trojan-activity;sid:84634290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/31%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771061/; classtype:trojan-activity;sid:84634161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/08%2008%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771062/; classtype:trojan-activity;sid:84634162; rev:1;)
# The four complete rules below all pin http.host to "81.42.249.132" and differ
# only in the dated directory inside http.uri. In each rule depth equals the
# content length and endswith is set, so the content has to be the whole
# http.uri buffer (case-insensitively, because of nocase): a request with a
# query string or extra path segments does not match. The host is pinned the
# same way by depth plus isdataat:!1,relative.
# NOTE(review): these http.uri contents contain literal "%20". http.uri is
# Suricata's normalized URI buffer; if the sensor's HTTP normalization decodes
# %20 to a space, these contents cannot match, and http.uri.raw would be the
# buffer that keeps the encoded form. Confirm against a capture before relying
# on these sids for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/24%2010%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771063/; classtype:trojan-activity;sid:84634163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/11%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771060/; classtype:trojan-activity;sid:84634160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/10%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771059/; classtype:trojan-activity;sid:84634159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/07%2010%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771056/; classtype:trojan-activity;sid:84634156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3771057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/27%2007%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771057/; classtype:trojan-activity;sid:84634157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/30%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771058/; classtype:trojan-activity;sid:84634158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/10%2001%202026/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771054/; classtype:trojan-activity;sid:84634154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771055/; classtype:trojan-activity;sid:84634155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2009%202025/info.zip"; depth:42; 
endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771050/; classtype:trojan-activity;sid:84634150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/24%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771051/; classtype:trojan-activity;sid:84634151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/15%2010%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771052/; classtype:trojan-activity;sid:84634152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/16%2001%202026/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771053/; classtype:trojan-activity;sid:84634153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2007%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771048/; 
classtype:trojan-activity;sid:84634148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/12%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771045/; classtype:trojan-activity;sid:84634145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/02%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771039/; classtype:trojan-activity;sid:84634139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bitrix/cache/js/s1/universe_s1/kernel_main/kernel_main_v1.js"; depth:61; endswith; nocase; http.host; content:"alternativas.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771036/; classtype:trojan-activity;sid:84634136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3770968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/scc.msi"; depth:12; endswith; nocase; http.host; content:"krisidev.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3770968/; classtype:trojan-activity;sid:84634068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3770100)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/64.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3770100/; classtype:trojan-activity;sid:84633200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767404/; classtype:trojan-activity;sid:84630504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.83.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767389/; classtype:trojan-activity;sid:84630489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"196.251.107.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767348/; classtype:trojan-activity;sid:84630448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"62.99.58.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767197/; classtype:trojan-activity;sid:84630297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3767101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhekinko/test/main/notepad2.dll"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767101/; classtype:trojan-activity;sid:84630201; rev:1;)
# NOTE(review): sid 84630201 (the rule ending on the line above) is an
# `alert http` rule for host raw.githubusercontent.com. That host is presumably
# reached over HTTPS in practice (confirm), in which case this rule only sees
# the request where TLS is decrypted ahead of the sensor. The host is shared by
# many unrelated repositories, so the exact http.uri match (depth equal to the
# content length, plus endswith) is what keeps the rule specific to this one
# file; do not treat the host alone as an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766869/; classtype:trojan-activity;sid:84629969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"chanchanmiraixd.duckdns.org"; depth:27; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766760/; classtype:trojan-activity;sid:84629860; rev:1;)
# The next rule and the ones that follow it for host "69.46.43.35" differ only
# in the http.uri file name; each is an exact whole-buffer match on both the
# URI and the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty2"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766633/; classtype:trojan-activity;sid:84629733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty3"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, 
urlhaus.abuse.ch/url/3766628/; classtype:trojan-activity;sid:84629728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty1"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766629/; classtype:trojan-activity;sid:84629729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty4"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766630/; classtype:trojan-activity;sid:84629730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty5"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766631/; classtype:trojan-activity;sid:84629731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty10"; depth:6; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766632/; classtype:trojan-activity;sid:84629732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.5.194.56"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766587/; classtype:trojan-activity;sid:84629687; rev:1;)
# Each rule is an exact-URL indicator for one URLhaus entry (the id shown in
# msg and in the reference). On http.uri, depth:<content length> together with
# endswith pins the whole normalized URI to the content, and nocase applies to
# that URI match. On http.host, depth:<content length> plus
# isdataat:!1,relative leaves no room for extra bytes after the host. A request
# to the same host with any other URI does not alert, so these rules complement
# host/IP reputation rather than replace it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.196.95.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766584/; classtype:trojan-activity;sid:84629684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get/cl.msi"; depth:11; endswith; nocase; http.host; content:"corporacioncrf.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766226/; classtype:trojan-activity;sid:84629326; rev:1;)
# NOTE(review): "alert http" only sees requests the HTTP parser can read. Hosts
# under ipfs.w3s.link and r2.dev (this rule and two further down) are
# presumably fetched over HTTPS - confirm the scheme on the referenced URLhaus
# pages. If so, these rules match only behind TLS inspection, or when a client
# first tries plain HTTP; otherwise cover the same URLs from proxy or endpoint
# logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filejantn.txt"; depth:14; endswith; nocase; http.host; content:"bafybeiffpkay6l7heq55epccneb563p5chjzclxnso3vkozyorphlz6ana.ipfs.w3s.link"; depth:73; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766219/; classtype:trojan-activity;sid:84629319; rev:1;)
# NOTE(review): the next two rules (sid 84629179 and sid 84629178) carry
# identical match conditions, so a single request raises two alerts.
# Presumably the two URLhaus entries differ in something the rule does not
# encode (scheme or port) - confirm on the referenced pages, and group alerts
# by request during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armful/activity_list.js"; depth:24; endswith; nocase; http.host; content:"studiogioeli.it"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766079/; classtype:trojan-activity;sid:84629179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armful/activity_list.js"; depth:24; endswith; nocase; http.host; content:"studiogioeli.it"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766078/; classtype:trojan-activity;sid:84629178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"separadordecc.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766053/; classtype:trojan-activity;sid:84629153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"bafybeibfoyi7ruuyoncarf4xr55qa3lthsjjjgrktk4ia4z3upesawb4ry.ipfs.w3s.link"; depth:73; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766021/; classtype:trojan-activity;sid:84629121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/myanmar.txt"; depth:12; endswith; nocase; http.host; content:"pub-ce02802067934e0eb072f69bf6427bf6.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766002/; classtype:trojan-activity;sid:84629102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.83.239.106"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_01_29; reference:url, urlhaus.abuse.ch/url/3765723/; classtype:trojan-activity;sid:84628823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.96.228.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_29; reference:url, urlhaus.abuse.ch/url/3765537/; classtype:trojan-activity;sid:84628637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.96.228.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_29; reference:url, urlhaus.abuse.ch/url/3765534/; classtype:trojan-activity;sid:84628634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/linux/arm"; depth:19; endswith; nocase; http.host; content:"101.32.206.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_29; reference:url, urlhaus.abuse.ch/url/3765490/; classtype:trojan-activity;sid:84628590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"120.196.95.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_28; reference:url, urlhaus.abuse.ch/url/3765258/; classtype:trojan-activity;sid:84628358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3764383)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/order2390.msi"; depth:25; endswith; nocase; http.host; content:"audicontadores.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_26; reference:url, urlhaus.abuse.ch/url/3764383/; classtype:trojan-activity;sid:84627483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.147.202.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_25; reference:url, urlhaus.abuse.ch/url/3763659/; classtype:trojan-activity;sid:84626759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/cr.sh"; depth:38; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763338/; classtype:trojan-activity;sid:84626438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/javae"; depth:38; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763336/; classtype:trojan-activity;sid:84626436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/pnscan-1.14.1.tar.gz"; depth:53; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763333/; 
classtype:trojan-activity;sid:84626433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/1.0.5.tar.gz"; depth:45; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763334/; classtype:trojan-activity;sid:84626434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.90.205.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763137/; classtype:trojan-activity;sid:84626237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.228.239.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3762969/; classtype:trojan-activity;sid:84626069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.228.239.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3762953/; classtype:trojan-activity;sid:84626053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; 
content:"47.120.32.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762681/; classtype:trojan-activity;sid:84625781; rev:1;)
# The rules below are exact-URL indicators: the http.uri content is anchored at
# both ends (depth equal to its length, plus endswith) and the http.host
# content is anchored by depth plus isdataat:!1,relative, so only a GET for
# exactly that URI on exactly that host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.163.117.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762677/; classtype:trojan-activity;sid:84625777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.251.254.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762679/; classtype:trojan-activity;sid:84625779; rev:1;)
# NOTE(review): this rule (sid 84625774) and sid 84625183 further down match
# the same URI "/sshd" on the same host 102.23.89.5, so one request raises two
# alerts. Presumably the two URLhaus entries differ in something the rule does
# not encode (scheme or port) - confirm on the referenced pages, and group
# alerts by request during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.23.89.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762674/; classtype:trojan-activity;sid:84625774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.155.243.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762403/; classtype:trojan-activity;sid:84625503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.155.243.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762391/; classtype:trojan-activity;sid:84625491; rev:1;)
# NOTE(review): "alert http" only sees requests the HTTP parser can read.
# raw.githubusercontent.com is normally reached over HTTPS - confirm the scheme
# on the referenced URLhaus page. If so, this rule matches only behind TLS
# inspection, or when a client first tries plain HTTP; otherwise cover the URL
# from proxy or endpoint logs. The same applies to the other
# raw.githubusercontent.com and github.com rules in this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hamzaabiadi/cracked-tab-organizer-extension/main/altisonous/cracked-tab-organizer-extension.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762176/; classtype:trojan-activity;sid:84625276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"121.4.92.72"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762091/; classtype:trojan-activity;sid:84625191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.23.89.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762083/; classtype:trojan-activity;sid:84625183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762054/;
classtype:trojan-activity;sid:84625154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762049/; classtype:trojan-activity;sid:84625149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762050/; classtype:trojan-activity;sid:84625150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"45.147.202.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761968/; classtype:trojan-activity;sid:84625068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caio-arc/links/raw/refs/heads/main/application.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761843/; classtype:trojan-activity;sid:84624943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761841)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/keyur-m/hometask/raw/refs/heads/main/application.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761841/; classtype:trojan-activity;sid:84624941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teeeeeeeeeellkall/cracked-tab-groups-extension/main/clackety/cracked-tab-groups-extension.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761824/; classtype:trojan-activity;sid:84624924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/main/fieldworker/cracked-todoist-for-chrome.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761823/; classtype:trojan-activity;sid:84624923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/class1k/cracked-save-to-mondaycom-extension/main/textbookless/cracked-save-to-mondaycom-extension.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761822/; classtype:trojan-activity;sid:84624922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761818)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jsm2raj/cracked-webpage-highlighter-extension/main/innkeeper/cracked-webpage-highlighter-extension.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761818/; classtype:trojan-activity;sid:84624918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shifaishfaque/cracked-save-to-click-up-extension/raw/refs/heads/main/doddart/cracked-save-to-click-up-extension.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761819/; classtype:trojan-activity;sid:84624919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lazzydave/cracked-webpage-snapshot-extension/main/sketchiness/cracked-webpage-snapshot-extension.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761816/; classtype:trojan-activity;sid:84624916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bibabiboreal/cracked-save-to-airtable-base-extension/main/rectifiable/cracked-save-to-airtable-base-extension.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761813/; classtype:trojan-activity;sid:84624913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3761807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kayraizm3131/cracked-webpage-tag-manager-extension/main/pteroclomorphic/cracked-webpage-tag-manager-extension.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761807/; classtype:trojan-activity;sid:84624907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crandd1/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761795/; classtype:trojan-activity;sid:84624895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"112.163.117.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_21; reference:url, urlhaus.abuse.ch/url/3761350/; classtype:trojan-activity;sid:84624450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3760838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lounger678/lapce/releases/download/1.0.0/lapce-windows.msi"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_20; reference:url, urlhaus.abuse.ch/url/3760838/; classtype:trojan-activity;sid:84623938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3760734)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"www.backupallfresh2030.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_01_20; reference:url, urlhaus.abuse.ch/url/3760734/; classtype:trojan-activity;sid:84623834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3759759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.178.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_18; reference:url, urlhaus.abuse.ch/url/3759759/; classtype:trojan-activity;sid:84622859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3759320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receiveharsh/changebusiness"; depth:28; endswith; nocase; http.host; content:"co-emas.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_17; reference:url, urlhaus.abuse.ch/url/3759320/; classtype:trojan-activity;sid:84622420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3759319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x/s"; depth:4; endswith; nocase; http.host; content:"co-emas.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_17; reference:url, urlhaus.abuse.ch/url/3759319/; classtype:trojan-activity;sid:84622419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa/saa.php"; depth:11; endswith; nocase; http.host; content:"thebrandmantra.in"; depth:17; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758945/; classtype:trojan-activity;sid:84622045; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/upload/other/20220313/1647160611412907.apk"; depth:50; endswith; nocase; http.host; content:"www.longfeng188.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758944/; classtype:trojan-activity;sid:84622044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/laizi_wzzdh.apk"; depth:21; endswith; nocase; http.host; content:"n.vs108.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758943/; classtype:trojan-activity;sid:84622043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbs/upload/1000/2017/03/16/202395_1101210.apk"; depth:46; endswith; nocase; http.host; content:"jlwz.cn"; depth:7; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758942/; classtype:trojan-activity;sid:84622042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"101.127.184.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_15; reference:url, urlhaus.abuse.ch/url/3758671/; classtype:trojan-activity;sid:84621771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; 
content:"101.127.184.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_15; reference:url, urlhaus.abuse.ch/url/3758670/; classtype:trojan-activity;sid:84621770; rev:1;)
# The rules below are exact-URL indicators: the http.uri content is anchored at
# both ends (depth equal to its length, plus endswith) and the http.host
# content is anchored by depth plus isdataat:!1,relative, so only a GET for
# exactly that URI on exactly that host alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; content:"101.127.184.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_15; reference:url, urlhaus.abuse.ch/url/3758669/; classtype:trojan-activity;sid:84621769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/imgs.exe"; depth:13; endswith; nocase; http.host; content:"wittenhorst.eu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757953/; classtype:trojan-activity;sid:84621053; rev:1;)
# NOTE(review): the next two rules hold a literal "%20" in their http.uri
# content, but http.uri is the normalized URI buffer, in which Suricata
# documents %20 as already decoded to a space; literal percent-escapes are
# matched in http.uri.raw. As written these rules may never fire - confirm
# against a test request before relying on them. The same applies to every
# other /r-02-radiole/...%20... rule for 81.42.249.132 in this ruleset.
# NOTE(review): github.com is normally reached over HTTPS, where "alert http"
# sees the request only behind TLS inspection - confirm the scheme on the
# referenced URLhaus page and cover the URL from proxy or endpoint logs if so.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syrins/chatgpt-app/raw/9d9a3d9ce5ba4eb03b7738f99458773e3b4ce7de/inat%20tv.apk"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757907/; classtype:trojan-activity;sid:84621007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757803/; classtype:trojan-activity;sid:84620903; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757804/; classtype:trojan-activity;sid:84620904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2010%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757805/; classtype:trojan-activity;sid:84620905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757806/; classtype:trojan-activity;sid:84620906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757808/; classtype:trojan-activity;sid:84620908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/02%2012%202025/info.zip"; depth:37; 
endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757809/; classtype:trojan-activity;sid:84620909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2008%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757811/; classtype:trojan-activity;sid:84620911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2010%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757802/; classtype:trojan-activity;sid:84620902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757799/; classtype:trojan-activity;sid:84620899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/info.zip"; depth:14; endswith; nocase; http.host; content:"182.163.114.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757800/; classtype:trojan-activity;sid:84620900; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757796/; classtype:trojan-activity;sid:84620896; rev:1;)
# --- How to read the rules in this stretch of the feed -----------------------
# Every rule here has the same shape: `alert http` from $HOME_NET to
# $EXTERNAL_NET, established flow, client side, HTTP method GET, then:
#   * http.uri  content + depth:<length of the content> + endswith + nocase
#               -> the whole URI buffer has to equal the string (case-insensitive);
#                  a longer path or an added query string does not match.
#   * http.host content + depth:<length of the content> + isdataat:!1,relative
#               -> no byte may follow the match, so the Host buffer has to equal it.
# Only traffic the sensor parses as HTTP is inspected; the same URL fetched over
# TLS is not covered unless the sensor is fed decrypted traffic.
# Matching also depends on $HOME_NET / $EXTERNAL_NET being defined correctly.
# In the rules shown here, sid = URLhaus entry id + 80863100; the entry id is
# also in msg and in the reference URL, which is where payload details and the
# current status of the indicator should be checked during triage.
#
# NOTE(review): the rule ending on the line above and the four that follow put
# "%20" inside an http.uri match. http.uri is Suricata's normalized URI buffer;
# if the sensor decodes percent-escapes before matching, the literal will not
# equal the decoded path (a space instead of %20) and these sids stay silent.
# http.uri.raw is the buffer that keeps escapes as sent - confirm on the
# deployed Suricata version before relying on these five rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2008%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757797/; classtype:trojan-activity;sid:84620897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757792/; classtype:trojan-activity;sid:84620892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757794/; classtype:trojan-activity;sid:84620894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2008%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757791/; classtype:trojan-activity;sid:84620891; rev:1;)
# Single-file URLs on individual hosts (entries dated 2026_01_13).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"139.224.16.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757403/; classtype:trojan-activity;sid:84620503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.158.100.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757384/; classtype:trojan-activity;sid:84620484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.197.62.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757377/; classtype:trojan-activity;sid:84620477; rev:1;)
# Hostname (not IP) in http.host: the Host buffer must equal "steam66.cn", so
# other subdomains of the same domain are not matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netsyst81.dll"; depth:14; endswith; nocase; http.host; content:"steam66.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757074/; classtype:trojan-activity;sid:84620174; rev:1;)
# Entries dated 2026_01_11: four payload*.txt paths on 89.32.41.172, plus one
# unrelated host in between.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3756062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.txt"; depth:12; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3756062/; classtype:trojan-activity;sid:84619162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t36"; depth:4; endswith; nocase; http.host; content:"42.192.39.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3755992/; classtype:trojan-activity;sid:84619092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload_universal.txt"; depth:22; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3755948/; classtype:trojan-activity;sid:84619048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload_direct.txt"; depth:19; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3755921/; classtype:trojan-activity;sid:84619021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload_wget.txt"; depth:17; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3755903/; classtype:trojan-activity;sid:84619003; rev:1;)
# Entries dated 2026_01_10: six .scr/.lnk file names, all on 175.209.135.175.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755219/; classtype:trojan-activity;sid:84618319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755194/; classtype:trojan-activity;sid:84618294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755193/; classtype:trojan-activity;sid:84618293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755157/; classtype:trojan-activity;sid:84618257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755090/; classtype:trojan-activity;sid:84618190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"175.209.135.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755064/; classtype:trojan-activity;sid:84618164; rev:1;)
# Everything from here to the end of this stretch is dated 2026_01_09.
#
# URI "/" rules (many below): the URI buffer must be exactly "/", so the rule
# fires on any GET for the root document of the listed address and acts as a
# host-level indicator. Nothing in the rule says whether the address still
# serves malware; check the referenced URLhaus entry before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"181.193.59.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754767/; classtype:trojan-activity;sid:84617867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"79.175.42.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754752/; classtype:trojan-activity;sid:84617852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"217.150.78.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754757/; classtype:trojan-activity;sid:84617857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.157.212.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754761/; classtype:trojan-activity;sid:84617861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"82.114.200.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754762/; classtype:trojan-activity;sid:84617862; rev:1;)
# Five /sda1/... paths on 27.125.169.235.
# NOTE(review): two of them (sids 84617844 and 84617841) carry "%24" in the
# http.uri content; if the sensor decodes percent-escapes in the normalized
# URI, the request path would contain "$" instead and the literal would not
# match. Confirm, or compare against http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/reynold/video.scr"; depth:23; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754742/; classtype:trojan-activity;sid:84617842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/reynold/photo.scr"; depth:23; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754743/; classtype:trojan-activity;sid:84617843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/%24recycle.bin/photo.scr"; depth:30; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754744/; classtype:trojan-activity;sid:84617844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/reynold/av.scr"; depth:20; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754745/; classtype:trojan-activity;sid:84617845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/%24recycle.bin/s-1-5-21-513737667-1919666884-561045330-1001/%24rs1r5lt.scr"; depth:80; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754741/; classtype:trojan-activity;sid:84617841; rev:1;)
# Root-path ("/") host indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"128.127.102.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754708/; classtype:trojan-activity;sid:84617808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754695/; classtype:trojan-activity;sid:84617795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"172.85.143.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754701/; classtype:trojan-activity;sid:84617801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"146.66.163.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754705/; classtype:trojan-activity;sid:84617805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"195.158.88.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754690/; classtype:trojan-activity;sid:84617790; rev:1;)
# Directory-style URI on a hostname: only a request for exactly
# "/zoldownload/" matches; a file requested below that directory does not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoldownload/"; depth:13; endswith; nocase; http.host; content:"down10d.zol.com.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754685/; classtype:trojan-activity;sid:84617785; rev:1;)
# Root-path ("/") host indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754684/; classtype:trojan-activity;sid:84617784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"31.210.217.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754676/; classtype:trojan-activity;sid:84617776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.164.117.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754677/; classtype:trojan-activity;sid:84617777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754656/; classtype:trojan-activity;sid:84617756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"200.54.221.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754662/; classtype:trojan-activity;sid:84617762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"31.28.10.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754664/; classtype:trojan-activity;sid:84617764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"181.193.62.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754665/; classtype:trojan-activity;sid:84617765; rev:1;)
# Same host as sid 84620484 ("/i") earlier in this stretch, different path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.158.100.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754618/; classtype:trojan-activity;sid:84617718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"88.119.151.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754551/; classtype:trojan-activity;sid:84617651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754552/; classtype:trojan-activity;sid:84617652; rev:1;)
# www.namuvpn.com appears in several rules from here on (installer .exe/.zip
# paths under /install/). The Host buffer must equal "www.namuvpn.com", so the
# bare domain or any other subdomain is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnxp.exe"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754555/; classtype:trojan-activity;sid:84617655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754556/; classtype:trojan-activity;sid:84617656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754547/; classtype:trojan-activity;sid:84617647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7.exe"; depth:26; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754542/; classtype:trojan-activity;sid:84617642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnx2.exe"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754543/; classtype:trojan-activity;sid:84617643; rev:1;)
# NOTE(review): "mimidrv.sys" is the file name used by the Mimikatz kernel
# driver; the rule itself does not state the payload family - verify against
# the URLhaus entry before labelling a hit as credential-theft tooling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimidrv.sys"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754540/; classtype:trojan-activity;sid:84617640; rev:1;)
# Root-path ("/") host indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"212.107.232.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754534/; classtype:trojan-activity;sid:84617634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"217.75.193.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754530/; classtype:trojan-activity;sid:84617630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"81.16.250.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754532/; classtype:trojan-activity;sid:84617632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"5.198.242.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754525/; classtype:trojan-activity;sid:84617625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.128.195.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754520/; classtype:trojan-activity;sid:84617620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.12.99.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754521/; classtype:trojan-activity;sid:84617621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"87.119.108.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754517/; classtype:trojan-activity;sid:84617617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754511/; classtype:trojan-activity;sid:84617611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"193.242.149.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754512/; classtype:trojan-activity;sid:84617612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.148.20.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754510/; classtype:trojan-activity;sid:84617610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754438/; classtype:trojan-activity;sid:84617538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"181.129.182.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754425/; classtype:trojan-activity;sid:84617525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754427/; classtype:trojan-activity;sid:84617527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754432/; classtype:trojan-activity;sid:84617532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"5.181.28.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754409/; classtype:trojan-activity;sid:84617509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"213.149.178.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754391/; classtype:trojan-activity;sid:84617491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754390/; classtype:trojan-activity;sid:84617490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754384/; classtype:trojan-activity;sid:84617484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"83.166.197.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754378/; classtype:trojan-activity;sid:84617478; rev:1;)
# 122.170.110.131 is also the host of sid 84617294 further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptography_module/base_library.zip"; depth:37; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754379/; classtype:trojan-activity;sid:84617479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"151.248.56.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754365/; classtype:trojan-activity;sid:84617465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"109.69.79.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754355/; classtype:trojan-activity;sid:84617455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.154.84.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754356/; classtype:trojan-activity;sid:84617456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnx2.zip"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754359/; classtype:trojan-activity;sid:84617459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namuvpn32.exe"; depth:22; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754340/; classtype:trojan-activity;sid:84617440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.214.241.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754334/; classtype:trojan-activity;sid:84617434; rev:1;)
# Directory-style URI on a hostname: only a request for exactly
# "/pc/pdfconvert/" matches; a file requested below that directory does not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pc/pdfconvert/"; depth:15; endswith; nocase; http.host; content:"download.pdf00.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754331/; classtype:trojan-activity;sid:84617431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namu864.exe"; depth:20; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754327/; classtype:trojan-activity;sid:84617427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn32.zip"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754328/; classtype:trojan-activity;sid:84617428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.9.25.206"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754324/; classtype:trojan-activity;sid:84617424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnx2/namuvpnx2.exe"; depth:37; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754325/; classtype:trojan-activity;sid:84617425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"46.151.56.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754299/; classtype:trojan-activity;sid:84617399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namuxp.zip"; depth:19; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754282/; classtype:trojan-activity;sid:84617382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"80.89.131.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754275/; classtype:trojan-activity;sid:84617375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namuvpn7.exe"; depth:21; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754274/; classtype:trojan-activity;sid:84617374; rev:1;)
# NOTE(review): "%2b%2b" in an http.uri match - same percent-escape caveat as
# any %XX literal in the normalized URI buffer: if the sensor decodes escapes,
# the path would read "debugview++.exe" and this literal would not match.
# The identical file name appears again on another host in sid 84617276.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debugview%2b%2b.exe"; depth:20; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754265/; classtype:trojan-activity;sid:84617365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7.zip"; depth:26; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754262/; classtype:trojan-activity;sid:84617362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"83.218.189.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754263/; classtype:trojan-activity;sid:84617363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"212.154.209.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754251/; classtype:trojan-activity;sid:84617351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754253/; classtype:trojan-activity;sid:84617353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7/namuvpn7.exe"; depth:35; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754238/; classtype:trojan-activity;sid:84617338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"212.154.135.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754234/; classtype:trojan-activity;sid:84617334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"89.28.58.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754221/; classtype:trojan-activity;sid:84617321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn32.exe"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754218/; classtype:trojan-activity;sid:84617318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"223.197.231.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754202/; classtype:trojan-activity;sid:84617302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptodata/archive_to_send_decr.zip"; depth:36; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754194/; classtype:trojan-activity;sid:84617294; rev:1;)
# NOTE(review): "%2b%2b" literal in http.uri again - see the percent-escape
# caveat on sid 84617365 above; confirm whether http.uri.raw is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debugview%2b%2b.exe"; depth:20; endswith; nocase; http.host; content:"114.132.86.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754176/; classtype:trojan-activity;sid:84617276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754170)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"115.127.68.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754170/; classtype:trojan-activity;sid:84617270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"120.50.10.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754174/; classtype:trojan-activity;sid:84617274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"141.149.36.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754165/; classtype:trojan-activity;sid:84617265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimilib.dll"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754156/; classtype:trojan-activity;sid:84617256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3753765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/img001.exe"; depth:15; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3753765/; classtype:trojan-activity;sid:84616865; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"meetvideogoogle.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752359/; classtype:trojan-activity;sid:84615459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"videomeetgoogle.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752363/; classtype:trojan-activity;sid:84615463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"194.67.127.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752358/; classtype:trojan-activity;sid:84615458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.203.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752304/; classtype:trojan-activity;sid:84615404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3751589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.229.60.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_06; reference:url, 
urlhaus.abuse.ch/url/3751589/; classtype:trojan-activity;sid:84614689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3750631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security/wizvera/delfino-g3/delfino-g3.exe"; depth:43; endswith; nocase; http.host; content:"download.kbcard.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_05; reference:url, urlhaus.abuse.ch/url/3750631/; classtype:trojan-activity;sid:84613731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3750625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luckypatcher/luckypatcherinstaller.apk"; depth:39; endswith; nocase; http.host; content:"chelpus.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_05; reference:url, urlhaus.abuse.ch/url/3750625/; classtype:trojan-activity;sid:84613725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3750143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.49.202.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_04; reference:url, urlhaus.abuse.ch/url/3750143/; classtype:trojan-activity;sid:84613243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding1/139assicc.dll"; depth:22; endswith; nocase; http.host; content:"58.87.92.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749794/; classtype:trojan-activity;sid:84612894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749779)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/buding/139assicc.dll"; depth:21; endswith; nocase; http.host; content:"114.66.51.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749779/; classtype:trojan-activity;sid:84612879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding/139assicc.dll"; depth:21; endswith; nocase; http.host; content:"58.87.92.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749780/; classtype:trojan-activity;sid:84612880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding/dbghelp.dll"; depth:19; endswith; nocase; http.host; content:"59.56.110.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749775/; classtype:trojan-activity;sid:84612875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding/dbghelp.dll"; depth:19; endswith; nocase; http.host; content:"45.125.44.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749771/; classtype:trojan-activity;sid:84612871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.179.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749598/; classtype:trojan-activity;sid:84612698; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.195.26.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749166/; classtype:trojan-activity;sid:84612266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.134.8.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749167/; classtype:trojan-activity;sid:84612267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.249.107.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749168/; classtype:trojan-activity;sid:84612268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749159/; classtype:trojan-activity;sid:84612259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"14.49.202.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3748996/; 
classtype:trojan-activity;sid:84612096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.229.60.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3748863/; classtype:trojan-activity;sid:84611963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"93.215.23.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748483/; classtype:trojan-activity;sid:84611583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"14.53.123.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748394/; classtype:trojan-activity;sid:84611494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"93.215.23.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748383/; classtype:trojan-activity;sid:84611483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.179.114"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748352/; classtype:trojan-activity;sid:84611452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.241.42.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748325/; classtype:trojan-activity;sid:84611425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"162.215.130.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748326/; classtype:trojan-activity;sid:84611426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"104.199.248.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748285/; classtype:trojan-activity;sid:84611385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"199.168.184.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748279/; classtype:trojan-activity;sid:84611379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; 
content:"167.99.0.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748274/; classtype:trojan-activity;sid:84611374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.74.75.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748275/; classtype:trojan-activity;sid:84611375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"165.73.81.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748261/; classtype:trojan-activity;sid:84611361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"167.99.0.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748259/; classtype:trojan-activity;sid:84611359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"199.168.184.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748253/; classtype:trojan-activity;sid:84611353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748255)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; endswith; nocase; http.host; content:"69.48.143.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748255/; classtype:trojan-activity;sid:84611355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"3.18.128.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748247/; classtype:trojan-activity;sid:84611347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.139.167.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748243/; classtype:trojan-activity;sid:84611343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"18.176.47.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748235/; classtype:trojan-activity;sid:84611335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"5.35.124.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748204/; classtype:trojan-activity;sid:84611304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748205)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.130.229.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748205/; classtype:trojan-activity;sid:84611305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"144.208.73.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748200/; classtype:trojan-activity;sid:84611300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"112.220.72.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748201/; classtype:trojan-activity;sid:84611301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"165.73.81.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748193/; classtype:trojan-activity;sid:84611293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"98.70.13.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748194/; classtype:trojan-activity;sid:84611294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3748189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"5.63.157.201"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748189/; classtype:trojan-activity;sid:84611289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.80.0.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748180/; classtype:trojan-activity;sid:84611280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.241.42.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748166/; classtype:trojan-activity;sid:84611266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"13.113.8.105"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748169/; classtype:trojan-activity;sid:84611269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"209.250.2.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748152/; classtype:trojan-activity;sid:84611252; rev:1;) 
# URLhaus feed rules, one per reported URL: the number in msg and in the reference:url path is the URLhaus entry id.
# Each rule on the line below alerts on an established, client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET
# whose http.uri is exactly "/" (content:"/"; depth:1; endswith) and whose http.host equals the listed address
# (depth equals the content length, and isdataat:!1,relative rejects any byte after the match).
# NOTE(review): with the path pinned to "/", an alert shows that an internal host requested the root page of the
# listed address, not that a specific file was retrieved; check the referenced URLhaus entry and the HTTP
# response before treating the event as a completed download.
# NOTE(review): these are `alert http` rules, so they only inspect requests Suricata parses as HTTP; the same URL
# fetched over TLS would presumably not match unless traffic is decrypted upstream. Confirm for your sensor.
# The last rule on the line below is continued on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"144.22.251.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748154/; classtype:trojan-activity;sid:84611254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"112.220.72.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748159/; classtype:trojan-activity;sid:84611259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"201.182.25.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748165/; classtype:trojan-activity;sid:84611265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"209.250.2.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748137/; classtype:trojan-activity;sid:84611237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"150.95.27.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, 
urlhaus.abuse.ch/url/3748127/; classtype:trojan-activity;sid:84611227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"173.231.196.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748131/; classtype:trojan-activity;sid:84611231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"162.215.130.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748133/; classtype:trojan-activity;sid:84611233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.214.192.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748100/; classtype:trojan-activity;sid:84611200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"18.176.47.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748104/; classtype:trojan-activity;sid:84611204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"3.141.75.29"; depth:11; 
isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748106/; classtype:trojan-activity;sid:84611206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"44.208.147.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748110/; classtype:trojan-activity;sid:84611210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"95.154.194.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748112/; classtype:trojan-activity;sid:84611212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"192.155.93.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748115/; classtype:trojan-activity;sid:84611215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"35.226.92.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748119/; classtype:trojan-activity;sid:84611219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; 
nocase; http.host; content:"69.57.163.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748122/; classtype:trojan-activity;sid:84611222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"164.160.41.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748096/; classtype:trojan-activity;sid:84611196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.210.83.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748069/; classtype:trojan-activity;sid:84611169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"74.50.99.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748074/; classtype:trojan-activity;sid:84611174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.214.192.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748087/; classtype:trojan-activity;sid:84611187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747725)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sda1/video.lnk"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747725/; classtype:trojan-activity;sid:84610825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747694/; classtype:trojan-activity;sid:84610794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.lnk"; depth:12; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747690/; classtype:trojan-activity;sid:84610790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747685/; classtype:trojan-activity;sid:84610785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747686/; classtype:trojan-activity;sid:84610786; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.lnk"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747684/; classtype:trojan-activity;sid:84610784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"175.195.26.115"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_31; reference:url, urlhaus.abuse.ch/url/3747141/; classtype:trojan-activity;sid:84610241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"14.249.107.216"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_31; reference:url, urlhaus.abuse.ch/url/3747082/; classtype:trojan-activity;sid:84610182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_30; reference:url, urlhaus.abuse.ch/url/3746867/; classtype:trojan-activity;sid:84609967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"ob.youstarsbuilding.com"; depth:23; isdataat:!1,relative; metadata:created_at 
2025_12_30; reference:url, urlhaus.abuse.ch/url/3746316/; classtype:trojan-activity;sid:84609416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"euob.youstarsbuilding.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_30; reference:url, urlhaus.abuse.ch/url/3746314/; classtype:trojan-activity;sid:84609414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745195/; classtype:trojan-activity;sid:84608295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745196/; classtype:trojan-activity;sid:84608296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745197/; classtype:trojan-activity;sid:84608297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745192)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/20210408/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745192/; classtype:trojan-activity;sid:84608292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745193/; classtype:trojan-activity;sid:84608293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3744164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.213.252.26"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_26; reference:url, urlhaus.abuse.ch/url/3744164/; classtype:trojan-activity;sid:84607264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; content:"152.89.247.153"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743457/; classtype:trojan-activity;sid:84606557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"euob.youstarsbuilding.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743405/; classtype:trojan-activity;sid:84606505; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%80%80%e6%97%a7%e8%af%9b%e4%bb%99.exe"; depth:41; endswith; nocase; http.host; content:"202.189.11.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743375/; classtype:trojan-activity;sid:84606475; rev:1;)
# NOTE(review): the rule ending above (sid 84606475) matches the literal text
# "%e6%80..." in http.uri, which is the normalized URI buffer. If percent-escapes
# are decoded before inspection on this sensor, that literal text is absent and
# the rule cannot fire. Verify with a test capture; matching on http.uri.raw or
# on the decoded bytes would avoid the dependency.
# Exact URI "/photo.scr" (case-insensitive) on host 106.54.220.107.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743323/; classtype:trojan-activity;sid:84606454; rev:1;)
# Hostname-based rule: an .msi path on royalindiancurryclub.com. The match keys
# on the Host header value, not on the destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/plugins/sess1594985553/sessiontools/uvsodsae.msi"; depth:55; endswith; nocase; http.host; content:"royalindiancurryclub.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743323/; classtype:trojan-activity;sid:84606423; rev:1;)
# Exact URI "/video.scr" (case-insensitive) on host 61.240.239.106.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743272/; classtype:trojan-activity;sid:84606372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host;
content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743271/; classtype:trojan-activity;sid:84606371; rev:1;)
# The next three rules target .exe paths on 139.199.191.164 whose names are
# written as percent-encoded non-ASCII bytes. Each depth value equals the length
# of the encoded string, so together with endswith the encoded form must be the
# entire URI.
# NOTE(review): http.uri is the normalized URI buffer. If percent-escapes are
# decoded before inspection on this sensor, the literal "%e6..." text is absent
# and these rules cannot fire. Verify with a test capture; matching on
# http.uri.raw or on the decoded bytes would avoid the dependency.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%83%85%e7%bc%98%e6%80%80%e6%97%a7/%e6%83%85%e6%84%bf%e6%80%80%e6%97%a7.exe"; depth:78; endswith; nocase; http.host; content:"139.199.191.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743175/; classtype:trojan-activity;sid:84606275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e7%8c%b4%e5%ad%90/%e6%a2%a6%e5%b9%bb%e9%ad%94%e7%95%8c%e7%94%b5%e8%84%91%e7%ab%af.exe"; depth:87; endswith; nocase; http.host; content:"139.199.191.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743173/; classtype:trojan-activity;sid:84606273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/%e6%a2%a6%e5%b9%bb%e9%ad%94%e7%95%8c%e7%94%b5%e8%84%91%e7%ab%af.exe"; depth:70; endswith; nocase; http.host; content:"139.199.191.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743168/; classtype:trojan-activity;sid:84606268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url,
urlhaus.abuse.ch/url/3742020/; classtype:trojan-activity;sid:84605120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3742013/; classtype:trojan-activity;sid:84605113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3742007/; classtype:trojan-activity;sid:84605107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3742005/; classtype:trojan-activity;sid:84605105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741991/; classtype:trojan-activity;sid:84605091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; 
content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741975/; classtype:trojan-activity;sid:84605075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741976/; classtype:trojan-activity;sid:84605076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741974/; classtype:trojan-activity;sid:84605074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741972/; classtype:trojan-activity;sid:84605072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741971/; classtype:trojan-activity;sid:84605071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741968)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741968/; classtype:trojan-activity;sid:84605068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250811/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741966/; classtype:trojan-activity;sid:84605066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250809/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741967/; classtype:trojan-activity;sid:84605067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741965/; classtype:trojan-activity;sid:84605065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741962/; 
classtype:trojan-activity;sid:84605062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741963/; classtype:trojan-activity;sid:84605063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741947/; classtype:trojan-activity;sid:84605047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741948/; classtype:trojan-activity;sid:84605048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741949/; classtype:trojan-activity;sid:84605049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"61.240.239.106"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741940/; classtype:trojan-activity;sid:84605040; rev:1;)
# Exact URI "/i" (case-insensitive) on host 171.231.131.90.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741528/; classtype:trojan-activity;sid:84604628; rev:1;)
# NOTE(review): sid 84604623 and sid 84604624 below have identical match
# conditions (GET, URI "/sshd", host 85.187.54.142) and differ only in msg,
# reference and sid. One matching request raises both alerts. The two URLhaus
# entries presumably differ in a field the rule does not express (scheme or
# port). Consider de-duplicating downstream when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.187.54.142"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741523/; classtype:trojan-activity;sid:84604623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.187.54.142"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741524/; classtype:trojan-activity;sid:84604624; rev:1;)
# Hostname-based rule: an .msi path on royalindiancurryclub.com. The match keys
# on the Host header value, not on the destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/auhavkiq.msi"; depth:19; endswith; nocase; http.host; content:"royalindiancurryclub.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741336/; classtype:trojan-activity;sid:84604436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741204)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741204/; classtype:trojan-activity;sid:84604304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741201/; classtype:trojan-activity;sid:84604301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741202/; classtype:trojan-activity;sid:84604302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741193/; classtype:trojan-activity;sid:84604293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741182/; classtype:trojan-activity;sid:84604282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3741183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741183/; classtype:trojan-activity;sid:84604283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741186/; classtype:trojan-activity;sid:84604286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741153/; classtype:trojan-activity;sid:84604253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741109/; classtype:trojan-activity;sid:84604209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741086/; 
classtype:trojan-activity;sid:84604186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741068/; classtype:trojan-activity;sid:84604168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741049/; classtype:trojan-activity;sid:84604149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"182.163.114.232"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741029/; classtype:trojan-activity;sid:84604129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741026/; classtype:trojan-activity;sid:84604126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741024/; classtype:trojan-activity;sid:84604124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741009/; classtype:trojan-activity;sid:84604109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3740979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3740979/; classtype:trojan-activity;sid:84604079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3740945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3740945/; classtype:trojan-activity;sid:84604045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3739840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_22; reference:url, urlhaus.abuse.ch/url/3739840/; classtype:trojan-activity;sid:84602940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3739558)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/scripts/4thepool_miner.sh"; depth:26; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_21; reference:url, urlhaus.abuse.ch/url/3739558/; classtype:trojan-activity;sid:84602658; rev:1;)
# Every rule here is "alert http": it fires only on traffic the sensor parses as
# cleartext HTTP. The same URL fetched over TLS is not visible to these
# signatures without decryption.
# Exact URI "/sshd" (case-insensitive) on host 2.55.81.169.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3738164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.81.169"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_20; reference:url, urlhaus.abuse.ch/url/3738164/; classtype:trojan-activity;sid:84601264; rev:1;)
# Hostname-based rule: an .hta path on innlive.in. The match keys on the Host
# header value, not on the destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/public/01/tun/tun.hta"; depth:29; endswith; nocase; http.host; content:"innlive.in"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_19; reference:url, urlhaus.abuse.ch/url/3736902/; classtype:trojan-activity;sid:84600002; rev:1;)
# NOTE(review): "/atom.xml" on a blogspot.com subdomain. The host match is exact
# (depth:21 + isdataat:!1,relative), so other blogs on the platform do not match.
# The path is a generic name, so triage a hit by what the response delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"hotelsep.blogspot.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3736211/; classtype:trojan-activity;sid:84599311; rev:1;)
# Exact URI "/nimper.pdf" on www.backupallfresh2030.com. The "www." label is part
# of the matched host, so the bare domain would not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nimper.pdf"; depth:11; endswith; nocase; http.host; content:"www.backupallfresh2030.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3736212/; classtype:trojan-activity;sid:84599312; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.149.206.91"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3736098/; classtype:trojan-activity;sid:84599198; rev:1;)
# The next 30 rules (URLhaus ids 3735640 ... 3735558, in file order) all pin
# http.host 89.32.41.172 with created_at 2025_12_17 and differ only in the
# URI: two shell scripts (/gay.sh, /infect.sh) and 14 architecture-named files,
# each listed once at the root and once under /bins/. Each rule is an exact
# URI + host match, so there is no single host-level SID; when triaging,
# correlate alerts from these SIDs by internal client and treat several of
# them firing in a short window as one incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rv32"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735640/; classtype:trojan-activity;sid:84598740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm64"; depth:11; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735641/; classtype:trojan-activity;sid:84598741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735632/; classtype:trojan-activity;sid:84598732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gay.sh"; depth:7; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735633/; classtype:trojan-activity;sid:84598733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735606/; classtype:trojan-activity;sid:84598706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735607/; classtype:trojan-activity;sid:84598707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735608/; classtype:trojan-activity;sid:84598708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735611/; classtype:trojan-activity;sid:84598711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735600/; classtype:trojan-activity;sid:84598700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735599/; classtype:trojan-activity;sid:84598699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735580/; classtype:trojan-activity;sid:84598680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735583/; classtype:trojan-activity;sid:84598683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rv64"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735584/; classtype:trojan-activity;sid:84598684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735590/; classtype:trojan-activity;sid:84598690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735593/; classtype:trojan-activity;sid:84598693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rv32"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735594/; classtype:trojan-activity;sid:84598694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735572/; classtype:trojan-activity;sid:84598672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735575/; classtype:trojan-activity;sid:84598675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735578/; classtype:trojan-activity;sid:84598678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735570/; classtype:trojan-activity;sid:84598670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rv64"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735566/; classtype:trojan-activity;sid:84598666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735539/; classtype:trojan-activity;sid:84598639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735540/; classtype:trojan-activity;sid:84598640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infect.sh"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735541/; classtype:trojan-activity;sid:84598641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735543/; classtype:trojan-activity;sid:84598643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735544/; classtype:trojan-activity;sid:84598644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735548/; classtype:trojan-activity;sid:84598648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735550/; classtype:trojan-activity;sid:84598650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735553/; classtype:trojan-activity;sid:84598653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"89.32.41.172"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735558/; classtype:trojan-activity;sid:84598658; rev:1;)
# End of the 89.32.41.172 group; the rules below pin other hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.110.182.187"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735377/; classtype:trojan-activity;sid:84598477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samoto/annrqsjdtjwz230.bin"; depth:27; endswith; nocase; http.host; content:"polonyauniversiteleri.com.tr"; depth:28; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735145/; classtype:trojan-activity;sid:84598245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735144)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/samoto/juveltwr.lpk"; depth:20; endswith; nocase; http.host; content:"polonyauniversiteleri.com.tr"; depth:28; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735144/; classtype:trojan-activity;sid:84598244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3734705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.109.198.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_16; reference:url, urlhaus.abuse.ch/url/3734705/; classtype:trojan-activity;sid:84597805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3734700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.6.196.230"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_16; reference:url, urlhaus.abuse.ch/url/3734700/; classtype:trojan-activity;sid:84597800; rev:1;)
# NOTE(review): the http.uri pattern in the next rule contains a literal
# "%20". http.uri is Suricata's normalized URI buffer, in which percent-escapes
# are normally decoded, so this pattern may never match as written;
# http.uri.raw is the buffer that keeps the escapes as sent. Verify against a
# test request before counting this SID as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3734674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23/zech_group_sp_project_%20rfq_specifications_65486_pdf.rar"; depth:61; endswith; nocase; http.host; content:"uniform-factory.ae"; depth:18; isdataat:!1,relative; metadata:created_at 2025_12_16; reference:url, urlhaus.abuse.ch/url/3734674/; classtype:trojan-activity;sid:84597774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3733913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usr/uploads/file/202002/20200210195059_78353.rar"; depth:49; endswith; nocase; http.host; content:"zhigao5191.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_15; reference:url, urlhaus.abuse.ch/url/3733913/; classtype:trojan-activity;sid:84597013; rev:1;)
# NOTE(review): same percent-escape concern as sid:84597774 above; here the
# escapes encode non-ASCII bytes (%e6%b1%89...), and depth:38 counts the
# escaped form, not the decoded one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3733907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editor%e6%b1%89%e5%8c%96%e7%89%88.rar"; depth:38; endswith; nocase; http.host; content:"zycdjz.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_15; reference:url, urlhaus.abuse.ch/url/3733907/; classtype:trojan-activity;sid:84597007; rev:1;)
# NOTE(review): github.com is typically served over HTTPS only. As an
# `alert http` rule this fires only where the sensor sees the request in
# cleartext (for example behind a TLS-inspecting proxy). The host is a shared
# platform, so the detection rests entirely on the exact repository path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3733819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/liljaber/am/raw/refs/heads/main/shellhost.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_15; reference:url, urlhaus.abuse.ch/url/3733819/; classtype:trojan-activity;sid:84596919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3733127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/psbbmyya.exe"; depth:32; endswith; nocase; http.host; content:"hqweb.id.vn"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_13; reference:url, urlhaus.abuse.ch/url/3733127/; classtype:trojan-activity;sid:84596227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.75.193.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732386/; classtype:trojan-activity;sid:84595486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732383/; classtype:trojan-activity;sid:84595483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"93.39.215.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732378/; classtype:trojan-activity;sid:84595478; rev:1;)
# NOTE(review): pages.dev sites are, like github.com, typically HTTPS-only, so
# the two rules below have the same cleartext-visibility limitation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eathena/tools/bymyzter/eabackup.rar"; depth:36; endswith; nocase; http.host; content:"paradox924x.pages.dev"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732133/; classtype:trojan-activity;sid:84595233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eathena/tools/bybakausagi/spr_conview_v0.11.zip"; depth:48; endswith; nocase; http.host; content:"paradox924x.pages.dev"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732129/; classtype:trojan-activity;sid:84595229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/cr.exe"; depth:14; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731630/;
classtype:trojan-activity;sid:84594730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/v1d.exe"; depth:15; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731351/; classtype:trojan-activity;sid:84594451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/c1i.exe"; depth:15; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731347/; classtype:trojan-activity;sid:84594447; rev:1;)
# NOTE(review): the next 13 rules (through sid:84594332) pin http.host
# raw.githubusercontent.com or github.com, which are typically served over
# HTTPS only. As `alert http` rules they can fire only where the sensor sees
# the request in cleartext (for example behind a TLS-inspecting proxy);
# elsewhere they give no coverage and proxy or endpoint logs are the place to
# look for these paths. Because the host is a shared platform, each detection
# rests entirely on the exact repository path; the patterns are lowercase and
# nocase makes the match independent of the letter case in the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/molo243r/fivem-weather-control/main/pneumonorrhagia/fivem-weather-control.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731299/; classtype:trojan-activity;sid:84594399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nalleysh/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731286/; classtype:trojan-activity;sid:84594386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/el1nns/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731287/; classtype:trojan-activity;sid:84594387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d3xxth/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731283/; classtype:trojan-activity;sid:84594383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/creyty1h/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731275/; classtype:trojan-activity;sid:84594375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1llenth/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731271/; classtype:trojan-activity;sid:84594371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rayn1e/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731257/; classtype:trojan-activity;sid:84594357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/colleshake/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731244/; classtype:trojan-activity;sid:84594344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arcellys/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731243/; classtype:trojan-activity;sid:84594343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n1elcery/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731242/; classtype:trojan-activity;sid:84594342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recctan1o/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731239/; classtype:trojan-activity;sid:84594339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kesslyy27/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731238/; classtype:trojan-activity;sid:84594338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssten1/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731232/; classtype:trojan-activity;sid:84594332; rev:1;)
# The remaining rules in this stretch pin http.host 203.187.227.112
# (created_at 2025_12_10) and cover the names video/av/photo with .scr and
# .lnk extensions plus /info.zip. Both .scr and .lnk files are directly
# launchable on Windows, so a hit is worth checking against endpoint telemetry
# for execution of the downloaded file by the requesting client.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730787/; classtype:trojan-activity;sid:84593887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730785/; classtype:trojan-activity;sid:84593885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730754/; classtype:trojan-activity;sid:84593854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730727/; classtype:trojan-activity;sid:84593827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730681/; classtype:trojan-activity;sid:84593781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730669/; classtype:trojan-activity;sid:84593769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url,
urlhaus.abuse.ch/url/3730651/; classtype:trojan-activity;sid:84593751; rev:1;)
# NOTE(review): two rules in this stretch flag URLs whose extension looks
# harmless (sid:84593410 config.json, sid:84592516 optimized_msi.png). The
# rules match on URI and host only, not on the response body, so do not
# dismiss a hit because of the extension; check the URLhaus page in the
# rule's reference for what was actually served.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/config.json"; depth:31; endswith; nocase; http.host; content:"acaviationsupplies.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730310/; classtype:trojan-activity;sid:84593410; rev:1;)
# NOTE(review): pastebin.com is a shared platform that is typically served
# over HTTPS only; as an `alert http` rule this fires only where the sensor
# sees the request in cleartext (for example behind a TLS-inspecting proxy).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xi3twfy4"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730311/; classtype:trojan-activity;sid:84593411; rev:1;)
# NOTE(review): several rules below use very generic URIs (/i, /.i, /test,
# /readme.txt, /1.exe, /01.exe); their specificity comes only from the exact
# http.host IP literal. Read a hit as "this client fetched from a listed
# address" and confirm on the referenced URLhaus page that the entry is still
# current before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"180.76.141.175"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_09; reference:url, urlhaus.abuse.ch/url/3729861/; classtype:trojan-activity;sid:84592961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.129.182.138"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_09; reference:url, urlhaus.abuse.ch/url/3729846/; classtype:trojan-activity;sid:84592946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729467/; classtype:trojan-activity;sid:84592567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/panel/uploads/optimized_msi.png"; depth:35; endswith; nocase; http.host; content:"bvaco.com"; depth:9; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729416/; classtype:trojan-activity;sid:84592516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/readme.txt"; depth:11; endswith; nocase; http.host; content:"192.3.27.135"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729323/; classtype:trojan-activity;sid:84592423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/clean/clean.apk"; depth:23; endswith; nocase; http.host; content:"static.youdm.cn"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729248/; classtype:trojan-activity;sid:84592348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.89.95.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729188/; classtype:trojan-activity;sid:84592288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.149.206.91"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729170/; classtype:trojan-activity;sid:84592270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3728954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.7.149.228"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_07; reference:url, urlhaus.abuse.ch/url/3728954/; classtype:trojan-activity;sid:84592054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3728064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_06; reference:url, urlhaus.abuse.ch/url/3728064/; classtype:trojan-activity;sid:84591164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3727342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01.exe"; depth:7; endswith; nocase; http.host; content:"152.32.169.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_06; reference:url, urlhaus.abuse.ch/url/3727342/; classtype:trojan-activity;sid:84590442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3726789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test"; depth:5; endswith; nocase; http.host; content:"141.11.240.103"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_06; reference:url, urlhaus.abuse.ch/url/3726789/; classtype:trojan-activity;sid:84589889; rev:1;)
# How to read the rules in this feed: each one is a fixed-string indicator for a single URLhaus URL.
#   - `alert http` with `flow:established,from_client` inspects client requests that Suricata parses as HTTP.
#     A download fetched over TLS is not seen by these rules unless traffic is decrypted before the sensor.
#   - In http.uri, `depth` equals the length of the content string and `endswith` pins its end, so the whole
#     URI buffer must equal that string (`nocase` makes the comparison case-insensitive).
#   - In http.host, `depth` plus `isdataat:!1,relative` does the same for the host buffer.
# The result is an exact host + URI match: a request to the same host for any other URI is not covered,
# so pair these alerts with host/IP-level indicators where broader coverage is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3726005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receipt_11_26_2025.msi"; depth:23; endswith; nocase; http.host; content:"alineeleuterio.com.br"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_05; reference:url, urlhaus.abuse.ch/url/3726005/; classtype:trojan-activity;sid:84589105; rev:1;)
# NOTE(review): the content of the next rule is percent-encoded (`%20`, `%e8%b7%af...`) and depth:109 is the
# length of the encoded form. http.uri is Suricata's normalized URI buffer; if the sensor's HTTP parser
# settings decode `%xx` sequences (TODO confirm on your deployment), the encoded string is not present in
# that buffer and the rule stays silent. Replay a sample request before relying on it; http.uri.raw is the
# buffer that keeps the URI as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/redmi%20ax3000/%e8%b7%af%e7%94%b1%e5%99%a8%e4%bf%ae%e5%a4%8d%e5%b7%a5%e5%85%b7/miwifirepairtool.x86.zip"; depth:109; endswith; nocase; http.host; content:"hzxcaq-github-io.pages.dev"; depth:26; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725201/; classtype:trojan-activity;sid:84588301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.161.178"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725129/; classtype:trojan-activity;sid:84588229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725126/; classtype:trojan-activity;sid:84588226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725097)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.219.38.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725097/; classtype:trojan-activity;sid:84588197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gretech/promotion_sw/gomplayer/fastping_silent_v4.exe"; depth:54; endswith; nocase; http.host; content:"cdn.gomlab.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724888/; classtype:trojan-activity;sid:84587988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/linux/linux.tar.gz"; depth:23; endswith; nocase; http.host; content:"miner.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724884/; classtype:trojan-activity;sid:84587984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win/miner.zip"; depth:18; endswith; nocase; http.host; content:"miner.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724883/; classtype:trojan-activity;sid:84587983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mouse-jiggler/mousejiggler_2.1.0.zip"; depth:43; endswith; nocase; http.host; content:"lon-01.dlo4d.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724319/; 
classtype:trojan-activity;sid:84587419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fecund.lpk"; depth:11; endswith; nocase; http.host; content:"www.mobimpex.ro"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724235/; classtype:trojan-activity;sid:84587335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrcxpywfcshe8.bin"; depth:18; endswith; nocase; http.host; content:"www.mobimpex.ro"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724236/; classtype:trojan-activity;sid:84587336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/res/keditor/2019_11/3c7a829a_893c_4f02_a407_6b0918c321c2.rar"; depth:61; endswith; nocase; http.host; content:"en.taichuan.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724034/; classtype:trojan-activity;sid:84587134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krnl.lua.script.injector.v1.3.4.zip"; depth:36; endswith; nocase; http.host; content:"injectroblox.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724008/; classtype:trojan-activity;sid:84587108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3723880)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/microsoftbs.exe"; depth:16; endswith; nocase; http.host; content:"120.48.115.29"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3723880/; classtype:trojan-activity;sid:84586980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fent.mips"; depth:10; endswith; nocase; http.host; content:"23.95.248.41"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_02; reference:url, urlhaus.abuse.ch/url/3722913/; classtype:trojan-activity;sid:84586013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fent.mpsl"; depth:10; endswith; nocase; http.host; content:"23.95.248.41"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_02; reference:url, urlhaus.abuse.ch/url/3722915/; classtype:trojan-activity;sid:84586015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zx.exe"; depth:7; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_01; reference:url, urlhaus.abuse.ch/url/3722484/; classtype:trojan-activity;sid:84585584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/top8bet.apk"; depth:16; endswith; nocase; http.host; content:"top8onlinegame.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_12_01; reference:url, urlhaus.abuse.ch/url/3722069/; classtype:trojan-activity;sid:84585169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3721649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721649/; classtype:trojan-activity;sid:84584749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721528/; classtype:trojan-activity;sid:84584628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"106.13.29.104"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721477/; classtype:trojan-activity;sid:84584577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"72.201.150.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721465/; classtype:trojan-activity;sid:84584565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e4%ba%a7%e5%93%81%e8%b5%84%e6%96%99%e5%8c%85/%e6%99%ae%e9%80%9a%e5%9e%8b%e4%ba%a7%e5%93%81%e8%b5%84%e6%96%99%e5%8c%85/485%e5%9e%8b%e8%ae%be%e5%a4%87%e8%b5%84%e6%96%99%e5%8c%85.rar"; depth:181; endswith; 
nocase; http.host; content:"save.jnrsmcu.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721055/; classtype:trojan-activity;sid:84584155; rev:1;)
# NOTE(review): the next two rules match percent-encoded strings in http.uri, with `depth` set for the
# encoded form. http.uri is the normalized URI buffer; if the sensor's HTTP parser settings decode `%xx`
# sequences (TODO confirm on your deployment), these strings are not present there and the rules stay
# silent. Replay a sample request before relying on them; http.uri.raw keeps the URI as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e5%85%84%e5%bc%9f%e4%bc%a0%e5%a5%87%e3%80%90%e5%a4%8d%e5%8f%a4%e3%80%91.rar"; depth:77; endswith; nocase; http.host; content:"xdcq3.com"; depth:9; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721054/; classtype:trojan-activity;sid:84584154; rev:1;)
# NOTE(review): as shown here, the content string of the next rule carries an elision marker
# (`...~311~...`), so it cannot be checked against depth:305 and should not be copied from this listing;
# take the rule from the feed itself. The visible part repeats the file name as `%c3%a5%c2%a5...` and ends
# with `%ef%bf%bd` (the encoded Unicode replacement character), which looks like a URL that was re-encoded
# several times before it was reported. Presumably only a request for that exact string would match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/%e5%a5%87%e5%a6%99%e5%8a%a0%e9%80%9f%e5%99%a8_2_10004379.exe/%c3%a5%c2%a5%c2%87%c3%a5%c2%a6%c2%99%c3%a5%c2%8a%c2%a0%c3%a9%c2%80%c2%9f%c3%a5%c2%99%c2%a8_2_10004379.exe/%c3%83%c2%a5%c3%82%c2%a5%c3%82%c2%87%c3%83%c2%a5%c3%82%c2%a6%c3%82%c2%99%c3%83%25...~311~...%ef%bf%bd%c3%82%c2%a8_2_10004379.exe"; depth:305; endswith; nocase; http.host; content:"pvsa.gxfugy.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721052/; classtype:trojan-activity;sid:84584152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aplikasi/kingbet189.apk"; depth:24; endswith; nocase; http.host; content:"sabungkingbet189.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720424/; classtype:trojan-activity;sid:84583524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720416)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/payment_receipt_11_28_2025.msi"; depth:31; endswith; nocase; http.host; content:"vizyonuniversitesi.com.tr"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720416/; classtype:trojan-activity;sid:84583516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gmssetupx86.exe"; depth:16; endswith; nocase; http.host; content:"185-55-196-13.cprapid.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720403/; classtype:trojan-activity;sid:84583503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.lnk"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720339/; classtype:trojan-activity;sid:84583439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720337/; classtype:trojan-activity;sid:84583437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720336/; 
classtype:trojan-activity;sid:84583436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.scr"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720335/; classtype:trojan-activity;sid:84583435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720330/; classtype:trojan-activity;sid:84583430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720331/; classtype:trojan-activity;sid:84583431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720332/; classtype:trojan-activity;sid:84583432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.scr"; depth:22; endswith; 
nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720333/; classtype:trojan-activity;sid:84583433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720334/; classtype:trojan-activity;sid:84583434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720329/; classtype:trojan-activity;sid:84583429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720327/; classtype:trojan-activity;sid:84583427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720328/; classtype:trojan-activity;sid:84583428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3720042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720042/; classtype:trojan-activity;sid:84583142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720037/; classtype:trojan-activity;sid:84583137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3719973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3719973/; classtype:trojan-activity;sid:84583073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"153.35.159.3"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718862/; classtype:trojan-activity;sid:84581962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.228.74.4"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718861/; classtype:trojan-activity;sid:84581961; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.141.249.234"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718856/; classtype:trojan-activity;sid:84581956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.66.224.73"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718843/; classtype:trojan-activity;sid:84581943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.86.33.195"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3718114/; classtype:trojan-activity;sid:84581214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newwfs/support/customfont.apk"; depth:30; endswith; nocase; http.host; content:"upaicdn.xinmei365.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3717880/; classtype:trojan-activity;sid:84580980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/adan/utils/mudtime.zip"; depth:32; endswith; nocase; http.host; content:"paccbet.pages.dev"; depth:17; 
isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3717867/; classtype:trojan-activity;sid:84580967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safe/setup_smart.exe"; depth:21; endswith; nocase; http.host; content:"dl.ijinshan.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3717692/; classtype:trojan-activity;sid:84580792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.89.131.190"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_26; reference:url, urlhaus.abuse.ch/url/3717293/; classtype:trojan-activity;sid:84580393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.185.171.111"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_26; reference:url, urlhaus.abuse.ch/url/3717290/; classtype:trojan-activity;sid:84580390; rev:1;)
# NOTE(review): the host in the next rule is github.com, a shared code-hosting site. The indicator is the
# exact URI (`depth:78` + `endswith` pin one file path), so an alert identifies that download, not the
# host; do not derive a host-level block from it. Because this is an `alert http` rule it only sees
# requests parsed as cleartext HTTP. If this host is reached over HTTPS from your network (TODO confirm),
# the rule needs TLS decryption in front of the sensor to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krzysztofadamczewski/nanocore-rat/raw/refs/heads/master/nanocore_portable.exe"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_26; reference:url, urlhaus.abuse.ch/url/3716961/; classtype:trojan-activity;sid:84580061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716962)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pafh99/nanocore-rat-2/raw/refs/heads/master/nanocore_portable.exe"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_26; reference:url, urlhaus.abuse.ch/url/3716962/; classtype:trojan-activity;sid:84580062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aplikasi/stayslot168.apk"; depth:25; endswith; nocase; http.host; content:"cloudstay168.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716696/; classtype:trojan-activity;sid:84579796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2016/06/avamarconsolemultiple-windows-x86_64-7.2.1-32.exe"; depth:77; endswith; nocase; http.host; content:"avbackup.acionline.de"; depth:21; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716302/; classtype:trojan-activity;sid:84579402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clientbin/dowonline.installer.exe"; depth:34; endswith; nocase; http.host; content:"dowonline.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716299/; classtype:trojan-activity;sid:84579399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baixar/suporte%20winxp-7-8.zip"; depth:31; endswith; nocase; http.host; 
content:"compuserviceonline.com.br"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716290/; classtype:trojan-activity;sid:84579390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/application/workspace/15/15d4031688cbb71def72a06cf15d7fa1/installer_%e6%99%ba%e8%83%bd%e7%bf%bb%e8%af%91%e5%ae%98_r1.7.9.exe"; depth:125; endswith; nocase; http.host; content:"download2.huduntech.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716195/; classtype:trojan-activity;sid:84579295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37/cqsj/official/37cqsj.exe"; depth:28; endswith; nocase; http.host; content:"d.wanyouxi7.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_24; reference:url, urlhaus.abuse.ch/url/3715638/; classtype:trojan-activity;sid:84578738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nssm-2.24.zip"; depth:14; endswith; nocase; http.host; content:"localtonet.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_24; reference:url, urlhaus.abuse.ch/url/3715637/; classtype:trojan-activity;sid:84578737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dropfix"; depth:8; endswith; nocase; http.host; content:"cdn.novoline.top"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_24; reference:url, urlhaus.abuse.ch/url/3715579/; 
classtype:trojan-activity;sid:84578679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fo-wsftp605.exe"; depth:16; endswith; nocase; http.host; content:"landonirwin.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_23; reference:url, urlhaus.abuse.ch/url/3715175/; classtype:trojan-activity;sid:84578275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/linux.bin"; depth:14; endswith; nocase; http.host; content:"prepstarcenter.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_11_23; reference:url, urlhaus.abuse.ch/url/3714635/; classtype:trojan-activity;sid:84577735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k1_351.apk"; depth:11; endswith; nocase; http.host; content:"app.appzcvb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714095/; classtype:trojan-activity;sid:84577195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.lnk"; depth:12; endswith; nocase; http.host; content:"101.127.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714015/; classtype:trojan-activity;sid:84577115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; 
content:"101.127.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714014/; classtype:trojan-activity;sid:84577114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"101.127.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714012/; classtype:trojan-activity;sid:84577112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; content:"101.127.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714013/; classtype:trojan-activity;sid:84577113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3714010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.lnk"; depth:15; endswith; nocase; http.host; content:"101.127.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714010/; classtype:trojan-activity;sid:84577110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rs.ps1"; depth:7; endswith; nocase; http.host; content:"20.244.42.84"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3713958/; classtype:trojan-activity;sid:84577058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713850)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cleaner"; depth:8; endswith; nocase; http.host; content:"gutando.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3713850/; classtype:trojan-activity;sid:84576950; rev:1;)
# Rule shape used throughout this file: alert on a client->server HTTP GET on an
# established flow where the URI and the Host both equal one URLhaus entry.
#   - http.uri:  depth equals the content length and endswith is set, so the whole
#                URI buffer must equal the string (nocase applies to the URI only).
#   - http.host: depth equals the content length and isdataat:!1,relative requires
#                no byte after the match, so the whole Host value must equal the string.
# Consequence for coverage: these are exact-URL indicators. A request to the same
# host with any other path, or with a query string appended, does not alert;
# pair the ruleset with host/IP reputation if broader coverage is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.190.74.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713493/; classtype:trojan-activity;sid:84576593; rev:1;)
# NOTE(review): the next three rules pin Host to *.pages.dev names. Such sites are
# presumably reached over HTTPS (the URL scheme of the URLhaus entry is not visible
# in the rule); an `alert http` rule only sees the request in cleartext HTTP or
# where TLS is decrypted before the sensor. Confirm sensor placement before
# relying on these for detection.
# The two .ps1 URIs are PowerShell scripts: on a hit, review PowerShell
# script-block logging on the source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stage1.ps1"; depth:11; endswith; nocase; http.host; content:"fb6390d5.infinityindians.pages.dev"; depth:34; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713469/; classtype:trojan-activity;sid:84576569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amsibypass.ps1"; depth:15; endswith; nocase; http.host; content:"fb6390d5.infinityindians.pages.dev"; depth:34; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713470/; classtype:trojan-activity;sid:84576570; rev:1;)
# NOTE(review): the URI content below holds a literal "%20". http.uri is Suricata's
# normalized URI buffer (http.uri.raw is the unmodified one); if normalization
# decodes %20 to a space, this content does not equal the buffer and the rule
# never fires. Verify against a capture on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/bexitor%20installer.exe"; depth:30; endswith; nocase; http.host; content:"matthewsigmondv5.pages.dev"; depth:26; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713467/; classtype:trojan-activity;sid:84576567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"43.156.63.124"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712904/; classtype:trojan-activity;sid:84576004; rev:1;)
# The rules for host 27.125.169.235 list many file names under one /sda1/ tree,
# one rule per file. Several hits from one client against this host are best
# triaged together rather than as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.lnk"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712796/; classtype:trojan-activity;sid:84575896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712795/; classtype:trojan-activity;sid:84575895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712793/; classtype:trojan-activity;sid:84575893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712794)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sda1/rachel/video.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712794/; classtype:trojan-activity;sid:84575894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712791/; classtype:trojan-activity;sid:84575891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712792/; classtype:trojan-activity;sid:84575892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.scr"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712790/; classtype:trojan-activity;sid:84575890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712787/; classtype:trojan-activity;sid:84575887; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712788/; classtype:trojan-activity;sid:84575888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712789/; classtype:trojan-activity;sid:84575889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712785/; classtype:trojan-activity;sid:84575885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712786/; classtype:trojan-activity;sid:84575886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/gof.com.my/gz2v8w/y0qt8nphhv1v"; depth:33; endswith; nocase; http.host; content:"smartermail.host"; 
depth:16; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712393/; classtype:trojan-activity;sid:84575493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/horioninjector.exe"; depth:23; endswith; nocase; http.host; content:"horion-static.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_19; reference:url, urlhaus.abuse.ch/url/3712017/; classtype:trojan-activity;sid:84575117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bog.apk"; depth:8; endswith; nocase; http.host; content:"bombayonline.in"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_19; reference:url, urlhaus.abuse.ch/url/3711792/; classtype:trojan-activity;sid:84574892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.107.136.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711277/; classtype:trojan-activity;sid:84574377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.121.137.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711278/; classtype:trojan-activity;sid:84574378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711212)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.154.90.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711212/; classtype:trojan-activity;sid:84574312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sfyhmsqlexrtjetiqydog74.bin"; depth:28; endswith; nocase; http.host; content:"dexios.co.za"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3710993/; classtype:trojan-activity;sid:84574093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brkopsluth.emz"; depth:15; endswith; nocase; http.host; content:"dexios.co.za"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3710988/; classtype:trojan-activity;sid:84574088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auo1.exe"; depth:9; endswith; nocase; http.host; content:"a-gwo.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710498/; classtype:trojan-activity;sid:84573598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com.movseek.app_release1.0.1.apk"; depth:33; endswith; nocase; http.host; content:"libretv-16e.pages.dev"; depth:21; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710493/; 
classtype:trojan-activity;sid:84573593; rev:1;)
# NOTE(review): the file name below matches the naming of a ScreenConnect client
# installer, i.e. presumably a remote-access tool rather than a classic malware
# binary. Triage a hit as a possible unauthorised remote-management install:
# check whether the source host is expected to run such software at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi"; depth:34; endswith; nocase; http.host; content:"rheddh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710456/; classtype:trojan-activity;sid:84573556; rev:1;)
# NOTE(review): the /tmpftp/... rules for host 177.70.102.228 carry literal
# percent-escapes (%c3%a7, %c3%a3, %c3%a1, %20) in an http.uri content match.
# http.uri is Suricata's normalized URI buffer (http.uri.raw is the unmodified
# one); if normalization decodes these escapes, the exact-match content (depth
# equal to the content length plus endswith) cannot equal the buffer and the
# rules stay silent. Verify with a capture on the deployed Suricata version.
# Each rule covers exactly one dated path; the host itself is the common
# indicator across all of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-19/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710416/; classtype:trojan-activity;sid:84573516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-29/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710404/; classtype:trojan-activity;sid:84573504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710394/; classtype:trojan-activity;sid:84573494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3710388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-03/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710388/; classtype:trojan-activity;sid:84573488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-04-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710390/; classtype:trojan-activity;sid:84573490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-10-11/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710385/; classtype:trojan-activity;sid:84573485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-05-20/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710383/; classtype:trojan-activity;sid:84573483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3710380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-05-21/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710380/; classtype:trojan-activity;sid:84573480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-02-26/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710370/; classtype:trojan-activity;sid:84573470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-27/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710371/; classtype:trojan-activity;sid:84573471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-28/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710374/; classtype:trojan-activity;sid:84573474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710362)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-25/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710362/; classtype:trojan-activity;sid:84573462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-06-22/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710351/; classtype:trojan-activity;sid:84573451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2019-07-05/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710353/; classtype:trojan-activity;sid:84573453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2023-02-01/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710340/; classtype:trojan-activity;sid:84573440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710341)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-07-05/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710341/; classtype:trojan-activity;sid:84573441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-07-27/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710343/; classtype:trojan-activity;sid:84573443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-06/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710334/; classtype:trojan-activity;sid:84573434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-11/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710323/; classtype:trojan-activity;sid:84573423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710327)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-11-22/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710327/; classtype:trojan-activity;sid:84573427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-28/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710316/; classtype:trojan-activity;sid:84573416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-12-23/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710318/; classtype:trojan-activity;sid:84573418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2019-05-02/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710311/; classtype:trojan-activity;sid:84573411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710313)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-12-14/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710313/; classtype:trojan-activity;sid:84573413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2020-01-28/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710306/; classtype:trojan-activity;sid:84573406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-26/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710293/; classtype:trojan-activity;sid:84573393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-10-06/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710285/; classtype:trojan-activity;sid:84573385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710287)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-21/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710287/; classtype:trojan-activity;sid:84573387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-18/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710288/; classtype:trojan-activity;sid:84573388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-07-22/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710289/; classtype:trojan-activity;sid:84573389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2019-04-12/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710290/; classtype:trojan-activity;sid:84573390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710291)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2021-05-20/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710291/; classtype:trojan-activity;sid:84573391; rev:1;)
# NOTE(review): literal percent-escapes (%c3%a7, %20, ...) inside an http.uri
# content match. http.uri is the normalized URI buffer (http.uri.raw is the
# unmodified one); if normalization decodes the escapes, this exact-match content
# will not equal the buffer. Verify with a capture on the deployed version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-20/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710207/; classtype:trojan-activity;sid:84573384; rev:1;)
# NOTE(review): the Host below looks like a software vendor's download domain —
# presumably a shared distribution host. Check the referenced URLhaus entry
# before converting this alert into a drop/block action.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/offlinepackv4.exe"; depth:18; endswith; nocase; http.host; content:"dl.360safe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710207/; classtype:trojan-activity;sid:84573307; rev:1;)
# NOTE(review): the github.com, raw.githubusercontent.com and gitlab.com rules
# below pin Host to shared code-hosting platforms, so the URI is the only
# specific part of the indicator: never derive a host-level block from them.
# These platforms are normally reached over HTTPS, where an `alert http` rule
# sees nothing unless TLS is decrypted before the sensor; without decryption
# these rules are expected to stay silent. A TLS SNI match is not a substitute,
# because it would flag every connection to the platform.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soulclientwtf/lnk/raw/refs/heads/main/execute"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3710011/; classtype:trojan-activity;sid:84573111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soulclientwtf/lnk/refs/heads/main/execute"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3710010/; classtype:trojan-activity;sid:84573110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"153.35.159.3"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3709985/; classtype:trojan-activity;sid:84573085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/-/project/75948445/uploads/4c3e660ab51c78f49b9c10016e852287/ksv.exe"; depth:68; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3709921/; classtype:trojan-activity;sid:84573021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709309/; classtype:trojan-activity;sid:84572409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-05-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709306/; classtype:trojan-activity;sid:84572406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3709292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709292/; classtype:trojan-activity;sid:84572392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709293/; classtype:trojan-activity;sid:84572393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-03-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709294/; classtype:trojan-activity;sid:84572394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-10-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709295/; classtype:trojan-activity;sid:84572395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709296)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709296/; classtype:trojan-activity;sid:84572396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-08-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709298/; classtype:trojan-activity;sid:84572398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709299/; classtype:trojan-activity;sid:84572399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709300/; classtype:trojan-activity;sid:84572400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709301)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-05-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709301/; classtype:trojan-activity;sid:84572401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-10-20/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709302/; classtype:trojan-activity;sid:84572402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-03-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709303/; classtype:trojan-activity;sid:84572403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-05-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709304/; classtype:trojan-activity;sid:84572404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709305)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709305/; classtype:trojan-activity;sid:84572405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-08-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709288/; classtype:trojan-activity;sid:84572388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709290/; classtype:trojan-activity;sid:84572390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-26/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709291/; classtype:trojan-activity;sid:84572391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-07-05/info.zip"; depth:74; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709272/; classtype:trojan-activity;sid:84572372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709273/; classtype:trojan-activity;sid:84572373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709274/; classtype:trojan-activity;sid:84572374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-04-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709275/; classtype:trojan-activity;sid:84572375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709276/; classtype:trojan-activity;sid:84572376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2022-01-20/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709277/; classtype:trojan-activity;sid:84572377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709278/; classtype:trojan-activity;sid:84572378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-06-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709280/; classtype:trojan-activity;sid:84572380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-05-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; 
reference:url, urlhaus.abuse.ch/url/3709281/; classtype:trojan-activity;sid:84572381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709284/; classtype:trojan-activity;sid:84572384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709285/; classtype:trojan-activity;sid:84572385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709286/; classtype:trojan-activity;sid:84572386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-10-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709287/; 
classtype:trojan-activity;sid:84572387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709270/; classtype:trojan-activity;sid:84572370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2020-10-10/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709271/; classtype:trojan-activity;sid:84572371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-02-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709267/; classtype:trojan-activity;sid:84572367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-01-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709255/; classtype:trojan-activity;sid:84572355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3709256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-11-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709256/; classtype:trojan-activity;sid:84572356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-07-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709257/; classtype:trojan-activity;sid:84572357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709258/; classtype:trojan-activity;sid:84572358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-11-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709259/; classtype:trojan-activity;sid:84572359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3709261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709261/; classtype:trojan-activity;sid:84572361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-03-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709262/; classtype:trojan-activity;sid:84572362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-08-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709263/; classtype:trojan-activity;sid:84572363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-05-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709264/; classtype:trojan-activity;sid:84572364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709248)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-03/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709248/; classtype:trojan-activity;sid:84572348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-08-24/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709249/; classtype:trojan-activity;sid:84572349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709250/; classtype:trojan-activity;sid:84572350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709251/; classtype:trojan-activity;sid:84572351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709252)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-06-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709252/; classtype:trojan-activity;sid:84572352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709253/; classtype:trojan-activity;sid:84572353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-11-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709254/; classtype:trojan-activity;sid:84572354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709244/; classtype:trojan-activity;sid:84572344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709245)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709245/; classtype:trojan-activity;sid:84572345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-09-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709246/; classtype:trojan-activity;sid:84572346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-01-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709247/; classtype:trojan-activity;sid:84572347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-07-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709241/; classtype:trojan-activity;sid:84572341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-15/info.zip"; depth:74; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709242/; classtype:trojan-activity;sid:84572342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-11-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709234/; classtype:trojan-activity;sid:84572334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709235/; classtype:trojan-activity;sid:84572335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709236/; classtype:trojan-activity;sid:84572336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; 
reference:url, urlhaus.abuse.ch/url/3709237/; classtype:trojan-activity;sid:84572337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-07-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709238/; classtype:trojan-activity;sid:84572338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-01-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709228/; classtype:trojan-activity;sid:84572328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709229/; classtype:trojan-activity;sid:84572329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-07-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, 
urlhaus.abuse.ch/url/3709230/; classtype:trojan-activity;sid:84572330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709231/; classtype:trojan-activity;sid:84572331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709232/; classtype:trojan-activity;sid:84572332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-09-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709233/; classtype:trojan-activity;sid:84572333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2019-07-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709220/; classtype:trojan-activity;sid:84572320; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-03-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709221/; classtype:trojan-activity;sid:84572321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-11-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709222/; classtype:trojan-activity;sid:84572322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709223/; classtype:trojan-activity;sid:84572323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-26/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709224/; classtype:trojan-activity;sid:84572324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3709225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-03-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709225/; classtype:trojan-activity;sid:84572325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709227/; classtype:trojan-activity;sid:84572327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-03-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709218/; classtype:trojan-activity;sid:84572318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709219/; classtype:trojan-activity;sid:84572319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709217)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-06-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709217/; classtype:trojan-activity;sid:84572317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709213/; classtype:trojan-activity;sid:84572313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-01-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709214/; classtype:trojan-activity;sid:84572314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709209/; classtype:trojan-activity;sid:84572309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709210)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-07-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709210/; classtype:trojan-activity;sid:84572310; rev:1;)
# NOTE(review): the http.uri patterns in these rules contain literal
# percent-escapes (%c3%a7, %c3%a3, %20), and each depth value (74, 91) counts
# the escaped length of the pattern. Suricata documents http.uri as the
# normalized URI buffer, in which escapes such as %20 are decoded, and
# http.uri.raw as the buffer to use when the escape characters themselves must
# match. If normalization applies to these paths, the patterns below cannot
# match as written. Confirm against a test capture before relying on them;
# candidates for a local override are http.uri.raw, or decoded byte content
# such as |C3 A7| with the depth recomputed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709211/; classtype:trojan-activity;sid:84572311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2023-06-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709212/; classtype:trojan-activity;sid:84572312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-03-06/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709201/; classtype:trojan-activity;sid:84572301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709202)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709202/; classtype:trojan-activity;sid:84572302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709203/; classtype:trojan-activity;sid:84572303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2020-10-12/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709204/; classtype:trojan-activity;sid:84572304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709205/; classtype:trojan-activity;sid:84572305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709206)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-02/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709206/; classtype:trojan-activity;sid:84572306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-02-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709207/; classtype:trojan-activity;sid:84572307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-04-04/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709193/; classtype:trojan-activity;sid:84572293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709194/; classtype:trojan-activity;sid:84572294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709195)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-01/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709195/; classtype:trojan-activity;sid:84572295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-05-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709196/; classtype:trojan-activity;sid:84572296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-08-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709197/; classtype:trojan-activity;sid:84572297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709199/; classtype:trojan-activity;sid:84572299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-10-15/info.zip"; depth:58; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709200/; classtype:trojan-activity;sid:84572300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2020-07-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709192/; classtype:trojan-activity;sid:84572292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709190/; classtype:trojan-activity;sid:84572290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-11-28/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709191/; classtype:trojan-activity;sid:84572291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709186/; classtype:trojan-activity;sid:84572286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-10-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709187/; classtype:trojan-activity;sid:84572287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709188/; classtype:trojan-activity;sid:84572288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2025-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709175/; classtype:trojan-activity;sid:84572275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-05-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, 
urlhaus.abuse.ch/url/3709176/; classtype:trojan-activity;sid:84572276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709177/; classtype:trojan-activity;sid:84572277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-09-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709178/; classtype:trojan-activity;sid:84572278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709179/; classtype:trojan-activity;sid:84572279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-09-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709180/; classtype:trojan-activity;sid:84572280; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709181/; classtype:trojan-activity;sid:84572281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709182/; classtype:trojan-activity;sid:84572282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-03-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709184/; classtype:trojan-activity;sid:84572284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-08-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709185/; classtype:trojan-activity;sid:84572285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3709165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709165/; classtype:trojan-activity;sid:84572265; rev:1;)
# NOTE(review): each rule here is an exact-URL indicator match. In http.uri,
# depth equals the pattern length (49, 58, 74 or 91) and endswith anchors the
# end, so the pattern must be the entire buffer. In http.host, depth:14 plus
# isdataat:!1,relative does the same for "177.70.102.228". The rules also
# require method GET on a client-to-server flow that Suricata parses as HTTP.
# A hit therefore identifies one specific URL, but an absence of alerts says
# nothing about other requests to the same host. For scoping an incident, pair
# these rules with a retrospective search of proxy and flow logs for
# 177.70.102.228.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-07-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709166/; classtype:trojan-activity;sid:84572266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2024-01-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709167/; classtype:trojan-activity;sid:84572267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2022-01-27/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709168/; classtype:trojan-activity;sid:84572268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709169)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709169/; classtype:trojan-activity;sid:84572269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709170/; classtype:trojan-activity;sid:84572270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709171/; classtype:trojan-activity;sid:84572271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-11-15/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709172/; classtype:trojan-activity;sid:84572272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-07-02/info.zip"; depth:49; endswith; nocase; 
http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709163/; classtype:trojan-activity;sid:84572263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709161/; classtype:trojan-activity;sid:84572261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709162/; classtype:trojan-activity;sid:84572262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-07-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709158/; classtype:trojan-activity;sid:84572258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000758/2022-03-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709152/; classtype:trojan-activity;sid:84572252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-10-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709153/; classtype:trojan-activity;sid:84572253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-24/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709154/; classtype:trojan-activity;sid:84572254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709155/; classtype:trojan-activity;sid:84572255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, 
urlhaus.abuse.ch/url/3709156/; classtype:trojan-activity;sid:84572256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2023-08-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709157/; classtype:trojan-activity;sid:84572257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-05-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709143/; classtype:trojan-activity;sid:84572243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709144/; classtype:trojan-activity;sid:84572244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709145/; 
classtype:trojan-activity;sid:84572245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709147/; classtype:trojan-activity;sid:84572247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-05-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709148/; classtype:trojan-activity;sid:84572248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709149/; classtype:trojan-activity;sid:84572249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709150/; classtype:trojan-activity;sid:84572250; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-05-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709151/; classtype:trojan-activity;sid:84572251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-09-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709140/; classtype:trojan-activity;sid:84572240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709141/; classtype:trojan-activity;sid:84572241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-08-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709139/; classtype:trojan-activity;sid:84572239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3709138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-11-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709138/; classtype:trojan-activity;sid:84572238; rev:1;)
# NOTE(review): triage context for alerts from this group of rules. Every rule
# carries metadata:created_at 2025_11_15 and rev:1, while the file header
# reports a last update of 2026-04-27, so these indicators were months old when
# this copy of the feed was generated. Before escalating, check the current
# status of the entry at the URL in the rule's reference keyword. In the rules
# visible here, sid minus the URLhaus id in msg and reference is a constant
# (80863100), which presumably lets an alert be mapped back to its URLhaus
# entry by sid alone; confirm this against the feed documentation. All of
# these rules name the same host and the same file name (info.zip) under dated
# directories, so expect correlated bursts rather than independent detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-11-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709129/; classtype:trojan-activity;sid:84572229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709130/; classtype:trojan-activity;sid:84572230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709131/; classtype:trojan-activity;sid:84572231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709132)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-05-31/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709132/; classtype:trojan-activity;sid:84572232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709133/; classtype:trojan-activity;sid:84572233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-11-27/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709135/; classtype:trojan-activity;sid:84572235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709136/; classtype:trojan-activity;sid:84572236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709128)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709128/; classtype:trojan-activity;sid:84572228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-09-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709112/; classtype:trojan-activity;sid:84572212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709113/; classtype:trojan-activity;sid:84572213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-11-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709114/; classtype:trojan-activity;sid:84572214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709115)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-04-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709115/; classtype:trojan-activity;sid:84572215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709116/; classtype:trojan-activity;sid:84572216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709117/; classtype:trojan-activity;sid:84572217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-11-25/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709118/; classtype:trojan-activity;sid:84572218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709119)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709119/; classtype:trojan-activity;sid:84572219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709120/; classtype:trojan-activity;sid:84572220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-08-16/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709121/; classtype:trojan-activity;sid:84572221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709123/; classtype:trojan-activity;sid:84572223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709124)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-06-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709124/; classtype:trojan-activity;sid:84572224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-03-16/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709126/; classtype:trojan-activity;sid:84572226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709109/; classtype:trojan-activity;sid:84572209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-06-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709111/; classtype:trojan-activity;sid:84572211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709104)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709104/; classtype:trojan-activity;sid:84572204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709105/; classtype:trojan-activity;sid:84572205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-08-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709107/; classtype:trojan-activity;sid:84572207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709108/; classtype:trojan-activity;sid:84572208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-09-08/info.zip"; depth:49; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709103/; classtype:trojan-activity;sid:84572203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709096/; classtype:trojan-activity;sid:84572196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709097/; classtype:trojan-activity;sid:84572197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709098/; classtype:trojan-activity;sid:84572198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709099/; classtype:trojan-activity;sid:84572199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-07-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709100/; classtype:trojan-activity;sid:84572200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000324/2024-01-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709101/; classtype:trojan-activity;sid:84572201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709088/; classtype:trojan-activity;sid:84572188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; 
reference:url, urlhaus.abuse.ch/url/3709089/; classtype:trojan-activity;sid:84572189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-11-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709090/; classtype:trojan-activity;sid:84572190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709091/; classtype:trojan-activity;sid:84572191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709092/; classtype:trojan-activity;sid:84572192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2022-10-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709093/; 
classtype:trojan-activity;sid:84572193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709078/; classtype:trojan-activity;sid:84572178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-09-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709079/; classtype:trojan-activity;sid:84572179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-09-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709080/; classtype:trojan-activity;sid:84572180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-09-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709081/; classtype:trojan-activity;sid:84572181; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709083/; classtype:trojan-activity;sid:84572183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709084/; classtype:trojan-activity;sid:84572184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709085/; classtype:trojan-activity;sid:84572185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709086/; classtype:trojan-activity;sid:84572186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3709087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709087/; classtype:trojan-activity;sid:84572187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709075/; classtype:trojan-activity;sid:84572175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-01-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709076/; classtype:trojan-activity;sid:84572176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-05-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709077/; classtype:trojan-activity;sid:84572177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709054)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-06-24/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709054/; classtype:trojan-activity;sid:84572154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709055/; classtype:trojan-activity;sid:84572155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-09-26/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709056/; classtype:trojan-activity;sid:84572156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-06-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709057/; classtype:trojan-activity;sid:84572157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709058)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709058/; classtype:trojan-activity;sid:84572158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709059/; classtype:trojan-activity;sid:84572159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-02-20/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709060/; classtype:trojan-activity;sid:84572160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-02-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709061/; classtype:trojan-activity;sid:84572161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709062)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-07-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709062/; classtype:trojan-activity;sid:84572162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-07-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709063/; classtype:trojan-activity;sid:84572163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709064/; classtype:trojan-activity;sid:84572164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-06-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709065/; classtype:trojan-activity;sid:84572165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709066)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-11-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709066/; classtype:trojan-activity;sid:84572166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709067/; classtype:trojan-activity;sid:84572167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-03-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709068/; classtype:trojan-activity;sid:84572168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709069/; classtype:trojan-activity;sid:84572169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709070)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-07-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709070/; classtype:trojan-activity;sid:84572170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-09-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709072/; classtype:trojan-activity;sid:84572172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-11-18/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709042/; classtype:trojan-activity;sid:84572142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-09-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709043/; classtype:trojan-activity;sid:84572143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709044)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-17/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709044/; classtype:trojan-activity;sid:84572144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709045/; classtype:trojan-activity;sid:84572145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709046/; classtype:trojan-activity;sid:84572146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709047/; classtype:trojan-activity;sid:84572147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709048)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709048/; classtype:trojan-activity;sid:84572148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709049/; classtype:trojan-activity;sid:84572149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709050/; classtype:trojan-activity;sid:84572150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-03-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709051/; classtype:trojan-activity;sid:84572151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709052)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-11-06/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709052/; classtype:trojan-activity;sid:84572152; rev:1;)
# Shape shared by every rule in this section: an outbound GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose http.uri and http.host buffers must each equal one
# listed string. "depth" is set to the content length; "endswith" (URI) and
# "isdataat:!1,relative" (host) reject any trailing bytes, so a query string or a
# different path defeats the match. Only the URI content carries "nocase".
#
# NOTE(review): the URI content below keeps its escapes in literal form (%c3%a7, %20, ...),
# and depth:77 is the length of that escaped string. http.uri is Suricata's normalized URI
# buffer; http.uri.raw is the unmodified one. If the sensor's normalization decodes %XX
# sequences, this content cannot match as written. Replay a sample request against the
# sensor to confirm before relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-04-05/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709053/; classtype:trojan-activity;sid:84572153; rev:1;)
# NOTE(review): "alert http" inspects only HTTP that the sensor sees in cleartext. If this
# gitlab.com URL is fetched over HTTPS (the rule does not record the scheme), the rule can
# fire only on an initial plain-HTTP request or behind TLS decryption. Pair it with
# proxy/DNS/endpoint telemetry rather than treating silence as "not downloaded".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3708783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/-/project/76083013/uploads/32561edca48a460384d1dbaa0cf1605b/mvc3.exe"; depth:69; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3708783/; classtype:trojan-activity;sid:84571883; rev:1;)
# Two-byte URI ("/i") pinned to a bare-IP Host value: the host match carries all the
# specificity. created_at is the only age signal in the rule, so check the URLhaus
# reference when triaging a hit in case the address has changed hands since listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3708476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.143.158.122"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3708476/; classtype:trojan-activity;sid:84571576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3708402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ourzz.wav"; depth:10; endswith; nocase; http.host; content:"clubdetiroelpicarcho.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3708402/; classtype:trojan-activity;sid:84571502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3707712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com.movseek.app_release1.0.1.apk"; depth:33; endswith; nocase; http.host; content:"movseek.pages.dev"; depth:17; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3707712/; classtype:trojan-activity;sid:84570812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3707697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2019/04/pieletjf.exe"; depth:40; endswith; nocase; http.host; content:"theoremaoliveoil.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3707697/; classtype:trojan-activity;sid:84570797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3707699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2019/04/pieletjf_vm.exe"; depth:43; endswith; nocase; http.host; content:"theoremaoliveoil.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3707699/; classtype:trojan-activity;sid:84570799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704600/; classtype:trojan-activity;sid:84567700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.194.158.117"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704562/; classtype:trojan-activity;sid:84567662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haozip/haozip_v6.5.2.11245.exe"; depth:31; endswith; nocase; http.host; content:"dl.2345.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704246/; classtype:trojan-activity;sid:84567346; rev:1;)
# NOTE(review): same cleartext-only caveat as the gitlab.com rule above. A github.com
# download made over HTTPS is invisible to an "alert http" rule unless TLS is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/raw/refs/heads/main/dev.msi"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704158/; classtype:trojan-activity;sid:84567258; rev:1;)
# Host 111.59.254.165 recurs in many rules in this part of the file, each pinning one
# "/<date-like dir>/<av|photo|video>.<scr|lnk>" path. Because each URI is an exact match,
# a path on the same host that is not yet listed raises no alert from this ruleset.
# Keep a host-level control (reputation list, egress block) alongside these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url, urlhaus.abuse.ch/url/3703801/; classtype:trojan-activity;sid:84566901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url,
urlhaus.abuse.ch/url/3703764/; classtype:trojan-activity;sid:84566864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url, urlhaus.abuse.ch/url/3703731/; classtype:trojan-activity;sid:84566831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.123.19.88"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url, urlhaus.abuse.ch/url/3703349/; classtype:trojan-activity;sid:84566449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.123.19.88"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_11; reference:url, urlhaus.abuse.ch/url/3703338/; classtype:trojan-activity;sid:84566438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dersnotlari/02/sora.jpg"; depth:24; endswith; nocase; http.host; content:"www.notbak.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_11; reference:url, urlhaus.abuse.ch/url/3702746/; classtype:trojan-activity;sid:84565846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/av.scr"; depth:16; endswith; nocase; 
http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702204/; classtype:trojan-activity;sid:84565304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702202/; classtype:trojan-activity;sid:84565302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702201/; classtype:trojan-activity;sid:84565301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702199/; classtype:trojan-activity;sid:84565299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702178/; classtype:trojan-activity;sid:84565278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3702166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702166/; classtype:trojan-activity;sid:84565266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702161/; classtype:trojan-activity;sid:84565261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250416/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702156/; classtype:trojan-activity;sid:84565256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702157/; classtype:trojan-activity;sid:84565257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, 
urlhaus.abuse.ch/url/3702158/; classtype:trojan-activity;sid:84565258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702152/; classtype:trojan-activity;sid:84565252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702147/; classtype:trojan-activity;sid:84565247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702142/; classtype:trojan-activity;sid:84565242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702143/; classtype:trojan-activity;sid:84565243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702134)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/20250416/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702134/; classtype:trojan-activity;sid:84565234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702135/; classtype:trojan-activity;sid:84565235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702136/; classtype:trojan-activity;sid:84565236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702130/; classtype:trojan-activity;sid:84565230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250416/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702131/; classtype:trojan-activity;sid:84565231; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702132/; classtype:trojan-activity;sid:84565232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702127/; classtype:trojan-activity;sid:84565227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702128/; classtype:trojan-activity;sid:84565228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702122/; classtype:trojan-activity;sid:84565222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702123/; classtype:trojan-activity;sid:84565223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702121/; classtype:trojan-activity;sid:84565221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702119/; classtype:trojan-activity;sid:84565219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702115/; classtype:trojan-activity;sid:84565215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702105/; classtype:trojan-activity;sid:84565205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702102)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/20240113/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702102/; classtype:trojan-activity;sid:84565202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702103/; classtype:trojan-activity;sid:84565203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701934/; classtype:trojan-activity;sid:84565034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701924/; classtype:trojan-activity;sid:84565024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701905/; classtype:trojan-activity;sid:84565005; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701906/; classtype:trojan-activity;sid:84565006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"144.2.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_09; reference:url, urlhaus.abuse.ch/url/3701320/; classtype:trojan-activity;sid:84564420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scoto.jpb"; depth:10; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_09; reference:url, urlhaus.abuse.ch/url/3701203/; classtype:trojan-activity;sid:84564303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.249.127"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700623/; classtype:trojan-activity;sid:84563723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_11_08; reference:url, urlhaus.abuse.ch/url/3700329/; classtype:trojan-activity;sid:84563429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700276/; classtype:trojan-activity;sid:84563376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700268/; classtype:trojan-activity;sid:84563368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700199/; classtype:trojan-activity;sid:84563299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700187/; classtype:trojan-activity;sid:84563287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; 
nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700112/; classtype:trojan-activity;sid:84563212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700015/; classtype:trojan-activity;sid:84563115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699997/; classtype:trojan-activity;sid:84563097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"119.91.141.214"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699967/; classtype:trojan-activity;sid:84563067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699839/; classtype:trojan-activity;sid:84562939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699812)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699812/; classtype:trojan-activity;sid:84562912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699768/; classtype:trojan-activity;sid:84562868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tinh_cuoc_xe/2025/thanh%20ti%c3%aan/info.zip"; depth:45; endswith; nocase; http.host; content:"103.226.249.227"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699681/; classtype:trojan-activity;sid:84562781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699651/; classtype:trojan-activity;sid:84562751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699578/; 
classtype:trojan-activity;sid:84562678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699459/; classtype:trojan-activity;sid:84562559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699462/; classtype:trojan-activity;sid:84562562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699428/; classtype:trojan-activity;sid:84562528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reprofo.mso"; depth:12; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_07; reference:url, urlhaus.abuse.ch/url/3698699/; classtype:trojan-activity;sid:84561799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; 
content:"83.229.126.183"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698418/; classtype:trojan-activity;sid:84561518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"59.110.28.230"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698410/; classtype:trojan-activity;sid:84561510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.250.173"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698400/; classtype:trojan-activity;sid:84561500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.241.74.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698365/; classtype:trojan-activity;sid:84561465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698078/; classtype:trojan-activity;sid:84561178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698077)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698077/; classtype:trojan-activity;sid:84561177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698067/; classtype:trojan-activity;sid:84561167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698070/; classtype:trojan-activity;sid:84561170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698062/; classtype:trojan-activity;sid:84561162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698059/; 
classtype:trojan-activity;sid:84561159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698057/; classtype:trojan-activity;sid:84561157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698058/; classtype:trojan-activity;sid:84561158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zddtxxyxb.zip"; depth:14; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697910/; classtype:trojan-activity;sid:84561010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i24.bin"; depth:8; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697909/; classtype:trojan-activity;sid:84561009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/husk.zip"; depth:9; endswith; nocase; http.host; content:"101.35.56.7"; 
depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697908/; classtype:trojan-activity;sid:84561008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eznoted2b1405e.zip"; depth:19; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697907/; classtype:trojan-activity;sid:84561007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/without_hook.zip"; depth:17; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697906/; classtype:trojan-activity;sid:84561006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/husk.py"; depth:8; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697870/; classtype:trojan-activity;sid:84560970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697816/; classtype:trojan-activity;sid:84560916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697809)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697809/; classtype:trojan-activity;sid:84560909; rev:1;)
# Each rule below matches an outbound HTTP GET whose http.uri equals the listed
# path (depth + endswith, case-insensitive via nocase) and whose http.host equals
# the listed host (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tran.dsp"; depth:9; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697791/; classtype:trojan-activity;sid:84560891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aibkp63.bin"; depth:12; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697789/; classtype:trojan-activity;sid:84560889; rev:1;)
# NOTE(review): "|3f|" is hex notation for the single byte "?", so the pattern
# below is 46 bytes long, while depth:49 equals the length of the escaped text.
# With depth larger than the pattern, the match is pinned only to the end of the
# URI (endswith); up to 3 bytes may precede the path. The neighbouring rules are
# exact-URI matches, this one is slightly looser.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=qtuvl0pcseglafunszpre008.txt"; depth:49; endswith; nocase; http.host; content:"vcc-library.uk"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_05; reference:url, urlhaus.abuse.ch/url/3697097/; classtype:trojan-activity;sid:84560197; rev:1;)
# NOTE(review): "alert http" only inspects traffic Suricata can parse as HTTP. The
# rule does not record the scheme of the reported URL; if it was https:// (usual
# for this shared hosting domain, TODO confirm), the signature fires only where
# TLS is decrypted ahead of the sensor. The host is shared by unrelated content,
# so the full path is the indicator, not the host on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1l4m/2e771fb306028fabfc8e098427181f78/raw/37f3db6b29d64f1045fb60967d6297f525ddf443/iamthedanger.txt"; depth:101; endswith; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; 
metadata:created_at 2025_11_05; reference:url, urlhaus.abuse.ch/url/3696992/; classtype:trojan-activity;sid:84560092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/plugins/fr3.lim"; depth:24; endswith; nocase; http.host; content:"nelees.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696375/; classtype:trojan-activity;sid:84559475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696132/; classtype:trojan-activity;sid:84559232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696129/; classtype:trojan-activity;sid:84559229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696114/; classtype:trojan-activity;sid:84559214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696096)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696096/; classtype:trojan-activity;sid:84559196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"27.110.187.133"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696094/; classtype:trojan-activity;sid:84559194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696086/; classtype:trojan-activity;sid:84559186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696082/; classtype:trojan-activity;sid:84559182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696066/; classtype:trojan-activity;sid:84559166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3696043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"144.2.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696043/; classtype:trojan-activity;sid:84559143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696026/; classtype:trojan-activity;sid:84559126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696003/; classtype:trojan-activity;sid:84559103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696004/; classtype:trojan-activity;sid:84559104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695955/; 
classtype:trojan-activity;sid:84559055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695952/; classtype:trojan-activity;sid:84559052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695948/; classtype:trojan-activity;sid:84559048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695937/; classtype:trojan-activity;sid:84559037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695923/; classtype:trojan-activity;sid:84559023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.94.199.139"; 
depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695920/; classtype:trojan-activity;sid:84559020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695898/; classtype:trojan-activity;sid:84558998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695884/; classtype:trojan-activity;sid:84558984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695869/; classtype:trojan-activity;sid:84558969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695875/; classtype:trojan-activity;sid:84558975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695868)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"119.91.141.214"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695868/; classtype:trojan-activity;sid:84558968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695854/; classtype:trojan-activity;sid:84558954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695827/; classtype:trojan-activity;sid:84558927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695830/; classtype:trojan-activity;sid:84558930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.242.9"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695119/; classtype:trojan-activity;sid:84558219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3695114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.227.134"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695114/; classtype:trojan-activity;sid:84558214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.86.246.233"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695080/; classtype:trojan-activity;sid:84558180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3694767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clipaid-pro.exe"; depth:16; endswith; nocase; http.host; content:"clipaid.app"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3694767/; classtype:trojan-activity;sid:84557867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3693496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.92.110.187"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_01; reference:url, urlhaus.abuse.ch/url/3693496/; classtype:trojan-activity;sid:84556596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3691444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_30; reference:url, urlhaus.abuse.ch/url/3691444/; 
classtype:trojan-activity;sid:84554544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3689713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_28; reference:url, urlhaus.abuse.ch/url/3689713/; classtype:trojan-activity;sid:84552813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3689700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.197.62.195"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_28; reference:url, urlhaus.abuse.ch/url/3689700/; classtype:trojan-activity;sid:84552800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688692/; classtype:trojan-activity;sid:84551792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newtpp.exe"; depth:11; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688690/; classtype:trojan-activity;sid:84551790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1"; depth:2; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688658/; classtype:trojan-activity;sid:84551758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688659/; classtype:trojan-activity;sid:84551759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.247.202.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3688125/; classtype:trojan-activity;sid:84551225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y6m2uw0dgi.js"; depth:14; endswith; nocase; http.host; content:"filerit.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687916/; classtype:trojan-activity;sid:84551016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4aa9fqc792.ps1"; depth:15; endswith; nocase; http.host; content:"pub-bfc34934a91a4893817098f73415917a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687914/; classtype:trojan-activity;sid:84551014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687753)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zibll001/ffff/refs/heads/main/web.sh"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687753/; classtype:trojan-activity;sid:84550853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3685141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/var/albums/etkinlikler/toplanti/2013/soran.jpg.jpeg"; depth:52; endswith; nocase; http.host; content:"galeri3.arkitera.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_10_24; reference:url, urlhaus.abuse.ch/url/3685141/; classtype:trojan-activity;sid:84548241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/download.php"; depth:26; endswith; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684806/; classtype:trojan-activity;sid:84547906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/898xylbd/139assicc.dll"; depth:23; endswith; nocase; http.host; content:"192.140.182.25"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684360/; classtype:trojan-activity;sid:84547460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; 
reference:url, urlhaus.abuse.ch/url/3684352/; classtype:trojan-activity;sid:84547452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/video.lnk"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684353/; classtype:trojan-activity;sid:84547453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/av.lnk"; depth:16; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684354/; classtype:trojan-activity;sid:84547454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/video.scr"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684347/; classtype:trojan-activity;sid:84547447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684348/; classtype:trojan-activity;sid:84547448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/av.scr"; 
depth:16; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684349/; classtype:trojan-activity;sid:84547449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684350/; classtype:trojan-activity;sid:84547450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/photo.scr"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684351/; classtype:trojan-activity;sid:84547451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/photo.lnk"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684345/; classtype:trojan-activity;sid:84547445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.175.42.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683975/; classtype:trojan-activity;sid:84547075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3683969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.155.92.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683969/; classtype:trojan-activity;sid:84547069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"59.92.235.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683958/; classtype:trojan-activity;sid:84547058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"59.92.235.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683956/; classtype:trojan-activity;sid:84547056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmsjj"; depth:6; endswith; nocase; http.host; content:"globaltechbilling.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683665/; classtype:trojan-activity;sid:84546765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onastroll-2000f5n/5vcye/releases/download/v1.2/launcher.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683567/; 
classtype:trojan-activity;sid:84546667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=107.173.101.114|7c|26|7c|p=10000|7c|26|7c|t=tcp|7c|26|7c|a=w64|7c|26|7c|stage=true"; depth:89; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683253/; classtype:trojan-activity;sid:84546353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=107.173.101.114|7c|26|7c|p=10000|7c|26|7c|t=tcp|7c|26|7c|a=w32|7c|26|7c|stage=true"; depth:89; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683254/; classtype:trojan-activity;sid:84546354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swt"; depth:4; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683250/; classtype:trojan-activity;sid:84546350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3682316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wheatw.pfm"; depth:11; endswith; nocase; http.host; content:"tehnomag.rs"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_20; reference:url, urlhaus.abuse.ch/url/3682316/; classtype:trojan-activity;sid:84545416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3682317)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wheatw.pfm"; depth:11; endswith; nocase; http.host; content:"tehnomag.rs"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_20; reference:url, urlhaus.abuse.ch/url/3682317/; classtype:trojan-activity;sid:84545417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3681048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_18; reference:url, urlhaus.abuse.ch/url/3681048/; classtype:trojan-activity;sid:84544148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3680322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/x64-setup.exe"; depth:18; endswith; nocase; http.host; content:"tapestryoftruth.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_18; reference:url, urlhaus.abuse.ch/url/3680322/; classtype:trojan-activity;sid:84543422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prefiction.mp4"; depth:15; endswith; nocase; http.host; content:"www.sgeseducation.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_10_15; reference:url, urlhaus.abuse.ch/url/3678940/; classtype:trojan-activity;sid:84542040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"50.43.160.231"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_15; reference:url, urlhaus.abuse.ch/url/3678923/; 
classtype:trojan-activity;sid:84542023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.211.15.11"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_14; reference:url, urlhaus.abuse.ch/url/3678013/; classtype:trojan-activity;sid:84541113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3677999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"109.25.123.70"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_14; reference:url, urlhaus.abuse.ch/url/3677999/; classtype:trojan-activity;sid:84541099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3677521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/info.zip"; depth:19; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_14; reference:url, urlhaus.abuse.ch/url/3677521/; classtype:trojan-activity;sid:84540621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3669939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.140.248.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_12; reference:url, urlhaus.abuse.ch/url/3669939/; classtype:trojan-activity;sid:84533039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3669896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/build.exe"; depth:31; endswith; nocase; http.host; 
content:"serasoo.direct.quickconnect.to"; depth:30; isdataat:!1,relative; metadata:created_at 2025_10_12; reference:url, urlhaus.abuse.ch/url/3669896/; classtype:trojan-activity;sid:84532996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3668647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.24.0/xmrig-6.24.0-windows-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_11; reference:url, urlhaus.abuse.ch/url/3668647/; classtype:trojan-activity;sid:84531747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3668586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"apn-87-251-249-41.static.gprs.plus.pl"; depth:37; isdataat:!1,relative; metadata:created_at 2025_10_11; reference:url, urlhaus.abuse.ch/url/3668586/; classtype:trojan-activity;sid:84531686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/video.scr"; depth:23; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667591/; classtype:trojan-activity;sid:84530691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/av.scr"; depth:20; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667586/; 
classtype:trojan-activity;sid:84530686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667587/; classtype:trojan-activity;sid:84530687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667588/; classtype:trojan-activity;sid:84530688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/photo.scr"; depth:23; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667585/; classtype:trojan-activity;sid:84530685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667584/; classtype:trojan-activity;sid:84530684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666829)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-03-10/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3666829/; classtype:trojan-activity;sid:84529929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-09-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666133/; classtype:trojan-activity;sid:84529233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666131/; classtype:trojan-activity;sid:84529231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-10-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666130/; classtype:trojan-activity;sid:84529230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-09-20/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666129/; classtype:trojan-activity;sid:84529229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-06-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666128/; classtype:trojan-activity;sid:84529228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-11-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666127/; classtype:trojan-activity;sid:84529227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-04-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666123/; classtype:trojan-activity;sid:84529223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-11-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666124/; classtype:trojan-activity;sid:84529224; rev:1;) 
# URLhaus download-URL rules for host 177.70.102.232 (all created_at 2025_10_09).
# Each rule alerts on a client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET
# when both the URI and the Host header match:
#   - http.uri: depth equals the length of the content string and is combined
#     with endswith, so the whole buffer must equal the content; nocase makes
#     the URI comparison case-insensitive.
#   - http.host: depth:14 plus isdataat:!1,relative allows no bytes after the
#     14-character address, so the Host value must be exactly that address.
# Only the http app-layer is inspected; the same path fetched over TLS is not
# covered by these signatures.
# NOTE(review): http.uri is Suricata's normalized URI buffer. The contents below
# carry literal percent-escapes (%c3%a7%c3%a3), and depth:49 / depth:53 count
# those escaped characters. If normalization decodes the escapes to raw UTF-8
# bytes before matching, these contents would not match as written. Verify
# against a capture; if they never fire, a local copy matching on http.uri.raw
# or on |c3 a7 c3 a3| hex bytes (with depth recomputed) is the usual remedy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666125/; classtype:trojan-activity;sid:84529225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-05-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666126/; classtype:trojan-activity;sid:84529226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-04-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666121/; classtype:trojan-activity;sid:84529221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-09-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666122/; classtype:trojan-activity;sid:84529222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-09-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666120/; classtype:trojan-activity;sid:84529220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666118/; classtype:trojan-activity;sid:84529218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-01-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666119/; classtype:trojan-activity;sid:84529219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-05-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666113/; classtype:trojan-activity;sid:84529213; rev:1;)
# Different directory name (inutiliza...), hence the longer content and depth:53.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-04-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666114/; classtype:trojan-activity;sid:84529214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-11-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666116/; classtype:trojan-activity;sid:84529216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-10-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666117/; classtype:trojan-activity;sid:84529217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-05-20/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666110/; classtype:trojan-activity;sid:84529210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-11-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666111/; classtype:trojan-activity;sid:84529211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-05-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666112/; classtype:trojan-activity;sid:84529212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-07-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666105/; classtype:trojan-activity;sid:84529205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-03-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666106/; classtype:trojan-activity;sid:84529206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-01-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666107/; classtype:trojan-activity;sid:84529207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666108)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-07-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666108/; classtype:trojan-activity;sid:84529208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-09-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666109/; classtype:trojan-activity;sid:84529209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-02-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666101/; classtype:trojan-activity;sid:84529201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666102/; classtype:trojan-activity;sid:84529202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666103/; classtype:trojan-activity;sid:84529203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-12-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666104/; classtype:trojan-activity;sid:84529204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666095/; classtype:trojan-activity;sid:84529195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-02-17/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666096/; classtype:trojan-activity;sid:84529196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-09-28/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666098/; classtype:trojan-activity;sid:84529198; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-09-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666099/; classtype:trojan-activity;sid:84529199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666092/; classtype:trojan-activity;sid:84529192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-10-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666094/; classtype:trojan-activity;sid:84529194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666090/; classtype:trojan-activity;sid:84529190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666091)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666091/; classtype:trojan-activity;sid:84529191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-01-17/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666089/; classtype:trojan-activity;sid:84529189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-21/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666084/; classtype:trojan-activity;sid:84529184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666081/; classtype:trojan-activity;sid:84529181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666082/; classtype:trojan-activity;sid:84529182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-04-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666083/; classtype:trojan-activity;sid:84529183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-04-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666069/; classtype:trojan-activity;sid:84529169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-11-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666070/; classtype:trojan-activity;sid:84529170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-05-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666071/; classtype:trojan-activity;sid:84529171; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-07-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666073/; classtype:trojan-activity;sid:84529173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666075/; classtype:trojan-activity;sid:84529175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-12-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666076/; classtype:trojan-activity;sid:84529176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666080/; classtype:trojan-activity;sid:84529180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666066)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-06-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666066/; classtype:trojan-activity;sid:84529166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666065/; classtype:trojan-activity;sid:84529165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666063/; classtype:trojan-activity;sid:84529163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666062/; classtype:trojan-activity;sid:84529162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666061/; classtype:trojan-activity;sid:84529161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666060/; classtype:trojan-activity;sid:84529160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-09-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666059/; classtype:trojan-activity;sid:84529159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-03-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666058/; classtype:trojan-activity;sid:84529158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-10-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666057/; 
classtype:trojan-activity;sid:84529157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666056/; classtype:trojan-activity;sid:84529156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-05-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666053/; classtype:trojan-activity;sid:84529153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666055/; classtype:trojan-activity;sid:84529155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-07-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666048/; classtype:trojan-activity;sid:84529148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3666049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666049/; classtype:trojan-activity;sid:84529149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-02-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666050/; classtype:trojan-activity;sid:84529150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-11-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666051/; classtype:trojan-activity;sid:84529151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666052/; classtype:trojan-activity;sid:84529152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666042)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2021-01-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666042/; classtype:trojan-activity;sid:84529142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666043/; classtype:trojan-activity;sid:84529143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-09-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666044/; classtype:trojan-activity;sid:84529144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666045/; classtype:trojan-activity;sid:84529145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-17/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666046/; classtype:trojan-activity;sid:84529146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666047/; classtype:trojan-activity;sid:84529147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666038/; classtype:trojan-activity;sid:84529138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-09-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666039/; classtype:trojan-activity;sid:84529139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666041/; classtype:trojan-activity;sid:84529141; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666036/; classtype:trojan-activity;sid:84529136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666037/; classtype:trojan-activity;sid:84529137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-21/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666033/; classtype:trojan-activity;sid:84529133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-12-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666034/; classtype:trojan-activity;sid:84529134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666035)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666035/; classtype:trojan-activity;sid:84529135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-07-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666032/; classtype:trojan-activity;sid:84529132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666028/; classtype:trojan-activity;sid:84529128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-01-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666029/; classtype:trojan-activity;sid:84529129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666030/; classtype:trojan-activity;sid:84529130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-03-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666031/; classtype:trojan-activity;sid:84529131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-03-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666027/; classtype:trojan-activity;sid:84529127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666026/; classtype:trojan-activity;sid:84529126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666020/; classtype:trojan-activity;sid:84529120; rev:1;) 
# URLhaus download-URL signatures, one rule per line. The rule text is unchanged; only comments are added.
#
# Every rule below has the same shape:
#   - alert on HTTP from $HOME_NET to $EXTERNAL_NET, client side of an established flow
#   - http.method must contain "GET"
#   - http.uri: content + depth equal to the pattern length + endswith, i.e. the pattern must be
#     the whole buffer (nocase). A request for the same path with a query string or any extra
#     path segment does not match.
#   - http.host: content + depth equal to the pattern length + isdataat:!1,relative, i.e. no byte
#     may follow the pattern in the host buffer.
#   - reference points at the URLhaus entry whose id is repeated in msg.
#
# NOTE(review): several http.uri patterns below contain percent-escapes written as literal text
# ("%c3%a7%c3%a3o", "%20"). http.uri is Suricata's normalized URI buffer; if normalization decodes
# percent-escapes in this deployment, these literals would not be present in the buffer and the
# rules would not fire. Confirm against a test pcap; http.uri.raw or hex-byte content may be the
# safer match. TODO confirm with the engine version and libhtp settings in use.

# --- /tmpftp/01/<folder>/<date>/info.zip on host 177.70.102.232 ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666021/; classtype:trojan-activity;sid:84529121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666022/; classtype:trojan-activity;sid:84529122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666023/; classtype:trojan-activity;sid:84529123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666024/; classtype:trojan-activity;sid:84529124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-01-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666025/; classtype:trojan-activity;sid:84529125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-03-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666018/; classtype:trojan-activity;sid:84529118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-12-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666019/; classtype:trojan-activity;sid:84529119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666015/; classtype:trojan-activity;sid:84529115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666017/; classtype:trojan-activity;sid:84529117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666014/; classtype:trojan-activity;sid:84529114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-03-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666013/; classtype:trojan-activity;sid:84529113; rev:1;)

# --- single-segment paths (/video.scr, /av.scr) on bare-IP hosts; one rule per path/host pair ---
# These paths are short and generic, so the host condition carries the specificity of each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665807/; classtype:trojan-activity;sid:84528907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665805/; classtype:trojan-activity;sid:84528905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"120.79.192.88"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665801/; classtype:trojan-activity;sid:84528901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665802/; classtype:trojan-activity;sid:84528902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665803/; classtype:trojan-activity;sid:84528903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665799/; classtype:trojan-activity;sid:84528899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"75.144.208.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665796/; classtype:trojan-activity;sid:84528896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"75.144.208.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665788/; classtype:trojan-activity;sid:84528888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"75.144.208.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665779/; classtype:trojan-activity;sid:84528879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665767/; classtype:trojan-activity;sid:84528867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"210.91.88.90"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665760/; classtype:trojan-activity;sid:84528860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"102.53.15.17"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; 
reference:url, urlhaus.abuse.ch/url/3665747/; classtype:trojan-activity;sid:84528847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"195.103.203.106"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665742/; classtype:trojan-activity;sid:84528842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"5.26.174.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665733/; classtype:trojan-activity;sid:84528833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"126.23.203.236"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665715/; classtype:trojan-activity;sid:84528815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665712/; classtype:trojan-activity;sid:84528812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; 
content:"81.133.96.61"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665709/; classtype:trojan-activity;sid:84528809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665699/; classtype:trojan-activity;sid:84528799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"82.4.52.242"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665700/; classtype:trojan-activity;sid:84528800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"155.2.213.252"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665692/; classtype:trojan-activity;sid:84528792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"81.133.96.61"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665677/; classtype:trojan-activity;sid:84528777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665674)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"155.2.213.252"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665674/; classtype:trojan-activity;sid:84528774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"61.160.215.114"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665671/; classtype:trojan-activity;sid:84528771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665669/; classtype:trojan-activity;sid:84528769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665664/; classtype:trojan-activity;sid:84528764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665656/; classtype:trojan-activity;sid:84528756; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachment/wmsentry/info.zip"; depth:29; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665638/; classtype:trojan-activity;sid:84528738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665611/; classtype:trojan-activity;sid:84528711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665612/; classtype:trojan-activity;sid:84528712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"81.133.96.61"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665613/; classtype:trojan-activity;sid:84528713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3662908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.153"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_10_07; reference:url, urlhaus.abuse.ch/url/3662908/; classtype:trojan-activity;sid:84526008; rev:1;)
# Rule shape used by every entry below: alert on an established client-to-server
# HTTP request whose method is GET, whose http.uri equals the listed path
# (depth + endswith, compared with nocase) and whose http.host equals the listed
# value (depth + isdataat:!1,relative, i.e. nothing may follow the match).

# NOTE(review): this is an `alert http` rule keyed on http.host "github.com".
# That host is normally reached over TLS, so the http.uri/http.host buffers are
# only populated for a cleartext request or where the sensor sees decrypted
# traffic. Do not count this sid as coverage for the HTTPS download path;
# that needs proxy or endpoint telemetry. A host-only match on a shared
# platform would be far too broad to use as a substitute.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3662805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asmroyal/cd4/releases/download/cd4/cd4.exe"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_07; reference:url, urlhaus.abuse.ch/url/3662805/; classtype:trojan-activity;sid:84525905; rev:1;)
# NOTE(review): two things to confirm against the URLhaus entry for this sid.
# 1) In the http.uri pattern, |3f| is hex for "?", but |7c| is hex for the pipe
#    character itself, so the pattern decodes to
#    "/uc?export=download|26|id=..." with a literal "|26|". It looks like an
#    already-escaped "&" (hex 26) was escaped a second time by the generator.
#    If so, a request carrying "export=download&id=..." will not match.
# 2) depth:68 equals the length of the escaped pattern text; the decoded
#    pattern is 59 bytes. The URI is therefore anchored at its end (endswith)
#    but not strictly at its start, unlike the other rules in this file.
# The TLS caveat noted for github.com applies to drive.google.com as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3661435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1afutsiefohaia02gkfjdbgn-kk91hksb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_10_07; reference:url, urlhaus.abuse.ch/url/3661435/; classtype:trojan-activity;sid:84524535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660738/; classtype:trojan-activity;sid:84523838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660696/; classtype:trojan-activity;sid:84523796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3660690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660690/; classtype:trojan-activity;sid:84523790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660688/; classtype:trojan-activity;sid:84523788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660680/; classtype:trojan-activity;sid:84523780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660679/; classtype:trojan-activity;sid:84523779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, 
urlhaus.abuse.ch/url/3660677/; classtype:trojan-activity;sid:84523777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660676/; classtype:trojan-activity;sid:84523776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660675/; classtype:trojan-activity;sid:84523775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660674/; classtype:trojan-activity;sid:84523774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660672/; classtype:trojan-activity;sid:84523772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/av.scr"; 
depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660671/; classtype:trojan-activity;sid:84523771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660670/; classtype:trojan-activity;sid:84523770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660668/; classtype:trojan-activity;sid:84523768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660669/; classtype:trojan-activity;sid:84523769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660665/; classtype:trojan-activity;sid:84523765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3660666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660666/; classtype:trojan-activity;sid:84523766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660663/; classtype:trojan-activity;sid:84523763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660664/; classtype:trojan-activity;sid:84523764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660660/; classtype:trojan-activity;sid:84523760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, 
urlhaus.abuse.ch/url/3660659/; classtype:trojan-activity;sid:84523759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660657/; classtype:trojan-activity;sid:84523757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660658/; classtype:trojan-activity;sid:84523758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660655/; classtype:trojan-activity;sid:84523755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660656/; classtype:trojan-activity;sid:84523756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/video.scr"; 
depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660654/; classtype:trojan-activity;sid:84523754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660652/; classtype:trojan-activity;sid:84523752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660653/; classtype:trojan-activity;sid:84523753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660647/; classtype:trojan-activity;sid:84523747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660648/; classtype:trojan-activity;sid:84523748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3660649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660649/; classtype:trojan-activity;sid:84523749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/av.scr"; depth:20; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660644/; classtype:trojan-activity;sid:84523744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/photo.scr"; depth:23; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660642/; classtype:trojan-activity;sid:84523742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660641/; classtype:trojan-activity;sid:84523741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; 
reference:url, urlhaus.abuse.ch/url/3660640/; classtype:trojan-activity;sid:84523740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660639/; classtype:trojan-activity;sid:84523739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660638/; classtype:trojan-activity;sid:84523738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660637/; classtype:trojan-activity;sid:84523737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660636/; classtype:trojan-activity;sid:84523736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660635)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/20250722/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660635/; classtype:trojan-activity;sid:84523735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660634/; classtype:trojan-activity;sid:84523734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660633/; classtype:trojan-activity;sid:84523733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660631/; classtype:trojan-activity;sid:84523731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660630/; classtype:trojan-activity;sid:84523730; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660629/; classtype:trojan-activity;sid:84523729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660627/; classtype:trojan-activity;sid:84523727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660626/; classtype:trojan-activity;sid:84523726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660625/; classtype:trojan-activity;sid:84523725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660624/; classtype:trojan-activity;sid:84523724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660622/; classtype:trojan-activity;sid:84523722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660623/; classtype:trojan-activity;sid:84523723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660621/; classtype:trojan-activity;sid:84523721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660620/; classtype:trojan-activity;sid:84523720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660619)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/20250615/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660619/; classtype:trojan-activity;sid:84523719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660618/; classtype:trojan-activity;sid:84523718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660615/; classtype:trojan-activity;sid:84523715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660616/; classtype:trojan-activity;sid:84523716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660614/; classtype:trojan-activity;sid:84523714; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660612/; classtype:trojan-activity;sid:84523712; rev:1;)
# Generated URLhaus exact-match rules, laid out one rule per line. Each rule
# requires an established client-to-server flow, http.method "GET", an http.uri
# equal to the listed path (depth is the string length and endswith anchors the
# end; nocase ignores letter case) and an http.host equal to the listed address
# (depth is the string length; isdataat:!1,relative requires that nothing follows).
# The URLhaus entry id appears in msg and reference; each rule has its own sid.
# NOTE(review): most rules in this run pin http.host 111.59.254.165 and differ only
# in the path (an eight-digit directory plus av/photo/video with .lnk or .scr).
# Presumably one host exposing many copies; a path the feed has not listed yet will
# not alert, so consider pairing these with a host-level detection - confirm locally.
# NOTE(review): the rules inspect cleartext HTTP from $HOME_NET to $EXTERNAL_NET
# only, so coverage depends on those variables matching the monitored network.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660613/; classtype:trojan-activity;sid:84523713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660611/; classtype:trojan-activity;sid:84523711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660608/; classtype:trojan-activity;sid:84523708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660607/; classtype:trojan-activity;sid:84523707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660605/; classtype:trojan-activity;sid:84523705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660603/; classtype:trojan-activity;sid:84523703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660600/; classtype:trojan-activity;sid:84523700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660599/; classtype:trojan-activity;sid:84523699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660598/; classtype:trojan-activity;sid:84523698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660596/; classtype:trojan-activity;sid:84523696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660595/; classtype:trojan-activity;sid:84523695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660594/; classtype:trojan-activity;sid:84523694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660592/; classtype:trojan-activity;sid:84523692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660593/; classtype:trojan-activity;sid:84523693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660590/; classtype:trojan-activity;sid:84523690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660591/; classtype:trojan-activity;sid:84523691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660587/; classtype:trojan-activity;sid:84523687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660588/; classtype:trojan-activity;sid:84523688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660589/; classtype:trojan-activity;sid:84523689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660585/; classtype:trojan-activity;sid:84523685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660583/; classtype:trojan-activity;sid:84523683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660584/; classtype:trojan-activity;sid:84523684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660581/; classtype:trojan-activity;sid:84523681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660582/; classtype:trojan-activity;sid:84523682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/video.scr"; depth:23; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660579/; classtype:trojan-activity;sid:84523679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660580/; classtype:trojan-activity;sid:84523680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660577/; classtype:trojan-activity;sid:84523677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660575/; classtype:trojan-activity;sid:84523675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660576/; classtype:trojan-activity;sid:84523676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660573/; classtype:trojan-activity;sid:84523673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660574/; classtype:trojan-activity;sid:84523674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660571/; classtype:trojan-activity;sid:84523671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660569/; classtype:trojan-activity;sid:84523669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660570/; classtype:trojan-activity;sid:84523670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660568/; classtype:trojan-activity;sid:84523668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660563/; classtype:trojan-activity;sid:84523663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660564/; classtype:trojan-activity;sid:84523664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660566/; classtype:trojan-activity;sid:84523666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660559/; classtype:trojan-activity;sid:84523659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660560/; classtype:trojan-activity;sid:84523660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660561/; classtype:trojan-activity;sid:84523661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660558/; classtype:trojan-activity;sid:84523658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660552/; classtype:trojan-activity;sid:84523652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660553/; classtype:trojan-activity;sid:84523653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660554/; classtype:trojan-activity;sid:84523654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660555/; classtype:trojan-activity;sid:84523655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660556/; classtype:trojan-activity;sid:84523656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pathdata/info.zip"; depth:18; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660536/; classtype:trojan-activity;sid:84523636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxs/info.zip"; depth:13; endswith; nocase; http.host; content:"110.227.197.204"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660537/; classtype:trojan-activity;sid:84523637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/info.zip"; depth:14; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660538/; classtype:trojan-activity;sid:84523638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3660513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.231"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660513/; classtype:trojan-activity;sid:84523613; rev:1;)
# URLhaus exact-match rules, one rule per line: established client-to-server flow,
# http.method "GET", http.uri equal to the listed path (depth + endswith, nocase)
# and http.host equal to the listed address (depth + isdataat:!1,relative).
# NOTE(review): several paths in this run are very short or generic ("/i",
# "/av.scr", "/photo.scr"); the http.host pin is what makes each rule specific.
# NOTE(review): every http.host value here is a bare IP address. Addresses can be
# reassigned over time, so review alerts from older entries (see created_at) with
# that in mind - confirm how the feed retires entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.67.25.26"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660470/; classtype:trojan-activity;sid:84523570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.28.10.93"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660475/; classtype:trojan-activity;sid:84523575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660331/; classtype:trojan-activity;sid:84523431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660329/; classtype:trojan-activity;sid:84523429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660330/; classtype:trojan-activity;sid:84523430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659836/; classtype:trojan-activity;sid:84522936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"46.77.51.179"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659835/; classtype:trojan-activity;sid:84522935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659834/; classtype:trojan-activity;sid:84522934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659833/; classtype:trojan-activity;sid:84522933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"46.77.51.179"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659808/; classtype:trojan-activity;sid:84522908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"46.77.51.179"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659801/; classtype:trojan-activity;sid:84522901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"104.187.164.149"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659802/; classtype:trojan-activity;sid:84522902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"93.82.169.218"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659796/; classtype:trojan-activity;sid:84522896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659797)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"93.82.169.218"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659797/; classtype:trojan-activity;sid:84522897; rev:1;)
# URLhaus exact-match rules, one rule per line: established client-to-server flow,
# http.method "GET", http.uri equal to the listed path (depth + endswith, nocase)
# and http.host equal to the listed address (depth + isdataat:!1,relative).
# NOTE(review): the /tmpftp/ rules for http.host 177.70.102.228 carry literal
# percent-escapes (%c3%a7, %c3%a3) inside the http.uri content, and depth (74 or 58)
# is the length of that escaped text. http.uri is the normalized URI buffer; if
# normalization decodes those escapes before matching, the literal text is not in
# the buffer and these rules would never fire. Replay a capture of such a request
# to confirm; if they stay silent, matching on http.uri.raw or on the decoded bytes
# is the usual remedy. Until verified, do not count these sids as coverage.
# NOTE(review): these entries share one host and one path layout and differ in a
# 14-digit directory and a date; paths not yet listed by the feed will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659779/; classtype:trojan-activity;sid:84522879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659782/; classtype:trojan-activity;sid:84522882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659766/; classtype:trojan-activity;sid:84522866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2025-01-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658970/; classtype:trojan-activity;sid:84522070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2019-10-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658962/; classtype:trojan-activity;sid:84522062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2020-09-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658957/; classtype:trojan-activity;sid:84522057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-11-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658954/; classtype:trojan-activity;sid:84522054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-07-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658903/; classtype:trojan-activity;sid:84522003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000640/2023-11-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658778/; classtype:trojan-activity;sid:84521878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658670/; classtype:trojan-activity;sid:84521770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-03-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658610/; classtype:trojan-activity;sid:84521710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2023-03-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658568/; classtype:trojan-activity;sid:84521668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2021-07-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658555/; classtype:trojan-activity;sid:84521655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2019-11-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658470/; classtype:trojan-activity;sid:84521570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2020-12-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658437/; classtype:trojan-activity;sid:84521537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658282/; classtype:trojan-activity;sid:84521382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658247/; classtype:trojan-activity;sid:84521347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2019-12-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658173/; classtype:trojan-activity;sid:84521273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000640/2022-04-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658159/; classtype:trojan-activity;sid:84521259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2021-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658106/; classtype:trojan-activity;sid:84521206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2023-12-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658091/; classtype:trojan-activity;sid:84521191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-04-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658087/; classtype:trojan-activity;sid:84521187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-08-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658061/; classtype:trojan-activity;sid:84521161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656729/; classtype:trojan-activity;sid:84519829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656728/; classtype:trojan-activity;sid:84519828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656727/; classtype:trojan-activity;sid:84519827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656726/; classtype:trojan-activity;sid:84519826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"47.104.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656725/; classtype:trojan-activity;sid:84519825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656720/; classtype:trojan-activity;sid:84519820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656717)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656717/; classtype:trojan-activity;sid:84519817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656718/; classtype:trojan-activity;sid:84519818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656708/; classtype:trojan-activity;sid:84519808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656709/; classtype:trojan-activity;sid:84519809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656710/; classtype:trojan-activity;sid:84519810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3656707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656707/; classtype:trojan-activity;sid:84519807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656704/; classtype:trojan-activity;sid:84519804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656702/; classtype:trojan-activity;sid:84519802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656701/; classtype:trojan-activity;sid:84519801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656696/; 
classtype:trojan-activity;sid:84519796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656693/; classtype:trojan-activity;sid:84519793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656689/; classtype:trojan-activity;sid:84519789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656692/; classtype:trojan-activity;sid:84519792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656677/; classtype:trojan-activity;sid:84519777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"68.224.70.241"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656671/; classtype:trojan-activity;sid:84519771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656672/; classtype:trojan-activity;sid:84519772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656674/; classtype:trojan-activity;sid:84519774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"180.76.153.78"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656666/; classtype:trojan-activity;sid:84519766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656667/; classtype:trojan-activity;sid:84519767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656665)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656665/; classtype:trojan-activity;sid:84519765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656662/; classtype:trojan-activity;sid:84519762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656663/; classtype:trojan-activity;sid:84519763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656660/; classtype:trojan-activity;sid:84519760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656661/; classtype:trojan-activity;sid:84519761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3656658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656658/; classtype:trojan-activity;sid:84519758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656652/; classtype:trojan-activity;sid:84519752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656654/; classtype:trojan-activity;sid:84519754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656648/; classtype:trojan-activity;sid:84519748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656646/; 
classtype:trojan-activity;sid:84519746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656638/; classtype:trojan-activity;sid:84519738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656639/; classtype:trojan-activity;sid:84519739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656640/; classtype:trojan-activity;sid:84519740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656634/; classtype:trojan-activity;sid:84519734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656635/; classtype:trojan-activity;sid:84519735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"68.224.70.241"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656636/; classtype:trojan-activity;sid:84519736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656632/; classtype:trojan-activity;sid:84519732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656630/; classtype:trojan-activity;sid:84519730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656627/; classtype:trojan-activity;sid:84519727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656628)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656628/; classtype:trojan-activity;sid:84519728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656621/; classtype:trojan-activity;sid:84519721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656611/; classtype:trojan-activity;sid:84519711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656607/; classtype:trojan-activity;sid:84519707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656608/; classtype:trojan-activity;sid:84519708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3656609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656609/; classtype:trojan-activity;sid:84519709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656601/; classtype:trojan-activity;sid:84519701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656602/; classtype:trojan-activity;sid:84519702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656592/; classtype:trojan-activity;sid:84519692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656594/; 
classtype:trojan-activity;sid:84519694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656595/; classtype:trojan-activity;sid:84519695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656581/; classtype:trojan-activity;sid:84519681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656584/; classtype:trojan-activity;sid:84519684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656577/; classtype:trojan-activity;sid:84519677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.130.209.104"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656574/; classtype:trojan-activity;sid:84519674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656572/; classtype:trojan-activity;sid:84519672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656569/; classtype:trojan-activity;sid:84519669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"188.118.38.161"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656566/; classtype:trojan-activity;sid:84519666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656563/; classtype:trojan-activity;sid:84519663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656552)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656552/; classtype:trojan-activity;sid:84519652; rev:1;)
# Each rule here alerts on an established, client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose URI equals the content string (depth +
# endswith, nocase) and whose Host equals the listed IP (depth +
# isdataat:!1,relative).
# NOTE(review): several rules below match percent-escapes (%20, %c3%a7,
# %c3%a3) as literal text in http.uri, which is Suricata's normalized URI
# buffer. With default libhtp settings that buffer is percent-decoded (%20
# becomes a space), so the literal escape text and a depth counted on the
# encoded string would presumably never line up with a request for the listed
# URL; confirm against a capture. If confirmed, match the on-the-wire form in
# http.uri.raw, or keep http.uri and write the decoded bytes (a space,
# |c3 a7|, |c3 a3|) with depth recomputed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656555/; classtype:trojan-activity;sid:84519655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656503/; classtype:trojan-activity;sid:84519603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656398/; classtype:trojan-activity;sid:84519498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"45.118.32.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656154/; classtype:trojan-activity;sid:84519254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/christian%20cg17042021%20xpanel.c3prj/info.zip"; depth:47; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656140/; classtype:trojan-activity;sid:84519240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656061/; classtype:trojan-activity;sid:84519161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656060/; classtype:trojan-activity;sid:84519160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656059/; classtype:trojan-activity;sid:84519159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656056/; classtype:trojan-activity;sid:84519156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656057/; classtype:trojan-activity;sid:84519157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656054/; classtype:trojan-activity;sid:84519154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656050/; classtype:trojan-activity;sid:84519150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656047/; classtype:trojan-activity;sid:84519147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656037/; classtype:trojan-activity;sid:84519137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656038/; classtype:trojan-activity;sid:84519138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656030/; classtype:trojan-activity;sid:84519130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656021/; classtype:trojan-activity;sid:84519121; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656019/; classtype:trojan-activity;sid:84519119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656007/; classtype:trojan-activity;sid:84519107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655992/; classtype:trojan-activity;sid:84519092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655981/; classtype:trojan-activity;sid:84519081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3655977/; classtype:trojan-activity;sid:84519077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-12-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655975/; classtype:trojan-activity;sid:84519075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"185.43.45.171"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655973/; classtype:trojan-activity;sid:84519073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655969/; classtype:trojan-activity;sid:84519069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655970/; classtype:trojan-activity;sid:84519070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; 
depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655908/; classtype:trojan-activity;sid:84519008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655903/; classtype:trojan-activity;sid:84519003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655896/; classtype:trojan-activity;sid:84518996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655889/; classtype:trojan-activity;sid:84518989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655887/; classtype:trojan-activity;sid:84518987; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655881/; classtype:trojan-activity;sid:84518981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-05-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655880/; classtype:trojan-activity;sid:84518980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-06-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655867/; classtype:trojan-activity;sid:84518967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655859/; classtype:trojan-activity;sid:84518959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; 
depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655851/; classtype:trojan-activity;sid:84518951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655844/; classtype:trojan-activity;sid:84518944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655845/; classtype:trojan-activity;sid:84518945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655842/; classtype:trojan-activity;sid:84518942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3655838/; classtype:trojan-activity;sid:84518938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655839/; classtype:trojan-activity;sid:84518939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655837/; classtype:trojan-activity;sid:84518937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655834/; classtype:trojan-activity;sid:84518934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655829/; classtype:trojan-activity;sid:84518929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655806)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655806/; classtype:trojan-activity;sid:84518906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-01-31/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655803/; classtype:trojan-activity;sid:84518903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655801/; classtype:trojan-activity;sid:84518901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-06-22/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655799/; classtype:trojan-activity;sid:84518899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-14/info.zip"; depth:53; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655797/; classtype:trojan-activity;sid:84518897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655792/; classtype:trojan-activity;sid:84518892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655791/; classtype:trojan-activity;sid:84518891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-06-02/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655787/; classtype:trojan-activity;sid:84518887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655784/; classtype:trojan-activity;sid:84518884; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655782/; classtype:trojan-activity;sid:84518882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655783/; classtype:trojan-activity;sid:84518883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655781/; classtype:trojan-activity;sid:84518881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655775/; classtype:trojan-activity;sid:84518875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655774)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655774/; classtype:trojan-activity;sid:84518874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655768/; classtype:trojan-activity;sid:84518868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655766/; classtype:trojan-activity;sid:84518866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655763/; classtype:trojan-activity;sid:84518863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655761/; classtype:trojan-activity;sid:84518861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655757/; classtype:trojan-activity;sid:84518857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655754/; classtype:trojan-activity;sid:84518854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655753/; classtype:trojan-activity;sid:84518853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655751/; classtype:trojan-activity;sid:84518851; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655748/; classtype:trojan-activity;sid:84518848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-06-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655743/; classtype:trojan-activity;sid:84518843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655745/; classtype:trojan-activity;sid:84518845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655731/; classtype:trojan-activity;sid:84518831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655730/; classtype:trojan-activity;sid:84518830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655718/; classtype:trojan-activity;sid:84518818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655717/; classtype:trojan-activity;sid:84518817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655714/; classtype:trojan-activity;sid:84518814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-12-01/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655712/; classtype:trojan-activity;sid:84518812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3655699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655699/; classtype:trojan-activity;sid:84518799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655701/; classtype:trojan-activity;sid:84518801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655703/; classtype:trojan-activity;sid:84518803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655697/; classtype:trojan-activity;sid:84518797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655662/; classtype:trojan-activity;sid:84518762; 
rev:1;)
# One rule per line. Each rule below fires on an established client-side HTTP GET from
# $HOME_NET to $EXTERNAL_NET where the URI is exactly the listed path (content + depth +
# endswith, nocase) and the Host is exactly the listed IP literal (content + depth +
# isdataat:!1,relative).
# NOTE(review): http.uri is the normalized URI buffer. The paths written with percent
# escapes (%20, %c3%a7%c3%a3) may not match there because normalization decodes such
# sequences; confirm with Suricata's rule analysis and test these against http.uri.raw.
# NOTE(review): exact-match indicators only: a request with a query string appended, a
# hostname in the Host header, or TLS transport is not covered by these rules.
# Triage: every rule carries created_at 2025_10_04 and an IP-literal host; check the
# referenced URLhaus entry before treating a hit as a live infection source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655665/; classtype:trojan-activity;sid:84518765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655654/; classtype:trojan-activity;sid:84518754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655649/; classtype:trojan-activity;sid:84518749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655646/; classtype:trojan-activity;sid:84518746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655631/; classtype:trojan-activity;sid:84518731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655596/; classtype:trojan-activity;sid:84518696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655593/; classtype:trojan-activity;sid:84518693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655594/; classtype:trojan-activity;sid:84518694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655590/; classtype:trojan-activity;sid:84518690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-29/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655586/; classtype:trojan-activity;sid:84518686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655572/; classtype:trojan-activity;sid:84518672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655562/; classtype:trojan-activity;sid:84518662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655556/; classtype:trojan-activity;sid:84518656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655557/; classtype:trojan-activity;sid:84518657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655559/; classtype:trojan-activity;sid:84518659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655553/; classtype:trojan-activity;sid:84518653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655535/; classtype:trojan-activity;sid:84518635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-10-22/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655510/; classtype:trojan-activity;sid:84518610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655507/; classtype:trojan-activity;sid:84518607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-08-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655503/; classtype:trojan-activity;sid:84518603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655501/; classtype:trojan-activity;sid:84518601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655495/; classtype:trojan-activity;sid:84518595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655493/; classtype:trojan-activity;sid:84518593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655490/; classtype:trojan-activity;sid:84518590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655479/; classtype:trojan-activity;sid:84518579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655476/; classtype:trojan-activity;sid:84518576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655474/; classtype:trojan-activity;sid:84518574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655471/; classtype:trojan-activity;sid:84518571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"172.251.160.252"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655468/; classtype:trojan-activity;sid:84518568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655469/; classtype:trojan-activity;sid:84518569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655466/; classtype:trojan-activity;sid:84518566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655462/; classtype:trojan-activity;sid:84518562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655461/; classtype:trojan-activity;sid:84518561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655458/; classtype:trojan-activity;sid:84518558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655453/; classtype:trojan-activity;sid:84518553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655447/; classtype:trojan-activity;sid:84518547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655440/; classtype:trojan-activity;sid:84518540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-24/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655442/; classtype:trojan-activity;sid:84518542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655430/; classtype:trojan-activity;sid:84518530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655436/; classtype:trojan-activity;sid:84518536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655421/; classtype:trojan-activity;sid:84518521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655420/; classtype:trojan-activity;sid:84518520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-07/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655413/; classtype:trojan-activity;sid:84518513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655411/; classtype:trojan-activity;sid:84518511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655408/; classtype:trojan-activity;sid:84518508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655403/; classtype:trojan-activity;sid:84518503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655398/; classtype:trojan-activity;sid:84518498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655387/; classtype:trojan-activity;sid:84518487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655383/; classtype:trojan-activity;sid:84518483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655379/; classtype:trojan-activity;sid:84518479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655378/; classtype:trojan-activity;sid:84518478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655373/; classtype:trojan-activity;sid:84518473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655368/; classtype:trojan-activity;sid:84518468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655362/; classtype:trojan-activity;sid:84518462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655353/; classtype:trojan-activity;sid:84518453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655348/; classtype:trojan-activity;sid:84518448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-02-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655345/; classtype:trojan-activity;sid:84518445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655343/; classtype:trojan-activity;sid:84518443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655339/; classtype:trojan-activity;sid:84518439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655335/; classtype:trojan-activity;sid:84518435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-11-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655330/; classtype:trojan-activity;sid:84518430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655331/; classtype:trojan-activity;sid:84518431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655329/; classtype:trojan-activity;sid:84518429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655322/; classtype:trojan-activity;sid:84518422; rev:1;)
# URLhaus download-URL rules, laid out one per line. Every rule matches an established,
# client-originated HTTP GET whose whole URI equals the listed path (depth + endswith,
# nocase) and whose Host buffer equals the listed IP literal (depth + isdataat:!1,relative).
# NOTE(review): several paths are written percent-encoded (%20, %c3%a7, %c3%a3) under
# http.uri, which is the normalized buffer; such content may never match once the engine
# decodes the request path. Verify with rule analysis or a replayed request, and compare
# with http.uri.raw before relying on these signatures.
# Triage: many rules share the host 177.70.102.228 under /tmpftp/; when investigating a
# hit, group alerts by destination host as well as by sid. All rules carry
# created_at 2025_10_04, so confirm the indicator against its URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655323/; classtype:trojan-activity;sid:84518423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655321/; classtype:trojan-activity;sid:84518421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655317/; classtype:trojan-activity;sid:84518417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655314/; classtype:trojan-activity;sid:84518414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655311/; classtype:trojan-activity;sid:84518411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655309/; classtype:trojan-activity;sid:84518409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655306/; classtype:trojan-activity;sid:84518406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655302/; classtype:trojan-activity;sid:84518402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655300/; classtype:trojan-activity;sid:84518400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655295/; classtype:trojan-activity;sid:84518395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655293/; classtype:trojan-activity;sid:84518393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655291/; classtype:trojan-activity;sid:84518391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655286/; classtype:trojan-activity;sid:84518386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655280/; classtype:trojan-activity;sid:84518380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655279/; classtype:trojan-activity;sid:84518379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-02-28/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655274/; classtype:trojan-activity;sid:84518374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655275/; classtype:trojan-activity;sid:84518375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655276/; classtype:trojan-activity;sid:84518376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655272/; classtype:trojan-activity;sid:84518372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655267/; classtype:trojan-activity;sid:84518367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655259/; classtype:trojan-activity;sid:84518359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655257/; classtype:trojan-activity;sid:84518357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655253/; classtype:trojan-activity;sid:84518353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655244/; classtype:trojan-activity;sid:84518344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655245/; classtype:trojan-activity;sid:84518345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655230/; classtype:trojan-activity;sid:84518330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655228/; classtype:trojan-activity;sid:84518328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655222/; classtype:trojan-activity;sid:84518322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655220/; classtype:trojan-activity;sid:84518320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655213/; classtype:trojan-activity;sid:84518313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655207/; classtype:trojan-activity;sid:84518307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655203/; classtype:trojan-activity;sid:84518303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655200/; classtype:trojan-activity;sid:84518300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655198/; classtype:trojan-activity;sid:84518298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655191/; classtype:trojan-activity;sid:84518291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655187/; classtype:trojan-activity;sid:84518287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3655179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655179/; classtype:trojan-activity;sid:84518279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655169/; classtype:trojan-activity;sid:84518269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"185.8.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655163/; classtype:trojan-activity;sid:84518263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655160/; classtype:trojan-activity;sid:84518260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3655143/; classtype:trojan-activity;sid:84518243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655126/; classtype:trojan-activity;sid:84518226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655116/; classtype:trojan-activity;sid:84518216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655115/; classtype:trojan-activity;sid:84518215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655109/; classtype:trojan-activity;sid:84518209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655099)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655099/; classtype:trojan-activity;sid:84518199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655093/; classtype:trojan-activity;sid:84518193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"88.28.218.163"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655094/; classtype:trojan-activity;sid:84518194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655089/; classtype:trojan-activity;sid:84518189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655090/; classtype:trojan-activity;sid:84518190; rev:1;) 
# How to read the URLhaus download rules shown here (they all share one template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client and
#     http.method "GET": only outbound GET requests that Suricata parses as HTTP are inspected.
#     A fetch of the same URL over TLS is not covered unless traffic is decrypted upstream.
#   - http.uri content with depth equal to the string length, plus endswith: the whole URI
#     buffer must equal the listed path (nocase makes the comparison case-insensitive), so a
#     request with an appended query string or extra path segment does not match.
#   - http.host content with depth equal to its length, plus isdataat:!1,relative: nothing may
#     follow the match, so the host value must be exactly the listed IP literal.
# NOTE(review): http.uri is Suricata's normalized URI buffer. Other rules in this feed carry
# percent-escapes in the content (e.g. "%20" and "%c3%a7" in the /tmpftp/ paths); confirm on the
# deployed Suricata configuration that they match as written, or whether http.uri.raw is needed.
# Triage: generic paths such as /info.zip or /video.lnk only mean something together with the
# host match. The reference: URL leads to the URLhaus entry for the alert, and
# metadata:created_at gives the entry's age - a listed host may since have been cleaned or reassigned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655088/; classtype:trojan-activity;sid:84518188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2025-01-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655085/; classtype:trojan-activity;sid:84518185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655084/; classtype:trojan-activity;sid:84518184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655081/; classtype:trojan-activity;sid:84518181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.165.240.3"; 
depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655077/; classtype:trojan-activity;sid:84518177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655073/; classtype:trojan-activity;sid:84518173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655072/; classtype:trojan-activity;sid:84518172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655070/; classtype:trojan-activity;sid:84518170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655065/; classtype:trojan-activity;sid:84518165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3655064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655064/; classtype:trojan-activity;sid:84518164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655061/; classtype:trojan-activity;sid:84518161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655057/; classtype:trojan-activity;sid:84518157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655054/; classtype:trojan-activity;sid:84518154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3655052/; classtype:trojan-activity;sid:84518152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655049/; classtype:trojan-activity;sid:84518149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655046/; classtype:trojan-activity;sid:84518146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655045/; classtype:trojan-activity;sid:84518145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655044/; classtype:trojan-activity;sid:84518144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655037)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655037/; classtype:trojan-activity;sid:84518137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655038/; classtype:trojan-activity;sid:84518138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655034/; classtype:trojan-activity;sid:84518134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655028/; classtype:trojan-activity;sid:84518128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3655025/; classtype:trojan-activity;sid:84518125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655021/; classtype:trojan-activity;sid:84518121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655016/; classtype:trojan-activity;sid:84518116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655010/; classtype:trojan-activity;sid:84518110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655008/; classtype:trojan-activity;sid:84518108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; 
content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655005/; classtype:trojan-activity;sid:84518105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655004/; classtype:trojan-activity;sid:84518104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655001/; classtype:trojan-activity;sid:84518101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654999/; classtype:trojan-activity;sid:84518099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654994/; classtype:trojan-activity;sid:84518094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654992)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-01-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654992/; classtype:trojan-activity;sid:84518092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654991/; classtype:trojan-activity;sid:84518091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654985/; classtype:trojan-activity;sid:84518085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654981/; classtype:trojan-activity;sid:84518081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3654982/; classtype:trojan-activity;sid:84518082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654971/; classtype:trojan-activity;sid:84518071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654970/; classtype:trojan-activity;sid:84518070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654967/; classtype:trojan-activity;sid:84518067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654966/; classtype:trojan-activity;sid:84518066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; 
depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654962/; classtype:trojan-activity;sid:84518062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654957/; classtype:trojan-activity;sid:84518057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654953/; classtype:trojan-activity;sid:84518053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654946/; classtype:trojan-activity;sid:84518046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654942/; classtype:trojan-activity;sid:84518042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
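(3654940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta|20|de|20|corre|c3 a7 c3 a3|o/2020-07-13/info.zip"; depth:50; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654940/; classtype:trojan-activity;sid:84518040; rev:1;)
# Review note (applies to sid 84518040 above and to sids 84518027 and 84518021 below):
# http.uri is Suricata's normalized URI buffer. With the default HTTP parser settings,
# percent-escapes such as %20 and %c3%a7 are already decoded there, so a content that
# spells the escapes out literally is not expected to match (http.uri.raw is the
# undecoded buffer). These three rules therefore match the decoded bytes instead:
# |20| for the space and |c3 a7 c3 a3| for the UTF-8 sequence the escapes encode.
# depth is set to the decoded length (50 and 77 instead of 62 and 87) so that
# depth + endswith still pins the whole path. sid and rev are left as the feed
# issued them. Other rules in this ruleset that carry percent-escapes inside an
# http.uri content have the same gap; the durable fix belongs in the rule generator.
# Rules are written one per line here; the first and last lines of this span are the
# tail and the head of rules that continue on the neighbouring lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654936/; classtype:trojan-activity;sid:84518036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"68.148.10.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654935/; classtype:trojan-activity;sid:84518035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654928/; classtype:trojan-activity;sid:84518028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta|20|de|20|corre|c3 a7 c3 a3|o/2020-10-08/info.zip"; depth:50; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654927/; classtype:trojan-activity;sid:84518027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654922/; classtype:trojan-activity;sid:84518022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654923/; classtype:trojan-activity;sid:84518023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui|c3 a7 c3 a3|o/02589791000405/consulta|20|geral/2025-01-26/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654921/; classtype:trojan-activity;sid:84518021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654902/; classtype:trojan-activity;sid:84518002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654904)"; 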
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654904/; classtype:trojan-activity;sid:84518004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654898/; classtype:trojan-activity;sid:84517998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654894/; classtype:trojan-activity;sid:84517994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654892/; classtype:trojan-activity;sid:84517992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3654882/; classtype:trojan-activity;sid:84517982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654880/; classtype:trojan-activity;sid:84517980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654874/; classtype:trojan-activity;sid:84517974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654859/; classtype:trojan-activity;sid:84517959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654860/; classtype:trojan-activity;sid:84517960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654857)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654857/; classtype:trojan-activity;sid:84517957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654853/; classtype:trojan-activity;sid:84517953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654850/; classtype:trojan-activity;sid:84517950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654848/; classtype:trojan-activity;sid:84517948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654829/; classtype:trojan-activity;sid:84517929; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654826/; classtype:trojan-activity;sid:84517926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654814/; classtype:trojan-activity;sid:84517914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654811/; classtype:trojan-activity;sid:84517911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654806/; classtype:trojan-activity;sid:84517906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-12/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654804/; classtype:trojan-activity;sid:84517904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654803/; classtype:trojan-activity;sid:84517903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654799/; classtype:trojan-activity;sid:84517899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654796/; classtype:trojan-activity;sid:84517896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654793/; classtype:trojan-activity;sid:84517893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3654788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654788/; classtype:trojan-activity;sid:84517888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654781/; classtype:trojan-activity;sid:84517881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654769/; classtype:trojan-activity;sid:84517869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-06-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654762/; classtype:trojan-activity;sid:84517862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654758/; classtype:trojan-activity;sid:84517858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654748/; classtype:trojan-activity;sid:84517848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654747/; classtype:trojan-activity;sid:84517847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654746/; classtype:trojan-activity;sid:84517846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654740/; classtype:trojan-activity;sid:84517840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654735)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654735/; classtype:trojan-activity;sid:84517835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654732/; classtype:trojan-activity;sid:84517832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-02-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654729/; classtype:trojan-activity;sid:84517829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654727/; classtype:trojan-activity;sid:84517827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-09-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654726/; classtype:trojan-activity;sid:84517826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654721/; classtype:trojan-activity;sid:84517821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654719/; classtype:trojan-activity;sid:84517819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654714/; classtype:trojan-activity;sid:84517814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654709/; classtype:trojan-activity;sid:84517809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654708)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654708/; classtype:trojan-activity;sid:84517808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654694/; classtype:trojan-activity;sid:84517794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654695/; classtype:trojan-activity;sid:84517795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654687/; classtype:trojan-activity;sid:84517787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654682/; classtype:trojan-activity;sid:84517782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654677/; classtype:trojan-activity;sid:84517777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654678/; classtype:trojan-activity;sid:84517778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654673/; classtype:trojan-activity;sid:84517773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654674/; 
classtype:trojan-activity;sid:84517774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654672/; classtype:trojan-activity;sid:84517772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654668/; classtype:trojan-activity;sid:84517768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654665/; classtype:trojan-activity;sid:84517765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654661/; classtype:trojan-activity;sid:84517761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654659)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654659/; classtype:trojan-activity;sid:84517759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654657/; classtype:trojan-activity;sid:84517757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654655/; classtype:trojan-activity;sid:84517755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654654/; classtype:trojan-activity;sid:84517754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654651/; classtype:trojan-activity;sid:84517751; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654647/; classtype:trojan-activity;sid:84517747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654643/; classtype:trojan-activity;sid:84517743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654641/; classtype:trojan-activity;sid:84517741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654634/; classtype:trojan-activity;sid:84517734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-21/info.zip"; depth:49; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654630/; classtype:trojan-activity;sid:84517730; rev:1;)
# The rules below share one template: alert on an outbound ($HOME_NET -> $EXTERNAL_NET) HTTP GET
# whose http.uri equals the listed path (depth:N equals the pattern length, endswith anchors the
# end) and whose http.host equals the listed IP (depth:N plus isdataat:!1,relative).
# The number in msg and in the reference URL is the URLhaus entry id; sid is that id + 80863100.
# NOTE(review): http.uri is the normalized URI buffer. The /tmpftp/ct-e/... patterns (entries
# 3654622, 3654610, 3654585, 3654575, 3654546) carry literal percent-escapes (%c3%a7, %c3%a3, %20)
# and their depth:87 counts the escaped form, so if the engine decodes the URI before matching
# these rules would not fire. Confirm with a test pcap; a local variant on http.uri.raw, or on the
# decoded bytes with a shorter depth, would close that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654625/; classtype:trojan-activity;sid:84517725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654622/; classtype:trojan-activity;sid:84517722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.56.227.40"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654620/; classtype:trojan-activity;sid:84517720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654610/; classtype:trojan-activity;sid:84517710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654608/; classtype:trojan-activity;sid:84517708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654600/; classtype:trojan-activity;sid:84517700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654589/; classtype:trojan-activity;sid:84517689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654585/; classtype:trojan-activity;sid:84517685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654575/; classtype:trojan-activity;sid:84517675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654555/; classtype:trojan-activity;sid:84517655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654546/; classtype:trojan-activity;sid:84517646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654541/; classtype:trojan-activity;sid:84517641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at
2025_10_04; reference:url, urlhaus.abuse.ch/url/3654542/; classtype:trojan-activity;sid:84517642; rev:1;)
# Exact-match download indicators, one rule per URLhaus entry (entry id in msg and reference).
# The same few file names (info.zip, photo.scr, photo.lnk, video.lnk, av.scr) recur across many
# host IPs here, so alerts from different sids may belong to one activity cluster - presumably;
# confirm on the referenced URLhaus entries before correlating.
# NOTE(review): entries 3654526 and 3654507 match literal percent-escapes (%c3%a7, %c3%a3, %20)
# against http.uri, the normalized URI buffer; if the engine decodes the URI first these two will
# not fire. Verify with a test request and consider a local http.uri.raw variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654537/; classtype:trojan-activity;sid:84517637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654533/; classtype:trojan-activity;sid:84517633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654531/; classtype:trojan-activity;sid:84517631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654526/; classtype:trojan-activity;sid:84517626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-11-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654522/; classtype:trojan-activity;sid:84517622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654513/; classtype:trojan-activity;sid:84517613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-15/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654514/; classtype:trojan-activity;sid:84517614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654509/; classtype:trojan-activity;sid:84517609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654508/; classtype:trojan-activity;sid:84517608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654507/; classtype:trojan-activity;sid:84517607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654504/; classtype:trojan-activity;sid:84517604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654499/; classtype:trojan-activity;sid:84517599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654501/; classtype:trojan-activity;sid:84517601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654498)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654498/; classtype:trojan-activity;sid:84517598; rev:1;)
# Each rule pins http.host to a bare IP: depth equals the pattern length and isdataat:!1,relative
# requires that nothing follows it in the buffer.
# NOTE(review): whether a Host header that also names a port still matches depends on how the
# engine normalizes http.host - TODO confirm on the deployed Suricata version.
# NOTE(review): entries 3654428 and 3654391 match literal percent-escapes (%c3%a7, %c3%a3, %20)
# against http.uri, the normalized URI buffer; if the URI is decoded before matching they will not
# fire. Verify, and consider a local http.uri.raw variant for these two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654495/; classtype:trojan-activity;sid:84517595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654491/; classtype:trojan-activity;sid:84517591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654478/; classtype:trojan-activity;sid:84517578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654477/; classtype:trojan-activity;sid:84517577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654474/; classtype:trojan-activity;sid:84517574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654451/; classtype:trojan-activity;sid:84517551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654447/; classtype:trojan-activity;sid:84517547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654445/; classtype:trojan-activity;sid:84517545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654428/; classtype:trojan-activity;sid:84517528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654392/; classtype:trojan-activity;sid:84517492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654390/; classtype:trojan-activity;sid:84517490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654391/; classtype:trojan-activity;sid:84517491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654385/; classtype:trojan-activity;sid:84517485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3654380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"75.42.36.186"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654380/; classtype:trojan-activity;sid:84517480; rev:1;)
# Whole-URI indicators: depth equals the path length and endswith anchors the end of http.uri, so
# a rule only covers the exact URI that URLhaus recorded for the entry named in msg/reference.
# NOTE(review): entries 3654372, 3654336 and 3654331 match literal percent-escapes (%20, %c3%a7,
# %c3%a3) against http.uri, the normalized URI buffer, and their depth values (62 and 87) count
# the escaped form; if the URI is decoded before matching these will not fire. Verify with a test
# request and consider a local http.uri.raw variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654378/; classtype:trojan-activity;sid:84517478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-06-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654372/; classtype:trojan-activity;sid:84517472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654356/; classtype:trojan-activity;sid:84517456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654347/; classtype:trojan-activity;sid:84517447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654342/; classtype:trojan-activity;sid:84517442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654339/; classtype:trojan-activity;sid:84517439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654336/; classtype:trojan-activity;sid:84517436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654337/; classtype:trojan-activity;sid:84517437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654334/; classtype:trojan-activity;sid:84517434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654333/; classtype:trojan-activity;sid:84517433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654331/; classtype:trojan-activity;sid:84517431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654326/; classtype:trojan-activity;sid:84517426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654321/;
classtype:trojan-activity;sid:84517421; rev:1;)
# In every rule here sid is the URLhaus entry id from msg/reference plus 80863100, so an alert's
# sid can be mapped back to its URLhaus entry without parsing the msg text.
# NOTE(review): entries 3654308, 3654292 and 3654283 match literal percent-escapes (%c3%a7,
# %c3%a3, %20) against http.uri, the normalized URI buffer; if the URI is decoded before matching
# these will not fire. Verify with a test request and consider a local http.uri.raw variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654320/; classtype:trojan-activity;sid:84517420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654318/; classtype:trojan-activity;sid:84517418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654312/; classtype:trojan-activity;sid:84517412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654308/; classtype:trojan-activity;sid:84517408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654303/; classtype:trojan-activity;sid:84517403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654299/; classtype:trojan-activity;sid:84517399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654292/; classtype:trojan-activity;sid:84517392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654288/; classtype:trojan-activity;sid:84517388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654289/; classtype:trojan-activity;sid:84517389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654285/; classtype:trojan-activity;sid:84517385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654283/; classtype:trojan-activity;sid:84517383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654276/; classtype:trojan-activity;sid:84517376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654273/; classtype:trojan-activity;sid:84517373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654270)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654270/; classtype:trojan-activity;sid:84517370; rev:1;)
# Every /tmpftp/ rule in this group names the same host, 177.70.102.228, with a different dated
# path per URLhaus entry; expect several sids to describe one server when triaging.
# NOTE(review): entries 3654239, 3654233 and 3654216 (and the rule fragment directly above) match
# literal percent-escapes (%c3%a7, %c3%a3, %20) against http.uri, the normalized URI buffer, with
# depth counted on the escaped form; if the URI is decoded before matching these will not fire.
# Verify with a test request and consider a local http.uri.raw variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654268/; classtype:trojan-activity;sid:84517368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654266/; classtype:trojan-activity;sid:84517366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654259/; classtype:trojan-activity;sid:84517359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654258/; classtype:trojan-activity;sid:84517358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654253/; classtype:trojan-activity;sid:84517353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654247/; classtype:trojan-activity;sid:84517347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654239/; classtype:trojan-activity;sid:84517339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654234/; classtype:trojan-activity;sid:84517334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654233/; classtype:trojan-activity;sid:84517333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-04-07/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654216/; classtype:trojan-activity;sid:84517316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654208/; classtype:trojan-activity;sid:84517308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654205/; classtype:trojan-activity;sid:84517305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url,
urlhaus.abuse.ch/url/3654203/; classtype:trojan-activity;sid:84517303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654204/; classtype:trojan-activity;sid:84517304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654197/; classtype:trojan-activity;sid:84517297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654195/; classtype:trojan-activity;sid:84517295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654192/; classtype:trojan-activity;sid:84517292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; 
content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654193/; classtype:trojan-activity;sid:84517293; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative). A request that appends a query string, or
# that names the server by hostname instead of this IP, does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-10-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654187/; classtype:trojan-activity;sid:84517287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654173/; classtype:trojan-activity;sid:84517273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654177/; classtype:trojan-activity;sid:84517277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-06-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654163/; classtype:trojan-activity;sid:84517263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3654161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654161/; classtype:trojan-activity;sid:84517261; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517225 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654149/; classtype:trojan-activity;sid:84517249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654125/; classtype:trojan-activity;sid:84517225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654122/; classtype:trojan-activity;sid:84517222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654123/; classtype:trojan-activity;sid:84517223; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517219 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654119/; classtype:trojan-activity;sid:84517219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654117/; classtype:trojan-activity;sid:84517217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654113/; classtype:trojan-activity;sid:84517213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654108/; classtype:trojan-activity;sid:84517208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654098)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654098/; classtype:trojan-activity;sid:84517198; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517188 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654088/; classtype:trojan-activity;sid:84517188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.165.240.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654078/; classtype:trojan-activity;sid:84517178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654077/; classtype:trojan-activity;sid:84517177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3654076/; classtype:trojan-activity;sid:84517176; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative). A request that appends a query string, or
# that names the server by hostname instead of this IP, does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654074/; classtype:trojan-activity;sid:84517174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"77.211.28.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654072/; classtype:trojan-activity;sid:84517172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654065/; classtype:trojan-activity;sid:84517165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654054/; classtype:trojan-activity;sid:84517154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; 
content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654044/; classtype:trojan-activity;sid:84517144; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517134 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654038/; classtype:trojan-activity;sid:84517138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654034/; classtype:trojan-activity;sid:84517134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654033/; classtype:trojan-activity;sid:84517133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654026/; classtype:trojan-activity;sid:84517126; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654025/; classtype:trojan-activity;sid:84517125; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517125 (the rule ending on the line above) and SID 84517123 put literal %xx escapes
# in an http.uri content. Suricata documents http.uri as the normalized (percent-decoded) buffer and
# http.uri.raw as the one that keeps escapes, so these may never fire as written - confirm with a pcap replay.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654024/; classtype:trojan-activity;sid:84517124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654023/; classtype:trojan-activity;sid:84517123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654022/; classtype:trojan-activity;sid:84517122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654019)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654019/; classtype:trojan-activity;sid:84517119; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517117 and the rule for URLhaus entry 3654005 (last line of this span) put literal
# %xx escapes in an http.uri content. Suricata documents http.uri as the normalized (percent-decoded) buffer
# and http.uri.raw as the one that keeps escapes, so these may never fire as written - confirm with a pcap replay.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654018/; classtype:trojan-activity;sid:84517118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654017/; classtype:trojan-activity;sid:84517117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654009/; classtype:trojan-activity;sid:84517109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-17/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654005/; 
classtype:trojan-activity;sid:84517105; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SIDs 84517103 and 84517092 put literal %xx escapes in an http.uri content. Suricata
# documents http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps
# escapes, so these may never fire as written - confirm with a pcap replay before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654003/; classtype:trojan-activity;sid:84517103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654000/; classtype:trojan-activity;sid:84517100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653997/; classtype:trojan-activity;sid:84517097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653992/; classtype:trojan-activity;sid:84517092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653985)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653985/; classtype:trojan-activity;sid:84517085; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517072 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653977/; classtype:trojan-activity;sid:84517077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653972/; classtype:trojan-activity;sid:84517072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653964/; classtype:trojan-activity;sid:84517064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3653960/; classtype:trojan-activity;sid:84517060; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517043 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653947/; classtype:trojan-activity;sid:84517047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653941/; classtype:trojan-activity;sid:84517041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653943/; classtype:trojan-activity;sid:84517043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653939/; classtype:trojan-activity;sid:84517039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653917)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653917/; classtype:trojan-activity;sid:84517017; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84517014 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653918/; classtype:trojan-activity;sid:84517018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653916/; classtype:trojan-activity;sid:84517016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653914/; classtype:trojan-activity;sid:84517014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653912/; classtype:trojan-activity;sid:84517012; 
rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84516992 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653910/; classtype:trojan-activity;sid:84517010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653900/; classtype:trojan-activity;sid:84517000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653892/; classtype:trojan-activity;sid:84516992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653893/; classtype:trojan-activity;sid:84516993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; 
http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653885/; classtype:trojan-activity;sid:84516985; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SIDs 84516982 and 84516975 put literal %xx escapes in an http.uri content. Suricata
# documents http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps
# escapes, so these may never fire as written - confirm with a pcap replay before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653882/; classtype:trojan-activity;sid:84516982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"45.118.32.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653878/; classtype:trojan-activity;sid:84516978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653875/; classtype:trojan-activity;sid:84516975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653874/; classtype:trojan-activity;sid:84516974; 
rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84516963 puts literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# it may never fire as written - confirm with a pcap replay before counting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653871/; classtype:trojan-activity;sid:84516971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653867/; classtype:trojan-activity;sid:84516967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653864/; classtype:trojan-activity;sid:84516964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653863/; classtype:trojan-activity;sid:84516963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653861)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653861/; classtype:trojan-activity;sid:84516961; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SID 84516961 (the rule ending on the line above), SID 84516956 and the rule for URLhaus
# entry 3653852 (last line of this span) put literal %xx escapes in an http.uri content. Suricata documents
# http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps escapes, so
# these may never fire as written - confirm with a pcap replay before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653858/; classtype:trojan-activity;sid:84516958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653856/; classtype:trojan-activity;sid:84516956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653853/; classtype:trojan-activity;sid:84516953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653852/; classtype:trojan-activity;sid:84516952; rev:1;)
# Exact-match IoC rules from the URLhaus feed: GET, whole http.uri (depth = content length + endswith,
# nocase) and whole http.host (depth + isdataat:!1,relative).
# NOTE(review): SIDs 84516949 and 84516941 put literal %xx escapes in an http.uri content. Suricata
# documents http.uri as the normalized (percent-decoded) buffer and http.uri.raw as the one that keeps
# escapes, so these may never fire as written - confirm with a pcap replay before counting on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653848/; classtype:trojan-activity;sid:84516948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653849/; classtype:trojan-activity;sid:84516949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653847/; classtype:trojan-activity;sid:84516947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-06-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653841/; classtype:trojan-activity;sid:84516941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3653840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653840/; classtype:trojan-activity;sid:84516940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653839/; classtype:trojan-activity;sid:84516939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653836/; classtype:trojan-activity;sid:84516936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653831/; classtype:trojan-activity;sid:84516931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; 
depth:10; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653829/; classtype:trojan-activity;sid:84516929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653828/; classtype:trojan-activity;sid:84516928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653827/; classtype:trojan-activity;sid:84516927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653824/; classtype:trojan-activity;sid:84516924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653823/; classtype:trojan-activity;sid:84516923; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653818/; classtype:trojan-activity;sid:84516918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653819/; classtype:trojan-activity;sid:84516919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653813/; classtype:trojan-activity;sid:84516913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653806/; classtype:trojan-activity;sid:84516906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653799/; classtype:trojan-activity;sid:84516899; rev:1;)
# URLhaus feed entries (created_at 2025_10_04): each rule alerts on an HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.uri equals the listed path (depth == pattern length, endswith,
# nocase) and whose http.host equals the listed address (depth == pattern length, no trailing data).
# NOTE(review): the entry below is on 177.70.102.232, while the neighbouring /tmpftp/ entries
# use 177.70.102.228; worth pivoting on both addresses when triaging hits on either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653794/; classtype:trojan-activity;sid:84516894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653792/; classtype:trojan-activity;sid:84516892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-04-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653790/; classtype:trojan-activity;sid:84516890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653785/; classtype:trojan-activity;sid:84516885; rev:1;)
# NOTE(review): depth:92 below counts every percent-escape (%20, %c3%a7, %c3%aa, %c3%a3) as
# literal characters. http.uri is the normalized URI buffer; if the engine decodes escapes
# before matching, the buffer is shorter than the pattern and the rule cannot fire. Replay a
# sample request and compare against http.uri.raw before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653783/; classtype:trojan-activity;sid:84516883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653782/; classtype:trojan-activity;sid:84516882; rev:1;)
# The remaining entries in this run use short root-level names (/info.zip, /video.lnk, /av.lnk,
# /photo.lnk); the exact Host match is the only thing that makes them specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653781/; classtype:trojan-activity;sid:84516881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653772/; classtype:trojan-activity;sid:84516872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653770/; classtype:trojan-activity;sid:84516870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653761/; classtype:trojan-activity;sid:84516861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653758/; classtype:trojan-activity;sid:84516858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653756/; classtype:trojan-activity;sid:84516856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653755/; classtype:trojan-activity;sid:84516855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653751/; classtype:trojan-activity;sid:84516851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653748/; classtype:trojan-activity;sid:84516848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653745/; classtype:trojan-activity;sid:84516845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653743/; classtype:trojan-activity;sid:84516843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653741)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653741/; classtype:trojan-activity;sid:84516841; rev:1;)
# URLhaus feed entries (created_at 2025_10_04): each rule alerts on an HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.uri equals the listed path (depth == pattern length, endswith,
# nocase) and whose http.host equals the listed address (depth == pattern length, no trailing data).
# Many entries in this run differ only in the dated /tmpftp/.../info.zip path on the single host
# 177.70.102.228, so a hit on one sid is best triaged by pivoting on that host across all of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653737/; classtype:trojan-activity;sid:84516837; rev:1;)
# NOTE(review): the pattern below keeps percent-escapes (%c3%a7, %c3%a3, %20) as literal text,
# and depth:87 counts them that way. http.uri is the normalized URI buffer; if the deployed
# engine decodes escapes before matching, this rule cannot fire. Replay a sample request and
# compare against http.uri.raw. The same applies to the other percent-escaped patterns in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653734/; classtype:trojan-activity;sid:84516834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653732/; classtype:trojan-activity;sid:84516832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653730/; classtype:trojan-activity;sid:84516830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653728/; classtype:trojan-activity;sid:84516828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-09-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653725/; classtype:trojan-activity;sid:84516825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653717/; classtype:trojan-activity;sid:84516817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653713/; classtype:trojan-activity;sid:84516813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-11-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653707/; classtype:trojan-activity;sid:84516807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653705/; classtype:trojan-activity;sid:84516805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-02-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653704/; classtype:trojan-activity;sid:84516804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653703/; classtype:trojan-activity;sid:84516803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653702/; classtype:trojan-activity;sid:84516802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653701/; classtype:trojan-activity;sid:84516801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-03-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653696/; classtype:trojan-activity;sid:84516796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653695/; classtype:trojan-activity;sid:84516795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith;
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653693/; classtype:trojan-activity;sid:84516793; rev:1;)
# URLhaus feed entries (created_at 2025_10_04): each rule alerts on an HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.uri equals the listed path (depth == pattern length, endswith,
# nocase) and whose http.host equals the listed address (depth == pattern length, no trailing data).
# NOTE(review): http.host is matched against an IP literal in every entry here, so a request
# that reaches the same address under a DNS name in the Host header is outside these rules;
# pair them with destination-IP telemetry when hunting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653690/; classtype:trojan-activity;sid:84516790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653691/; classtype:trojan-activity;sid:84516791; rev:1;)
# NOTE(review): the pattern below keeps percent-escapes (%c3%a7, %c3%a3, %20) as literal text,
# and depth:87 counts them that way. http.uri is the normalized URI buffer; if the deployed
# engine decodes escapes before matching, this rule cannot fire. Replay a sample request and
# compare against http.uri.raw. The same applies to the other percent-escaped patterns in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653685/; classtype:trojan-activity;sid:84516785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653683/; classtype:trojan-activity;sid:84516783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653681/; classtype:trojan-activity;sid:84516781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653675/; classtype:trojan-activity;sid:84516775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"43.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653672/; classtype:trojan-activity;sid:84516772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653669/; classtype:trojan-activity;sid:84516769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-03-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653665/; classtype:trojan-activity;sid:84516765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653666/; classtype:trojan-activity;sid:84516766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653662/; classtype:trojan-activity;sid:84516762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653663/; classtype:trojan-activity;sid:84516763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653661/; classtype:trojan-activity;sid:84516761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653655/; classtype:trojan-activity;sid:84516755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653649/; classtype:trojan-activity;sid:84516749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653650/; classtype:trojan-activity;sid:84516750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653651/; classtype:trojan-activity;sid:84516751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr";
depth:10; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653652/; classtype:trojan-activity;sid:84516752; rev:1;)
# URLhaus feed entries (created_at 2025_10_04): each rule alerts on an HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.uri equals the listed path (depth == pattern length, endswith,
# nocase) and whose http.host equals the listed address (depth == pattern length, no trailing data).
# NOTE(review): these are `alert http` rules, so they only see requests the sensor can parse
# as clear-text HTTP; confirm sensor placement and any TLS decryption coverage before treating
# the absence of alerts as absence of contact with these hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653647/; classtype:trojan-activity;sid:84516747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653640/; classtype:trojan-activity;sid:84516740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653636/; classtype:trojan-activity;sid:84516736; rev:1;)
# NOTE(review): the pattern below keeps percent-escapes (%c3%a7, %c3%a3, %20) as literal text,
# and depth:87 counts them that way. http.uri is the normalized URI buffer; if the deployed
# engine decodes escapes before matching, this rule cannot fire. Replay a sample request and
# compare against http.uri.raw. The same applies to the other percent-escaped patterns in this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653633/; classtype:trojan-activity;sid:84516733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653634/; classtype:trojan-activity;sid:84516734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653632/; classtype:trojan-activity;sid:84516732; rev:1;)
# Several hosts in this run (e.g. 1.64.40.207, 156.200.99.139) are listed once per file name;
# correlating alerts by destination host groups them into one case instead of one per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653629/; classtype:trojan-activity;sid:84516729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653627/; classtype:trojan-activity;sid:84516727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653620/; classtype:trojan-activity;sid:84516720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653621/; classtype:trojan-activity;sid:84516721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653622/; classtype:trojan-activity;sid:84516722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653611/; classtype:trojan-activity;sid:84516711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653612/; classtype:trojan-activity;sid:84516712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653606/; classtype:trojan-activity;sid:84516706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653607/; classtype:trojan-activity;sid:84516707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653605/; classtype:trojan-activity;sid:84516705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653599/; classtype:trojan-activity;sid:84516699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14;
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653598/; classtype:trojan-activity;sid:84516698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653595/; classtype:trojan-activity;sid:84516695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-12-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653593/; classtype:trojan-activity;sid:84516693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653586/; classtype:trojan-activity;sid:84516686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653585/; classtype:trojan-activity;sid:84516685; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653550/; classtype:trojan-activity;sid:84516650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-06-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653547/; classtype:trojan-activity;sid:84516647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653546/; classtype:trojan-activity;sid:84516646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653537/; classtype:trojan-activity;sid:84516637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653530)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653530/; classtype:trojan-activity;sid:84516630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653525/; classtype:trojan-activity;sid:84516625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653526/; classtype:trojan-activity;sid:84516626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653518/; classtype:trojan-activity;sid:84516618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-11/info.zip"; depth:43; endswith; nocase; 
http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653508/; classtype:trojan-activity;sid:84516608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653502/; classtype:trojan-activity;sid:84516602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653500/; classtype:trojan-activity;sid:84516600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-07-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653495/; classtype:trojan-activity;sid:84516595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3653494/; classtype:trojan-activity;sid:84516594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653492/; classtype:trojan-activity;sid:84516592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653489/; classtype:trojan-activity;sid:84516589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653487/; classtype:trojan-activity;sid:84516587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653485/; classtype:trojan-activity;sid:84516585; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-11-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653482/; classtype:trojan-activity;sid:84516582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653479/; classtype:trojan-activity;sid:84516579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-04-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653464/; classtype:trojan-activity;sid:84516564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653440/; classtype:trojan-activity;sid:84516540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3653427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653427/; classtype:trojan-activity;sid:84516527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653408/; classtype:trojan-activity;sid:84516508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653384/; classtype:trojan-activity;sid:84516484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653380/; classtype:trojan-activity;sid:84516480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653374)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2024-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653374/; classtype:trojan-activity;sid:84516474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653370/; classtype:trojan-activity;sid:84516470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-07-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653366/; classtype:trojan-activity;sid:84516466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-09-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653365/; classtype:trojan-activity;sid:84516465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653363/; classtype:trojan-activity;sid:84516463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653352/; classtype:trojan-activity;sid:84516452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653347/; classtype:trojan-activity;sid:84516447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-12-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653343/; classtype:trojan-activity;sid:84516443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-19/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653310/; classtype:trojan-activity;sid:84516410; rev:1;) 
# URLhaus signatures on this line share one template: alert on an established,
# client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri and
# http.host each equal one listed value (here the host is 177.70.102.228).
# - http.uri: depth equals the content length and endswith pins the end, so the
#   whole buffer has to equal the listed path; nocase makes the comparison
#   case-insensitive.
# - http.host: depth plus isdataat:!1,relative allows nothing after the IP
#   literal, so the Host value has to be exactly that address.
# NOTE(review): several paths carry literal percent-escapes (%20, %c3%a7%c3%a3).
# Suricata documents http.uri as the normalized URI and http.uri.raw as the
# buffer for matching literal escapes such as %20, so these signatures may not
# fire against the decoded buffer -- replay a sample request to confirm, and
# compare with http.uri.raw, before counting this URL family as covered.
# NOTE(review): a hit shows the download was requested, not that the payload
# was delivered or executed; correlate with the HTTP response and file or
# endpoint telemetry before treating the client as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653311/; classtype:trojan-activity;sid:84516411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653303/; classtype:trojan-activity;sid:84516403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-10-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653304/; classtype:trojan-activity;sid:84516404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653297/; classtype:trojan-activity;sid:84516397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653293)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653293/; classtype:trojan-activity;sid:84516393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653290/; classtype:trojan-activity;sid:84516390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653288/; classtype:trojan-activity;sid:84516388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-09-03/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653279/; classtype:trojan-activity;sid:84516379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653278)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653278/; classtype:trojan-activity;sid:84516378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653271/; classtype:trojan-activity;sid:84516371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653264/; classtype:trojan-activity;sid:84516364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653248/; classtype:trojan-activity;sid:84516348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653250)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2020-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653250/; classtype:trojan-activity;sid:84516350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-11-23/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653244/; classtype:trojan-activity;sid:84516344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653243/; classtype:trojan-activity;sid:84516343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653238/; classtype:trojan-activity;sid:84516338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653234)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653234/; classtype:trojan-activity;sid:84516334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653208/; classtype:trojan-activity;sid:84516308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653205/; classtype:trojan-activity;sid:84516305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653204/; classtype:trojan-activity;sid:84516304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653183)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653183/; classtype:trojan-activity;sid:84516283; rev:1;)
# ---------------------------------------------------------------------------
# URLhaus entries created 2025_10_04: /tmpftp/.../info.zip downloads served
# from 177.70.102.228 and 177.70.102.232. One rule per listed URL.
#
# How each rule below matches:
#   * outbound only ($HOME_NET -> $EXTERNAL_NET), established flow, client
#     side, HTTP method GET;
#   * http.uri: depth equals the content length and endswith anchors the end,
#     so the whole buffer must equal the listed path (nocase); a request that
#     carries a query string or any other suffix is not covered;
#   * http.host: depth plus isdataat:!1,relative leaves no byte before or
#     after the content, i.e. an exact match on the host value rather than on
#     the destination address.
#
# NOTE(review): http.uri is Suricata's normalized URI buffer, and the Suricata
# documentation describes escapes such as %20 as being decoded there. Many of
# the paths below carry literal %20 / %c3%a7 / %c3%a3 sequences; replay a
# sample request through the sensor to confirm these rules fire. If they do
# not, http.uri.raw is the buffer that keeps the escapes. TODO confirm.
#
# These are point-in-time indicators for cleartext HTTP only. An alert means
# "a client requested a listed URL"; the reference URL in each rule points to
# the URLhaus entry to check before escalating.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653179/; classtype:trojan-activity;sid:84516279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653178/; classtype:trojan-activity;sid:84516278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653176/; classtype:trojan-activity;sid:84516276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653177/; classtype:trojan-activity;sid:84516277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653173/; classtype:trojan-activity;sid:84516273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653169/; classtype:trojan-activity;sid:84516269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653171/; classtype:trojan-activity;sid:84516271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653172/; classtype:trojan-activity;sid:84516272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653163/; classtype:trojan-activity;sid:84516263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653166/; classtype:trojan-activity;sid:84516266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653159/; classtype:trojan-activity;sid:84516259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653160/; classtype:trojan-activity;sid:84516260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653161/; classtype:trojan-activity;sid:84516261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653156/; classtype:trojan-activity;sid:84516256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-10-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653155/; classtype:trojan-activity;sid:84516255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653152/; classtype:trojan-activity;sid:84516252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653149/; classtype:trojan-activity;sid:84516249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-10-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653148/; classtype:trojan-activity;sid:84516248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-09-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653143/; classtype:trojan-activity;sid:84516243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653140/; classtype:trojan-activity;sid:84516240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653137/; classtype:trojan-activity;sid:84516237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653136/; classtype:trojan-activity;sid:84516236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653132/; classtype:trojan-activity;sid:84516232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653121/; classtype:trojan-activity;sid:84516221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653114/; classtype:trojan-activity;sid:84516214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653111/; classtype:trojan-activity;sid:84516211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653107/; classtype:trojan-activity;sid:84516207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653104/; classtype:trojan-activity;sid:84516204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653097/; classtype:trojan-activity;sid:84516197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653094/; classtype:trojan-activity;sid:84516194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653079/; classtype:trojan-activity;sid:84516179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653073/; classtype:trojan-activity;sid:84516173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-05-24/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653069/; classtype:trojan-activity;sid:84516169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653066/; classtype:trojan-activity;sid:84516166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-10-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653056/; classtype:trojan-activity;sid:84516156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653047/; classtype:trojan-activity;sid:84516147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-05-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653049/; classtype:trojan-activity;sid:84516149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653044/; classtype:trojan-activity;sid:84516144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653041/; classtype:trojan-activity;sid:84516141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-11-12/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653042/; classtype:trojan-activity;sid:84516142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653038/; classtype:trojan-activity;sid:84516138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-07-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653029/; classtype:trojan-activity;sid:84516129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653025/; classtype:trojan-activity;sid:84516125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653016/; classtype:trojan-activity;sid:84516116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653021/; classtype:trojan-activity;sid:84516121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653013/; classtype:trojan-activity;sid:84516113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-02-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653011/; classtype:trojan-activity;sid:84516111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-04-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652999/; classtype:trojan-activity;sid:84516099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653004/; classtype:trojan-activity;sid:84516104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652998/; classtype:trojan-activity;sid:84516098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652994/; classtype:trojan-activity;sid:84516094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652988/; classtype:trojan-activity;sid:84516088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652989/; classtype:trojan-activity;sid:84516089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652985/; classtype:trojan-activity;sid:84516085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652980/; classtype:trojan-activity;sid:84516080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652976/; classtype:trojan-activity;sid:84516076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652977/; classtype:trojan-activity;sid:84516077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652970/; classtype:trojan-activity;sid:84516070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652962/; classtype:trojan-activity;sid:84516062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652960/; classtype:trojan-activity;sid:84516060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652954/; classtype:trojan-activity;sid:84516054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652953/; classtype:trojan-activity;sid:84516053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652940/; classtype:trojan-activity;sid:84516040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652935/; classtype:trojan-activity;sid:84516035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652932/; classtype:trojan-activity;sid:84516032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652933/; classtype:trojan-activity;sid:84516033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652923/; classtype:trojan-activity;sid:84516023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652921/; classtype:trojan-activity;sid:84516021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652919/; classtype:trojan-activity;sid:84516019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652920/; classtype:trojan-activity;sid:84516020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652895/; classtype:trojan-activity;sid:84515995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652865/; classtype:trojan-activity;sid:84515965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652846/; classtype:trojan-activity;sid:84515946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652851/; classtype:trojan-activity;sid:84515951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652843/; classtype:trojan-activity;sid:84515943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652837/; classtype:trojan-activity;sid:84515937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652820/; classtype:trojan-activity;sid:84515920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652821/; classtype:trojan-activity;sid:84515921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652803/; classtype:trojan-activity;sid:84515903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652788/; classtype:trojan-activity;sid:84515888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652789/; classtype:trojan-activity;sid:84515889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652777/; classtype:trojan-activity;sid:84515877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652776/; classtype:trojan-activity;sid:84515876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652772/; classtype:trojan-activity;sid:84515872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-08-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652767/; classtype:trojan-activity;sid:84515867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652725/; classtype:trojan-activity;sid:84515825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652723)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652723/; classtype:trojan-activity;sid:84515823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652718/; classtype:trojan-activity;sid:84515818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652719/; classtype:trojan-activity;sid:84515819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652720/; classtype:trojan-activity;sid:84515820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652721)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652721/; classtype:trojan-activity;sid:84515821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652716/; classtype:trojan-activity;sid:84515816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652717/; classtype:trojan-activity;sid:84515817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652705/; classtype:trojan-activity;sid:84515805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652702)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-09-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652702/; classtype:trojan-activity;sid:84515802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652696/; classtype:trojan-activity;sid:84515796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652692/; classtype:trojan-activity;sid:84515792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652683/; classtype:trojan-activity;sid:84515783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652675)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652675/; classtype:trojan-activity;sid:84515775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652645/; classtype:trojan-activity;sid:84515745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-05-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652637/; classtype:trojan-activity;sid:84515737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-03-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652640/; classtype:trojan-activity;sid:84515740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-25/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652636/; classtype:trojan-activity;sid:84515736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652629/; classtype:trojan-activity;sid:84515729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652618/; classtype:trojan-activity;sid:84515718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652617/; classtype:trojan-activity;sid:84515717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652593/; classtype:trojan-activity;sid:84515693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-30/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652591/; classtype:trojan-activity;sid:84515691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652578/; classtype:trojan-activity;sid:84515678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652573/; classtype:trojan-activity;sid:84515673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3652486/; classtype:trojan-activity;sid:84515586; rev:1;)
# URLhaus download-URL rules for host 177.70.102.228, one rule per URLhaus entry
# (the number in msg and in the reference URL). Each rule alerts on an
# established client-to-server HTTP flow from $HOME_NET to $EXTERNAL_NET when:
#   - http.method contains "GET";
#   - http.uri equals the listed path, case-insensitively (depth is the content
#     length and endswith pins the end, so nothing may precede or follow it);
#   - http.host equals the listed IP (depth:14 plus isdataat:!1,relative means
#     no byte may follow the 14-character match).
# NOTE(review): http.uri is Suricata's normalized URI buffer, while several
# patterns below carry percent-escapes (%20, %c3%a7, %c3%a3, %c3%aa) as literal
# text. If the sensor's HTTP parser decodes escapes before matching, those
# rules would not fire; http.uri.raw is the buffer that keeps the URI as sent.
# Confirm with a replayed test request before relying on these SIDs, and pair
# them with host/IP-based detection for the same indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652485/; classtype:trojan-activity;sid:84515585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652483/; classtype:trojan-activity;sid:84515583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652484/; classtype:trojan-activity;sid:84515584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652482/; classtype:trojan-activity;sid:84515582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652481/; classtype:trojan-activity;sid:84515581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652480/; classtype:trojan-activity;sid:84515580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652478/; classtype:trojan-activity;sid:84515578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652476/; classtype:trojan-activity;sid:84515576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652474)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652474/; classtype:trojan-activity;sid:84515574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652475/; classtype:trojan-activity;sid:84515575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652473/; classtype:trojan-activity;sid:84515573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-09-26/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652472/; classtype:trojan-activity;sid:84515572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652471)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652471/; classtype:trojan-activity;sid:84515571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652467/; classtype:trojan-activity;sid:84515567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652464/; classtype:trojan-activity;sid:84515564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-04-03/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652465/; classtype:trojan-activity;sid:84515565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-14/info.zip"; 
depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652463/; classtype:trojan-activity;sid:84515563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652462/; classtype:trojan-activity;sid:84515562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652461/; classtype:trojan-activity;sid:84515561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652460/; classtype:trojan-activity;sid:84515560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652458/; classtype:trojan-activity;sid:84515558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652459/; classtype:trojan-activity;sid:84515559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-09-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652456/; classtype:trojan-activity;sid:84515556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652455/; classtype:trojan-activity;sid:84515555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-03-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3652454/; classtype:trojan-activity;sid:84515554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652453/; classtype:trojan-activity;sid:84515553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-01-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652451/; classtype:trojan-activity;sid:84515551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652452/; classtype:trojan-activity;sid:84515552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652449/; classtype:trojan-activity;sid:84515549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652445/; classtype:trojan-activity;sid:84515545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652446/; classtype:trojan-activity;sid:84515546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652447/; classtype:trojan-activity;sid:84515547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652448/; classtype:trojan-activity;sid:84515548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652442/; classtype:trojan-activity;sid:84515542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652444/; classtype:trojan-activity;sid:84515544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652441/; classtype:trojan-activity;sid:84515541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652439/; classtype:trojan-activity;sid:84515539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652437)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652437/; classtype:trojan-activity;sid:84515537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652438/; classtype:trojan-activity;sid:84515538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652436/; classtype:trojan-activity;sid:84515536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652435/; classtype:trojan-activity;sid:84515535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652434)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652434/; classtype:trojan-activity;sid:84515534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652433/; classtype:trojan-activity;sid:84515533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652432/; classtype:trojan-activity;sid:84515532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652431/; classtype:trojan-activity;sid:84515531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652429)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652429/; classtype:trojan-activity;sid:84515529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652427/; classtype:trojan-activity;sid:84515527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-10-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652428/; classtype:trojan-activity;sid:84515528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652426/; classtype:trojan-activity;sid:84515526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-10/info.zip"; 
depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652425/; classtype:trojan-activity;sid:84515525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652424/; classtype:trojan-activity;sid:84515524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652423/; classtype:trojan-activity;sid:84515523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-04-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652421/; classtype:trojan-activity;sid:84515521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652422/; classtype:trojan-activity;sid:84515522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652419/; classtype:trojan-activity;sid:84515519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652420/; classtype:trojan-activity;sid:84515520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652417/; classtype:trojan-activity;sid:84515517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3652418/; classtype:trojan-activity;sid:84515518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652415/; classtype:trojan-activity;sid:84515515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-12-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652416/; classtype:trojan-activity;sid:84515516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652414/; classtype:trojan-activity;sid:84515514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652413/; 
classtype:trojan-activity;sid:84515513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652412/; classtype:trojan-activity;sid:84515512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652411/; classtype:trojan-activity;sid:84515511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652408/; classtype:trojan-activity;sid:84515508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652404/; classtype:trojan-activity;sid:84515504; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652407/; classtype:trojan-activity;sid:84515507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652402/; classtype:trojan-activity;sid:84515502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652403/; classtype:trojan-activity;sid:84515503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652401/; classtype:trojan-activity;sid:84515501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3652399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652399/; classtype:trojan-activity;sid:84515499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652400/; classtype:trojan-activity;sid:84515500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652397/; classtype:trojan-activity;sid:84515497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652398/; classtype:trojan-activity;sid:84515498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3652395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652395/; classtype:trojan-activity;sid:84515495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-29/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652396/; classtype:trojan-activity;sid:84515496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-01-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652391/; classtype:trojan-activity;sid:84515491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652392/; classtype:trojan-activity;sid:84515492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652390)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652390/; classtype:trojan-activity;sid:84515490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652389/; classtype:trojan-activity;sid:84515489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652386/; classtype:trojan-activity;sid:84515486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652387/; classtype:trojan-activity;sid:84515487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652384)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/consulta/2022-11-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652384/; classtype:trojan-activity;sid:84515484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652383/; classtype:trojan-activity;sid:84515483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-09-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652380/; classtype:trojan-activity;sid:84515480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652381/; classtype:trojan-activity;sid:84515481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652382/; classtype:trojan-activity;sid:84515482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652377/; classtype:trojan-activity;sid:84515477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652376/; classtype:trojan-activity;sid:84515476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652375/; classtype:trojan-activity;sid:84515475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3652373/; classtype:trojan-activity;sid:84515473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652374/; classtype:trojan-activity;sid:84515474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-05-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652372/; classtype:trojan-activity;sid:84515472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652371/; classtype:trojan-activity;sid:84515471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3652370/; classtype:trojan-activity;sid:84515470; rev:1;)
# Reviewer notes for the rules in this part of the file (host 177.70.102.228,
# created_at 2025_10_04), shown here one rule per line.
# Each rule is an exact-match indicator: method GET, the whole http.uri buffer equal
# to the listed path (depth:N + endswith, nocase) and the whole http.host buffer equal
# to the listed IP (depth:14 + isdataat:!1,relative). A request that adds a query
# string, or reaches the server by a hostname instead of the IP, does not match.
# NOTE(review): http.uri is Suricata's normalized URI buffer, and the Suricata
# documentation describes %20 being converted to a space there. Paths that contain
# percent-escapes (%20, %c3%a7, %c3%a3, %c3%aa) may therefore never match as written;
# verify with a pcap replay and, if confirmed, match on http.uri.raw or on the
# decoded bytes instead. The plain-ASCII paths are not affected.
# NOTE(review): `alert http` inspects cleartext HTTP only; the same download fetched
# over TLS is outside these rules.
# NOTE(review): created_at is months older than the feed's "Last updated" header, so
# treat a hit as a lead and check the URLhaus reference for the entry's current status.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652368/; classtype:trojan-activity;sid:84515468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652369/; classtype:trojan-activity;sid:84515469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652367/; classtype:trojan-activity;sid:84515467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652365/; classtype:trojan-activity;sid:84515465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652363/; classtype:trojan-activity;sid:84515463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652364/; classtype:trojan-activity;sid:84515464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-10-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652360/; classtype:trojan-activity;sid:84515460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652359/; classtype:trojan-activity;sid:84515459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-09-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652358/; classtype:trojan-activity;sid:84515458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652357/; classtype:trojan-activity;sid:84515457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652356/; classtype:trojan-activity;sid:84515456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652353/; classtype:trojan-activity;sid:84515453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652354/; classtype:trojan-activity;sid:84515454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652349/; classtype:trojan-activity;sid:84515449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652351/; classtype:trojan-activity;sid:84515451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652352/; classtype:trojan-activity;sid:84515452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652347/; classtype:trojan-activity;sid:84515447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652348/; classtype:trojan-activity;sid:84515448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652346/; classtype:trojan-activity;sid:84515446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-10-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652342/; classtype:trojan-activity;sid:84515442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652343/; classtype:trojan-activity;sid:84515443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652344/; classtype:trojan-activity;sid:84515444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652345/; classtype:trojan-activity;sid:84515445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652340/; classtype:trojan-activity;sid:84515440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652337/; classtype:trojan-activity;sid:84515437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652338/; classtype:trojan-activity;sid:84515438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652339/; classtype:trojan-activity;sid:84515439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652335/; classtype:trojan-activity;sid:84515435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652333/; classtype:trojan-activity;sid:84515433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652331/; classtype:trojan-activity;sid:84515431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652326/; classtype:trojan-activity;sid:84515426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652327/; classtype:trojan-activity;sid:84515427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652328/; classtype:trojan-activity;sid:84515428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652329/; classtype:trojan-activity;sid:84515429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652330/; classtype:trojan-activity;sid:84515430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652325/; classtype:trojan-activity;sid:84515425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-09-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652324/; classtype:trojan-activity;sid:84515424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652323/; classtype:trojan-activity;sid:84515423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652322/; classtype:trojan-activity;sid:84515422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652320/; classtype:trojan-activity;sid:84515420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652318/; classtype:trojan-activity;sid:84515418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652319/; classtype:trojan-activity;sid:84515419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652317/; classtype:trojan-activity;sid:84515417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652316/; classtype:trojan-activity;sid:84515416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652314/; classtype:trojan-activity;sid:84515414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652312/; classtype:trojan-activity;sid:84515412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-06-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652313/; classtype:trojan-activity;sid:84515413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652310/; classtype:trojan-activity;sid:84515410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652309/; classtype:trojan-activity;sid:84515409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652307/; classtype:trojan-activity;sid:84515407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652306/; classtype:trojan-activity;sid:84515406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652304/; classtype:trojan-activity;sid:84515404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652303/; classtype:trojan-activity;sid:84515403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652300/; classtype:trojan-activity;sid:84515400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652301/; classtype:trojan-activity;sid:84515401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652302/; classtype:trojan-activity;sid:84515402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652298/; classtype:trojan-activity;sid:84515398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652296/; classtype:trojan-activity;sid:84515396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652294/; classtype:trojan-activity;sid:84515394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652295/; classtype:trojan-activity;sid:84515395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652293/; classtype:trojan-activity;sid:84515393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-01-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652292/; classtype:trojan-activity;sid:84515392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652291/; classtype:trojan-activity;sid:84515391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652290/; classtype:trojan-activity;sid:84515390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652289/; classtype:trojan-activity;sid:84515389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652288/; classtype:trojan-activity;sid:84515388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652287/; classtype:trojan-activity;sid:84515387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652286/; classtype:trojan-activity;sid:84515386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652285/; classtype:trojan-activity;sid:84515385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652284/; classtype:trojan-activity;sid:84515384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652282/; classtype:trojan-activity;sid:84515382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652283/; classtype:trojan-activity;sid:84515383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652280/; classtype:trojan-activity;sid:84515380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652281/; classtype:trojan-activity;sid:84515381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652279/; classtype:trojan-activity;sid:84515379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652277/; classtype:trojan-activity;sid:84515377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652278/; classtype:trojan-activity;sid:84515378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652275/; classtype:trojan-activity;sid:84515375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652276/; classtype:trojan-activity;sid:84515376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652273/; classtype:trojan-activity;sid:84515373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-18/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652274/; classtype:trojan-activity;sid:84515374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652272/; classtype:trojan-activity;sid:84515372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652270/; classtype:trojan-activity;sid:84515370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-29/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652269/; classtype:trojan-activity;sid:84515369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652268/; classtype:trojan-activity;sid:84515368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652265/; classtype:trojan-activity;sid:84515365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-16/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652264/; classtype:trojan-activity;sid:84515364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652263/; classtype:trojan-activity;sid:84515363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652262/; classtype:trojan-activity;sid:84515362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652259/; classtype:trojan-activity;sid:84515359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3652260/; classtype:trojan-activity;sid:84515360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652257/; classtype:trojan-activity;sid:84515357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652256/; classtype:trojan-activity;sid:84515356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652255/; classtype:trojan-activity;sid:84515355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-25/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652250/; classtype:trojan-activity;sid:84515350; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652247/; classtype:trojan-activity;sid:84515347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652248/; classtype:trojan-activity;sid:84515348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652246/; classtype:trojan-activity;sid:84515346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652245/; classtype:trojan-activity;sid:84515345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3652244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652244/; classtype:trojan-activity;sid:84515344; rev:1;)
# NOTE(review): in each rule of this run the http.uri depth equals the pattern
# length and is combined with endswith, so the whole URI buffer has to equal
# the listed path (case-insensitively, via nocase). A request for the same path
# with a query string or any other byte appended would presumably not alert;
# verify that this exact-match scope is what the sensor is meant to cover.
# The http.host match is pinned the same way (depth:14 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-09-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652243/; classtype:trojan-activity;sid:84515343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652241/; classtype:trojan-activity;sid:84515341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652242/; classtype:trojan-activity;sid:84515342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652239/; classtype:trojan-activity;sid:84515339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652240/; classtype:trojan-activity;sid:84515340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652238/; classtype:trojan-activity;sid:84515338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652237/; classtype:trojan-activity;sid:84515337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-07-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652236/; classtype:trojan-activity;sid:84515336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652235/; classtype:trojan-activity;sid:84515335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652234/; classtype:trojan-activity;sid:84515334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652232/; classtype:trojan-activity;sid:84515332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652233/; classtype:trojan-activity;sid:84515333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652230/; classtype:trojan-activity;sid:84515330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652231/; classtype:trojan-activity;sid:84515331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-12/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652229/; classtype:trojan-activity;sid:84515329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-06-25/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652225/; classtype:trojan-activity;sid:84515325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652223/; classtype:trojan-activity;sid:84515323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652221/; classtype:trojan-activity;sid:84515321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652222/; classtype:trojan-activity;sid:84515322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652219/; classtype:trojan-activity;sid:84515319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652220/; classtype:trojan-activity;sid:84515320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652218/; classtype:trojan-activity;sid:84515318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652217/; classtype:trojan-activity;sid:84515317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652216/; classtype:trojan-activity;sid:84515316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652214/; classtype:trojan-activity;sid:84515314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-02-01/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652215/; classtype:trojan-activity;sid:84515315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652213/; classtype:trojan-activity;sid:84515313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652211/; classtype:trojan-activity;sid:84515311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652210)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652210/; classtype:trojan-activity;sid:84515310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652209/; classtype:trojan-activity;sid:84515309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652208/; classtype:trojan-activity;sid:84515308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652206/; classtype:trojan-activity;sid:84515306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652207)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652207/; classtype:trojan-activity;sid:84515307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652205/; classtype:trojan-activity;sid:84515305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652204/; classtype:trojan-activity;sid:84515304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652203/; classtype:trojan-activity;sid:84515303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652201)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2021-04-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652201/; classtype:trojan-activity;sid:84515301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652198/; classtype:trojan-activity;sid:84515298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652200/; classtype:trojan-activity;sid:84515300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652197/; classtype:trojan-activity;sid:84515297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652196/; classtype:trojan-activity;sid:84515296; rev:1;)
# The line above is the tail of a rule that begins on the preceding line; the last
# line of this group is the head of a rule that continues on the following line.
#
# Rule anatomy shared by every rule in this group:
#   - alert on HTTP traffic from $HOME_NET to $EXTERNAL_NET, client side of an
#     established flow (flow:established,from_client);
#   - http.method buffer contains "GET";
#   - http.uri buffer equals the listed path (depth == content length, plus endswith);
#   - http.host buffer equals 177.70.102.228 (depth:14 plus isdataat:!1,relative).
# Triage pivot: in each rule the number in msg and in the reference URL is the
# URLhaus entry id, and sid is that id plus 80863100 (e.g. 3652193 -> 84515293).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652193/; classtype:trojan-activity;sid:84515293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652194/; classtype:trojan-activity;sid:84515294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652192/; classtype:trojan-activity;sid:84515292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652186/; classtype:trojan-activity;sid:84515286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652187/; classtype:trojan-activity;sid:84515287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652188/; classtype:trojan-activity;sid:84515288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652189/; classtype:trojan-activity;sid:84515289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652190/; classtype:trojan-activity;sid:84515290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652191/; classtype:trojan-activity;sid:84515291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652185/; classtype:trojan-activity;sid:84515285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652184/; classtype:trojan-activity;sid:84515284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652183/; classtype:trojan-activity;sid:84515283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652181/; classtype:trojan-activity;sid:84515281; rev:1;)
# The line above completes a rule whose header is on the preceding line; the last
# line of this group is a rule head that continues on the following line.
#
# Matching is exact, not substring, in every rule of this group:
#   - on http.uri, depth:N equals the length of the content string and endswith
#     pins the match to the end of the buffer, so the whole URI buffer must equal
#     the listed path (case-insensitively, because of nocase);
#   - on http.host, depth:14 plus isdataat:!1,relative requires that nothing
#     follows the 14-byte address in the buffer.
# Consequence for coverage: the same file requested with an added query string, a
# different dated directory, or via a hostname instead of the IP literal does not
# match these signatures; they are low-noise indicators of one known URL each and
# should be paired with host-level or behavioural detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652180/; classtype:trojan-activity;sid:84515280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652179/; classtype:trojan-activity;sid:84515279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652177/; classtype:trojan-activity;sid:84515277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652178/; classtype:trojan-activity;sid:84515278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652175/; classtype:trojan-activity;sid:84515275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652174/; classtype:trojan-activity;sid:84515274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652173/; classtype:trojan-activity;sid:84515273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652171/; classtype:trojan-activity;sid:84515271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652169/; classtype:trojan-activity;sid:84515269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652170/; classtype:trojan-activity;sid:84515270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652167/; classtype:trojan-activity;sid:84515267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-04/info.zip"; depth:87; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652166/; classtype:trojan-activity;sid:84515266; rev:1;)
# The line above is the tail of a rule begun on the preceding line; the last line
# of this group is cut after "reference:url," and continues on the following line.
#
# NOTE(review): the http.uri content strings in this group keep percent-escapes
# literally (%20, %c3%a7, %c3%a3), and each depth value equals the length of the
# escaped string. Suricata documents http.uri as the normalized URI buffer, in
# which escapes such as %20 are decoded, and http.uri.raw as the buffer that
# preserves them. If that applies to the deployed version, the rules whose path
# contains an escape would not fire on a request for the listed URL, while the
# escape-free /tmpftp/01/cancelamento/... rules are unaffected. Confirm by
# replaying a sample request through the sensor before relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652165/; classtype:trojan-activity;sid:84515265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652164/; classtype:trojan-activity;sid:84515264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652163/; classtype:trojan-activity;sid:84515263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652162/; classtype:trojan-activity;sid:84515262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652161/; classtype:trojan-activity;sid:84515261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652160/; classtype:trojan-activity;sid:84515260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652157/; classtype:trojan-activity;sid:84515257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652158/; classtype:trojan-activity;sid:84515258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652159/; classtype:trojan-activity;sid:84515259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652156/; classtype:trojan-activity;sid:84515256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652152/; classtype:trojan-activity;sid:84515252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3652153/; classtype:trojan-activity;sid:84515253; rev:1;)
# The line above is the tail of a rule begun on the preceding line; the final
# "alert" of this group is the first word of a rule that continues on the next line.
#
# Scope of the rules in this group:
#   - protocol "http": only traffic Suricata parses as HTTP is inspected, so the
#     same URL fetched over TLS is not covered unless the sensor sees decrypted
#     traffic (presumably not the default; verify against the deployment);
#   - direction $HOME_NET -> $EXTERNAL_NET: the alert depends on both address
#     variables being defined correctly for the monitored network;
#   - flow:established,from_client with request-side buffers only (method, uri,
#     host): an alert shows that a client requested the URL, not that a payload
#     was delivered. Triage should check the HTTP response and the endpoint.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652151/; classtype:trojan-activity;sid:84515251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652147/; classtype:trojan-activity;sid:84515247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652148/; classtype:trojan-activity;sid:84515248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652149/; classtype:trojan-activity;sid:84515249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652144/; classtype:trojan-activity;sid:84515244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652145/; classtype:trojan-activity;sid:84515245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652146/; classtype:trojan-activity;sid:84515246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652141/; classtype:trojan-activity;sid:84515241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652143/; classtype:trojan-activity;sid:84515243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652138/; classtype:trojan-activity;sid:84515238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652140/; classtype:trojan-activity;sid:84515240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652136/; classtype:trojan-activity;sid:84515236; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652137/; classtype:trojan-activity;sid:84515237; rev:1;)
# The line above completes a rule whose "alert" keyword is on the preceding line;
# the last line of this group is a rule head that continues on the following line.
#
# Every rule in this group names the same server (http.host 177.70.102.228), the
# same file name (info.zip) and the same created_at date; only the directory path
# and the URLhaus id differ. For alert handling that means:
#   - several sids from this group firing for one client are a single incident
#     against one host, not independent detections;
#   - the reference URL in each rule leads to the URLhaus entry for that exact
#     path, which is the place to check whether the URL is still reported online;
#   - hunting in proxy or flow logs by destination address covers paths on this
#     host that the feed has not enumerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652135/; classtype:trojan-activity;sid:84515235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652132/; classtype:trojan-activity;sid:84515232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652133/; classtype:trojan-activity;sid:84515233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652134/; classtype:trojan-activity;sid:84515234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652128/; classtype:trojan-activity;sid:84515228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652129/; classtype:trojan-activity;sid:84515229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652130/; classtype:trojan-activity;sid:84515230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652126/; classtype:trojan-activity;sid:84515226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652122/; classtype:trojan-activity;sid:84515222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652124/; classtype:trojan-activity;sid:84515224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-03-24/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652121/; classtype:trojan-activity;sid:84515221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652120)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652120/; classtype:trojan-activity;sid:84515220; rev:1;)
# The line above is the tail of a rule begun on the preceding line; the last line
# of this group is cut after the http.host "depth:14;" and continues on the
# following line.
#
# Indicator age: every rule in this group carries metadata:created_at 2025_10_04
# and rev:1, while the ruleset header states it was last updated 2026-04-27. The
# rules show no expiry or confidence field, so whether the URL is still serving
# content cannot be read from the rule itself.
# NOTE(review): an IP-literal host can be reassigned over that interval; treat a
# hit as a lead to verify against the referenced URLhaus entry, not as proof that
# the current owner of the address is malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652119/; classtype:trojan-activity;sid:84515219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652112/; classtype:trojan-activity;sid:84515212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652113/; classtype:trojan-activity;sid:84515213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652115/; classtype:trojan-activity;sid:84515215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652116/; classtype:trojan-activity;sid:84515216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652118/; classtype:trojan-activity;sid:84515218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652108/; classtype:trojan-activity;sid:84515208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652109/; classtype:trojan-activity;sid:84515209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-11-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652110/; classtype:trojan-activity;sid:84515210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652111/; classtype:trojan-activity;sid:84515211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652107/; classtype:trojan-activity;sid:84515207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652105/; classtype:trojan-activity;sid:84515205; rev:1;)
# The line above is the tail of a rule begun on the preceding line; the last line
# of this group is a rule head that continues on the following line.
#
# Reading an alert from this group: msg carries the URLhaus id, reference gives
# the entry URL, classtype is trojan-activity, and the match conditions are GET
# method + exact URI + exact Host 177.70.102.228 on the request side of the flow.
# NOTE(review): several paths here contain UTF-8 characters written as
# percent-escapes (%c3%a7, %c3%a3). If the sensor's http.uri buffer holds the
# decoded form, the request would contain the raw bytes rather than the escape
# text and these content strings would not match; the escape-free cancelamento
# and consulta rules would still match. Validate with a test request before
# counting these sids as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652106/; classtype:trojan-activity;sid:84515206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652102/; classtype:trojan-activity;sid:84515202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652103/; classtype:trojan-activity;sid:84515203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652104/; classtype:trojan-activity;sid:84515204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652101/; classtype:trojan-activity;sid:84515201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-10-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652099/; classtype:trojan-activity;sid:84515199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652100/; classtype:trojan-activity;sid:84515200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652098/; classtype:trojan-activity;sid:84515198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652097/; classtype:trojan-activity;sid:84515197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652095/; classtype:trojan-activity;sid:84515195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-04-24/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652094/; classtype:trojan-activity;sid:84515194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652091/; classtype:trojan-activity;sid:84515191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652092)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652092/; classtype:trojan-activity;sid:84515192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652090/; classtype:trojan-activity;sid:84515190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-01-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652084/; classtype:trojan-activity;sid:84515184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-05-24/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652086/; classtype:trojan-activity;sid:84515186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-12-27/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652088/; classtype:trojan-activity;sid:84515188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652089/; classtype:trojan-activity;sid:84515189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652081/; classtype:trojan-activity;sid:84515181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652082/; classtype:trojan-activity;sid:84515182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652083/; 
classtype:trojan-activity;sid:84515183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652078/; classtype:trojan-activity;sid:84515178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-03-17/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652079/; classtype:trojan-activity;sid:84515179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652075/; classtype:trojan-activity;sid:84515175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652076/; classtype:trojan-activity;sid:84515176; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652077/; classtype:trojan-activity;sid:84515177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652070/; classtype:trojan-activity;sid:84515170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652071/; classtype:trojan-activity;sid:84515171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-11-23/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652067/; classtype:trojan-activity;sid:84515167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3652068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652068/; classtype:trojan-activity;sid:84515168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652060/; classtype:trojan-activity;sid:84515160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-10-24/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652061/; classtype:trojan-activity;sid:84515161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-27/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652063/; classtype:trojan-activity;sid:84515163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652064)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652064/; classtype:trojan-activity;sid:84515164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-11-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652065/; classtype:trojan-activity;sid:84515165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652066/; classtype:trojan-activity;sid:84515166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652057/; classtype:trojan-activity;sid:84515157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-08/info.zip"; 
depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652058/; classtype:trojan-activity;sid:84515158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652053/; classtype:trojan-activity;sid:84515153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652054/; classtype:trojan-activity;sid:84515154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-08-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652048/; classtype:trojan-activity;sid:84515148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3652049/; classtype:trojan-activity;sid:84515149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652051/; classtype:trojan-activity;sid:84515151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652052/; classtype:trojan-activity;sid:84515152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652045/; classtype:trojan-activity;sid:84515145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-06-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652046/; 
classtype:trojan-activity;sid:84515146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652042/; classtype:trojan-activity;sid:84515142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652043/; classtype:trojan-activity;sid:84515143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652041/; classtype:trojan-activity;sid:84515141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652039/; classtype:trojan-activity;sid:84515139; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-07-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652040/; classtype:trojan-activity;sid:84515140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652036/; classtype:trojan-activity;sid:84515136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652037/; classtype:trojan-activity;sid:84515137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652034/; classtype:trojan-activity;sid:84515134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652025)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652025/; classtype:trojan-activity;sid:84515125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652026/; classtype:trojan-activity;sid:84515126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652027/; classtype:trojan-activity;sid:84515127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652028/; classtype:trojan-activity;sid:84515128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652029)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652029/; classtype:trojan-activity;sid:84515129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652030/; classtype:trojan-activity;sid:84515130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652031/; classtype:trojan-activity;sid:84515131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-07-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652024/; classtype:trojan-activity;sid:84515124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652023)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652023/; classtype:trojan-activity;sid:84515123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652022/; classtype:trojan-activity;sid:84515122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652021/; classtype:trojan-activity;sid:84515121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652014/; classtype:trojan-activity;sid:84515114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-22/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652015/; classtype:trojan-activity;sid:84515115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652016/; classtype:trojan-activity;sid:84515116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652017/; classtype:trojan-activity;sid:84515117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-14/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652018/; classtype:trojan-activity;sid:84515118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3652019/; classtype:trojan-activity;sid:84515119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652020/; classtype:trojan-activity;sid:84515120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-18/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652012/; classtype:trojan-activity;sid:84515112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652013/; classtype:trojan-activity;sid:84515113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652007/; classtype:trojan-activity;sid:84515107; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652008/; classtype:trojan-activity;sid:84515108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652009/; classtype:trojan-activity;sid:84515109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652010/; classtype:trojan-activity;sid:84515110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652011/; classtype:trojan-activity;sid:84515111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652005)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652005/; classtype:trojan-activity;sid:84515105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652006/; classtype:trojan-activity;sid:84515106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652002/; classtype:trojan-activity;sid:84515102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652000/; classtype:trojan-activity;sid:84515100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651998)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651998/; classtype:trojan-activity;sid:84515098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651999/; classtype:trojan-activity;sid:84515099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651993/; classtype:trojan-activity;sid:84515093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651994/; classtype:trojan-activity;sid:84515094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651995)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651995/; classtype:trojan-activity;sid:84515095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651996/; classtype:trojan-activity;sid:84515096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651997/; classtype:trojan-activity;sid:84515097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651991/; classtype:trojan-activity;sid:84515091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651992)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651992/; classtype:trojan-activity;sid:84515092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651989/; classtype:trojan-activity;sid:84515089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651990/; classtype:trojan-activity;sid:84515090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651987/; classtype:trojan-activity;sid:84515087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651988)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651988/; classtype:trojan-activity;sid:84515088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651981/; classtype:trojan-activity;sid:84515081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-02/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651982/; classtype:trojan-activity;sid:84515082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651983/; classtype:trojan-activity;sid:84515083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-03-06/info.zip"; depth:62; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651985/; classtype:trojan-activity;sid:84515085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651986/; classtype:trojan-activity;sid:84515086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651978/; classtype:trojan-activity;sid:84515078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651969/; classtype:trojan-activity;sid:84515069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3651970/; classtype:trojan-activity;sid:84515070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651971/; classtype:trojan-activity;sid:84515071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651972/; classtype:trojan-activity;sid:84515072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651973/; classtype:trojan-activity;sid:84515073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651974/; classtype:trojan-activity;sid:84515074; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651975/; classtype:trojan-activity;sid:84515075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651976/; classtype:trojan-activity;sid:84515076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651977/; classtype:trojan-activity;sid:84515077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651967/; classtype:trojan-activity;sid:84515067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-09-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651968/; classtype:trojan-activity;sid:84515068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651965/; classtype:trojan-activity;sid:84515065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651966/; classtype:trojan-activity;sid:84515066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651963/; classtype:trojan-activity;sid:84515063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651964)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-09-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651964/; classtype:trojan-activity;sid:84515064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651959/; classtype:trojan-activity;sid:84515059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651960/; classtype:trojan-activity;sid:84515060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651961/; classtype:trojan-activity;sid:84515061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651962)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2021-12-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651962/; classtype:trojan-activity;sid:84515062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651958/; classtype:trojan-activity;sid:84515058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651956/; classtype:trojan-activity;sid:84515056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651957/; classtype:trojan-activity;sid:84515057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3651955/; classtype:trojan-activity;sid:84515055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651954/; classtype:trojan-activity;sid:84515054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651952/; classtype:trojan-activity;sid:84515052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651953/; classtype:trojan-activity;sid:84515053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3651951/; classtype:trojan-activity;sid:84515051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651949/; classtype:trojan-activity;sid:84515049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651950/; classtype:trojan-activity;sid:84515050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651944/; classtype:trojan-activity;sid:84515044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651945/; 
classtype:trojan-activity;sid:84515045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/9929/11032020101348/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651946/; classtype:trojan-activity;sid:84515046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-09-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651947/; classtype:trojan-activity;sid:84515047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651948/; classtype:trojan-activity;sid:84515048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651943/; classtype:trojan-activity;sid:84515043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3651942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651942/; classtype:trojan-activity;sid:84515042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651937/; classtype:trojan-activity;sid:84515037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651938/; classtype:trojan-activity;sid:84515038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651939/; classtype:trojan-activity;sid:84515039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651941)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651941/; classtype:trojan-activity;sid:84515041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651933/; classtype:trojan-activity;sid:84515033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-10-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651934/; classtype:trojan-activity;sid:84515034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651935/; classtype:trojan-activity;sid:84515035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651936)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/consulta/2020-01-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651936/; classtype:trojan-activity;sid:84515036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651931/; classtype:trojan-activity;sid:84515031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651932/; classtype:trojan-activity;sid:84515032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651930/; classtype:trojan-activity;sid:84515030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651928)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651928/; classtype:trojan-activity;sid:84515028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651929/; classtype:trojan-activity;sid:84515029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-18/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651926/; classtype:trojan-activity;sid:84515026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651927/; classtype:trojan-activity;sid:84515027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651921)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651921/; classtype:trojan-activity;sid:84515021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651922/; classtype:trojan-activity;sid:84515022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651923/; classtype:trojan-activity;sid:84515023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651924/; classtype:trojan-activity;sid:84515024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651925)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651925/; classtype:trojan-activity;sid:84515025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651915/; classtype:trojan-activity;sid:84515015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651916/; classtype:trojan-activity;sid:84515016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651917/; classtype:trojan-activity;sid:84515017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651913)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651913/; classtype:trojan-activity;sid:84515013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651914/; classtype:trojan-activity;sid:84515014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-12-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651909/; classtype:trojan-activity;sid:84515009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-22/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651910/; classtype:trojan-activity;sid:84515010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-09/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651912/; classtype:trojan-activity;sid:84515012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651905/; classtype:trojan-activity;sid:84515005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651907/; classtype:trojan-activity;sid:84515007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651901/; classtype:trojan-activity;sid:84515001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651902/; classtype:trojan-activity;sid:84515002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651903/; classtype:trojan-activity;sid:84515003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651900/; classtype:trojan-activity;sid:84515000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-09-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651896/; classtype:trojan-activity;sid:84514996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3651897/; classtype:trojan-activity;sid:84514997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651898/; classtype:trojan-activity;sid:84514998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651894/; classtype:trojan-activity;sid:84514994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160618/td00000000000000159843/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651892/; classtype:trojan-activity;sid:84514992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651890/; classtype:trojan-activity;sid:84514990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651891/; classtype:trojan-activity;sid:84514991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651887/; classtype:trojan-activity;sid:84514987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651888/; classtype:trojan-activity;sid:84514988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651889/; classtype:trojan-activity;sid:84514989; 
rev:1;)
# Review notes for the URLhaus download-URL rules that follow (all on host 177.70.102.228):
# - Each rule alerts only on an established, client-to-server HTTP GET going
#   from $HOME_NET to $EXTERNAL_NET.
# - http.uri: depth equals the content length and endswith is set, so the whole
#   buffer must equal the listed string (nocase makes the compare
#   case-insensitive). These are exact-URL indicators, not patterns; broader
#   coverage of this host has to come from host/IP-level detection.
# - http.host: depth:14 followed by isdataat:!1,relative pins the buffer to
#   exactly the 14-byte IP string.
# - NOTE(review): several contents carry percent-escapes (%20, %c3%a7, %c3%a3)
#   but are matched in http.uri, which the Suricata documentation describes as
#   the normalized URI buffer; http.uri.raw is the buffer that keeps escapes as
#   sent. Replay a capture of one such request against the sensor to confirm
#   these rules fire before counting on them. TODO confirm.
# - The rules differ only in path, sid and reference URL, so alerts can be
#   grouped by destination host during triage and the reference URL used for
#   the per-sample record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651883/; classtype:trojan-activity;sid:84514983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651884/; classtype:trojan-activity;sid:84514984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651885/; classtype:trojan-activity;sid:84514985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651881/; classtype:trojan-activity;sid:84514981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3651882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651882/; classtype:trojan-activity;sid:84514982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651877/; classtype:trojan-activity;sid:84514977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651878/; classtype:trojan-activity;sid:84514978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-11-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651879/; classtype:trojan-activity;sid:84514979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651874)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651874/; classtype:trojan-activity;sid:84514974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651875/; classtype:trojan-activity;sid:84514975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651876/; classtype:trojan-activity;sid:84514976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-12-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651867/; classtype:trojan-activity;sid:84514967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651868)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651868/; classtype:trojan-activity;sid:84514968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651869/; classtype:trojan-activity;sid:84514969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651870/; classtype:trojan-activity;sid:84514970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651871/; classtype:trojan-activity;sid:84514971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651872)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651872/; classtype:trojan-activity;sid:84514972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651873/; classtype:trojan-activity;sid:84514973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651866/; classtype:trojan-activity;sid:84514966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651861/; classtype:trojan-activity;sid:84514961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651862)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651862/; classtype:trojan-activity;sid:84514962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651863/; classtype:trojan-activity;sid:84514963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651864/; classtype:trojan-activity;sid:84514964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651859/; classtype:trojan-activity;sid:84514959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651860)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651860/; classtype:trojan-activity;sid:84514960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651855/; classtype:trojan-activity;sid:84514955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651854/; classtype:trojan-activity;sid:84514954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651852/; classtype:trojan-activity;sid:84514952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651853)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651853/; classtype:trojan-activity;sid:84514953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651849/; classtype:trojan-activity;sid:84514949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651850/; classtype:trojan-activity;sid:84514950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-31/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651848/; classtype:trojan-activity;sid:84514948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651847)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651847/; classtype:trojan-activity;sid:84514947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651845/; classtype:trojan-activity;sid:84514945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651846/; classtype:trojan-activity;sid:84514946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651844/; classtype:trojan-activity;sid:84514944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651836)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651836/; classtype:trojan-activity;sid:84514936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651838/; classtype:trojan-activity;sid:84514938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651839/; classtype:trojan-activity;sid:84514939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651840/; classtype:trojan-activity;sid:84514940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651841/; classtype:trojan-activity;sid:84514941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651842/; classtype:trojan-activity;sid:84514942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651834/; classtype:trojan-activity;sid:84514934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651835/; classtype:trojan-activity;sid:84514935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3651832/; classtype:trojan-activity;sid:84514932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651833/; classtype:trojan-activity;sid:84514933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651830/; classtype:trojan-activity;sid:84514930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-11-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651827/; classtype:trojan-activity;sid:84514927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651822/; 
classtype:trojan-activity;sid:84514922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651823/; classtype:trojan-activity;sid:84514923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651824/; classtype:trojan-activity;sid:84514924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651825/; classtype:trojan-activity;sid:84514925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651826/; classtype:trojan-activity;sid:84514926; rev:1;) 
# URLhaus feed entries: 21 rules, one per line, all for HTTP host 177.70.102.228 and a file named info.zip under /tmpftp/.
#
# What each rule matches:
#   - alert http ... flow:established,from_client: a client request on an established HTTP flow from $HOME_NET to $EXTERNAL_NET.
#   - http.method content:"GET": GET requests only.
#   - http.uri content + depth:<len> + endswith + nocase: depth equals the content length and endswith pins the tail,
#     so the whole URI buffer must equal the listed path, ignoring case. A request for the same path with a query
#     string or any extra path segment does not match.
#   - http.host content + depth:14 + isdataat:!1,relative: the host buffer must be exactly the listed IP address.
#
# NOTE(review): several paths contain literal percent-escapes (%20, %c3%a7, %c3%a3) and the depth values count the
# escaped form. http.uri is the normalized URI buffer; if percent-decoding has already been applied there, these
# contents would not match and http.uri.raw would be the buffer to compare against. Confirm with a replayed request
# on the deployed Suricata version before relying on these sids.
# NOTE(review): the rules inspect parsed HTTP only, so a request made over TLS is presumably not covered unless the
# traffic is decrypted upstream of the sensor. Confirm against the sensor placement.
#
# Triage: an alert records the request, not a successful download. Check the HTTP response status and any extracted
# file for the flow, and the reference URL for the current status of the entry. Because host and filename are constant
# across the group, HTTP logs can be searched for 177.70.102.228 together with info.zip to find requests to paths
# that are not listed here.
# Local edits are presumably overwritten when the feed is refreshed, so keep suppressions or thresholds in the
# sensor's own configuration, keyed by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-05-27/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651820/; classtype:trojan-activity;sid:84514920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651821/; classtype:trojan-activity;sid:84514921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651819/; classtype:trojan-activity;sid:84514919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651813/; classtype:trojan-activity;sid:84514913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651814/; classtype:trojan-activity;sid:84514914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-01-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651815/; classtype:trojan-activity;sid:84514915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651816/; classtype:trojan-activity;sid:84514916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651817/; classtype:trojan-activity;sid:84514917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651818/; classtype:trojan-activity;sid:84514918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651810/; classtype:trojan-activity;sid:84514910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651811/; classtype:trojan-activity;sid:84514911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-10-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651812/; classtype:trojan-activity;sid:84514912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651808/; classtype:trojan-activity;sid:84514908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651806/; classtype:trojan-activity;sid:84514906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651807/; classtype:trojan-activity;sid:84514907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-06-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651802/; classtype:trojan-activity;sid:84514902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-06-18/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651803/; classtype:trojan-activity;sid:84514903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651804/; classtype:trojan-activity;sid:84514904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651801/; classtype:trojan-activity;sid:84514901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651798/; classtype:trojan-activity;sid:84514898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651796/; classtype:trojan-activity;sid:84514896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651797/; classtype:trojan-activity;sid:84514897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651790/; classtype:trojan-activity;sid:84514890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651792/; classtype:trojan-activity;sid:84514892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168897/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651789/; classtype:trojan-activity;sid:84514889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651787)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651787/; classtype:trojan-activity;sid:84514887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651782/; classtype:trojan-activity;sid:84514882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651783/; classtype:trojan-activity;sid:84514883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651785/; classtype:trojan-activity;sid:84514885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651786)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/01/cancelamento/2022-03-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651786/; classtype:trojan-activity;sid:84514886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651777/; classtype:trojan-activity;sid:84514877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651778/; classtype:trojan-activity;sid:84514878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651780/; classtype:trojan-activity;sid:84514880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651781)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651781/; classtype:trojan-activity;sid:84514881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651774/; classtype:trojan-activity;sid:84514874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-22/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651775/; classtype:trojan-activity;sid:84514875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651776/; classtype:trojan-activity;sid:84514876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-04/info.zip"; 
depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651770/; classtype:trojan-activity;sid:84514870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651771/; classtype:trojan-activity;sid:84514871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651772/; classtype:trojan-activity;sid:84514872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651773/; classtype:trojan-activity;sid:84514873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-11-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651768/; classtype:trojan-activity;sid:84514868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651769/; classtype:trojan-activity;sid:84514869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651766/; classtype:trojan-activity;sid:84514866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651767/; classtype:trojan-activity;sid:84514867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-03-15/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651763/; 
classtype:trojan-activity;sid:84514863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651764/; classtype:trojan-activity;sid:84514864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651765/; classtype:trojan-activity;sid:84514865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651760/; classtype:trojan-activity;sid:84514860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-01/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651761/; classtype:trojan-activity;sid:84514861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3651762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651762/; classtype:trojan-activity;sid:84514862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651755/; classtype:trojan-activity;sid:84514855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651756/; classtype:trojan-activity;sid:84514856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651757/; classtype:trojan-activity;sid:84514857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651758)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651758/; classtype:trojan-activity;sid:84514858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651759/; classtype:trojan-activity;sid:84514859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651753/; classtype:trojan-activity;sid:84514853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-09-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651754/; classtype:trojan-activity;sid:84514854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651751)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651751/; classtype:trojan-activity;sid:84514851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651752/; classtype:trojan-activity;sid:84514852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651750/; classtype:trojan-activity;sid:84514850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651741/; classtype:trojan-activity;sid:84514841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651742)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651742/; classtype:trojan-activity;sid:84514842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651744/; classtype:trojan-activity;sid:84514844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651745/; classtype:trojan-activity;sid:84514845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651746/; classtype:trojan-activity;sid:84514846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651747)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651747/; classtype:trojan-activity;sid:84514847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/conting%c3%aancia/homologa%c3%a7%c3%a3o/info.zip"; depth:95; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651748/; classtype:trojan-activity;sid:84514848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651740/; classtype:trojan-activity;sid:84514840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651734/; classtype:trojan-activity;sid:84514834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651735)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651735/; classtype:trojan-activity;sid:84514835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651736/; classtype:trojan-activity;sid:84514836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651737/; classtype:trojan-activity;sid:84514837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651738/; classtype:trojan-activity;sid:84514838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651739)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651739/; classtype:trojan-activity;sid:84514839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651730/; classtype:trojan-activity;sid:84514830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651731/; classtype:trojan-activity;sid:84514831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651732/; classtype:trojan-activity;sid:84514832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-03/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651729/; classtype:trojan-activity;sid:84514829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-12-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651726/; classtype:trojan-activity;sid:84514826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-01-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651727/; classtype:trojan-activity;sid:84514827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651720/; classtype:trojan-activity;sid:84514820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3651721/; classtype:trojan-activity;sid:84514821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651722/; classtype:trojan-activity;sid:84514822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-04-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651723/; classtype:trojan-activity;sid:84514823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651724/; classtype:trojan-activity;sid:84514824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651717/; classtype:trojan-activity;sid:84514817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651718/; classtype:trojan-activity;sid:84514818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651716/; classtype:trojan-activity;sid:84514816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651715/; classtype:trojan-activity;sid:84514815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651713/; classtype:trojan-activity;sid:84514813; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651714/; classtype:trojan-activity;sid:84514814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651710/; classtype:trojan-activity;sid:84514810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651711/; classtype:trojan-activity;sid:84514811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651709/; classtype:trojan-activity;sid:84514809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651707)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651707/; classtype:trojan-activity;sid:84514807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651708/; classtype:trojan-activity;sid:84514808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651705/; classtype:trojan-activity;sid:84514805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651706/; classtype:trojan-activity;sid:84514806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651699)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651699/; classtype:trojan-activity;sid:84514799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651700/; classtype:trojan-activity;sid:84514800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651701/; classtype:trojan-activity;sid:84514801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651702/; classtype:trojan-activity;sid:84514802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; 
http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651703/; classtype:trojan-activity;sid:84514803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651695/; classtype:trojan-activity;sid:84514795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651696/; classtype:trojan-activity;sid:84514796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651697/; classtype:trojan-activity;sid:84514797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651693/; classtype:trojan-activity;sid:84514793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651694/; classtype:trojan-activity;sid:84514794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651691/; classtype:trojan-activity;sid:84514791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651692/; classtype:trojan-activity;sid:84514792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651686/; classtype:trojan-activity;sid:84514786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651688/; classtype:trojan-activity;sid:84514788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651690/; classtype:trojan-activity;sid:84514790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651685/; classtype:trojan-activity;sid:84514785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651682/; classtype:trojan-activity;sid:84514782; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651683/; classtype:trojan-activity;sid:84514783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651681/; classtype:trojan-activity;sid:84514781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-02-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651680/; classtype:trojan-activity;sid:84514780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651679/; classtype:trojan-activity;sid:84514779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651678)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651678/; classtype:trojan-activity;sid:84514778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651675/; classtype:trojan-activity;sid:84514775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651676/; classtype:trojan-activity;sid:84514776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651677/; classtype:trojan-activity;sid:84514777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-22/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651668/; classtype:trojan-activity;sid:84514768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651669/; classtype:trojan-activity;sid:84514769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651670/; classtype:trojan-activity;sid:84514770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651671/; classtype:trojan-activity;sid:84514771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3651667/; classtype:trojan-activity;sid:84514767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651663/; classtype:trojan-activity;sid:84514763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-11-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651665/; classtype:trojan-activity;sid:84514765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651666/; classtype:trojan-activity;sid:84514766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651655/; classtype:trojan-activity;sid:84514755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3651656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-23/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651656/; classtype:trojan-activity;sid:84514756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651657/; classtype:trojan-activity;sid:84514757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651659/; classtype:trojan-activity;sid:84514759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651661/; classtype:trojan-activity;sid:84514761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651650)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/consulta/2022-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651650/; classtype:trojan-activity;sid:84514750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-06-24/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651651/; classtype:trojan-activity;sid:84514751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651652/; classtype:trojan-activity;sid:84514752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651653/; classtype:trojan-activity;sid:84514753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651654/; classtype:trojan-activity;sid:84514754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651645/; classtype:trojan-activity;sid:84514745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651646/; classtype:trojan-activity;sid:84514746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-09-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651647/; classtype:trojan-activity;sid:84514747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651648/; 
classtype:trojan-activity;sid:84514748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651649/; classtype:trojan-activity;sid:84514749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651639/; classtype:trojan-activity;sid:84514739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651640/; classtype:trojan-activity;sid:84514740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651642/; 
classtype:trojan-activity;sid:84514742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651643/; classtype:trojan-activity;sid:84514743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651644/; classtype:trojan-activity;sid:84514744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-09-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651632/; classtype:trojan-activity;sid:84514732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-16/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651633/; classtype:trojan-activity;sid:84514733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3651634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651634/; classtype:trojan-activity;sid:84514734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651635/; classtype:trojan-activity;sid:84514735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651636/; classtype:trojan-activity;sid:84514736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651637/; classtype:trojan-activity;sid:84514737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651638)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651638/; classtype:trojan-activity;sid:84514738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651629/; classtype:trojan-activity;sid:84514729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-06-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651630/; classtype:trojan-activity;sid:84514730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651631/; classtype:trojan-activity;sid:84514731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651628)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2020-09-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651628/; classtype:trojan-activity;sid:84514728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651622/; classtype:trojan-activity;sid:84514722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-07-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651623/; classtype:trojan-activity;sid:84514723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651624/; classtype:trojan-activity;sid:84514724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-04-05/info.zip"; depth:53; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651625/; classtype:trojan-activity;sid:84514725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651627/; classtype:trojan-activity;sid:84514727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651620/; classtype:trojan-activity;sid:84514720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651621/; classtype:trojan-activity;sid:84514721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-19/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651619/; classtype:trojan-activity;sid:84514719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651617/; classtype:trojan-activity;sid:84514717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651616/; classtype:trojan-activity;sid:84514716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651615/; classtype:trojan-activity;sid:84514715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3651614/; classtype:trojan-activity;sid:84514714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651613/; classtype:trojan-activity;sid:84514713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651611/; classtype:trojan-activity;sid:84514711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651608/; classtype:trojan-activity;sid:84514708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651609/; classtype:trojan-activity;sid:84514709; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651605/; classtype:trojan-activity;sid:84514705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651603/; classtype:trojan-activity;sid:84514703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651604/; classtype:trojan-activity;sid:84514704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651598/; classtype:trojan-activity;sid:84514698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3651599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651599/; classtype:trojan-activity;sid:84514699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651600/; classtype:trojan-activity;sid:84514700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-14/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651602/; classtype:trojan-activity;sid:84514702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651591/; classtype:trojan-activity;sid:84514691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-07-07/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651593/; classtype:trojan-activity;sid:84514693; rev:1;)
# (The line above is the tail of the rule for URLhaus id 3651593; its head is on the preceding line.)
#
# ---------------------------------------------------------------------------
# Host 177.70.102.228 -- GET /tmpftp/.../info.zip (all created_at 2025_10_04)
#
# Rule shape shared by every entry in this section:
#   alert http $HOME_NET -> $EXTERNAL_NET, flow:established,from_client
#       client side of an established outbound HTTP flow.
#   http.method; content:"GET"
#       GET requests only.
#   http.uri; content:"<path>"; depth:<n>; endswith; nocase
#       <n> equals the pattern length, so depth pins the start and endswith
#       pins the end: the whole buffer must equal <path>, case-insensitively.
#   http.host; content:"<ip>"; depth:<n>; isdataat:!1,relative
#       same whole-buffer pin for the Host value (no byte may follow the match).
#
# NOTE(review): many paths below contain percent-escapes (%20, %c3%a7, %c3%a3,
# %c3%aa). http.uri is Suricata's normalized URI buffer, while http.uri.raw is
# the un-normalized one. If the sensor decodes escapes during normalization,
# these literals would not match the request as inspected -- confirm with a
# replayed capture before relying on these sids.
# NOTE(review): each rule matches exactly one URL. A different date segment or
# file name on the same host is not covered, so treat these as per-URL
# indicators rather than host coverage.
# NOTE(review): the only age signal is metadata:created_at; no per-rule expiry
# is visible here, so ageing out stale entries is left to the consumer.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-10-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651594/; classtype:trojan-activity;sid:84514694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651595/; classtype:trojan-activity;sid:84514695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-02-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651597/; classtype:trojan-activity;sid:84514697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651588/; classtype:trojan-activity;sid:84514688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651589/; classtype:trojan-activity;sid:84514689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651590/; classtype:trojan-activity;sid:84514690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651583/; classtype:trojan-activity;sid:84514683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651584/; classtype:trojan-activity;sid:84514684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651585/; classtype:trojan-activity;sid:84514685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651586/; classtype:trojan-activity;sid:84514686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651582/; classtype:trojan-activity;sid:84514682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651580/; classtype:trojan-activity;sid:84514680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651581/; classtype:trojan-activity;sid:84514681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651579/; classtype:trojan-activity;sid:84514679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651577/; classtype:trojan-activity;sid:84514677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651578/; classtype:trojan-activity;sid:84514678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-18/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651573/; classtype:trojan-activity;sid:84514673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651574/; classtype:trojan-activity;sid:84514674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651575/; classtype:trojan-activity;sid:84514675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651576/; classtype:trojan-activity;sid:84514676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651570/; classtype:trojan-activity;sid:84514670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651571/; classtype:trojan-activity;sid:84514671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-08-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651567/; classtype:trojan-activity;sid:84514667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651568/; classtype:trojan-activity;sid:84514668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651565/; classtype:trojan-activity;sid:84514665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-05-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651566/; classtype:trojan-activity;sid:84514666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651564/; classtype:trojan-activity;sid:84514664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651562/; classtype:trojan-activity;sid:84514662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651563/; classtype:trojan-activity;sid:84514663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651561/; classtype:trojan-activity;sid:84514661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651558/; classtype:trojan-activity;sid:84514658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651559/; classtype:trojan-activity;sid:84514659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651553/; classtype:trojan-activity;sid:84514653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651554/; classtype:trojan-activity;sid:84514654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651555/; classtype:trojan-activity;sid:84514655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651557/; classtype:trojan-activity;sid:84514657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651548/; classtype:trojan-activity;sid:84514648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651549/; classtype:trojan-activity;sid:84514649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170596/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651550/; classtype:trojan-activity;sid:84514650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651551/; classtype:trojan-activity;sid:84514651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651552/; classtype:trojan-activity;sid:84514652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-07-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651545/; classtype:trojan-activity;sid:84514645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651546/; classtype:trojan-activity;sid:84514646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651539/; classtype:trojan-activity;sid:84514639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651544/; classtype:trojan-activity;sid:84514644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651532/; classtype:trojan-activity;sid:84514632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651533/; classtype:trojan-activity;sid:84514633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651534/; classtype:trojan-activity;sid:84514634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-07-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651535/; classtype:trojan-activity;sid:84514635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651536/; classtype:trojan-activity;sid:84514636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651530/; classtype:trojan-activity;sid:84514630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651531/; classtype:trojan-activity;sid:84514631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651529/; classtype:trojan-activity;sid:84514629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651527/; classtype:trojan-activity;sid:84514627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651526/; classtype:trojan-activity;sid:84514626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651525/; classtype:trojan-activity;sid:84514625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651524/; classtype:trojan-activity;sid:84514624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-01-26/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651521/; classtype:trojan-activity;sid:84514621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651522/; classtype:trojan-activity;sid:84514622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651523/; classtype:trojan-activity;sid:84514623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-05-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651520/; classtype:trojan-activity;sid:84514620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651519/; classtype:trojan-activity;sid:84514619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-01/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651517/; classtype:trojan-activity;sid:84514617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651518/; classtype:trojan-activity;sid:84514618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651515/; classtype:trojan-activity;sid:84514615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651512/; classtype:trojan-activity;sid:84514612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-11-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651513/; classtype:trojan-activity;sid:84514613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-02-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651514/; classtype:trojan-activity;sid:84514614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-09-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651511/; classtype:trojan-activity;sid:84514611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651509/; classtype:trojan-activity;sid:84514609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651510/; classtype:trojan-activity;sid:84514610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651506/; classtype:trojan-activity;sid:84514606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-18/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651507/; classtype:trojan-activity;sid:84514607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651508/; classtype:trojan-activity;sid:84514608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651504/; classtype:trojan-activity;sid:84514604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651505/; classtype:trojan-activity;sid:84514605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651502/; classtype:trojan-activity;sid:84514602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-05-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651503/; classtype:trojan-activity;sid:84514603; rev:1;)
#
# ---------------------------------------------------------------------------
# GET /photo.scr on five different IP-literal hosts (created_at 2025_10_04)
#
# Same rule shape as above; only the Host value and its depth change per rule.
# The path is identical across all five, so the host pin is what separates
# these sids from one another.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651494/; classtype:trojan-activity;sid:84514594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651481/; classtype:trojan-activity;sid:84514581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651477/; classtype:trojan-activity;sid:84514577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651476/; classtype:trojan-activity;sid:84514576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"82.67.39.194"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651475/; classtype:trojan-activity;sid:84514575; rev:1;)
#
# ---------------------------------------------------------------------------
# Host 47.104.31.7 -- GET /download/info.zip (created_at 2025_10_03)
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/info.zip"; depth:18; endswith; nocase; http.host; content:"47.104.31.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651304/; classtype:trojan-activity;sid:84514404; rev:1;)
# URLhaus download-URL signatures, one rule per listed URL. Each rule alerts on
# an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET when
# both buffers equal the listed values:
#   - http.uri:  depth equals the content length and `endswith` pins the end of
#                the buffer, so the whole URI must equal the path (nocase makes
#                the comparison case-insensitive). The same path with a query
#                string appended does not match.
#   - http.host: depth equals the content length and `isdataat:!1,relative`
#                requires that no byte follows the match, so the Host value must
#                be exactly this IP literal. A request that reaches the same
#                server under a hostname does not match.
# The number in msg and in the reference URL is the URLhaus entry id; created_at
# is the date the entry was added. When triaging a hit, open the referenced
# entry to check whether the URL is still listed as active, since a rule keyed
# to an IP literal says nothing about who holds that address today.
# These are `alert http` rules: they see only traffic the HTTP parser handles,
# so the same URL fetched over TLS is not covered unless it is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651202/; classtype:trojan-activity;sid:84514302; rev:1;)
# NOTE(review): this content carries percent-escapes (%20, %c3%a7%c3%a3) and
# depth:62 counts them as literal characters. Suricata documents http.uri as the
# normalized URI, in which escapes such as %20 are decoded. If that holds for
# the deployed HTTP parser settings, this rule would not fire on the listed URL,
# and http.uri.raw would be the buffer that holds the encoded form. Confirm
# against a test capture before counting this URL as covered. The same applies
# to every rule in this file whose http.uri content contains a `%` escape.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651196/; classtype:trojan-activity;sid:84514296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566431/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651195/; classtype:trojan-activity;sid:84514295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651192/; classtype:trojan-activity;sid:84514292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651188)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2020-04-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651188/; classtype:trojan-activity;sid:84514288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000225745/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651183/; classtype:trojan-activity;sid:84514283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651171/; classtype:trojan-activity;sid:84514271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585574/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651168/; classtype:trojan-activity;sid:84514268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567168/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3651169/; classtype:trojan-activity;sid:84514269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171472/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651167/; classtype:trojan-activity;sid:84514267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170010/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651165/; classtype:trojan-activity;sid:84514265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651160/; classtype:trojan-activity;sid:84514260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-01-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651159/; classtype:trojan-activity;sid:84514259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651156/; classtype:trojan-activity;sid:84514256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651155/; classtype:trojan-activity;sid:84514255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165772/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651151/; classtype:trojan-activity;sid:84514251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651149/; classtype:trojan-activity;sid:84514249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-03-17/info.zip"; depth:53; endswith; nocase; http.host; 
content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651150/; classtype:trojan-activity;sid:84514250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170922/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651139/; classtype:trojan-activity;sid:84514239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/info.zip"; depth:28; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651142/; classtype:trojan-activity;sid:84514242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603094/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651135/; classtype:trojan-activity;sid:84514235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171064/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651136/; classtype:trojan-activity;sid:84514236; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603095/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651125/; classtype:trojan-activity;sid:84514225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-03-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651106/; classtype:trojan-activity;sid:84514206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-12-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651099/; classtype:trojan-activity;sid:84514199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.56.227.40"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651097/; classtype:trojan-activity;sid:84514197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651098)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2022-05-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651098/; classtype:trojan-activity;sid:84514198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171016/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651095/; classtype:trojan-activity;sid:84514195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651096/; classtype:trojan-activity;sid:84514196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-06/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651092/; classtype:trojan-activity;sid:84514192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000253230/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_03; reference:url, urlhaus.abuse.ch/url/3651090/; classtype:trojan-activity;sid:84514190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171252/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651088/; classtype:trojan-activity;sid:84514188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651084/; classtype:trojan-activity;sid:84514184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000189793/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651078/; classtype:trojan-activity;sid:84514178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651079/; classtype:trojan-activity;sid:84514179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651076)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651076/; classtype:trojan-activity;sid:84514176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651077/; classtype:trojan-activity;sid:84514177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651075/; classtype:trojan-activity;sid:84514175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604320/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651071/; classtype:trojan-activity;sid:84514171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_03; reference:url, urlhaus.abuse.ch/url/3651067/; classtype:trojan-activity;sid:84514167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2024-05-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651061/; classtype:trojan-activity;sid:84514161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651056/; classtype:trojan-activity;sid:84514156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651044/; classtype:trojan-activity;sid:84514144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000232289/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651041/; classtype:trojan-activity;sid:84514141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3651037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651037/; classtype:trojan-activity;sid:84514137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651031/; classtype:trojan-activity;sid:84514131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651028/; classtype:trojan-activity;sid:84514128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-11-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651022/; classtype:trojan-activity;sid:84514122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651020)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/mdf-e/info.zip"; depth:22; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651020/; classtype:trojan-activity;sid:84514120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000186186/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651016/; classtype:trojan-activity;sid:84514116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164262/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651012/; classtype:trojan-activity;sid:84514112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169167/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651015/; classtype:trojan-activity;sid:84514115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000683762/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3651011/; classtype:trojan-activity;sid:84514111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168339/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651006/; classtype:trojan-activity;sid:84514106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650999/; classtype:trojan-activity;sid:84514099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168881/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650998/; classtype:trojan-activity;sid:84514098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000602407/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650995/; classtype:trojan-activity;sid:84514095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650993)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000626337/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650993/; classtype:trojan-activity;sid:84514093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"193.248.186.21"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650994/; classtype:trojan-activity;sid:84514094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-12-10/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650991/; classtype:trojan-activity;sid:84514091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000565438/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650986/; classtype:trojan-activity;sid:84514086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-06-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650978/; classtype:trojan-activity;sid:84514078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000619269/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650968/; classtype:trojan-activity;sid:84514068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169465/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650963/; classtype:trojan-activity;sid:84514063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-01-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650961/; classtype:trojan-activity;sid:84514061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160983/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650959/; classtype:trojan-activity;sid:84514059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3650958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000179610/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650958/; classtype:trojan-activity;sid:84514058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165004/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650955/; classtype:trojan-activity;sid:84514055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-04-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650949/; classtype:trojan-activity;sid:84514049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-12-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650945/; classtype:trojan-activity;sid:84514045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650943)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000600294/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650943/; classtype:trojan-activity;sid:84514043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000589083/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650940/; classtype:trojan-activity;sid:84514040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169469/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650939/; classtype:trojan-activity;sid:84514039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"172.251.160.252"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650938/; classtype:trojan-activity;sid:84514038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167445/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650934/; 
classtype:trojan-activity;sid:84514034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000608221/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650928/; classtype:trojan-activity;sid:84514028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168559/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650924/; classtype:trojan-activity;sid:84514024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000767154/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650915/; classtype:trojan-activity;sid:84514015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169966/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650912/; classtype:trojan-activity;sid:84514012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650913)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/consulta/info.zip"; depth:28; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650913/; classtype:trojan-activity;sid:84514013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650909/; classtype:trojan-activity;sid:84514009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625892/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650902/; classtype:trojan-activity;sid:84514002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650903/; classtype:trojan-activity;sid:84514003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-05-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650904/; classtype:trojan-activity;sid:84514004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/app_error/info.zip"; depth:26; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650900/; classtype:trojan-activity;sid:84514000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-11-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650897/; classtype:trojan-activity;sid:84513997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160599/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650887/; classtype:trojan-activity;sid:84513987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166747/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650884/; classtype:trojan-activity;sid:84513984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3650886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171986/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650886/; classtype:trojan-activity;sid:84513986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000555504/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650880/; classtype:trojan-activity;sid:84513980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000765366/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650881/; classtype:trojan-activity;sid:84513981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604319/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650870/; classtype:trojan-activity;sid:84513970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-21/info.zip"; depth:43; 
endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650869/; classtype:trojan-activity;sid:84513969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171330/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650868/; classtype:trojan-activity;sid:84513968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650863/; classtype:trojan-activity;sid:84513963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650862/; classtype:trojan-activity;sid:84513962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650861/; 
classtype:trojan-activity;sid:84513961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650859/; classtype:trojan-activity;sid:84513959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"1.64.40.207"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650857/; classtype:trojan-activity;sid:84513957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000621738/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650856/; classtype:trojan-activity;sid:84513956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165010/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650855/; classtype:trojan-activity;sid:84513955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650851)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650851/; classtype:trojan-activity;sid:84513951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168303/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650850/; classtype:trojan-activity;sid:84513950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"68.148.10.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650846/; classtype:trojan-activity;sid:84513946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650841/; classtype:trojan-activity;sid:84513941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650831/; 
classtype:trojan-activity;sid:84513931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-04-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650828/; classtype:trojan-activity;sid:84513928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650824/; classtype:trojan-activity;sid:84513924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650823/; classtype:trojan-activity;sid:84513923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-04-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650821/; classtype:trojan-activity;sid:84513921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3650820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000391039/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650820/; classtype:trojan-activity;sid:84513920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"82.67.39.194"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650817/; classtype:trojan-activity;sid:84513917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000574637/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650818/; classtype:trojan-activity;sid:84513918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650811/; classtype:trojan-activity;sid:84513911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3650810/; classtype:trojan-activity;sid:84513910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650808/; classtype:trojan-activity;sid:84513908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650806/; classtype:trojan-activity;sid:84513906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-05-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650801/; classtype:trojan-activity;sid:84513901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000601712/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650791/; classtype:trojan-activity;sid:84513891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3650783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650783/; classtype:trojan-activity;sid:84513883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650782/; classtype:trojan-activity;sid:84513882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650781/; classtype:trojan-activity;sid:84513881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164804/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650779/; classtype:trojan-activity;sid:84513879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000591478/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650770/; classtype:trojan-activity;sid:84513870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165246/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650768/; classtype:trojan-activity;sid:84513868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650758/; classtype:trojan-activity;sid:84513858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650751/; classtype:trojan-activity;sid:84513851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000631756/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650748/; 
classtype:trojan-activity;sid:84513848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-04-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650746/; classtype:trojan-activity;sid:84513846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167557/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650744/; classtype:trojan-activity;sid:84513844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-12-10/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650741/; classtype:trojan-activity;sid:84513841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-07-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650739/; classtype:trojan-activity;sid:84513839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650735)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000232287/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650735/; classtype:trojan-activity;sid:84513835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650731/; classtype:trojan-activity;sid:84513831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-05-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650730/; classtype:trojan-activity;sid:84513830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000607873/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650729/; classtype:trojan-activity;sid:84513829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166887/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650726/; classtype:trojan-activity;sid:84513826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162883/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650720/; classtype:trojan-activity;sid:84513820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000680913/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650719/; classtype:trojan-activity;sid:84513819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625326/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650718/; classtype:trojan-activity;sid:84513818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650714/; classtype:trojan-activity;sid:84513814; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167443/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650712/; classtype:trojan-activity;sid:84513812; rev:1;)
# Reviewer notes for the auto-generated URLhaus entries that follow.
# Shared match logic: outbound ($HOME_NET -> $EXTERNAL_NET), established client-to-server
# HTTP GET whose URI equals the quoted path (depth = literal length, plus endswith, pins both
# ends; nocase relaxes case on the URI literal only) and whose Host value equals the quoted IP
# (depth plus isdataat:!1,relative allows nothing after it).
# Coverage limits: `alert http` inspects cleartext HTTP only, and the exact Host match means a
# request for the same server under a DNS name does not alert.
# Triage: the number in msg is the URLhaus entry id used in the reference keyword; created_at
# is presumably the date the feed added the entry, so check the entry's current status on the
# reference page before treating a hit as a live download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650711/; classtype:trojan-activity;sid:84513811; rev:1;)
# NOTE(review): the URI literal below is percent-encoded (%20, %c3%a7%c3%a3) and depth:62 is
# the length of the encoded form. http.uri is Suricata's normalized URI buffer; if the sensor's
# HTTP parser decodes escapes in that buffer, this literal cannot match and http.uri.raw would
# be the buffer to inspect instead. Replay a sample request against the sensor to confirm
# which form this sid actually sees - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-03-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650708/; classtype:trojan-activity;sid:84513808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566429/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650703/; classtype:trojan-activity;sid:84513803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650701)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-01-14/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650701/; classtype:trojan-activity;sid:84513801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"77.211.28.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650698/; classtype:trojan-activity;sid:84513798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166105/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650693/; classtype:trojan-activity;sid:84513793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171466/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650690/; classtype:trojan-activity;sid:84513790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164836/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3650689/; classtype:trojan-activity;sid:84513789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2021-10-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650686/; classtype:trojan-activity;sid:84513786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650687/; classtype:trojan-activity;sid:84513787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165072/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650683/; classtype:trojan-activity;sid:84513783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000457040/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650678/; classtype:trojan-activity;sid:84513778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650679)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650679/; classtype:trojan-activity;sid:84513779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000218874/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650676/; classtype:trojan-activity;sid:84513776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171556/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650667/; classtype:trojan-activity;sid:84513767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224647/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650664/; classtype:trojan-activity;sid:84513764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165656/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650665/; classtype:trojan-activity;sid:84513765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650659/; classtype:trojan-activity;sid:84513759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603149/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650655/; classtype:trojan-activity;sid:84513755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-10-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650653/; classtype:trojan-activity;sid:84513753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650650/; classtype:trojan-activity;sid:84513750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3650652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650652/; classtype:trojan-activity;sid:84513752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171224/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650649/; classtype:trojan-activity;sid:84513749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000187451/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650640/; classtype:trojan-activity;sid:84513740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170836/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650638/; classtype:trojan-activity;sid:84513738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-04/info.zip"; depth:62; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650633/; classtype:trojan-activity;sid:84513733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"98.213.164.39"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650624/; classtype:trojan-activity;sid:84513724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171296/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650622/; classtype:trojan-activity;sid:84513722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-10-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650617/; classtype:trojan-activity;sid:84513717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"88.28.218.163"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650616/; classtype:trojan-activity;sid:84513716; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/info.zip"; depth:65; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650611/; classtype:trojan-activity;sid:84513711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650612/; classtype:trojan-activity;sid:84513712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604318/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650609/; classtype:trojan-activity;sid:84513709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2024-06-19/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650600/; classtype:trojan-activity;sid:84513700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650598)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650598/; classtype:trojan-activity;sid:84513698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650596/; classtype:trojan-activity;sid:84513696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650597/; classtype:trojan-activity;sid:84513697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000426238/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650595/; classtype:trojan-activity;sid:84513695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-05/info.zip"; depth:62; endswith; nocase; http.host; 
content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650593/; classtype:trojan-activity;sid:84513693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650594/; classtype:trojan-activity;sid:84513694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650588/; classtype:trojan-activity;sid:84513688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650590/; classtype:trojan-activity;sid:84513690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172470/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650585/; classtype:trojan-activity;sid:84513685; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168287/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650586/; classtype:trojan-activity;sid:84513686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585436/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650575/; classtype:trojan-activity;sid:84513675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171288/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650573/; classtype:trojan-activity;sid:84513673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"14.224.205.246"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650570/; classtype:trojan-activity;sid:84513670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000176793/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650568/; classtype:trojan-activity;sid:84513668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000213545/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650569/; classtype:trojan-activity;sid:84513669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167279/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650565/; classtype:trojan-activity;sid:84513665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650563/; classtype:trojan-activity;sid:84513663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167437/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650561/; 
classtype:trojan-activity;sid:84513661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650558/; classtype:trojan-activity;sid:84513658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650559/; classtype:trojan-activity;sid:84513659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606633/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650554/; classtype:trojan-activity;sid:84513654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167071/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650551/; classtype:trojan-activity;sid:84513651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650550)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650550/; classtype:trojan-activity;sid:84513650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172576/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650549/; classtype:trojan-activity;sid:84513649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650546/; classtype:trojan-activity;sid:84513646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/info.zip"; depth:32; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650541/; classtype:trojan-activity;sid:84513641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-10-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650535/; classtype:trojan-activity;sid:84513635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171304/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650529/; classtype:trojan-activity;sid:84513629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650526/; classtype:trojan-activity;sid:84513626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-11-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650520/; classtype:trojan-activity;sid:84513620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650521/; classtype:trojan-activity;sid:84513621; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650518/; classtype:trojan-activity;sid:84513618; rev:1;)
# Every rule below follows one template (one rule per line):
#   flow:established,from_client + http.method content:"GET"
#       -> only client-to-server GET requests on an established flow are inspected.
#   http.uri content:"<path>"; depth:<len of path>; endswith; nocase
#       -> depth equals the content length and endswith pins the end of the buffer, so the
#          content must be the whole URI buffer (case-insensitive). The same path requested
#          with a query string appended does not match.
#   http.host content:"<ip>"; depth:<len of ip>; isdataat:!1,relative
#       -> the Host value must be exactly the listed IP literal; a request that reaches the
#          same server under a hostname does not match.
# The number in msg and in the reference URL is the URLhaus entry id; created_at is the date
# the entry was added to the feed (2025_10_03 for every rule in this stretch).
#
# NOTE(review): some rules below carry percent-encoded text (%20, %c3%a7%c3%a3o, %c3%a3o) in an
# http.uri match. http.uri is Suricata's normalized URI buffer, where percent-escapes are
# normally decoded, so those contents may never match live traffic; http.uri.raw, or the
# decoded bytes (a space and |c3 a7 c3 a3|), is what usually matches such a request. Confirm
# with a replayed capture before relying on them. Each affected rule is flagged individually.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650519/; classtype:trojan-activity;sid:84513619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-02-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650516/; classtype:trojan-activity;sid:84513616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650515/; classtype:trojan-activity;sid:84513615; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2020-11-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650513/; classtype:trojan-activity;sid:84513613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166971/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650512/; classtype:trojan-activity;sid:84513612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164808/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650508/; classtype:trojan-activity;sid:84513608; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650507/; classtype:trojan-activity;sid:84513607; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650503/; classtype:trojan-activity;sid:84513603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170482/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650504/; classtype:trojan-activity;sid:84513604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165644/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650506/; classtype:trojan-activity;sid:84513606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000264706/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650493/; classtype:trojan-activity;sid:84513593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000562134/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650494/; classtype:trojan-activity;sid:84513594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000680914/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650498/; classtype:trojan-activity;sid:84513598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169171/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650499/; classtype:trojan-activity;sid:84513599; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-06/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650500/; classtype:trojan-activity;sid:84513600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-11-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650502/; classtype:trojan-activity;sid:84513602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650492/; classtype:trojan-activity;sid:84513592; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-11-28/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650491/; classtype:trojan-activity;sid:84513591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650487/; classtype:trojan-activity;sid:84513587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165020/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650482/; classtype:trojan-activity;sid:84513582; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650483/; classtype:trojan-activity;sid:84513583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171284/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650480/; classtype:trojan-activity;sid:84513580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650477/; classtype:trojan-activity;sid:84513577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650476/; classtype:trojan-activity;sid:84513576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604651/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650472/; classtype:trojan-activity;sid:84513572; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-11-12/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650468/; classtype:trojan-activity;sid:84513568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650467/; classtype:trojan-activity;sid:84513567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166079/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650465/; classtype:trojan-activity;sid:84513565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650461/; classtype:trojan-activity;sid:84513561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000601171/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650457/; classtype:trojan-activity;sid:84513557; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2024-01-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650454/; classtype:trojan-activity;sid:84513554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000159804/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650450/; classtype:trojan-activity;sid:84513550; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-08-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650447/; classtype:trojan-activity;sid:84513547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566428/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650443/; classtype:trojan-activity;sid:84513543; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-02-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650444/; classtype:trojan-activity;sid:84513544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168305/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650441/; classtype:trojan-activity;sid:84513541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170516/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650439/; classtype:trojan-activity;sid:84513539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000163666/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650431/; classtype:trojan-activity;sid:84513531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650429/; classtype:trojan-activity;sid:84513529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000601753/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650430/; classtype:trojan-activity;sid:84513530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000629919/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650423/; classtype:trojan-activity;sid:84513523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000263120/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650422/; classtype:trojan-activity;sid:84513522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650415/; classtype:trojan-activity;sid:84513515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000237372/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650412/; classtype:trojan-activity;sid:84513512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650413/; classtype:trojan-activity;sid:84513513; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650400/; classtype:trojan-activity;sid:84513500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650397/; classtype:trojan-activity;sid:84513497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650396/; classtype:trojan-activity;sid:84513496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000555505/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650390/; classtype:trojan-activity;sid:84513490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650389/; classtype:trojan-activity;sid:84513489; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-05-19/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650388/; classtype:trojan-activity;sid:84513488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169865/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650386/; classtype:trojan-activity;sid:84513486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-11-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650387/; classtype:trojan-activity;sid:84513487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172466/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650383/; classtype:trojan-activity;sid:84513483; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-07-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650384/; classtype:trojan-activity;sid:84513484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171312/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650381/; classtype:trojan-activity;sid:84513481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650379/; classtype:trojan-activity;sid:84513479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169769/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650374/; classtype:trojan-activity;sid:84513474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000573133/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650364/; classtype:trojan-activity;sid:84513464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606636/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650366/; classtype:trojan-activity;sid:84513466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650368/; classtype:trojan-activity;sid:84513468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546234/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650371/; classtype:trojan-activity;sid:84513471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650373/; classtype:trojan-activity;sid:84513473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586306/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650362/; classtype:trojan-activity;sid:84513462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170378/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650358/; classtype:trojan-activity;sid:84513458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650351/; classtype:trojan-activity;sid:84513451; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650352/; classtype:trojan-activity;sid:84513452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160995/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650348/; classtype:trojan-activity;sid:84513448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650347/; classtype:trojan-activity;sid:84513447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650343/; classtype:trojan-activity;sid:84513443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168278/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650337/; classtype:trojan-activity;sid:84513437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170774/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650338/; classtype:trojan-activity;sid:84513438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000633210/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650340/; classtype:trojan-activity;sid:84513440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224648/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650331/; classtype:trojan-activity;sid:84513431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165504/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650332/; classtype:trojan-activity;sid:84513432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604442/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650325/; classtype:trojan-activity;sid:84513425; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650327/; classtype:trojan-activity;sid:84513427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650319/; classtype:trojan-activity;sid:84513419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650307/; classtype:trojan-activity;sid:84513407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650299/; classtype:trojan-activity;sid:84513399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166309/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650300/; classtype:trojan-activity;sid:84513400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553612/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650276/; classtype:trojan-activity;sid:84513376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169947/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650270/; classtype:trojan-activity;sid:84513370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165200/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650271/; classtype:trojan-activity;sid:84513371; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/mdf-e/01/consulta%20n%c3%a3o%20encerrado/info.zip"; depth:57; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650269/; classtype:trojan-activity;sid:84513369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650263/; classtype:trojan-activity;sid:84513363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650261/; classtype:trojan-activity;sid:84513361; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650262/; classtype:trojan-activity;sid:84513362; rev:1;)
# NOTE(review): percent-encoded http.uri content; may not match the normalized buffer, verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-02-16/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650259/; classtype:trojan-activity;sid:84513359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168295/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650258/; classtype:trojan-activity;sid:84513358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585560/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650253/; classtype:trojan-activity;sid:84513353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650251)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-11-29/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650251/; classtype:trojan-activity;sid:84513351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604650/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650244/; classtype:trojan-activity;sid:84513344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604662/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650243/; classtype:trojan-activity;sid:84513343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650242/; classtype:trojan-activity;sid:84513342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650236/; classtype:trojan-activity;sid:84513336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168293/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650222/; classtype:trojan-activity;sid:84513322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-06-25/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650219/; classtype:trojan-activity;sid:84513319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162637/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650215/; classtype:trojan-activity;sid:84513315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600441/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650214/; classtype:trojan-activity;sid:84513314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3650213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000584368/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650213/; classtype:trojan-activity;sid:84513313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650200/; classtype:trojan-activity;sid:84513300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165935/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650201/; classtype:trojan-activity;sid:84513301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-10-28/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650195/; classtype:trojan-activity;sid:84513295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650196)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2022-11-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650196/; classtype:trojan-activity;sid:84513296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650193/; classtype:trojan-activity;sid:84513293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000179593/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650191/; classtype:trojan-activity;sid:84513291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650190/; classtype:trojan-activity;sid:84513290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-19/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3650187/; classtype:trojan-activity;sid:84513287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650181/; classtype:trojan-activity;sid:84513281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-06-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650178/; classtype:trojan-activity;sid:84513278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000222522/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650170/; classtype:trojan-activity;sid:84513270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166869/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650162/; classtype:trojan-activity;sid:84513262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3650160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566150/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650160/; classtype:trojan-activity;sid:84513260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546495/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650161/; classtype:trojan-activity;sid:84513261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-03-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650159/; classtype:trojan-activity;sid:84513259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164138/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650146/; classtype:trojan-activity;sid:84513246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650138)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-12-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650138/; classtype:trojan-activity;sid:84513238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170520/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650130/; classtype:trojan-activity;sid:84513230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650129/; classtype:trojan-activity;sid:84513229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171256/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650127/; classtype:trojan-activity;sid:84513227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172428/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650123/; classtype:trojan-activity;sid:84513223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553463/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650122/; classtype:trojan-activity;sid:84513222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2023-11-14/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650117/; classtype:trojan-activity;sid:84513217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165900/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650118/; classtype:trojan-activity;sid:84513218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650114/; classtype:trojan-activity;sid:84513214; rev:1;) 
# Reading notes for the URLhaus entries that follow (generated feed, one alert per listed URL):
# - Each signature is an exact match. The http.uri content has a depth equal to its own
#   length plus endswith, so it must equal the whole URI buffer; the http.host content has
#   depth plus isdataat:!1,relative, so it must equal the whole Host value. The same file
#   requested with a query string, or through a hostname instead of the literal IP, is
#   not covered by these rules.
# - Suricata documents http.uri as the normalized URI and http.uri.raw as the undecoded
#   one. Several contents below carry percent-encoded bytes (%20, %c3%a7%c3%a3).
#   NOTE(review): if the sensor decodes these during normalization, those contents would
#   need http.uri.raw or the decoded bytes to fire; replay a sample request to confirm.
# - The rules use the http protocol keyword, so they only see traffic the sensor parses
#   as HTTP; downloads over TLS are outside their view unless decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650115/; classtype:trojan-activity;sid:84513215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566395/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650112/; classtype:trojan-activity;sid:84513212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-08-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650111/; classtype:trojan-activity;sid:84513211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171314/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650107/; classtype:trojan-activity;sid:84513207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650105)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/01/cancelamento/2020-10-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650105/; classtype:trojan-activity;sid:84513205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567163/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650104/; classtype:trojan-activity;sid:84513204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171298/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650093/; classtype:trojan-activity;sid:84513193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168275/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650092/; classtype:trojan-activity;sid:84513192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3650086/; classtype:trojan-activity;sid:84513186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-03-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650087/; classtype:trojan-activity;sid:84513187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650085/; classtype:trojan-activity;sid:84513185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-03-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650083/; classtype:trojan-activity;sid:84513183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-11-24/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650082/; classtype:trojan-activity;sid:84513182; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166259/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650079/; classtype:trojan-activity;sid:84513179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-02-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650080/; classtype:trojan-activity;sid:84513180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165824/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650078/; classtype:trojan-activity;sid:84513178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/info.zip"; depth:16; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650071/; classtype:trojan-activity;sid:84513171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600293/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650067/; classtype:trojan-activity;sid:84513167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567166/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650058/; classtype:trojan-activity;sid:84513158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-10-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650055/; classtype:trojan-activity;sid:84513155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-08-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650056/; classtype:trojan-activity;sid:84513156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650054/; 
classtype:trojan-activity;sid:84513154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567145/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650051/; classtype:trojan-activity;sid:84513151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-05-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650047/; classtype:trojan-activity;sid:84513147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650048/; classtype:trojan-activity;sid:84513148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650044/; classtype:trojan-activity;sid:84513144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650038)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-08-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650038/; classtype:trojan-activity;sid:84513138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650035/; classtype:trojan-activity;sid:84513135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167243/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650036/; classtype:trojan-activity;sid:84513136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169473/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650028/; classtype:trojan-activity;sid:84513128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171454/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650026/; classtype:trojan-activity;sid:84513126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170532/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650023/; classtype:trojan-activity;sid:84513123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650020/; classtype:trojan-activity;sid:84513120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650007/; classtype:trojan-activity;sid:84513107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000543689/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650004/; classtype:trojan-activity;sid:84513104; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000633209/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650001/; classtype:trojan-activity;sid:84513101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546233/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649996/; classtype:trojan-activity;sid:84513096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000173466/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649995/; classtype:trojan-activity;sid:84513095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585575/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649992/; classtype:trojan-activity;sid:84513092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649985)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/consulta/2020-10-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649985/; classtype:trojan-activity;sid:84513085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171194/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649986/; classtype:trojan-activity;sid:84513086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172163/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649987/; classtype:trojan-activity;sid:84513087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649984/; classtype:trojan-activity;sid:84513084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586961/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649980/; 
classtype:trojan-activity;sid:84513080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000609592/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649981/; classtype:trojan-activity;sid:84513081; rev:1;)
# How the next rule matches (the other rules here follow the same template):
#   - http.method content "GET": only GET requests are considered.
#   - http.uri content with depth:9 + endswith: the pattern must start at offset 0 and
#     end at the end of the buffer, i.e. the URI must be exactly "/info.zip" (nocase
#     makes the comparison case-insensitive). A query string or extra path segment
#     means no match.
#   - http.host content with depth:13 + isdataat:!1,relative: the host must be exactly
#     this IP literal, with no data following it.
#   - Scope is client requests on established flows from $HOME_NET to $EXTERNAL_NET
#     that Suricata parses as HTTP; the same URL fetched inside TLS is not inspected
#     by this rule unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649975/; classtype:trojan-activity;sid:84513075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649968/; classtype:trojan-activity;sid:84513068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649964/; classtype:trojan-activity;sid:84513064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649961)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-02-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649961/; classtype:trojan-activity;sid:84513061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172788/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649959/; classtype:trojan-activity;sid:84513059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000237371/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649956/; classtype:trojan-activity;sid:84513056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000552709/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649952/; classtype:trojan-activity;sid:84513052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168509/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_03; reference:url, urlhaus.abuse.ch/url/3649944/; classtype:trojan-activity;sid:84513044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000683761/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649943/; classtype:trojan-activity;sid:84513043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649937/; classtype:trojan-activity;sid:84513037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649935/; classtype:trojan-activity;sid:84513035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567164/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649932/; classtype:trojan-activity;sid:84513032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3649930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171888/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649930/; classtype:trojan-activity;sid:84513030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165116/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649931/; classtype:trojan-activity;sid:84513031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649928/; classtype:trojan-activity;sid:84513028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649922/; classtype:trojan-activity;sid:84513022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000208170/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649923/; classtype:trojan-activity;sid:84513023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000264645/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649919/; classtype:trojan-activity;sid:84513019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-08-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649914/; classtype:trojan-activity;sid:84513014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171458/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649910/; classtype:trojan-activity;sid:84513010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000617432/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649900/; classtype:trojan-activity;sid:84513000; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-11-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649901/; classtype:trojan-activity;sid:84513001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649897/; classtype:trojan-activity;sid:84512997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649899/; classtype:trojan-activity;sid:84512999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624762/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649896/; classtype:trojan-activity;sid:84512996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649895)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000265247/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649895/; classtype:trojan-activity;sid:84512995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165014/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649888/; classtype:trojan-activity;sid:84512988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165090/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649885/; classtype:trojan-activity;sid:84512985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168749/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649886/; classtype:trojan-activity;sid:84512986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172574/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3649884/; classtype:trojan-activity;sid:84512984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167339/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649881/; classtype:trojan-activity;sid:84512981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000212326/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649878/; classtype:trojan-activity;sid:84512978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603747/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649874/; classtype:trojan-activity;sid:84512974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000746890/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649870/; classtype:trojan-activity;sid:84512970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649867)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160628/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649867/; classtype:trojan-activity;sid:84512967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171452/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649868/; classtype:trojan-activity;sid:84512968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649869/; classtype:trojan-activity;sid:84512969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"75.42.36.186"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649865/; classtype:trojan-activity;sid:84512965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164253/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649864/; classtype:trojan-activity;sid:84512964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000426237/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649863/; classtype:trojan-activity;sid:84512963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649861/; classtype:trojan-activity;sid:84512961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649858/; classtype:trojan-activity;sid:84512958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649856/; classtype:trojan-activity;sid:84512956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3649850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649850/; classtype:trojan-activity;sid:84512950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-02/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649848/; classtype:trojan-activity;sid:84512948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649844/; classtype:trojan-activity;sid:84512944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649840/; classtype:trojan-activity;sid:84512940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649839)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/td00000000000000170894/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649839/; classtype:trojan-activity;sid:84512937; rev:1;)
# Triage note for alerts from these rules:
#   - msg and classtype are identical across the feed; the URLhaus entry id in msg
#     and in reference:url is what identifies the indicator. In the rules visible
#     here, sid equals that id plus 80863100 (presumably a fixed offset; verify
#     before relying on it in tooling).
#   - metadata:created_at (2025_10_03) is the only date the rule carries, while this
#     file's header reports the feed as last updated 2026-04-27. The rule does not
#     say whether the URL still serves a payload, and a bare-IP host can change
#     hands, so check the referenced URLhaus entry before treating a hit as an
#     active infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649837/; classtype:trojan-activity;sid:84512937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171742/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649833/; classtype:trojan-activity;sid:84512933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171248/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649821/; classtype:trojan-activity;sid:84512921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/info.zip"; depth:32; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649815/;
classtype:trojan-activity;sid:84512915; rev:1;)
# --- Review notes for the rules below (URLhaus feed, entries created 2025_10_03) ---
# Layout: Suricata reads one rule per line; each rule below sits on its own line,
# with every keyword, value and sid unchanged.
# Match logic, as written in each rule: an HTTP GET from $HOME_NET to $EXTERNAL_NET
# where http.uri equals the listed path (depth = content length, plus endswith,
# with nocase) and http.host equals the listed address (depth = content length,
# plus isdataat:!1,relative). These are exact-match indicators: the same file
# requested with a query string, under another path or with another Host value
# does not alert. The `http` protocol keyword limits inspection to traffic that
# Suricata parses as HTTP.
# NOTE(review): several paths below carry percent-escapes (%20, %c3%a7, %c3%a3) inside
# a content match on http.uri, and depth counts the escaped length. Suricata
# documents http.uri as the normalized URI and http.uri.raw as the un-normalized
# one, so these entries may not fire if the engine decodes the escapes first --
# confirm with a replayed test request on the deployed Suricata version.
# Most entries in this stretch name the hosts 177.70.102.228 and 177.70.102.232
# with paths ending in /info.zip.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649802/; classtype:trojan-activity;sid:84512902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000465109/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649801/; classtype:trojan-activity;sid:84512901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172568/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649790/; classtype:trojan-activity;sid:84512890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649788/; classtype:trojan-activity;sid:84512888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000226537/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649783/; classtype:trojan-activity;sid:84512883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2022-02-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649780/; classtype:trojan-activity;sid:84512880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-07-28/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649777/; classtype:trojan-activity;sid:84512877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-08-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649775/; classtype:trojan-activity;sid:84512875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166135/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649771/; classtype:trojan-activity;sid:84512871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-06-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649768/; classtype:trojan-activity;sid:84512868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000583935/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649762/; classtype:trojan-activity;sid:84512862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-06-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649760/; classtype:trojan-activity;sid:84512860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171246/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649761/; classtype:trojan-activity;sid:84512861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165999/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649751/; classtype:trojan-activity;sid:84512851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649744/; classtype:trojan-activity;sid:84512844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2024-07-06/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649738/; classtype:trojan-activity;sid:84512838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000557542/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649730/; classtype:trojan-activity;sid:84512830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167115/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649731/; classtype:trojan-activity;sid:84512831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649707/; classtype:trojan-activity;sid:84512807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168301/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649699/; classtype:trojan-activity;sid:84512799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171474/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649701/; classtype:trojan-activity;sid:84512801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649702/; classtype:trojan-activity;sid:84512802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167423/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649692/; classtype:trojan-activity;sid:84512792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649689/; classtype:trojan-activity;sid:84512789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649682/; classtype:trojan-activity;sid:84512782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171702/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649681/; classtype:trojan-activity;sid:84512781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171468/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649677/; classtype:trojan-activity;sid:84512777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000230418/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649673/; classtype:trojan-activity;sid:84512773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166739/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649674/; classtype:trojan-activity;sid:84512774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649672/; classtype:trojan-activity;sid:84512772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000552326/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649669/; classtype:trojan-activity;sid:84512769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649663/; classtype:trojan-activity;sid:84512763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649662/; classtype:trojan-activity;sid:84512762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649656/; classtype:trojan-activity;sid:84512756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169927/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649655/; classtype:trojan-activity;sid:84512755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-08-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649651/; classtype:trojan-activity;sid:84512751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-12-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649653/; classtype:trojan-activity;sid:84512753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649650/; classtype:trojan-activity;sid:84512750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000543908/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649647/; classtype:trojan-activity;sid:84512747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172094/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649643/; classtype:trojan-activity;sid:84512743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000542543/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649644/; classtype:trojan-activity;sid:84512744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162506/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649635/; classtype:trojan-activity;sid:84512735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649636/; classtype:trojan-activity;sid:84512736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171302/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649622/; classtype:trojan-activity;sid:84512722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166801/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649626/; classtype:trojan-activity;sid:84512726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649618/; classtype:trojan-activity;sid:84512718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160981/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649613/; classtype:trojan-activity;sid:84512713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000551812/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649607/; classtype:trojan-activity;sid:84512707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649605/; classtype:trojan-activity;sid:84512705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-10-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649599/; classtype:trojan-activity;sid:84512699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649594/; classtype:trojan-activity;sid:84512694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649588/; classtype:trojan-activity;sid:84512688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-03-10/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649590/; classtype:trojan-activity;sid:84512690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649580/; classtype:trojan-activity;sid:84512680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-05-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649578/; classtype:trojan-activity;sid:84512678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168299/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649576/; classtype:trojan-activity;sid:84512676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167451/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649577/; classtype:trojan-activity;sid:84512677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160619/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649573/; classtype:trojan-activity;sid:84512673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171294/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649574/; classtype:trojan-activity;sid:84512674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171316/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649572/; classtype:trojan-activity;sid:84512672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-08-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649570/; classtype:trojan-activity;sid:84512670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000223168/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649567/; classtype:trojan-activity;sid:84512667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649560/; classtype:trojan-activity;sid:84512660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168281/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649556/; classtype:trojan-activity;sid:84512656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171358/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649549/; classtype:trojan-activity;sid:84512649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167601/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649551/; classtype:trojan-activity;sid:84512651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2024-06-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649552/; classtype:trojan-activity;sid:84512652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600310/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649544/; classtype:trojan-activity;sid:84512644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-10-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649535/; classtype:trojan-activity;sid:84512635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166323/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649533/; classtype:trojan-activity;sid:84512633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000732234/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649532/; classtype:trojan-activity;sid:84512632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649529/; classtype:trojan-activity;sid:84512629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000223167/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649528/; classtype:trojan-activity;sid:84512628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000584370/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649521/; classtype:trojan-activity;sid:84512621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000583934/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649517/; classtype:trojan-activity;sid:84512617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165844/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649514/; classtype:trojan-activity;sid:84512614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-12-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649506/; classtype:trojan-activity;sid:84512606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165184/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649503/; classtype:trojan-activity;sid:84512603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649498/; classtype:trojan-activity;sid:84512598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649495/; classtype:trojan-activity;sid:84512595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649494/; classtype:trojan-activity;sid:84512594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168365/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649492/; classtype:trojan-activity;sid:84512592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-03-26/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649489/; classtype:trojan-activity;sid:84512589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-03-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649486/; classtype:trojan-activity;sid:84512586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649484/; classtype:trojan-activity;sid:84512584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000209999/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649483/; classtype:trojan-activity;sid:84512583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164122/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649468/; classtype:trojan-activity;sid:84512568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567165/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649459/; classtype:trojan-activity;sid:84512559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649456/; classtype:trojan-activity;sid:84512556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649458/; classtype:trojan-activity;sid:84512558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171854/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649455/; classtype:trojan-activity;sid:84512555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604321/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649440/; classtype:trojan-activity;sid:84512540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649427/; classtype:trojan-activity;sid:84512527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160615/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649424/; classtype:trojan-activity;sid:84512524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649420/; classtype:trojan-activity;sid:84512520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171250/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649418/; classtype:trojan-activity;sid:84512518; rev:1;) 
# URLhaus rules (created_at 2025_10_03) for GET requests fetching info.zip under /tmpftp/
# from the hosts 177.70.102.228 and 177.70.102.232.
# Every rule in this group has the same shape:
#   - flow:established,from_client with http.method "GET": client request on an established
#     flow, going from $HOME_NET to $EXTERNAL_NET.
#   - http.uri: depth equals the pattern length and is paired with endswith, so the buffer must
#     equal the pattern exactly (nocase makes the comparison case-insensitive). A request that
#     adds anything to the URI, such as a query string, does not match.
#   - http.host: depth equals the pattern length and isdataat:!1,relative requires that no byte
#     follows, so the host must be exactly the listed IP literal.
# The rules are written against the http app-layer protocol.
# NOTE(review): presumably the same URL fetched over TLS is not seen unless traffic is decrypted
# before the sensor; confirm against sensor placement.
#
# NOTE(review): sids 84512502, 84512497, 84512495 and 84512485 write the path with literal
# percent-escapes (%20, %c3%a7%c3%a3) and count those escapes in depth, but match in http.uri.
# Suricata documents http.uri as the normalized URI buffer, where escapes such as %20 are
# decoded, and http.uri.raw as the buffer that keeps them. These four rules therefore presumably
# do not fire on a request for the encoded URL; confirm with a pcap replay. If confirmed, the
# pattern needs http.uri.raw, or the decoded bytes in |hex| notation with depth set to the
# decoded length. Local edits to feed-managed sids are overwritten on the next feed update, so
# the durable fix belongs upstream.

# Numeric "td..." directory paths on 177.70.102.228.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165250/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649416/; classtype:trojan-activity;sid:84512516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171286/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649414/; classtype:trojan-activity;sid:84512514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169527/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649411/; classtype:trojan-activity;sid:84512511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171402/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649406/; classtype:trojan-activity;sid:84512506; rev:1;)
# Percent-escaped patterns in http.uri (see NOTE(review) above): the next three rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-02/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649402/; classtype:trojan-activity;sid:84512502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2021-05-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649397/; classtype:trojan-activity;sid:84512497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649395/; classtype:trojan-activity;sid:84512495; rev:1;)
# Plain-ASCII paths: the escape caveat does not apply to these.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171478/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649392/; classtype:trojan-activity;sid:84512492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168553/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649389/; classtype:trojan-activity;sid:84512489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649391/; classtype:trojan-activity;sid:84512491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171462/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649387/; classtype:trojan-activity;sid:84512487; rev:1;)
# Percent-escaped pattern in http.uri (see NOTE(review) above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-12-12/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649385/; classtype:trojan-activity;sid:84512485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/info.zip"; depth:23; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649382/; classtype:trojan-activity;sid:84512482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606635/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649379/; classtype:trojan-activity;sid:84512479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-03-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649380/; classtype:trojan-activity;sid:84512480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000238203/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649377/; classtype:trojan-activity;sid:84512477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649375/; classtype:trojan-activity;sid:84512475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649376)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/01/cancelamento/2022-01-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649376/; classtype:trojan-activity;sid:84512476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171242/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649372/; classtype:trojan-activity;sid:84512472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/info.zip"; depth:21; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649370/; classtype:trojan-activity;sid:84512470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171464/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649365/; classtype:trojan-activity;sid:84512465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3649366/; classtype:trojan-activity;sid:84512466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-06-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649363/; classtype:trojan-activity;sid:84512463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171332/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649360/; classtype:trojan-activity;sid:84512460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649359/; classtype:trojan-activity;sid:84512459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166237/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649357/; classtype:trojan-activity;sid:84512457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3649354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165850/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649354/; classtype:trojan-activity;sid:84512454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649355/; classtype:trojan-activity;sid:84512455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000213544/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649353/; classtype:trojan-activity;sid:84512453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649352/; classtype:trojan-activity;sid:84512452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000265246/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649346/; classtype:trojan-activity;sid:84512446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649338/; classtype:trojan-activity;sid:84512438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-06-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649336/; classtype:trojan-activity;sid:84512436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000587212/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649335/; classtype:trojan-activity;sid:84512435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172165/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649332/; 
classtype:trojan-activity;sid:84512432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165794/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649329/; classtype:trojan-activity;sid:84512429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000173022/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649326/; classtype:trojan-activity;sid:84512426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-06/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649327/; classtype:trojan-activity;sid:84512427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/info.zip"; depth:44; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649321/; classtype:trojan-activity;sid:84512421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649323)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2023-11-20/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649323/; classtype:trojan-activity;sid:84512423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566420/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649310/; classtype:trojan-activity;sid:84512410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567141/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649309/; classtype:trojan-activity;sid:84512409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000215215/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649306/; classtype:trojan-activity;sid:84512406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-07/info.zip"; depth:43; endswith; 
nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649305/; classtype:trojan-activity;sid:84512405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000562903/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649303/; classtype:trojan-activity;sid:84512403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-01-21/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649299/; classtype:trojan-activity;sid:84512399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567162/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649295/; classtype:trojan-activity;sid:84512395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649290/; 
classtype:trojan-activity;sid:84512390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649286/; classtype:trojan-activity;sid:84512386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-06-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649285/; classtype:trojan-activity;sid:84512385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649284/; classtype:trojan-activity;sid:84512384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649281/; classtype:trojan-activity;sid:84512381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649278)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168063/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649278/; classtype:trojan-activity;sid:84512378; rev:1;)
# URLhaus-generated download-URL signatures, one rule per listed URL.
# Each rule alerts on an established client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET when both sticky buffers match:
#   http.uri  - content + depth set to the content's length + endswith + nocase,
#               so the whole URI buffer must equal the listed path
#               (case-insensitively); a request that appends a query string or
#               changes the path is not matched.
#   http.host - content + depth set to the content's length +
#               isdataat:!1,relative, so the whole Host buffer must equal the
#               listed IP literal.
# Treat a hit as an exact indicator match for one URL, not as coverage of the
# hosting server in general. Every complete rule in this span names host
# 177.70.102.228 or 177.70.102.232 and a path of the form /tmpftp/.../info.zip.
# The number in msg, the reference URL and the sid (entry id + 80863100) all
# point at the same URLhaus entry, which can be consulted when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649275/; classtype:trojan-activity;sid:84512375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649270/; classtype:trojan-activity;sid:84512370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649266/; classtype:trojan-activity;sid:84512366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649256/; classtype:trojan-activity;sid:84512356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000558592/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649250/; classtype:trojan-activity;sid:84512350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649252/; classtype:trojan-activity;sid:84512352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649243/; classtype:trojan-activity;sid:84512343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171090/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649242/; classtype:trojan-activity;sid:84512342; rev:1;)
# NOTE(review): the next rule's content keeps the URL's percent-escapes
# (%c3%a7%c3%a3) and its depth:53 counts them as literal characters, yet it is
# matched in http.uri, which Suricata documents as the normalized URI buffer.
# If normalization decodes the escapes, this rule (and the others below with
# %c3.. or %20 in the path) would not fire on the listed URL - confirm with a
# test request, and compare against http.uri.raw, before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-17/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649231/; classtype:trojan-activity;sid:84512331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649215/; classtype:trojan-activity;sid:84512315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649213/; classtype:trojan-activity;sid:84512313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-12-21/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649208/; classtype:trojan-activity;sid:84512308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649205/; classtype:trojan-activity;sid:84512305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649196/; classtype:trojan-activity;sid:84512296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600544/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649193/; classtype:trojan-activity;sid:84512293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165480/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649189/; classtype:trojan-activity;sid:84512289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649191/; classtype:trojan-activity;sid:84512291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649186/; classtype:trojan-activity;sid:84512286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000564863/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649180/; classtype:trojan-activity;sid:84512280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649179/; classtype:trojan-activity;sid:84512279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162652/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649173/; classtype:trojan-activity;sid:84512273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-10-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649160/; classtype:trojan-activity;sid:84512260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166657/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649158/; classtype:trojan-activity;sid:84512258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625429/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649149/; classtype:trojan-activity;sid:84512249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600309/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649145/; classtype:trojan-activity;sid:84512245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000556239/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649143/; classtype:trojan-activity;sid:84512243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000765367/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649144/; classtype:trojan-activity;sid:84512244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625325/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649142/; classtype:trojan-activity;sid:84512242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-11-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649137/; classtype:trojan-activity;sid:84512237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/9929/info.zip"; depth:28; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649135/; classtype:trojan-activity;sid:84512235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-12/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649136/; classtype:trojan-activity;sid:84512236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171244/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649130/; classtype:trojan-activity;sid:84512230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/info.zip"; depth:52; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649128/; classtype:trojan-activity;sid:84512228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168297/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649124/; classtype:trojan-activity;sid:84512224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649120/; classtype:trojan-activity;sid:84512220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168387/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649118/; classtype:trojan-activity;sid:84512218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606634/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649119/; classtype:trojan-activity;sid:84512219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000551813/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649110/; classtype:trojan-activity;sid:84512210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-03-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649111/; classtype:trojan-activity;sid:84512211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164394/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649112/; classtype:trojan-activity;sid:84512212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166665/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649107/; classtype:trojan-activity;sid:84512207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224583/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649108/; classtype:trojan-activity;sid:84512208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649097/; classtype:trojan-activity;sid:84512197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170506/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649099/; classtype:trojan-activity;sid:84512199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649092/; classtype:trojan-activity;sid:84512192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2022-03-09/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649089/; classtype:trojan-activity;sid:84512189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000591279/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649084/; classtype:trojan-activity;sid:84512184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649082/; classtype:trojan-activity;sid:84512182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165248/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649080/; classtype:trojan-activity;sid:84512180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000225746/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649078/; classtype:trojan-activity;sid:84512178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649077/; classtype:trojan-activity;sid:84512177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649071/; classtype:trojan-activity;sid:84512171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-10-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649068/; classtype:trojan-activity;sid:84512168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166183/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649061/; classtype:trojan-activity;sid:84512161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-05-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649062/; classtype:trojan-activity;sid:84512162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649058/; classtype:trojan-activity;sid:84512158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000616852/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649055/; classtype:trojan-activity;sid:84512155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649056/; classtype:trojan-activity;sid:84512156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649050/; classtype:trojan-activity;sid:84512150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649048/; classtype:trojan-activity;sid:84512148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649043/; classtype:trojan-activity;sid:84512143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649044/; classtype:trojan-activity;sid:84512144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649039/; classtype:trojan-activity;sid:84512139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170776/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649033/; classtype:trojan-activity;sid:84512133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160612/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649034/; classtype:trojan-activity;sid:84512134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2020-12-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649035/; classtype:trojan-activity;sid:84512135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649037/; classtype:trojan-activity;sid:84512137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171306/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649027/; classtype:trojan-activity;sid:84512127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160718/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649028/; classtype:trojan-activity;sid:84512128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604673/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649029/; classtype:trojan-activity;sid:84512129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649020/; classtype:trojan-activity;sid:84512120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164236/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649021/; classtype:trojan-activity;sid:84512121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649016/; classtype:trojan-activity;sid:84512116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171640/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649012/; classtype:trojan-activity;sid:84512112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-01-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649008/; classtype:trojan-activity;sid:84512108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649005/; classtype:trojan-activity;sid:84512105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586305/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649003/; classtype:trojan-activity;sid:84512103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-08-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648998/; classtype:trojan-activity;sid:84512098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-05-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648994/; classtype:trojan-activity;sid:84512094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166851/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648995/; classtype:trojan-activity;sid:84512095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-11-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648996/; classtype:trojan-activity;sid:84512096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791001053/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648997/; classtype:trojan-activity;sid:84512097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553613/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648988/; classtype:trojan-activity;sid:84512088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648982/; classtype:trojan-activity;sid:84512082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648979/; classtype:trojan-activity;sid:84512079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172670/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648972/; classtype:trojan-activity;sid:84512072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164510/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648973/; classtype:trojan-activity;sid:84512073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648963/; classtype:trojan-activity;sid:84512063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648964/; classtype:trojan-activity;sid:84512064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167219/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648966/; classtype:trojan-activity;sid:84512066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-19/info.zip"; depth:53; endswith; nocase; http.host; 
content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648968/; classtype:trojan-activity;sid:84512068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648960/; classtype:trojan-activity;sid:84512060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171308/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648957/; classtype:trojan-activity;sid:84512057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000556238/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648956/; classtype:trojan-activity;sid:84512056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171858/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648954/; classtype:trojan-activity;sid:84512054; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-12-21/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648953/; classtype:trojan-activity;sid:84512053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160742/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648952/; classtype:trojan-activity;sid:84512052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000629918/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648941/; classtype:trojan-activity;sid:84512041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/18296147000306/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648942/; classtype:trojan-activity;sid:84512042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648943)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648943/; classtype:trojan-activity;sid:84512043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566149/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648936/; classtype:trojan-activity;sid:84512036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168121/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648933/; classtype:trojan-activity;sid:84512033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165244/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648926/; classtype:trojan-activity;sid:84512026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-12-10/info.zip"; depth:53; endswith; nocase; http.host; 
content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648927/; classtype:trojan-activity;sid:84512027; rev:1;)
# NOTE(review): several rules below carry percent-escapes (%20, %c3%a7%c3%a3) inside an
# http.uri content. http.uri is Suricata's normalized URI buffer; the Suricata documentation
# describes %20 being converted to a space there and names http.uri.raw as the buffer for
# matching the escape literally. These rules may therefore not fire as written. Replay a
# sample request for one of them against the sensor's Suricata version before counting the
# escaped paths as covered. Rules whose path has no escapes (td..., cancelamento, consulta)
# are not affected by this.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-02-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648928/; classtype:trojan-activity;sid:84512028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648930/; classtype:trojan-activity;sid:84512030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648931/; classtype:trojan-activity;sid:84512031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000226538/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648921/; classtype:trojan-activity;sid:84512021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648914/; classtype:trojan-activity;sid:84512014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000201084/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648912/; classtype:trojan-activity;sid:84512012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648904/; classtype:trojan-activity;sid:84512004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168527/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648900/; classtype:trojan-activity;sid:84512000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648898/; classtype:trojan-activity;sid:84511998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-06-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648893/; classtype:trojan-activity;sid:84511993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167509/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648891/; classtype:trojan-activity;sid:84511991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171476/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648889/; classtype:trojan-activity;sid:84511989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168551/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648884/; classtype:trojan-activity;sid:84511984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165820/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648885/; classtype:trojan-activity;sid:84511985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603104/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648886/; classtype:trojan-activity;sid:84511986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-02-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648881/; classtype:trojan-activity;sid:84511981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166085/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648872/; classtype:trojan-activity;sid:84511972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648876/; classtype:trojan-activity;sid:84511976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171292/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648877/; classtype:trojan-activity;sid:84511977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165486/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648868/; classtype:trojan-activity;sid:84511968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169013/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648858/; classtype:trojan-activity;sid:84511958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160982/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648854/; classtype:trojan-activity;sid:84511954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648850/; classtype:trojan-activity;sid:84511950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000618093/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648852/; classtype:trojan-activity;sid:84511952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165826/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648849/; classtype:trojan-activity;sid:84511949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-05-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648841/; classtype:trojan-activity;sid:84511941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648830/; classtype:trojan-activity;sid:84511930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000591547/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648832/; classtype:trojan-activity;sid:84511932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000595438/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648828/; classtype:trojan-activity;sid:84511928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000621599/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648824/; classtype:trojan-activity;sid:84511924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648825)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/tmpftp/td00000000000000171450/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648825/; classtype:trojan-activity;sid:84511925; rev:1;)
# Triage notes for the rules below:
#   * Each rule is an exact host + exact path indicator (rev:1, classtype trojan-activity)
#     with created_at 2025_10_03. Indicators like these age, so when an alert fires check
#     the reference:url entry on urlhaus.abuse.ch for the URL's current status.
#   * The direction test relies on $HOME_NET / $EXTERNAL_NET being set correctly on the
#     sensor; a mis-scoped $HOME_NET silently disables all of these rules.
#   * Every entry points at 177.70.102.228 or 177.70.102.232 and ends in "info.zip". For
#     retro-hunting in proxy or HTTP logs, a search on those two hosts is broader than the
#     exact-path matches here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166307/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648819/; classtype:trojan-activity;sid:84511919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648820/; classtype:trojan-activity;sid:84511920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648812/; classtype:trojan-activity;sid:84511912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171228/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648811/; classtype:trojan-activity;sid:84511911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648810/; classtype:trojan-activity;sid:84511910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171470/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648805/; classtype:trojan-activity;sid:84511905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648806/; classtype:trojan-activity;sid:84511906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172170/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648802/; classtype:trojan-activity;sid:84511902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000595439/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648798/; classtype:trojan-activity;sid:84511898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-09-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648799/; classtype:trojan-activity;sid:84511899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648789/; classtype:trojan-activity;sid:84511889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648790/; classtype:trojan-activity;sid:84511890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/info.zip"; depth:21; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648791/; classtype:trojan-activity;sid:84511891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625549/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648788/; classtype:trojan-activity;sid:84511888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648785/; classtype:trojan-activity;sid:84511885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648780/; classtype:trojan-activity;sid:84511880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168291/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648781/; classtype:trojan-activity;sid:84511881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648778/; classtype:trojan-activity;sid:84511878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-05-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648768/; classtype:trojan-activity;sid:84511868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171318/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648771/; classtype:trojan-activity;sid:84511871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648765/; classtype:trojan-activity;sid:84511865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-05-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648759/; classtype:trojan-activity;sid:84511859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000602408/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648758/; classtype:trojan-activity;sid:84511858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648753/; classtype:trojan-activity;sid:84511853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553198/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648755/; classtype:trojan-activity;sid:84511855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648757/; classtype:trojan-activity;sid:84511857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172872/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648750/; classtype:trojan-activity;sid:84511850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160984/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648746/; classtype:trojan-activity;sid:84511846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648741/; classtype:trojan-activity;sid:84511841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648736/;
classtype:trojan-activity;sid:84511836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160478/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648737/; classtype:trojan-activity;sid:84511837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648728/; classtype:trojan-activity;sid:84511828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166243/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648725/; classtype:trojan-activity;sid:84511825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585561/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648722/; classtype:trojan-activity;sid:84511822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648719)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648719/; classtype:trojan-activity;sid:84511819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648712/; classtype:trojan-activity;sid:84511812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648711/; classtype:trojan-activity;sid:84511811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172746/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648710/; classtype:trojan-activity;sid:84511810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648708/; classtype:trojan-activity;sid:84511808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648707/; classtype:trojan-activity;sid:84511807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648706/; classtype:trojan-activity;sid:84511806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171310/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648700/; classtype:trojan-activity;sid:84511800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648702/; classtype:trojan-activity;sid:84511802; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172292/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648698/; classtype:trojan-activity;sid:84511798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000542542/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648693/; classtype:trojan-activity;sid:84511793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160618/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648692/; classtype:trojan-activity;sid:84511792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624761/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648689/; classtype:trojan-activity;sid:84511789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648686)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000168329/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648686/; classtype:trojan-activity;sid:84511786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167041/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648682/; classtype:trojan-activity;sid:84511782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-09-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648679/; classtype:trojan-activity;sid:84511779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648680/; classtype:trojan-activity;sid:84511780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-10-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648674/; classtype:trojan-activity;sid:84511774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648675/; classtype:trojan-activity;sid:84511775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624984/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648670/; classtype:trojan-activity;sid:84511770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566430/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648672/; classtype:trojan-activity;sid:84511772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604501/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648669/; classtype:trojan-activity;sid:84511769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3648655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171438/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648655/; classtype:trojan-activity;sid:84511755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648656/; classtype:trojan-activity;sid:84511756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000230417/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648657/; classtype:trojan-activity;sid:84511757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648660/; classtype:trojan-activity;sid:84511760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648649)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2022-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648649/; classtype:trojan-activity;sid:84511749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-06-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648644/; classtype:trojan-activity;sid:84511744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648647/; classtype:trojan-activity;sid:84511747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-30/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648640/; classtype:trojan-activity;sid:84511740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604491/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648637/; classtype:trojan-activity;sid:84511737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648638/; classtype:trojan-activity;sid:84511738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585614/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648630/; classtype:trojan-activity;sid:84511730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-10-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648622/; classtype:trojan-activity;sid:84511722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/mdf-e/01/info.zip"; depth:25; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648623/; classtype:trojan-activity;sid:84511723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3648625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648625/; classtype:trojan-activity;sid:84511725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648611/; classtype:trojan-activity;sid:84511711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648614/; classtype:trojan-activity;sid:84511714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-06-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648604/; classtype:trojan-activity;sid:84511704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-10/info.zip"; 
depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648606/; classtype:trojan-activity;sid:84511706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648599/; classtype:trojan-activity;sid:84511699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-03-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648600/; classtype:trojan-activity;sid:84511700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-01-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648594/; classtype:trojan-activity;sid:84511694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168289/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648592/; 
classtype:trojan-activity;sid:84511692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171240/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648590/; classtype:trojan-activity;sid:84511690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-03-20/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648585/; classtype:trojan-activity;sid:84511685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648588/; classtype:trojan-activity;sid:84511688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648567/; classtype:trojan-activity;sid:84511667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648568)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600290/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648568/; classtype:trojan-activity;sid:84511668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172690/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648571/; classtype:trojan-activity;sid:84511671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-03-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.232"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648572/; classtype:trojan-activity;sid:84511672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624763/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648558/; classtype:trojan-activity;sid:84511658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2019-08-24/info.zip"; depth:74; endswith; nocase; 
http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648561/; classtype:trojan-activity;sid:84511661; rev:1;)
# Rule shape used by every signature below:
#   - "alert http", $HOME_NET -> $EXTERNAL_NET, flow:established,from_client: only
#     client requests that Suricata parses as HTTP and that leave the monitored
#     network are inspected. The same URL fetched inside TLS is outside what these
#     signatures see.
#   - http.method "GET" plus an http.uri content with depth set to the written
#     pattern length, endswith and nocase: the URI has to equal the listed path
#     (case-insensitively), not merely contain it.
#   - http.host content with depth and isdataat:!1,relative: the host has to equal
#     the listed name or address, with nothing after it.
# These are per-URL indicators: a request to the same host with any other path does
# not alert, so a clean rule log is not evidence that a listed host was never contacted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171726/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648562/; classtype:trojan-activity;sid:84511662; rev:1;)
# 103.20.213.34: the rules for this host differ only in the directory path and all
# end in /info.zip. NOTE(review): the same file name under many directories of one
# host looks like a single artifact copied through a browsable file tree -- confirm
# on the referenced URLhaus entries. For triage, correlate hits by host, not by sid.
# NOTE(review): these patterns hold literal percent-escapes (%20) but match in
# http.uri. Confirm for your Suricata version and libhtp settings whether that
# buffer carries escapes as sent or decoded; if decoded, these sids would not fire
# and the match belongs in http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20pictures/info.zip"; depth:142; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648527/; classtype:trojan-activity;sid:84511627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/vinod982038189896/info.zip"; depth:168; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648357/; classtype:trojan-activity;sid:84511457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/transchart/unused%20desktop%20shortcuts/info.zip"; depth:161; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648354/; classtype:trojan-activity;sid:84511454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/downloads/info.zip"; depth:138; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648213/; classtype:trojan-activity;sid:84511313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/vinod982038189896/history/info.zip"; depth:176; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648112/; classtype:trojan-activity;sid:84511212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/raj%20sir/info.zip"; depth:138; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647826/; classtype:trojan-activity;sid:84510926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/transchart/info.zip"; depth:132; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647813/; classtype:trojan-activity;sid:84510913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/transchart/sail%20performa%20jan11/info.zip"; depth:156; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647655/; classtype:trojan-activity;sid:84510755; rev:1;)
# sids 84510557, 84509514, 84509520 and 84509503 name tenant hostnames on shared
# hosting platforms (*.blob.core.windows.net, *.supabase.co). Host and path are both
# pinned; keep any local tuning at that granularity, because the parent domains
# also serve unrelated content.
# Several URIs in this group end in image extensions (.png, .jpg). The feed lists
# them as malware download URLs, so do not filter these alerts by file extension.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recipes/staging/a-89fb7017-7780-4b72-950d-c2db1146a34a.exe"; depth:59; endswith; nocase; http.host; content:"best10cdn.blob.core.windows.net"; depth:31; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647457/; classtype:trojan-activity;sid:84510557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/optimized_msi.png"; depth:25; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646426/; classtype:trojan-activity;sid:84509526; rev:1;)
# NOTE(review): |3f| is the hex form of '?', a single byte in the buffer, yet
# depth:52 equals the written length of the pattern (4 characters for |3f|). The
# pattern is 49 bytes, so the match may begin up to 3 bytes into the URI instead of
# at offset 0; endswith still pins the end, including the query string. The same
# applies to sid 84509503 (depth:53, pattern 50 bytes). Worth reporting upstream
# rather than patching locally, since the feed is regenerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano/image.jpg|3f|12711343"; depth:52; endswith; nocase; http.host; content:"ybgctdtbzvgpdxjivafy.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646414/; classtype:trojan-activity;sid:84509514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg"; depth:45; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646420/; classtype:trojan-activity;sid:84509520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg|3f|12711343h"; depth:53; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646403/; classtype:trojan-activity;sid:84509503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jqqvlru0vaih3z.exe"; depth:25; endswith; nocase; http.host; content:"toolshare.com.tr"; depth:16; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646408/; classtype:trojan-activity;sid:84509508; rev:1;)
# def163.keenetic.pro: 18 rules, one for each combination of three directories
# (the root and two whose names are percent-encoded UTF-8 Cyrillic, "Пилот" and
# "usb-накопитель", i.e. "Pilot" and "USB drive"), the base names av / photo /
# video, and the extensions .lnk and .scr.
# NOTE(review): the percent-escape question raised for 103.20.213.34 applies here
# too -- if http.uri holds the decoded bytes, the 12 rules with %d0.. sequences
# would not match and only the 6 root-level rules would fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645972/; classtype:trojan-activity;sid:84509072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/photo.scr"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645969/; classtype:trojan-activity;sid:84509069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/av.scr"; depth:72; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645970/; classtype:trojan-activity;sid:84509070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/photo.scr"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645971/; classtype:trojan-activity;sid:84509071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645968/; classtype:trojan-activity;sid:84509068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/video.scr"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645967/; classtype:trojan-activity;sid:84509067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645966/; classtype:trojan-activity;sid:84509066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/video.lnk"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645962/; classtype:trojan-activity;sid:84509062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645963/; classtype:trojan-activity;sid:84509063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/photo.lnk"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645964/; classtype:trojan-activity;sid:84509064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/av.lnk"; depth:72; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645965/; classtype:trojan-activity;sid:84509065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/av.scr"; depth:38; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645961/; classtype:trojan-activity;sid:84509061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/video.scr"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645960/; classtype:trojan-activity;sid:84509060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/av.lnk"; depth:38; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645957/; classtype:trojan-activity;sid:84509057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645958/; classtype:trojan-activity;sid:84509058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645959/; classtype:trojan-activity;sid:84509059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/video.lnk"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645955/; classtype:trojan-activity;sid:84509055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/photo.lnk"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645956/; classtype:trojan-activity;sid:84509056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"www.intelligradeeducation.vicentecisnerospub.com"; depth:48; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645950/; classtype:trojan-activity;sid:84509050; rev:1;)
# 103.20.213.34 again (same directory tree as the 2025_10_03 entries above), with
# one single-URL host (66.185.26.66) interleaved.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20pictures/neha%20imagecopy/info.zip"; depth:159; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645889/; classtype:trojan-activity;sid:84508989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"66.185.26.66"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645874/; classtype:trojan-activity;sid:84508974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/wallpaper/info.zip"; depth:138; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645854/; classtype:trojan-activity;sid:84508954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20music/info.zip"; depth:139; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645847/; classtype:trojan-activity;sid:84508947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20scans/info.zip"; depth:139; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645832/; classtype:trojan-activity;sid:84508932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/info.zip"; depth:150; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645827/; classtype:trojan-activity;sid:84508927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/various%20files/info.zip"; depth:137; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645760/; classtype:trojan-activity;sid:84508860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/charter%20party/info.zip"; depth:144; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645751/; classtype:trojan-activity;sid:84508851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/bhushan/info.zip"; depth:129; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645677/; classtype:trojan-activity;sid:84508777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/windows/powershell/info.zip"; depth:38; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645600/; classtype:trojan-activity;sid:84508700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/info.zip"; depth:113; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645569/; classtype:trojan-activity;sid:84508669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/deepak/my%20docs/info.zip"; depth:59; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645516/; classtype:trojan-activity;sid:84508616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/desktop/tai%20ping%20shan-phaethon-cp/info.zip"; depth:105; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645322/; classtype:trojan-activity;sid:84508422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/cp%20transchart/info.zip"; depth:121; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645234/; classtype:trojan-activity;sid:84508334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/info.zip"; depth:128; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645139/; classtype:trojan-activity;sid:84508239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3644784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/info.zip"; depth:121; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3644784/; classtype:trojan-activity;sid:84507884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3644339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/info.zip"; depth:105; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3644339/; classtype:trojan-activity;sid:84507439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3643147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/for%20xp%20sp2/info.zip"; depth:120; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3643147/; classtype:trojan-activity;sid:84506247; rev:1;)
# 222.239.87.50, 58.52.216.59, 58.52.216.67 and 121.184.128.134 (interleaved with
# further 103.20.213.34 entries): same shape as above, /info.zip at the root and in
# many subdirectories of each host.
# NOTE(review): directory names such as /log/, /aspnet_client/ and /upgradefiles/
# look like ordinary web-server folders, so these may be compromised servers rather
# than dedicated infrastructure -- check the URLhaus references before turning the
# addresses into blanket blocks.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/microsoft.sql.server.2012.enterprise.edition.with.service.pack.1-kopie/info.zip"; depth:84; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642788/; classtype:trojan-activity;sid:84505888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/key/info.zip"; depth:24; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642779/; classtype:trojan-activity;sid:84505879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/info.zip"; depth:15; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642775/; classtype:trojan-activity;sid:84505875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/key/inipaytest/info.zip"; depth:30; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642717/; classtype:trojan-activity;sid:84505817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/info.zip"; depth:13; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642710/; classtype:trojan-activity;sid:84505810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe/info.zip"; depth:21; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642700/; classtype:trojan-activity;sid:84505800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642699/; classtype:trojan-activity;sid:84505799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/windows/info.zip"; depth:27; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642692/; classtype:trojan-activity;sid:84505792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/key/info.zip"; depth:19; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642677/; classtype:trojan-activity;sid:84505777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/log/info.zip"; depth:24; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642643/; classtype:trojan-activity;sid:84505743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe/ammicafefile/info.zip"; depth:34; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642634/; classtype:trojan-activity;sid:84505734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/error/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642607/; classtype:trojan-activity;sid:84505707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/fatal/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642559/; classtype:trojan-activity;sid:84505659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe/ammicafefile/ammicafesetup/info.zip"; depth:48; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642522/; classtype:trojan-activity;sid:84505622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/info/info.zip"; depth:18; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642492/; classtype:trojan-activity;sid:84505592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upgradefiles/info.zip"; depth:22; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642493/; classtype:trojan-activity;sid:84505593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/info.zip"; depth:22; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642484/; classtype:trojan-activity;sid:84505584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642483/; classtype:trojan-activity;sid:84505583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/debug/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642464/; classtype:trojan-activity;sid:84505564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642438/; classtype:trojan-activity;sid:84505538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/fatal/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642440/; classtype:trojan-activity;sid:84505540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/info.zip"; depth:23; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642444/; classtype:trojan-activity;sid:84505544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upgradefiles/info.zip"; depth:22; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642433/; classtype:trojan-activity;sid:84505533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/info/info.zip"; depth:18; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642425/; classtype:trojan-activity;sid:84505525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02/info.zip"; depth:12; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642422/; classtype:trojan-activity;sid:84505522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/ammicafe2file/info.zip"; depth:36; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642417/; classtype:trojan-activity;sid:84505517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/ammicafe2file/ammicafe2setup/info.zip"; depth:51; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642406/; classtype:trojan-activity;sid:84505506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/html/info.zip"; depth:18; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642382/; classtype:trojan-activity;sid:84505482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/error/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642368/; classtype:trojan-activity;sid:84505468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/sql%20server%202014/info.zip"; depth:33; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642346/; classtype:trojan-activity;sid:84505446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/info.zip"; depth:16; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642349/; classtype:trojan-activity;sid:84505449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/warn/info.zip"; depth:18; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642337/; classtype:trojan-activity;sid:84505437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01/info.zip"; depth:12; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642324/; classtype:trojan-activity;sid:84505424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/info.zip"; depth:25; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642297/; classtype:trojan-activity;sid:84505397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/key/inipaytest/info.zip"; depth:35; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642294/; classtype:trojan-activity;sid:84505394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/info.zip"; depth:23; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642289/; 
classtype:trojan-activity;sid:84505389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/warn/info.zip"; depth:18; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642278/; classtype:trojan-activity;sid:84505378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/debug/info.zip"; depth:19; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642261/; classtype:trojan-activity;sid:84505361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/system_web/info.zip"; depth:34; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642256/; classtype:trojan-activity;sid:84505356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/info.zip"; depth:20; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642245/; classtype:trojan-activity;sid:84505345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/info.zip"; depth:13; endswith; 
nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642246/; classtype:trojan-activity;sid:84505346; rev:1;)
# Rule shape used throughout this feed (one rule per listed URL):
#   - flow:established,from_client + http.method "GET": client request only.
#   - http.uri content with depth equal to the pattern length plus endswith:
#     the pattern has to be the whole URI; nocase makes that comparison
#     case-insensitive.
#   - http.host content with depth equal to the pattern length plus
#     isdataat:!1,relative: the pattern has to be the whole host value.
# These are "alert http" rules, so they only evaluate traffic Suricata parses
# as HTTP; the same URL fetched inside TLS is not seen unless it is decrypted
# upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/info.zip"; depth:13; endswith; nocase; http.host; content:"58.52.216.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642238/; classtype:trojan-activity;sid:84505338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/system_web/info.zip"; depth:34; endswith; nocase; http.host; content:"58.52.216.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642235/; classtype:trojan-activity;sid:84505335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/key/jungminsof/info.zip"; depth:35; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642226/; classtype:trojan-activity;sid:84505326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3641834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/art/info.zip"; depth:20; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3641834/; classtype:trojan-activity;sid:84504934; rev:1;)
# NOTE(review), sid 84502411 below:
#   - In a content string "|7c|26|7c|" decodes to the four bytes '|' '2' '6' '|',
#     not to 0x26 ('&'). This looks like an "&" that was hex-escaped twice by the
#     generator; if the listed URL uses "&id=", this pattern will not match it.
#     Confirm against the referenced URLhaus entry before relying on this sid.
#   - depth:68 is the length of the escaped string; the decoded pattern is 59
#     bytes, so the start of the URI is not pinned the way it is in the
#     escape-free rules (endswith still anchors the end).
#   - The host is a shared file-hosting name normally reached over HTTPS, so an
#     "alert http" rule sees this request only in cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3639311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=15_5vja6ls72gnqbjqkrme1i7bmit0fe4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3639311/; classtype:trojan-activity;sid:84502411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haozip.100021.exe"; depth:18; endswith; nocase; http.host; content:"download.haozip.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637224/; classtype:trojan-activity;sid:84500324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/bot.jpg"; depth:15; endswith; nocase; http.host; content:"atasapka.com.tr"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637210/; classtype:trojan-activity;sid:84500310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23082024105108/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637189/; classtype:trojan-activity;sid:84500289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637188)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/26072024113244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637188/; classtype:trojan-activity;sid:84500288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19092024115007/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637186/; classtype:trojan-activity;sid:84500286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024081607/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637187/; classtype:trojan-activity;sid:84500287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12062024095414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637185/; classtype:trojan-activity;sid:84500285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27082024072850/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637184/; classtype:trojan-activity;sid:84500284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12082024064105/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637183/; classtype:trojan-activity;sid:84500283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/16082024070308/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637182/; classtype:trojan-activity;sid:84500282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/13092024072525/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637181/; classtype:trojan-activity;sid:84500281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23072024115252/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637180/; classtype:trojan-activity;sid:84500280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21072024112418/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637179/; classtype:trojan-activity;sid:84500279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/16082024104510/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637178/; classtype:trojan-activity;sid:84500278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024110540/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637177/; classtype:trojan-activity;sid:84500277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04092024104005/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637176/; classtype:trojan-activity;sid:84500276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8343/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637175/; classtype:trojan-activity;sid:84500275; rev:1;)
# The rules for host 200.14.250.72 each pin one complete path under
# /tmpftp/delcacheprodutoseg/1/ (depth equal to the pattern length plus
# endswith on http.uri, exact host on http.host). A request for a directory
# under that prefix that is not listed matches none of these sids, so a quiet
# sensor only means no listed URL was fetched over cleartext HTTP.
# NOTE(review): whether the host also serves unrelated content cannot be told
# from this feed; check the referenced URLhaus entries before widening a match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15082024173844/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637174/; classtype:trojan-activity;sid:84500274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26072024180426/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637173/; classtype:trojan-activity;sid:84500273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03072024101008/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637172/; classtype:trojan-activity;sid:84500272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637171)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/13082024112350/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637171/; classtype:trojan-activity;sid:84500271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26072024074431/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637170/; classtype:trojan-activity;sid:84500270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024171022/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637168/; classtype:trojan-activity;sid:84500268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/11072024080039/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637169/; classtype:trojan-activity;sid:84500269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12092024113946/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637167/; classtype:trojan-activity;sid:84500267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024115637/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637166/; classtype:trojan-activity;sid:84500266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15092024104931/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637165/; classtype:trojan-activity;sid:84500265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/12072024075828/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637164/; classtype:trojan-activity;sid:84500264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11092024115504/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637163/; classtype:trojan-activity;sid:84500263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21082024115532/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637160/; classtype:trojan-activity;sid:84500260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05072024114132/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637161/; classtype:trojan-activity;sid:84500261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8465/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637162/; classtype:trojan-activity;sid:84500262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/25062024073012/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637159/; classtype:trojan-activity;sid:84500259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3637158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/29072024110431/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637158/; classtype:trojan-activity;sid:84500258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/30072024091401/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637157/; classtype:trojan-activity;sid:84500257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/15072024124718/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637153/; classtype:trojan-activity;sid:84500253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09082024185433/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637154/; classtype:trojan-activity;sid:84500254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637155)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/09072024110245/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637155/; classtype:trojan-activity;sid:84500255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/09092024072321/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637149/; classtype:trojan-activity;sid:84500249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07082024180909/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637150/; classtype:trojan-activity;sid:84500250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24092024073908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637151/; classtype:trojan-activity;sid:84500251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19062024071831/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637147/; classtype:trojan-activity;sid:84500247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21092024114951/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637148/; classtype:trojan-activity;sid:84500248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30062024113348/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637145/; classtype:trojan-activity;sid:84500245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04092024113047/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637146/; classtype:trojan-activity;sid:84500246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/04092024120154/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637144/; classtype:trojan-activity;sid:84500244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01082024110241/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637143/; classtype:trojan-activity;sid:84500243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14072024110540/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637141/; classtype:trojan-activity;sid:84500241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11082024185045/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637142/; classtype:trojan-activity;sid:84500242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/19062024103023/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637138/; classtype:trojan-activity;sid:84500238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/06092024072348/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637139/; classtype:trojan-activity;sid:84500239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/29072024070625/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637140/; classtype:trojan-activity;sid:84500240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18072024112759/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637137/; classtype:trojan-activity;sid:84500237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024155154/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637136/; classtype:trojan-activity;sid:84500236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637135)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/18082024113426/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637135/; classtype:trojan-activity;sid:84500235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07092024113602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637133/; classtype:trojan-activity;sid:84500233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024163408/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637134/; classtype:trojan-activity;sid:84500234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10082024110351/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637130/; classtype:trojan-activity;sid:84500230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12092024181446/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637131/; classtype:trojan-activity;sid:84500231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26082024115142/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637129/; classtype:trojan-activity;sid:84500229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09092024091444/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637128/; classtype:trojan-activity;sid:84500228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23082024071038/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637127/; classtype:trojan-activity;sid:84500227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17062024181518/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637122/; classtype:trojan-activity;sid:84500222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05082024120940/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637123/; classtype:trojan-activity;sid:84500223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24072024112235/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637124/; classtype:trojan-activity;sid:84500224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17092024073614/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637125/; classtype:trojan-activity;sid:84500225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09082024122457/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637120/; classtype:trojan-activity;sid:84500220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09092024112532/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637117/; classtype:trojan-activity;sid:84500217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24062024072602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637118/; classtype:trojan-activity;sid:84500218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12092024070406/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637119/; classtype:trojan-activity;sid:84500219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024143513/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637115/; classtype:trojan-activity;sid:84500215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637116)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/21082024081755/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637116/; classtype:trojan-activity;sid:84500216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13082024120234/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637114/; classtype:trojan-activity;sid:84500214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19072024123916/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637113/; classtype:trojan-activity;sid:84500213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/29082024122318/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637110/; classtype:trojan-activity;sid:84500210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/15072024080426/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637111/; classtype:trojan-activity;sid:84500211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22092024115602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637112/; classtype:trojan-activity;sid:84500212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05082024125302/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637109/; classtype:trojan-activity;sid:84500209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024114842/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637107/; classtype:trojan-activity;sid:84500207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/16092024115114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637108/; classtype:trojan-activity;sid:84500208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/31072024070936/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637105/; classtype:trojan-activity;sid:84500205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17092024104334/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637106/; classtype:trojan-activity;sid:84500206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01082024072447/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637104/; classtype:trojan-activity;sid:84500204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05082024065930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637103/; classtype:trojan-activity;sid:84500203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/01082024133101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637101/; classtype:trojan-activity;sid:84500201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02082024083649/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637099/; classtype:trojan-activity;sid:84500199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29072024182036/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637100/; classtype:trojan-activity;sid:84500200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19072024071620/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637098/; classtype:trojan-activity;sid:84500198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637096)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/extcons/1/8029/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637096/; classtype:trojan-activity;sid:84500196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/25092024150814/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637097/; classtype:trojan-activity;sid:84500197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024102505/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637092/; classtype:trojan-activity;sid:84500192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03092024131015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637093/; classtype:trojan-activity;sid:84500193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/15072024084956/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637094/; classtype:trojan-activity;sid:84500194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25062024105808/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637090/; classtype:trojan-activity;sid:84500190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/04092024072725/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637091/; classtype:trojan-activity;sid:84500191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20062024112748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637089/; classtype:trojan-activity;sid:84500189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17072024103622/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637087/; 
classtype:trojan-activity;sid:84500187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/16082024121016/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637088/; classtype:trojan-activity;sid:84500188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24092024103551/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637085/; classtype:trojan-activity;sid:84500185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/15072024080017/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637086/; classtype:trojan-activity;sid:84500186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024081535/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637082/; classtype:trojan-activity;sid:84500182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3637083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/26072024111342/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637083/; classtype:trojan-activity;sid:84500183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024125904/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637084/; classtype:trojan-activity;sid:84500184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/tek/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637081/; classtype:trojan-activity;sid:84500181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/11092024075310/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637080/; classtype:trojan-activity;sid:84500180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/24072024121144/info.zip"; 
depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637076/; classtype:trojan-activity;sid:84500176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/badmail/info.zip"; depth:24; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637077/; classtype:trojan-activity;sid:84500177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/06082024080109/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637078/; classtype:trojan-activity;sid:84500178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12072024072413/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637079/; classtype:trojan-activity;sid:84500179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/08082024071151/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637073/; classtype:trojan-activity;sid:84500173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03092024073559/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637074/; classtype:trojan-activity;sid:84500174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8336/18072024083258/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637070/; classtype:trojan-activity;sid:84500170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024084736/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637069/; classtype:trojan-activity;sid:84500169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/08082024072046/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637067/; classtype:trojan-activity;sid:84500167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08072024110224/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637068/; classtype:trojan-activity;sid:84500168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02092024075924/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637065/; classtype:trojan-activity;sid:84500165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/30082024115734/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637064/; classtype:trojan-activity;sid:84500164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23072024075958/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637062/; classtype:trojan-activity;sid:84500162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637063)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/27082024173545/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637063/; classtype:trojan-activity;sid:84500163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/06092024074954/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637060/; classtype:trojan-activity;sid:84500160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24082024112958/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637056/; classtype:trojan-activity;sid:84500156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04092024180827/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637057/; classtype:trojan-activity;sid:84500157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05092024073851/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637058/; classtype:trojan-activity;sid:84500158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05092024175914/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637055/; classtype:trojan-activity;sid:84500155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07082024181015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637054/; classtype:trojan-activity;sid:84500154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09082024151247/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637053/; classtype:trojan-activity;sid:84500153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05072024135901/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637052/; classtype:trojan-activity;sid:84500152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/04072024073930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637050/; classtype:trojan-activity;sid:84500150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27072024111013/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637051/; classtype:trojan-activity;sid:84500151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28092024110908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637047/; classtype:trojan-activity;sid:84500147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/17062024124213/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637048/; classtype:trojan-activity;sid:84500148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21062024074659/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637049/; classtype:trojan-activity;sid:84500149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06082024071203/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637046/; classtype:trojan-activity;sid:84500146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024163133/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637044/; classtype:trojan-activity;sid:84500144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/25092024084516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637045/; classtype:trojan-activity;sid:84500145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637042)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/01082024134811/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637042/; classtype:trojan-activity;sid:84500142; rev:1;)
# The next rule (URLhaus id 3637037) covers a different, shorter path on the same
# host: /tmpftp/extcons/1/8336/info.zip, hence depth:31 instead of depth:57. All other
# options match the neighbouring /tmpftp/delcacheprodutoseg/... rules.
# NOTE(review): every rule on this line names the same host (200.14.250.72); when
# triaging, alerts from these sids can reasonably be grouped by destination host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8336/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637037/; classtype:trojan-activity;sid:84500137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26062024074615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637038/; classtype:trojan-activity;sid:84500138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20072024103050/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637039/; classtype:trojan-activity;sid:84500139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02072024072748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637040/; classtype:trojan-activity;sid:84500140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17092024073317/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637041/; classtype:trojan-activity;sid:84500141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024124018/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637036/; classtype:trojan-activity;sid:84500136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/27092024120719/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637034/; classtype:trojan-activity;sid:84500134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29062024115106/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637032/; 
classtype:trojan-activity;sid:84500132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/02092024121943/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637030/; classtype:trojan-activity;sid:84500130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06092024173040/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637029/; classtype:trojan-activity;sid:84500129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/17072024080628/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637026/; classtype:trojan-activity;sid:84500126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13082024144908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637027/; classtype:trojan-activity;sid:84500127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3637028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14092024112531/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637028/; classtype:trojan-activity;sid:84500128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29082024110733/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637025/; classtype:trojan-activity;sid:84500125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024161738/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637024/; classtype:trojan-activity;sid:84500124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/25062024074726/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637021/; classtype:trojan-activity;sid:84500121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637022)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/02102024124124/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637022/; classtype:trojan-activity;sid:84500122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01082024124212/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637023/; classtype:trojan-activity;sid:84500123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/29072024170139/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637020/; classtype:trojan-activity;sid:84500120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13092024090633/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637015/; classtype:trojan-activity;sid:84500115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12082024111719/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637017/; classtype:trojan-activity;sid:84500117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/13062024073315/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637019/; classtype:trojan-activity;sid:84500119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26092024073319/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637011/; classtype:trojan-activity;sid:84500111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/03072024075801/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637012/; classtype:trojan-activity;sid:84500112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13092024065731/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637013/; classtype:trojan-activity;sid:84500113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02092024155414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637014/; classtype:trojan-activity;sid:84500114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29062024131718/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637007/; classtype:trojan-activity;sid:84500107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024163711/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637008/; classtype:trojan-activity;sid:84500108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27062024115812/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637009/; classtype:trojan-activity;sid:84500109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07072024113310/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637010/; classtype:trojan-activity;sid:84500110; rev:1;)
# Mapping an alert back to its feed entry: the number in `msg` and in the
# `reference:url` path is the URLhaus id. In the rules visible here the sid equals
# that id plus 80863100 (e.g. 3637003 -> 84500103) -- presumably a fixed offset
# applied by the feed generator; confirm before relying on it in tooling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26082024175225/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637005/; classtype:trojan-activity;sid:84500105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06092024112226/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637002/; classtype:trojan-activity;sid:84500102; rev:1;)
# Different path family on the same host: /tmpftp/cons/... (43 characters, hence
# depth:43). Like its neighbours it is an exact full-URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/8325/14062024181140/info.zip"; depth:43; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637003/; classtype:trojan-activity;sid:84500103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637004)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/15092024163914/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637004/; classtype:trojan-activity;sid:84500104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12082024111034/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636999/; classtype:trojan-activity;sid:84500099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19062024111300/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637000/; classtype:trojan-activity;sid:84500100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/02092024070516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637001/; classtype:trojan-activity;sid:84500101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15062024120757/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636997/; classtype:trojan-activity;sid:84500097; rev:1;)
# Triage note: `metadata:created_at 2025_10_01` and `rev:1` show when each rule was
# generated and that it has not been revised since. The `reference:url` value points
# at the URLhaus entry for the indicator; check it for the entry's current status
# when an alert fires.
# NOTE(review): the 14-digit path segments in the neighbouring rules look like
# DDMMYYYYhhmmss stamps -- an inference from the digits, not stated by the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/07082024074934/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636996/; classtype:trojan-activity;sid:84500096; rev:1;)
# Unlike the /tmpftp/... entries, this path (/exeftp/drop/info.zip, depth:21) has no
# per-item numeric segments; it is still matched as an exact full URI on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/drop/info.zip"; depth:21; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636993/; classtype:trojan-activity;sid:84500093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024172104/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636994/; classtype:trojan-activity;sid:84500094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23072024072015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636995/; 
classtype:trojan-activity;sid:84500095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18082024174028/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636992/; classtype:trojan-activity;sid:84500092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/10072024072615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636991/; classtype:trojan-activity;sid:84500091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03102024140347/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636990/; classtype:trojan-activity;sid:84500090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/29072024094428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636987/; classtype:trojan-activity;sid:84500087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08082024114220/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636988/; classtype:trojan-activity;sid:84500088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/19072024081323/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636986/; classtype:trojan-activity;sid:84500086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/08082024072411/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636985/; classtype:trojan-activity;sid:84500085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024072722/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636982/; classtype:trojan-activity;sid:84500082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636978)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8059/17062024075813/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636978/; classtype:trojan-activity;sid:84500078; rev:1;)
# Host anchoring used by every rule here: `http.host; content:"200.14.250.72";
# depth:13; isdataat:!1,relative` requires the host buffer to be exactly the bare
# address (13 bytes, nothing after it).
# NOTE(review): whether a Host header that carries an explicit port still satisfies
# this depends on how the engine populates http.host -- verify on the deployed
# Suricata version before treating the absence of alerts as absence of traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26072024071101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636979/; classtype:trojan-activity;sid:84500079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18092024104929/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636980/; classtype:trojan-activity;sid:84500080; rev:1;)
# Shorter /tmpftp/extcons/... path (31 characters, hence depth:31); same host and
# same remaining options as the surrounding rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8051/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636975/; classtype:trojan-activity;sid:84500075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024144032/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636976/; classtype:trojan-activity;sid:84500076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/26082024121258/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636977/; classtype:trojan-activity;sid:84500077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27082024111920/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636967/; classtype:trojan-activity;sid:84500067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024121015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636968/; classtype:trojan-activity;sid:84500068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21082024175843/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636969/; 
classtype:trojan-activity;sid:84500069; rev:1;)
# Reviewer notes for the rules that follow (they all share one shape).
# Each rule alerts on a client-side HTTP GET from $HOME_NET to $EXTERNAL_NET on
# an established flow. The URI must equal the listed path: `depth` equals the
# content length and `endswith` anchors the match to the end of the http.uri
# buffer; `nocase` makes the comparison case-insensitive. The Host must be
# exactly the literal IP 200.14.250.72: `depth:13` plus `isdataat:!1,relative`
# rejects any byte after the matched content.
#
# Coverage limits to keep in mind when triaging on these rules:
#  - `alert http` only sees cleartext HTTP; the same download over TLS is not
#    inspected unless traffic is decrypted upstream of the sensor.
#  - A request for the same path with a query string appended, or one that
#    names the server by a DNS name instead of the IP, will not match.
#  - Every rule in this stretch targets the same host, so alerts for it are
#    spread over many sids; correlate on destination host rather than on sid,
#    and check the reference URL for the entry's current status.
#  - The numeric path segment looks like a DDMMYYYYhhmmss timestamp from 2024,
#    while metadata says created_at 2025_10_01 - presumably the date the entry
#    was added to the feed; confirm on the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/18062024121810/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636970/; classtype:trojan-activity;sid:84500070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12072024130606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636971/; classtype:trojan-activity;sid:84500071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16062024115815/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636972/; classtype:trojan-activity;sid:84500072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13092024164829/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636973/; classtype:trojan-activity;sid:84500073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02092024071944/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636965/; classtype:trojan-activity;sid:84500065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024103900/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636966/; classtype:trojan-activity;sid:84500066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23072024130857/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636964/; classtype:trojan-activity;sid:84500064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06092024071949/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636963/; classtype:trojan-activity;sid:84500063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17062024111134/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636957/; classtype:trojan-activity;sid:84500057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12082024174415/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636958/; classtype:trojan-activity;sid:84500058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02082024073257/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636959/; classtype:trojan-activity;sid:84500059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03092024120537/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636960/; classtype:trojan-activity;sid:84500060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01072024102122/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636961/; classtype:trojan-activity;sid:84500061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27072024112004/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636962/; classtype:trojan-activity;sid:84500062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09072024071533/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636956/; classtype:trojan-activity;sid:84500056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024070804/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636955/; classtype:trojan-activity;sid:84500055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21082024115442/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636954/; classtype:trojan-activity;sid:84500054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/8325/info.zip"; depth:28; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636953/; classtype:trojan-activity;sid:84500053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17072024080732/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636948/; classtype:trojan-activity;sid:84500048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/19082024080051/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636949/; classtype:trojan-activity;sid:84500049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024111159/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636950/; classtype:trojan-activity;sid:84500050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28072024115238/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636951/; classtype:trojan-activity;sid:84500051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/07082024070516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636947/; classtype:trojan-activity;sid:84500047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07092024175546/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636946/; classtype:trojan-activity;sid:84500046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024103203/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636945/; classtype:trojan-activity;sid:84500045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/31082024165207/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636942/; classtype:trojan-activity;sid:84500042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11062024093514/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636943/; classtype:trojan-activity;sid:84500043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/06092024114755/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636944/; classtype:trojan-activity;sid:84500044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27092024123259/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636940/; classtype:trojan-activity;sid:84500040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23092024073238/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636941/; classtype:trojan-activity;sid:84500041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13072024115545/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636937/; classtype:trojan-activity;sid:84500037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29072024104316/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636936/; classtype:trojan-activity;sid:84500036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13072024115848/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636935/; classtype:trojan-activity;sid:84500035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024071414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636934/; classtype:trojan-activity;sid:84500034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16092024105926/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636933/; classtype:trojan-activity;sid:84500033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024174605/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636932/; classtype:trojan-activity;sid:84500032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08082024174233/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636931/; classtype:trojan-activity;sid:84500031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23072024081312/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636927/; classtype:trojan-activity;sid:84500027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02102024072353/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636928/; classtype:trojan-activity;sid:84500028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024174750/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636929/; classtype:trojan-activity;sid:84500029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8325/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636930/; classtype:trojan-activity;sid:84500030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8336/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636925/; classtype:trojan-activity;sid:84500025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/19062024070824/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636926/; classtype:trojan-activity;sid:84500026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/22082024121329/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636920/; classtype:trojan-activity;sid:84500020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26062024155216/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636921/; classtype:trojan-activity;sid:84500021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/24092024120511/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636922/; classtype:trojan-activity;sid:84500022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16062024180613/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636923/; classtype:trojan-activity;sid:84500023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07072024165922/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636919/; classtype:trojan-activity;sid:84500019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024114239/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636918/; classtype:trojan-activity;sid:84500018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024112036/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636917/; classtype:trojan-activity;sid:84500017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8318/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636916/; classtype:trojan-activity;sid:84500016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/31082024110606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636913/; classtype:trojan-activity;sid:84500013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024112609/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636914/; classtype:trojan-activity;sid:84500014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/02072024115435/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636910/; classtype:trojan-activity;sid:84500010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07092024122439/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636909/; classtype:trojan-activity;sid:84500009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/14062024123830/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636906/; classtype:trojan-activity;sid:84500006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17062024180043/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636908/; classtype:trojan-activity;sid:84500008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28072024115112/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636905/; classtype:trojan-activity;sid:84500005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024090731/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636904/; classtype:trojan-activity;sid:84500004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23092024113222/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636902/; classtype:trojan-activity;sid:84500002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/03072024113724/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636900/; classtype:trojan-activity;sid:84500000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024134516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636899/; classtype:trojan-activity;sid:84499999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8334/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636897/; classtype:trojan-activity;sid:84499997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08082024114317/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636894/; classtype:trojan-activity;sid:84499994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18072024151745/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636895/; classtype:trojan-activity;sid:84499995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19072024124237/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636893/; classtype:trojan-activity;sid:84499993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29082024170717/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636892/; classtype:trojan-activity;sid:84499992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/08072024075903/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636883/; classtype:trojan-activity;sid:84499983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8325/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636884/; classtype:trojan-activity;sid:84499984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15062024114520/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636885/; classtype:trojan-activity;sid:84499985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024153227/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636886/; classtype:trojan-activity;sid:84499986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/14082024075957/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636887/; classtype:trojan-activity;sid:84499987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26082024070716/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636888/; classtype:trojan-activity;sid:84499988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21062024072959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636890/; classtype:trojan-activity;sid:84499990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/8325/13062024155232/info.zip"; depth:43; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636882/; classtype:trojan-activity;sid:84499982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024111126/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636881/; classtype:trojan-activity;sid:84499981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/04072024125301/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636880/; classtype:trojan-activity;sid:84499980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11082024113244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636876/; classtype:trojan-activity;sid:84499976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/04092024091820/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636877/; classtype:trojan-activity;sid:84499977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07102024125032/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636878/; classtype:trojan-activity;sid:84499978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30072024114118/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636872/; classtype:trojan-activity;sid:84499972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05082024083850/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636873/; classtype:trojan-activity;sid:84499973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17062024072104/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636874/; classtype:trojan-activity;sid:84499974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024125710/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636875/; classtype:trojan-activity;sid:84499975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03072024103601/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636871/; classtype:trojan-activity;sid:84499971; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12082024120632/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636869/; classtype:trojan-activity;sid:84499969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636863/; classtype:trojan-activity;sid:84499963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11072024071932/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636864/; classtype:trojan-activity;sid:84499964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024143228/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636865/; classtype:trojan-activity;sid:84499965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636866)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27092024124432/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636866/; classtype:trojan-activity;sid:84499966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024175244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636867/; classtype:trojan-activity;sid:84499967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13062024070655/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636868/; classtype:trojan-activity;sid:84499968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/14062024072833/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636862/; classtype:trojan-activity;sid:84499962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25092024120601/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636859/; classtype:trojan-activity;sid:84499959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024115123/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636860/; classtype:trojan-activity;sid:84499960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05072024071033/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636855/; classtype:trojan-activity;sid:84499955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/04102024094250/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636856/; classtype:trojan-activity;sid:84499956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/01082024101244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636857/; classtype:trojan-activity;sid:84499957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024091538/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636850/; classtype:trojan-activity;sid:84499950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05082024114357/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636851/; classtype:trojan-activity;sid:84499951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/10092024070313/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636852/; classtype:trojan-activity;sid:84499952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23092024123854/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636853/; classtype:trojan-activity;sid:84499953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3636854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22082024112941/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636854/; classtype:trojan-activity;sid:84499954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/08072024113918/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636849/; classtype:trojan-activity;sid:84499949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8326/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636847/; classtype:trojan-activity;sid:84499947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11072024110808/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636843/; classtype:trojan-activity;sid:84499943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636845)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/06072024112721/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636845/; classtype:trojan-activity;sid:84499945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8326/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636846/; classtype:trojan-activity;sid:84499946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/15072024151521/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636839/; classtype:trojan-activity;sid:84499939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024120102/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636840/; classtype:trojan-activity;sid:84499940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07102024115226/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636842/; classtype:trojan-activity;sid:84499942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/08072024070547/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636836/; classtype:trojan-activity;sid:84499936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/26092024103307/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636837/; classtype:trojan-activity;sid:84499937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024134639/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636835/; classtype:trojan-activity;sid:84499935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/29072024120914/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636833/; 
classtype:trojan-activity;sid:84499933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024104834/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636834/; classtype:trojan-activity;sid:84499934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/01072024095738/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636826/; classtype:trojan-activity;sid:84499926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/10072024073020/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636827/; classtype:trojan-activity;sid:84499927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13082024065051/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636828/; classtype:trojan-activity;sid:84499928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23092024074730/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636829/; classtype:trojan-activity;sid:84499929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05092024071139/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636830/; classtype:trojan-activity;sid:84499930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05072024143423/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636831/; classtype:trojan-activity;sid:84499931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01072024073548/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636832/; classtype:trojan-activity;sid:84499932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636825)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/16092024075132/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636825/; classtype:trojan-activity;sid:84499925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28062024112249/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636824/; classtype:trojan-activity;sid:84499924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/18072024080738/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636823/; classtype:trojan-activity;sid:84499923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06102024112545/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636816/; classtype:trojan-activity;sid:84499916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17062024181057/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636817/; classtype:trojan-activity;sid:84499917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02072024073145/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636818/; classtype:trojan-activity;sid:84499918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/21062024070935/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636819/; classtype:trojan-activity;sid:84499919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/06082024120113/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636820/; classtype:trojan-activity;sid:84499920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27062024081736/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636821/; classtype:trojan-activity;sid:84499921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/29082024071803/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636822/; classtype:trojan-activity;sid:84499922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24062024113513/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636815/; classtype:trojan-activity;sid:84499915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/25072024071606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636814/; classtype:trojan-activity;sid:84499914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12062024085922/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636812/; classtype:trojan-activity;sid:84499912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3636813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03092024152101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636813/; classtype:trojan-activity;sid:84499913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/08072024113231/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636811/; classtype:trojan-activity;sid:84499911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024130114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636806/; classtype:trojan-activity;sid:84499906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024114959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636807/; classtype:trojan-activity;sid:84499907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636809)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8050/20082024121600/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636809/; classtype:trojan-activity;sid:84499909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26092024115544/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636810/; classtype:trojan-activity;sid:84499910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/28082024070417/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636803/; classtype:trojan-activity;sid:84499903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26072024143113/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636804/; classtype:trojan-activity;sid:84499904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/13092024071052/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636800/; classtype:trojan-activity;sid:84499900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/10062024180136/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636801/; classtype:trojan-activity;sid:84499901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024175356/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636802/; classtype:trojan-activity;sid:84499902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/27082024070328/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636799/; classtype:trojan-activity;sid:84499899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8050/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636798/; 
classtype:trojan-activity;sid:84499898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18062024071837/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636795/; classtype:trojan-activity;sid:84499895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/18072024120409/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636796/; classtype:trojan-activity;sid:84499896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30082024111343/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636797/; classtype:trojan-activity;sid:84499897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/21082024112544/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636794/; classtype:trojan-activity;sid:84499894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19072024111357/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636791/; classtype:trojan-activity;sid:84499891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11062024175200/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636784/; classtype:trojan-activity;sid:84499884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/30072024115935/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636785/; classtype:trojan-activity;sid:84499885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/02092024114819/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636786/; classtype:trojan-activity;sid:84499886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636788)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8051/30072024070959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636788/; classtype:trojan-activity;sid:84499888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05092024120909/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636789/; classtype:trojan-activity;sid:84499889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05072024112530/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636790/; classtype:trojan-activity;sid:84499890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09082024115132/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636783/; classtype:trojan-activity;sid:84499883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10092024114316/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636782/; classtype:trojan-activity;sid:84499882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15082024113136/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636781/; classtype:trojan-activity;sid:84499881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/04072024170824/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636779/; classtype:trojan-activity;sid:84499879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23072024135746/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636780/; classtype:trojan-activity;sid:84499880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07102024115515/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636777/; classtype:trojan-activity;sid:84499877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12072024115926/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636778/; classtype:trojan-activity;sid:84499878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05082024082013/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636775/; classtype:trojan-activity;sid:84499875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10072024110114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636776/; classtype:trojan-activity;sid:84499876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17072024071919/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636773/; classtype:trojan-activity;sid:84499873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3636771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19082024070444/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636771/; classtype:trojan-activity;sid:84499871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024104419/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636772/; classtype:trojan-activity;sid:84499872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06082024070754/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636770/; classtype:trojan-activity;sid:84499870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12092024074514/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636769/; classtype:trojan-activity;sid:84499869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636768)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8059/23072024073428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636768/; classtype:trojan-activity;sid:84499868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16082024110029/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636767/; classtype:trojan-activity;sid:84499867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/30072024075615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636766/; classtype:trojan-activity;sid:84499866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24082024173603/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636764/; classtype:trojan-activity;sid:84499864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/27092024072930/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636763/; classtype:trojan-activity;sid:84499863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/14092024070825/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636761/; classtype:trojan-activity;sid:84499861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10082024105405/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636762/; classtype:trojan-activity;sid:84499862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/31072024120304/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636760/; classtype:trojan-activity;sid:84499860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16082024171045/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636759/; classtype:trojan-activity;sid:84499859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19062024083204/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636757/; classtype:trojan-activity;sid:84499857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17062024175202/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636758/; classtype:trojan-activity;sid:84499858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/6011/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636756/; classtype:trojan-activity;sid:84499856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/09082024071028/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636754/; classtype:trojan-activity;sid:84499854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3636753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/bkp/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636753/; classtype:trojan-activity;sid:84499853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11062024074638/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636752/; classtype:trojan-activity;sid:84499852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8318/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636751/; classtype:trojan-activity;sid:84499851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024071328/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636750/; classtype:trojan-activity;sid:84499850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17082024111540/info.zip"; depth:57; 
endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636749/; classtype:trojan-activity;sid:84499849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/25072024111710/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636748/; classtype:trojan-activity;sid:84499848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024125639/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636746/; classtype:trojan-activity;sid:84499846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26062024072316/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636745/; classtype:trojan-activity;sid:84499845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18072024152842/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; 
reference:url, urlhaus.abuse.ch/url/3636744/; classtype:trojan-activity;sid:84499844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/03092024065611/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636743/; classtype:trojan-activity;sid:84499843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/20082024074454/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636742/; classtype:trojan-activity;sid:84499842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14062024182506/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636741/; classtype:trojan-activity;sid:84499841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/28062024162227/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636740/; classtype:trojan-activity;sid:84499840; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/25082024112344/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636739/; classtype:trojan-activity;sid:84499839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05102024112225/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636736/; classtype:trojan-activity;sid:84499836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22072024112228/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636737/; classtype:trojan-activity;sid:84499837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024123948/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636735/; classtype:trojan-activity;sid:84499835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636733)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636733/; classtype:trojan-activity;sid:84499833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/21082024065715/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636734/; classtype:trojan-activity;sid:84499834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024163507/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636728/; classtype:trojan-activity;sid:84499828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05092024111850/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636729/; classtype:trojan-activity;sid:84499829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24072024112124/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636730/; classtype:trojan-activity;sid:84499830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/pickup/info.zip"; depth:23; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636731/; classtype:trojan-activity;sid:84499831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/09072024072801/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636732/; classtype:trojan-activity;sid:84499832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/30082024070843/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636727/; classtype:trojan-activity;sid:84499827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15072024111306/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636723/; 
classtype:trojan-activity;sid:84499823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24072024072622/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636724/; classtype:trojan-activity;sid:84499824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23082024120742/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636726/; classtype:trojan-activity;sid:84499826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/15072024121001/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636721/; classtype:trojan-activity;sid:84499821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14092024162753/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636722/; classtype:trojan-activity;sid:84499822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26072024130538/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636719/; classtype:trojan-activity;sid:84499819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/01102024075913/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636720/; classtype:trojan-activity;sid:84499820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/31072024110649/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636717/; classtype:trojan-activity;sid:84499817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24092024074236/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636718/; classtype:trojan-activity;sid:84499818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636715)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/26092024073810/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636715/; classtype:trojan-activity;sid:84499815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19062024073721/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636716/; classtype:trojan-activity;sid:84499816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/03102024114713/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636714/; classtype:trojan-activity;sid:84499814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/27062024134606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636708/; classtype:trojan-activity;sid:84499808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/25092024074358/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636709/; classtype:trojan-activity;sid:84499809; rev:1;)
# NOTE(review): every rule in this run is an exact-match indicator for one reported URL.
# In http.uri, depth:<len> combined with endswith pins the content to the whole normalized
# URI (nocase only relaxes letter case); in http.host, depth:<len> combined with
# isdataat:!1,relative pins the content to the whole host value.
# Consequence for coverage: a request that carries a query string, or one for a directory
# that is not listed here, matches none of these rules even though they all share host
# 200.14.250.72 and the info.zip file name. The long numeric directory component looks like
# a timestamp, so new paths on the same server are plausible - TODO confirm against the feed.
# Read a hit as "known URL requested"; broader coverage of this server has to come from a
# separate host- or IP-level control, not from these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636710/; classtype:trojan-activity;sid:84499810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/12092024065636/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636711/; classtype:trojan-activity;sid:84499811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07082024113359/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636712/; classtype:trojan-activity;sid:84499812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14082024102908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636713/; 
classtype:trojan-activity;sid:84499813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/27062024074304/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636705/; classtype:trojan-activity;sid:84499805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20092024114457/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636706/; classtype:trojan-activity;sid:84499806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/idi/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636707/; classtype:trojan-activity;sid:84499807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05072024105131/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636703/; classtype:trojan-activity;sid:84499803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636704)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11062024123414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636704/; classtype:trojan-activity;sid:84499804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12062024122748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636698/; classtype:trojan-activity;sid:84499798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636699/; classtype:trojan-activity;sid:84499799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22082024180206/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636693/; classtype:trojan-activity;sid:84499793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024172514/info.zip"; depth:57; 
endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636694/; classtype:trojan-activity;sid:84499794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024070343/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636695/; classtype:trojan-activity;sid:84499795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27092024125844/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636696/; classtype:trojan-activity;sid:84499796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/01082024070127/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636697/; classtype:trojan-activity;sid:84499797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/30092024073115/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; 
reference:url, urlhaus.abuse.ch/url/3636685/; classtype:trojan-activity;sid:84499785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04102024114428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636686/; classtype:trojan-activity;sid:84499786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17072024162506/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636687/; classtype:trojan-activity;sid:84499787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17072024112121/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636688/; classtype:trojan-activity;sid:84499788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13062024123930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636689/; classtype:trojan-activity;sid:84499789; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024114833/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636690/; classtype:trojan-activity;sid:84499790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22072024071046/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636691/; classtype:trojan-activity;sid:84499791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/21082024074934/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636692/; classtype:trojan-activity;sid:84499792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12072024073215/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636683/; classtype:trojan-activity;sid:84499783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636684)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11082024113341/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636684/; classtype:trojan-activity;sid:84499784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/09092024080429/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636681/; classtype:trojan-activity;sid:84499781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8342/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636682/; classtype:trojan-activity;sid:84499782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/16092024071437/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636678/; classtype:trojan-activity;sid:84499778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11092024070152/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636679/; classtype:trojan-activity;sid:84499779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/19072024082257/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636676/; classtype:trojan-activity;sid:84499776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/02092024173539/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636666/; classtype:trojan-activity;sid:84499766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/14062024074014/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636667/; classtype:trojan-activity;sid:84499767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/queue/info.zip"; depth:22; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636668/; 
classtype:trojan-activity;sid:84499768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13082024112311/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636669/; classtype:trojan-activity;sid:84499769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23072024112852/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636670/; classtype:trojan-activity;sid:84499770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13092024094613/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636671/; classtype:trojan-activity;sid:84499771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19082024113816/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636672/; classtype:trojan-activity;sid:84499772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/02082024121949/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636674/; classtype:trojan-activity;sid:84499774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10092024185923/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636675/; classtype:trojan-activity;sid:84499775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024130440/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636662/; classtype:trojan-activity;sid:84499762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8336/05072024082450/info.zip"; depth:46; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636663/; classtype:trojan-activity;sid:84499763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636664)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/09092024181236/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636664/; classtype:trojan-activity;sid:84499764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024150907/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636665/; classtype:trojan-activity;sid:84499765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22082024114017/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636656/; classtype:trojan-activity;sid:84499756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/14082024065337/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636657/; classtype:trojan-activity;sid:84499757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8059/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636658/; classtype:trojan-activity;sid:84499758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024154958/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636659/; classtype:trojan-activity;sid:84499759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24062024075130/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636660/; classtype:trojan-activity;sid:84499760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18072024070807/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636654/; classtype:trojan-activity;sid:84499754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.98.68"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636585/; classtype:trojan-activity;sid:84499685; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-3/m2-100125/main/ud.png"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636195/; classtype:trojan-activity;sid:84499295; rev:1;)
# NOTE(review): the rules at this point key on raw.githubusercontent.com / github.com.
# `alert http` with http.host / http.uri inspects the HTTP request itself, so when these
# hosts are reached over HTTPS the rules can only fire where the sensor sees decrypted
# traffic (TLS inspection, or a proxy that hands cleartext to the sensor). On a passive
# sensor without decryption, the absence of alerts from these sids says nothing about
# whether the file was fetched; check proxy or endpoint telemetry for the same URLs instead.
# The host is a shared hosting platform: the http.uri path is the only part that identifies
# the reported repository, so these must stay URI-exact and never be widened to host-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-3/9325-pd/main/ud.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636191/; classtype:trojan-activity;sid:84499291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-3/9325-m1/main/ud.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636185/; classtype:trojan-activity;sid:84499285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d/main/pd-92725.zip"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636161/; classtype:trojan-activity;sid:84499261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d/raw/main/pd-92725.zip"; depth:31; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636159/; classtype:trojan-activity;sid:84499259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mh1-m1/pd/main/mh1-pd-92725.png"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636155/; classtype:trojan-activity;sid:84499255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-pudam/main/u-p.png"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636156/; classtype:trojan-activity;sid:84499256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-mrw/f096dbcbef9efb4ac45d4b7171898fbc1a4d5d38/ud.png"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636151/; classtype:trojan-activity;sid:84499251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/u-mrw-1/feeddc44327a3d7f5328ebad35ebe132d0e18f92/ud.png"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; 
reference:url, urlhaus.abuse.ch/url/3636152/; classtype:trojan-activity;sid:84499252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-pudam/a4916b0dfc5588abf04daa866fddc42054a11368/ud.png"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636153/; classtype:trojan-activity;sid:84499253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-pudam/66bcf33bad15036f44df9c2ca7808a5de38435a5/u-p.png"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636147/; classtype:trojan-activity;sid:84499247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/1/296b891ef5d15bc30620bcccb0660d36d3d0a0f9/ud.png"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636141/; classtype:trojan-activity;sid:84499241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3635840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.197.122.35"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_30; reference:url, urlhaus.abuse.ch/url/3635840/; classtype:trojan-activity;sid:84498940; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3635467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano/image.jpg"; depth:40; endswith; nocase; http.host; content:"ybgctdtbzvgpdxjivafy.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_30; reference:url, urlhaus.abuse.ch/url/3635467/; classtype:trojan-activity;sid:84498567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3634292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziobigiu84/site/raw/refs/heads/main/launcher.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_29; reference:url, urlhaus.abuse.ch/url/3634292/; classtype:trojan-activity;sid:84497392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3633174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.112.126.123"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_27; reference:url, urlhaus.abuse.ch/url/3633174/; classtype:trojan-activity;sid:84496274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3632903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/bocavenue.exe"; depth:25; endswith; nocase; http.host; content:"versaclean.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_27; reference:url, urlhaus.abuse.ch/url/3632903/; classtype:trojan-activity;sid:84496003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3632299)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ske1et2/telegrams-best-scrapper/raw/refs/heads/main/slouchy/telegrams-best-scrapper.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_26; reference:url, urlhaus.abuse.ch/url/3632299/; classtype:trojan-activity;sid:84495399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/installer.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631593/; classtype:trojan-activity;sid:84494693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/tlp.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631583/; classtype:trojan-activity;sid:84494683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/lol11.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631573/; classtype:trojan-activity;sid:84494673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/1488.exe"; depth:54; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631574/; classtype:trojan-activity;sid:84494674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/1210.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631575/; classtype:trojan-activity;sid:84494675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/lol.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631555/; classtype:trojan-activity;sid:84494655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/bsg.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631554/; classtype:trojan-activity;sid:84494654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.95.148.167"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_24; reference:url, urlhaus.abuse.ch/url/3631233/; classtype:trojan-activity;sid:84494333; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3630546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaerrlys/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_23; reference:url, urlhaus.abuse.ch/url/3630546/; classtype:trojan-activity;sid:84493646; rev:1;)
# Rule shape used throughout this feed: GET only, client-to-server on an established flow.
# The http.uri pattern is pinned with depth + endswith (nocase applies to that URI pattern),
# and the http.host pattern is pinned with depth + isdataat:!1,relative so nothing may follow it.
# NOTE(review): hosts given as bare IPv4 literals carry created_at dates well before the feed's
# "Last updated" stamp; addresses can change hands, so treat a hit as a lead and check the
# referenced URLhaus entry for current status before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3628584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.117.74"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_21; reference:url, urlhaus.abuse.ch/url/3628584/; classtype:trojan-activity;sid:84491684; rev:1;)
# NOTE(review): sid 84491035 and sid 84490310 below have identical match conditions
# (GET, URI "/sshd", host 36.154.188.50); only the URLhaus id, created_at, reference and sid differ.
# One matching request therefore raises two alerts. Deduplicate on flow/host in the alert
# pipeline, or disable one of the two sids locally, so the pair is not counted as two events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3627935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.154.188.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_20; reference:url, urlhaus.abuse.ch/url/3627935/; classtype:trojan-activity;sid:84491035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3627210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.154.188.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_19; reference:url, urlhaus.abuse.ch/url/3627210/; classtype:trojan-activity;sid:84490310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3627206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.203.86.235"; depth:14; isdataat:!1,relative; metadata:created_at
2025_09_19; reference:url, urlhaus.abuse.ch/url/3627206/; classtype:trojan-activity;sid:84490306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626596/; classtype:trojan-activity;sid:84489696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drilldata/info.zip"; depth:19; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626595/; classtype:trojan-activity;sid:84489695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"74.62.255.234"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626275/; classtype:trojan-activity;sid:84489375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3625503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"203.203.86.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_17; reference:url, urlhaus.abuse.ch/url/3625503/; classtype:trojan-activity;sid:84488603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623408)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/lol1.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623408/; classtype:trojan-activity;sid:84486508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rasadhlp.dll"; depth:13; endswith; nocase; http.host; content:"118.25.68.152"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623131/; classtype:trojan-activity;sid:84486231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziobigiu84/site/refs/heads/main/launcher.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623126/; classtype:trojan-activity;sid:84486226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/midkourtbbe/network/refs/heads/main/software.zip"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623123/; classtype:trojan-activity;sid:84486223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anno29/web/refs/heads/main/software.zip"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623122/; classtype:trojan-activity;sid:84486222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilpigna03/site/refs/heads/main/launcher.zip"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623121/; classtype:trojan-activity;sid:84486221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullarchive/request/refs/heads/main/software.zip"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623120/; classtype:trojan-activity;sid:84486220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg"; depth:40; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622759/; classtype:trojan-activity;sid:84485859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg|3f|12711343p"; depth:58; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622643/; 
classtype:trojan-activity;sid:84485743; rev:1;)
# NOTE(review): in the two supabase.co rules below the URI pattern contains the hex escape |3f|
# ("?"), which is a single byte in the inspected buffer. The patterns decode to 54 and 49 bytes,
# while depth is 57 and 52, i.e. the length of the escaped rule text. With endswith this still
# requires the URI to end in the pattern, but up to three extra leading bytes are tolerated, so
# the match is not the exact-URI match that the rules without an escape achieve (depth equal to
# pattern length). Harmless for detection coverage; worth knowing when reasoning about exactness.
# NOTE(review): *.supabase.co storage is normally reached over HTTPS; an "alert http" rule only
# sees such a request when it travels in cleartext or when TLS is decrypted ahead of the sensor.
# Confirm the sensor's visibility before counting on these sids for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg|3f|12711343"; depth:57; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622639/; classtype:trojan-activity;sid:84485739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg|3f|12711343"; depth:52; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622638/; classtype:trojan-activity;sid:84485738; rev:1;)
# The next rules pair short, generic-looking paths ("/x86", "/linux_amd64") with one exact host;
# the host pin is what keeps them specific, so they should not be loosened to URI-only matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"www.hcsnet.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622625/; classtype:trojan-activity;sid:84485725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"www.hcsnet.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622623/; classtype:trojan-activity;sid:84485723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622624)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/linux_x86"; depth:10; endswith; nocase; http.host; content:"www.hcsnet.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622624/; classtype:trojan-activity;sid:84485724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/125.bin"; depth:8; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622541/; classtype:trojan-activity;sid:84485641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellcode.bin"; depth:14; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622545/; classtype:trojan-activity;sid:84485645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/45.bin"; depth:10; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622547/; classtype:trojan-activity;sid:84485647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/326.bin"; depth:11; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622548/; classtype:trojan-activity;sid:84485648; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/46.bin"; depth:10; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622549/; classtype:trojan-activity;sid:84485649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/1212.bin"; depth:12; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622539/; classtype:trojan-activity;sid:84485647; rev:1;)
# NOTE(review): sid 84484857 and sid 84484853 below probably cannot match the URL they were built from.
# Their URI pattern contains |7c|26|7c|, which decodes to the four literal bytes "|26|" between
# "export=download" and "id=". A query string normally separates parameters with "&" (byte 0x26),
# so this looks like a double escape in the generator ("&" written as |26|, then each "|" escaped
# again as |7c|) -- TODO confirm against the URLhaus entries in the reference fields. If confirmed,
# handle it as a coverage gap: report it upstream and carry a corrected copy under a local sid
# rather than editing the feed file, which is regenerated.
# Related: the pattern decodes to 59 bytes while depth is 68 (the escaped text length), so the
# depth value here does not pin an exact URI either.
# NOTE(review): drive.google.com is normally served over HTTPS, so these "alert http" rules only
# apply where the sensor sees decrypted or cleartext traffic -- confirm before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3621757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1xisuc6psmmj5jzq7jgoffba7avfhzga_"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_09_11; reference:url, urlhaus.abuse.ch/url/3621757/; classtype:trojan-activity;sid:84484857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3621753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1okqdyr_kghanl7h_i1mwmlmzfesw_gx0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_09_11; reference:url, urlhaus.abuse.ch/url/3621753/; classtype:trojan-activity;sid:84484853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3620835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client-built.exe"; depth:17;
endswith; nocase; http.host; content:"5.133.102.252"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_09; reference:url, urlhaus.abuse.ch/url/3620835/; classtype:trojan-activity;sid:84483935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3619986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"hcsnet.com.br"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3619986/; classtype:trojan-activity;sid:84483086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3619984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"hcsnet.com.br"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3619984/; classtype:trojan-activity;sid:84483084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3619985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_x86"; depth:10; endswith; nocase; http.host; content:"hcsnet.com.br"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3619985/; classtype:trojan-activity;sid:84483085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"95.70.238.134"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_05; reference:url, urlhaus.abuse.ch/url/3617527/; classtype:trojan-activity;sid:84480627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617428)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.129.100.123"; depth:15; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617428/; classtype:trojan-activity;sid:84480528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.93.200.20"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617421/; classtype:trojan-activity;sid:84480521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617201/; classtype:trojan-activity;sid:84480301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617196/; classtype:trojan-activity;sid:84480296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617193/; classtype:trojan-activity;sid:84480293; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617189/; classtype:trojan-activity;sid:84480289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617190/; classtype:trojan-activity;sid:84480290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3616000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35buding/139assicc.dll"; depth:23; endswith; nocase; http.host; content:"58.87.92.169"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_03; reference:url, urlhaus.abuse.ch/url/3616000/; classtype:trojan-activity;sid:84479100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.97.162.109"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615703/; classtype:trojan-activity;sid:84478803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.126.179"; depth:12; isdataat:!1,relative; 
metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615696/; classtype:trojan-activity;sid:84478796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xdbcvdei"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615611/; classtype:trojan-activity;sid:84478711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"193.109.44.54"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_01; reference:url, urlhaus.abuse.ch/url/3615306/; classtype:trojan-activity;sid:84478406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowsupdate.exe"; depth:18; endswith; nocase; http.host; content:"129.152.20.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_31; reference:url, urlhaus.abuse.ch/url/3614697/; classtype:trojan-activity;sid:84477797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows.x64.silent.cpu.exe"; depth:27; endswith; nocase; http.host; content:"129.152.20.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_31; reference:url, urlhaus.abuse.ch/url/3614696/; classtype:trojan-activity;sid:84477796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614280)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/d/mzjfndu3ndewnzjf/dvgihou177.bin"; depth:34; endswith; nocase; http.host; content:"od.lk"; depth:5; isdataat:!1,relative; metadata:created_at 2025_08_30; reference:url, urlhaus.abuse.ch/url/3614280/; classtype:trojan-activity;sid:84477380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/827-mh1-3t/827/main/t1.png"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_30; reference:url, urlhaus.abuse.ch/url/3614199/; classtype:trojan-activity;sid:84477299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3613629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/pinaview.exe"; depth:23; endswith; nocase; http.host; content:"pinaview.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_29; reference:url, urlhaus.abuse.ch/url/3613629/; classtype:trojan-activity;sid:84476729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3613494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peterson643eu/projecttop/refs/heads/main/zjqppajn.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_29; reference:url, urlhaus.abuse.ch/url/3613494/; classtype:trojan-activity;sid:84476594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client/better.exe"; depth:18; endswith; nocase; http.host; content:"api.ezilax.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, 
urlhaus.abuse.ch/url/3612734/; classtype:trojan-activity;sid:84475834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.4.102.81"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, urlhaus.abuse.ch/url/3612605/; classtype:trojan-activity;sid:84475705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.7.149.228"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, urlhaus.abuse.ch/url/3612593/; classtype:trojan-activity;sid:84475693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.43.76.100"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, urlhaus.abuse.ch/url/3612304/; classtype:trojan-activity;sid:84475404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3611504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/usbmmidd_v2.zip"; depth:26; endswith; nocase; http.host; content:"www.amyuni.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_25; reference:url, urlhaus.abuse.ch/url/3611504/; classtype:trojan-activity;sid:84474604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; 
content:"94.72.35.59"; depth:11; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610702/; classtype:trojan-activity;sid:84473802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soul.exe"; depth:9; endswith; nocase; http.host; content:"114.66.52.198"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610638/; classtype:trojan-activity;sid:84473738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tfsoft/xftd/v2/ctf/"; depth:20; endswith; nocase; http.host; content:"tengfeidn.cn"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610613/; classtype:trojan-activity;sid:84473713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tfsoft/xftd/v2/ctf/"; depth:20; endswith; nocase; http.host; content:"pcupd.com"; depth:9; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610612/; classtype:trojan-activity;sid:84473712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/upgrade/jd"; depth:15; endswith; nocase; http.host; content:"rdm.91yunma.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610604/; classtype:trojan-activity;sid:84473704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610602)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/upgrade/qcoin"; depth:18; endswith; nocase; http.host; content:"rdm.91yunma.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610602/; classtype:trojan-activity;sid:84473702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/mely.exe"; depth:14; endswith; nocase; http.host; content:"areyouready.co.za"; depth:17; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610401/; classtype:trojan-activity;sid:84473501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/loic/raw/refs/heads/master/loic.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610381/; classtype:trojan-activity;sid:84473481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raizydaizy/steamcmd/raw/refs/heads/main/steamcmd.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610380/; classtype:trojan-activity;sid:84473480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"181.223.9.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_23; reference:url, 
urlhaus.abuse.ch/url/3610039/; classtype:trojan-activity;sid:84473139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.exe"; depth:9; endswith; nocase; http.host; content:"181.223.9.36"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_23; reference:url, urlhaus.abuse.ch/url/3610038/; classtype:trojan-activity;sid:84473138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.186.28.36"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_23; reference:url, urlhaus.abuse.ch/url/3609741/; classtype:trojan-activity;sid:84472841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.197.231.77"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3609150/; classtype:trojan-activity;sid:84472250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=sljurzjsslqcmdtxdolcw013.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3609122/; classtype:trojan-activity;sid:84472222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; 
nocase; http.host; content:"119.45.105.211"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3608802/; classtype:trojan-activity;sid:84471902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.45.105.211"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3608773/; classtype:trojan-activity;sid:84471873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/22072024080730/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608522/; classtype:trojan-activity;sid:84471622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/17062024123023/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608521/; classtype:trojan-activity;sid:84471621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/14082024082341/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608520/; 
classtype:trojan-activity;sid:84471620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/09072024080408/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608519/; classtype:trojan-activity;sid:84471619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11072024072520/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608518/; classtype:trojan-activity;sid:84471618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608517/; classtype:trojan-activity;sid:84471617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/10092024072747/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608511/; classtype:trojan-activity;sid:84471611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3608513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/23092024080311/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608513/; classtype:trojan-activity;sid:84471613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/02082024071413/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608506/; classtype:trojan-activity;sid:84471606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23092024103542/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608503/; classtype:trojan-activity;sid:84471603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/15072024075523/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608500/; classtype:trojan-activity;sid:84471600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608487)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8059/13082024070204/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608487/; classtype:trojan-activity;sid:84471587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/14062024075221/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608488/; classtype:trojan-activity;sid:84471588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/12082024075637/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608491/; classtype:trojan-activity;sid:84471591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/16082024071234/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608492/; classtype:trojan-activity;sid:84471592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/13072024070443/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608493/; classtype:trojan-activity;sid:84471593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/18062024074945/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608496/; classtype:trojan-activity;sid:84471596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024110801/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608497/; classtype:trojan-activity;sid:84471597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12092024121832/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608482/; classtype:trojan-activity;sid:84471582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8461/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608483/; 
classtype:trojan-activity;sid:84471583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/10092024080037/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608479/; classtype:trojan-activity;sid:84471579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/28082024112055/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608471/; classtype:trojan-activity;sid:84471571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11062024140819/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608474/; classtype:trojan-activity;sid:84471574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/25072024071607/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608470/; classtype:trojan-activity;sid:84471570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3608466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/17082024070657/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608466/; classtype:trojan-activity;sid:84471566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024122345/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608467/; classtype:trojan-activity;sid:84471567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.82.160"; depth:11; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608082/; classtype:trojan-activity;sid:84471182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3607961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntchuy/hack/refs/heads/main/client.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3607961/; classtype:trojan-activity;sid:84471061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3607915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linpeas.sh"; depth:11; endswith; nocase; http.host; content:"34.70.102.215"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3607915/; classtype:trojan-activity;sid:84471015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3607894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=sncpakg7g9fwre65pslcw016.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3607894/; classtype:trojan-activity;sid:84470994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/win.exe"; depth:8; endswith; nocase; http.host; content:"visualwikicloud.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606904/; classtype:trojan-activity;sid:84470004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/rustmedebyg.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606770/; classtype:trojan-activity;sid:84469870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/rustme.exe"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606767/; classtype:trojan-activity;sid:84469867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3606766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/debugconfig.bat"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606766/; classtype:trojan-activity;sid:84469866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atu.lim"; depth:8; endswith; nocase; http.host; content:"electri.billregulator.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606680/; classtype:trojan-activity;sid:84469780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2508/9e3363f017c60726bf610a2a472040144t."; depth:41; endswith; nocase; http.host; content:"file.uhsea.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606577/; classtype:trojan-activity;sid:84469677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3605993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"150.187.25.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_18; reference:url, urlhaus.abuse.ch/url/3605993/; classtype:trojan-activity;sid:84469093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keepon.exe"; depth:11; endswith; nocase; http.host; content:"209.145.51.44"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_08_16; reference:url, urlhaus.abuse.ch/url/3604879/; classtype:trojan-activity;sid:84467979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networke.ps1"; depth:13; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2025_08_16; reference:url, urlhaus.abuse.ch/url/3604591/; classtype:trojan-activity;sid:84467691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.196.93"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604243/; classtype:trojan-activity;sid:84467343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"141.149.36.27"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604235/; classtype:trojan-activity;sid:84467335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"164.126.150.95"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604233/; classtype:trojan-activity;sid:84467333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3602487)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/scanubs9420625fpdf.7z"; depth:22; endswith; nocase; http.host; content:"access.skaparade.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_08_14; reference:url, urlhaus.abuse.ch/url/3602487/; classtype:trojan-activity;sid:84465587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3601597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/runtime/vc_redist.x64.exe"; depth:26; endswith; nocase; http.host; content:"checkfivem.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_13; reference:url, urlhaus.abuse.ch/url/3601597/; classtype:trojan-activity;sid:84464697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3601445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"164.126.150.95"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_12; reference:url, urlhaus.abuse.ch/url/3601445/; classtype:trojan-activity;sid:84464545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3600796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo.i686"; depth:11; endswith; nocase; http.host; content:"74.194.191.52"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_11; reference:url, urlhaus.abuse.ch/url/3600796/; classtype:trojan-activity;sid:84463896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3599810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.122.193.32"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_09; reference:url, urlhaus.abuse.ch/url/3599810/; classtype:trojan-activity;sid:84462910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3597645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_06; reference:url, urlhaus.abuse.ch/url/3597645/; classtype:trojan-activity;sid:84460745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3597379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"117.72.183.111"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_06; reference:url, urlhaus.abuse.ch/url/3597379/; classtype:trojan-activity;sid:84460479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3597150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmyjungmin/img001.exe"; depth:22; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3597150/; classtype:trojan-activity;sid:84460250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.218.189.32"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596573/; classtype:trojan-activity;sid:84459673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596562/; 
classtype:trojan-activity;sid:84459662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596563/; classtype:trojan-activity;sid:84459663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596564/; classtype:trojan-activity;sid:84459664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3595203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.241.78.146"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3595203/; classtype:trojan-activity;sid:84458303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3594962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.ssa/t1.png"; depth:12; endswith; nocase; http.host; content:"isiore.com.co"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3594962/; classtype:trojan-activity;sid:84458062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3594942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00tnik8/zianr35524869492586/raw/refs/heads/main/plugin3.plg"; depth:61; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3594942/; classtype:trojan-activity;sid:84458042; rev:1;)
# NOTE(review): the URI content below contains "//". http.uri is the normalized URI
# buffer; if the sensor's HTTP parser settings collapse repeated path separators, this
# content may never match - confirm on the deployed sensor, or test the same pattern
# against http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3594359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/auths0//booking13763.rar"; depth:50; endswith; nocase; http.host; content:"fnvimoyvwkbxbmczlqus.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_08_01; reference:url, urlhaus.abuse.ch/url/3594030/; classtype:trojan-activity;sid:84457130; rev:1;)
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3592078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.247.208.231"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_29; reference:url, urlhaus.abuse.ch/url/3592078/; classtype:trojan-activity;sid:84455178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3592038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/cache/data/aksesuarlar/patch-yama-arma/skid-row-500x500.jpg"; depth:66; endswith; nocase; http.host; content:"xshop.com.tr"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_29; reference:url, urlhaus.abuse.ch/url/3592038/; classtype:trojan-activity;sid:84455138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3591634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.150.78.122"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_28; reference:url, urlhaus.abuse.ch/url/3591634/; classtype:trojan-activity;sid:84454734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3591244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"23.95.247.31"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3591244/; classtype:trojan-activity;sid:84454344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amineamine284/d3dx11_45/refs/heads/main/d3dx11_45.dll"; depth:54; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590749/; classtype:trojan-activity;sid:84453849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amineamine284/rssdgxgr/refs/heads/main/garo%20x.exe"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590748/; classtype:trojan-activity;sid:84453848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amineamine284/edggqdsg/refs/heads/main/garo%20v1.dll"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590746/; classtype:trojan-activity;sid:84453846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hafiz12cyber/request/raw/refs/heads/main/launcher.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590552/; classtype:trojan-activity;sid:84453652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/midkourtbbe/network/raw/refs/heads/main/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, 
urlhaus.abuse.ch/url/3590550/; classtype:trojan-activity;sid:84453650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anno29/web/raw/refs/heads/main/software.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590549/; classtype:trojan-activity;sid:84453649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notcat999/sys/raw/refs/heads/main/software.zip"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590548/; classtype:trojan-activity;sid:84453648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gethalal-007/request/raw/refs/heads/main/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590547/; classtype:trojan-activity;sid:84453647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullarchive/request/raw/refs/heads/main/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590546/; classtype:trojan-activity;sid:84453646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3589467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589467/; classtype:trojan-activity;sid:84452567; rev:1;)
# NOTE(review): the next two rules have identical match conditions (GET, URI "/sshd", host 88.24.52.121)
# and differ only in URLhaus id and sid, so a single matching request raises two alerts. Deduplicate
# on host + URI downstream (or threshold one sid) rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3589312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.24.52.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589312/; classtype:trojan-activity;sid:84452412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3589307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.24.52.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589307/; classtype:trojan-activity;sid:84452407; rev:1;)
# NOTE(review): in the next rule the pattern is 46 bytes once |3f| is read as the single byte "?",
# but depth is 49 (the escape appears to have been counted as four characters). With endswith the
# pattern must still end the URI, yet it may start up to 3 bytes in, so this rule is slightly looser
# than the exact-match rules around it, whose depth equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3588886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=3hbukcrujg1pozf7wspre002.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_07_24; reference:url, urlhaus.abuse.ch/url/3588886/; classtype:trojan-activity;sid:84451986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3588081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.173.138.102"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_22; reference:url, urlhaus.abuse.ch/url/3588081/; 
classtype:trojan-activity;sid:84451181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3587585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sid2983/-1aa-valoranta/releases/download/d0wn10ad/valcheat.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_21; reference:url, urlhaus.abuse.ch/url/3587585/; classtype:trojan-activity;sid:84450685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3587551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//2025/07/19/15/683192372.png"; depth:29; endswith; nocase; http.host; content:"www2.0zz0.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_21; reference:url, urlhaus.abuse.ch/url/3587551/; classtype:trojan-activity;sid:84450651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.220.163.1"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_21; reference:url, urlhaus.abuse.ch/url/3586622/; classtype:trojan-activity;sid:84449722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.97.32.167"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586154/; classtype:trojan-activity;sid:84449254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"175.200.208.28"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586156/; classtype:trojan-activity;sid:84449256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.247.4.226"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586166/; classtype:trojan-activity;sid:84449266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.83.186.62"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586167/; classtype:trojan-activity;sid:84449267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.117.7.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586122/; classtype:trojan-activity;sid:84449222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.7.131.145"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585162/; classtype:trojan-activity;sid:84448262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585053)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/catalog/model/cummersmg.exe"; depth:28; endswith; nocase; http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585053/; classtype:trojan-activity;sid:84448153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/catalog/model/cheekpiecegar.ps1"; depth:32; endswith; nocase; http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585052/; classtype:trojan-activity;sid:84448152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.242.149.32"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3584732/; classtype:trojan-activity;sid:84447832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.191"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3584719/; classtype:trojan-activity;sid:84447819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5l4j.js"; depth:8; endswith; nocase; http.host; content:"deathmatchuk.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_07_16; reference:url, urlhaus.abuse.ch/url/3584654/; classtype:trojan-activity;sid:84447754; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.204.227"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_16; reference:url, urlhaus.abuse.ch/url/3584281/; classtype:trojan-activity;sid:84447381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.60.172"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_16; reference:url, urlhaus.abuse.ch/url/3584277/; classtype:trojan-activity;sid:84447377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3583571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_15; reference:url, urlhaus.abuse.ch/url/3583571/; classtype:trojan-activity;sid:84446671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3583040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laurenxss/42429a19c72b875b93608f8cb0cab933/raw/"; depth:48; endswith; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_07_14; reference:url, urlhaus.abuse.ch/url/3583040/; classtype:trojan-activity;sid:84446140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3582620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.172"; depth:11; isdataat:!1,relative; 
metadata:created_at 2025_07_13; reference:url, urlhaus.abuse.ch/url/3582620/; classtype:trojan-activity;sid:84445720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3582116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=squbykf3ta5kbkp13hpre008.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_07_12; reference:url, urlhaus.abuse.ch/url/3582116/; classtype:trojan-activity;sid:84445216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.141"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580902/; classtype:trojan-activity;sid:84444002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.191.106"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580896/; classtype:trojan-activity;sid:84443996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.240.70.185"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580881/; classtype:trojan-activity;sid:84443981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580884)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.153.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580884/; classtype:trojan-activity;sid:84443984; rev:1;)
# Exact-URL match: depth equals the pattern length on both buffers, endswith pins the URI end,
# and isdataat:!1,relative requires that nothing follows the host pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.96.233"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580863/; classtype:trojan-activity;sid:84443963; rev:1;)
# NOTE(review): the URI pattern below is 16 bytes once |3f| is read as the single byte "?", but
# depth is 19 (the escape appears to have been counted as four characters). endswith still anchors
# the end of the URI, but the start may float by up to 3 bytes, unlike the neighbouring rules.
# The host is a content-addressed subdomain of a public IPFS gateway, so the signature is tied to
# that one gateway hostname; the same content requested through another gateway would not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3579459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.jpg|3f|137113"; depth:19; endswith; nocase; http.host; content:"bafybeidvf6tytrspkd4wnvxzs23m3kjr6bfvgszbfwybmmcosl4rrhvuo4.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2025_07_09; reference:url, urlhaus.abuse.ch/url/3579459/; classtype:trojan-activity;sid:84442559; rev:1;)
# NOTE(review): `alert http` only inspects cleartext HTTP. The URL scheme is not recorded in the rule;
# if raw.githubusercontent.com content is fetched over TLS, these signatures need decrypted traffic
# or a complementary TLS SNI, DNS or proxy-log match. The host is a shared code-hosting domain, so
# triage on the full path, not the host alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3578386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invisiblebunny/records/main/bunny-mini/mini.shell.php"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_07; reference:url, urlhaus.abuse.ch/url/3578386/; classtype:trojan-activity;sid:84441486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3578385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ly4k/pwnkit/main/pwnkit"; depth:24; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_07; reference:url, 
urlhaus.abuse.ch/url/3578385/; classtype:trojan-activity;sid:84441485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.60.172"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_06; reference:url, urlhaus.abuse.ch/url/3577299/; classtype:trojan-activity;sid:84440399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/photo.lnk"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577021/; classtype:trojan-activity;sid:84440121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577019/; classtype:trojan-activity;sid:84440119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/av.lnk"; depth:9; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577020/; classtype:trojan-activity;sid:84440120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/video.scr"; depth:12; endswith; nocase; http.host; 
content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577008/; classtype:trojan-activity;sid:84440108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/photo.scr"; depth:12; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577009/; classtype:trojan-activity;sid:84440109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/av.scr"; depth:9; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576996/; classtype:trojan-activity;sid:84440096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576990/; classtype:trojan-activity;sid:84440090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/photo.scr"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576991/; classtype:trojan-activity;sid:84440091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576992)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/info.zip"; depth:22; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576992/; classtype:trojan-activity;sid:84440092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/av.scr"; depth:20; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576993/; classtype:trojan-activity;sid:84440093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576994/; classtype:trojan-activity;sid:84440094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/av.lnk"; depth:20; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576995/; classtype:trojan-activity;sid:84440095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576988/; 
classtype:trojan-activity;sid:84440088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/video.scr"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576989/; classtype:trojan-activity;sid:84440089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/video.lnk"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576987/; classtype:trojan-activity;sid:84440087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576981/; classtype:trojan-activity;sid:84440081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576982/; classtype:trojan-activity;sid:84440082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/video.lnk"; depth:12; endswith; nocase; http.host; 
content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576983/; classtype:trojan-activity;sid:84440083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/photo.lnk"; depth:12; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576984/; classtype:trojan-activity;sid:84440084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/info.zip"; depth:11; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576985/; classtype:trojan-activity;sid:84440085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576986/; classtype:trojan-activity;sid:84440086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.60.172"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576384/; classtype:trojan-activity;sid:84439484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576359)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.60.172"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576359/; classtype:trojan-activity;sid:84439459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/allbnc.jpg"; depth:11; endswith; nocase; http.host; content:"185.253.75.188"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3575978/; classtype:trojan-activity;sid:84439078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auto.jpg"; depth:9; endswith; nocase; http.host; content:"185.253.75.188"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3575979/; classtype:trojan-activity;sid:84439079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.sh"; depth:5; endswith; nocase; http.host; content:"185.253.75.188"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3575971/; classtype:trojan-activity;sid:84439071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cata2.jpg"; depth:10; endswith; nocase; http.host; content:"185.253.75.188"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3575892/; classtype:trojan-activity;sid:84438992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3575355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labubu99999/localoco8386/main/shaman.zip"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_04; reference:url, urlhaus.abuse.ch/url/3575355/; classtype:trojan-activity;sid:84438455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labubu99999/localoco8386/raw/main/update0.bat"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_04; reference:url, urlhaus.abuse.ch/url/3575354/; classtype:trojan-activity;sid:84438454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.80.246.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_03; reference:url, urlhaus.abuse.ch/url/3575022/; classtype:trojan-activity;sid:84438122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_02; reference:url, urlhaus.abuse.ch/url/3573965/; classtype:trojan-activity;sid:84437065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"110.227.197.204"; depth:15; isdataat:!1,relative; 
metadata:created_at 2025_07_02; reference:url, urlhaus.abuse.ch/url/3573963/; classtype:trojan-activity;sid:84437063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chrome_134.exe"; depth:15; endswith; nocase; http.host; content:"lomejordesalamanca.es"; depth:21; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3573084/; classtype:trojan-activity;sid:84436184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3572729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/2.txt"; depth:8; endswith; nocase; http.host; content:"hotellacastellana.com.uy"; depth:24; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3572729/; classtype:trojan-activity;sid:84435829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3572728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/1.txt"; depth:8; endswith; nocase; http.host; content:"hotellacastellana.com.uy"; depth:24; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3572728/; classtype:trojan-activity;sid:84435828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3572294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.142.68"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3572294/; classtype:trojan-activity;sid:84435394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3571424)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/a3f.dof"; depth:8; endswith; nocase; http.host; content:"checkinetverifk.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_06_30; reference:url, urlhaus.abuse.ch/url/3571424/; classtype:trojan-activity;sid:84434524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3570861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.147.179.88"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_28; reference:url, urlhaus.abuse.ch/url/3570861/; classtype:trojan-activity;sid:84433961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3570158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_25; reference:url, urlhaus.abuse.ch/url/3570158/; classtype:trojan-activity;sid:84433258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.57.30.25"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569817/; classtype:trojan-activity;sid:84432917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569802/; classtype:trojan-activity;sid:84432902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3569803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569803/; classtype:trojan-activity;sid:84432903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/trapapo.ps1"; depth:31; endswith; nocase; http.host; content:"www.vuelaviajero.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_06_22; reference:url, urlhaus.abuse.ch/url/3569088/; classtype:trojan-activity;sid:84432188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aminer.gz"; depth:10; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_21; reference:url, urlhaus.abuse.ch/url/3568977/; classtype:trojan-activity;sid:84432077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.tgz"; depth:12; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_21; reference:url, urlhaus.abuse.ch/url/3568976/; classtype:trojan-activity;sid:84432076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568238/; 
classtype:trojan-activity;sid:84431338; rev:1;)
# Rule shape used throughout this feed (one rule per URLhaus entry):
#   - http.method "GET" plus flow:established,from_client -> client request only.
#   - http.uri content with depth:<len> + endswith -> the URI must equal the
#     listed string exactly (nocase); a different directory on the same host,
#     or the same path with a query string appended, does not match.
#   - http.host content with depth:<len> + isdataat:!1,relative -> the host
#     must equal the listed name/IP exactly.
# These are `alert http` rules, so they only see HTTP the sensor can parse in
# clear text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/new_image.jpg"; depth:17; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568230/; classtype:trojan-activity;sid:84431330; rev:1;)
# NOTE(review): the next two rules name raw.githubusercontent.com and
# github.com. Those hosts are normally reached over HTTPS, so presumably these
# rules only fire on a plaintext request or where TLS is decrypted ahead of
# the sensor; confirm coverage, and consider a proxy/TLS-inspection or DNS/SNI
# based control for this indicator instead of relying on the http rule alone.
# The match is pinned to one repository path, so other content on the same
# shared host does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/gv-cu/main/ud.png"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568176/; classtype:trojan-activity;sid:84431276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/gv-cu/raw/main/ud.png"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568162/; classtype:trojan-activity;sid:84431262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xl.txt"; depth:7; endswith; nocase; http.host; content:"mundocarnes.cl"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3568006/; classtype:trojan-activity;sid:84431106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/info.zip"; depth:16; 
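endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565283/; classtype:trojan-activity;sid:84428383; rev:1;)
# Each rule below matches one exact URL from a client GET request:
#   - http.uri content + depth:<len> + endswith -> URI equals the listed string
#     (nocase); other directories on the same host, or the same path with a
#     query string, are not covered.
#   - http.host content + depth:<len> + isdataat:!1,relative -> exact host.
# Several hosts here appear with the same file name under many directories;
# treat repeated hits on one host as a single indicator when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svg/info.zip"; depth:13; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565284/; classtype:trojan-activity;sid:84428384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565285/; classtype:trojan-activity;sid:84428385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/dao/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565262/; classtype:trojan-activity;sid:84428362; rev:1;)
# FIX (local): http.uri is Suricata's normalized URI buffer, where a
# percent-encoded space (%20) is already decoded. The feed ships the literal
# text "%20" in these contents, which cannot match that buffer. The six
# "/exeftp - copia/" rules in this section therefore carry |20| in place of
# %20, with depth reduced by 4 so depth + endswith still means "exact URI".
# (Keeping %20 and switching the buffer to http.uri.raw is the alternative.)
# A direct edit is overwritten by the next feed download; carry it in the rule
# manager's modify step and report it upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/badmail/info.zip"; depth:32; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565260/; classtype:trojan-activity;sid:84428360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/info.zip"; depth:23; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565261/; classtype:trojan-activity;sid:84428361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/info.zip"; depth:37; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565259/; classtype:trojan-activity;sid:84428359; rev:1;)
# FIX (local): %20 -> |20|, depth 28 -> 24 (normalized http.uri holds a space).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/info.zip"; depth:24; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565258/; classtype:trojan-activity;sid:84428358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/info.zip"; depth:35; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565257/; classtype:trojan-activity;sid:84428357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bkp/info.zip"; depth:13; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565256/; classtype:trojan-activity;sid:84428356; rev:1;)
# FIX (local): %20 -> |20|, depth 34 -> 30 (normalized http.uri holds a space).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/queue/info.zip"; depth:30; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565255/; classtype:trojan-activity;sid:84428355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/relftp/info.zip"; depth:16; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565254/; classtype:trojan-activity;sid:84428354; rev:1;)
# FIX (local): %20 -> |20|, depth 33 -> 29 (normalized http.uri holds a space).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/drop/info.zip"; depth:29; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565253/; classtype:trojan-activity;sid:84428353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/info.zip"; depth:16; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565252/; classtype:trojan-activity;sid:84428352; rev:1;)
# FIX (local): %20 -> |20|, depth 35 -> 31 (normalized http.uri holds a space).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/pickup/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565249/; classtype:trojan-activity;sid:84428349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h4lud3ae/info.zip"; depth:18; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565244/; classtype:trojan-activity;sid:84428344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/info.zip"; depth:17; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565245/; classtype:trojan-activity;sid:84428345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/info.zip"; depth:21; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565246/; classtype:trojan-activity;sid:84428346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/relftp/pdf/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565243/; classtype:trojan-activity;sid:84428343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/info.zip"; depth:26; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565230/; classtype:trojan-activity;sid:84428330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idi/info.zip"; depth:13; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565236/; classtype:trojan-activity;sid:84428336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/info.zip"; depth:24; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565239/; classtype:trojan-activity;sid:84428339; rev:1;)
# FIX (local): %20 -> |20|, depth 32 -> 28 (normalized http.uri holds a space).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp|20|-|20|copia/idi/info.zip"; depth:28; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565240/; classtype:trojan-activity;sid:84428340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565241)"; flow:established,from_client; http.method; content:"GET"; 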
http.uri; content:"/gdbftp/info.zip"; depth:16; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565241/; classtype:trojan-activity;sid:84428341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/cksy/info.zip"; depth:98; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565091/; classtype:trojan-activity;sid:84428191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/service/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565090/; classtype:trojan-activity;sid:84428190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/rgsy/info.zip"; depth:98; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565089/; classtype:trojan-activity;sid:84428189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565088)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565088/; classtype:trojan-activity;sid:84428188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/entity/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565087/; classtype:trojan-activity;sid:84428187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565085/; classtype:trojan-activity;sid:84428185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565086/; classtype:trojan-activity;sid:84428186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565084)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565084/; classtype:trojan-activity;sid:84428184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/entity/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565083/; classtype:trojan-activity;sid:84428183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/constrant/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565082/; classtype:trojan-activity;sid:84428182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565081/; classtype:trojan-activity;sid:84428181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565080)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/info.zip"; depth:57; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565080/; classtype:trojan-activity;sid:84428180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565079/; classtype:trojan-activity;sid:84428179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/log/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565078/; classtype:trojan-activity;sid:84428178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565077/; classtype:trojan-activity;sid:84428177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565076)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/chkptwss/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565076/; classtype:trojan-activity;sid:84428176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/images/new/info.zip"; depth:48; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565075/; classtype:trojan-activity;sid:84428175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565074/; classtype:trojan-activity;sid:84428174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/photoset/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565073/; classtype:trojan-activity;sid:84428173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/templete/info.zip"; depth:55; endswith; 
nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565072/; classtype:trojan-activity;sid:84428172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/service/impl/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565071/; classtype:trojan-activity;sid:84428171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/action/info.zip"; depth:76; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565070/; classtype:trojan-activity;sid:84428170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/vehiclereview/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565069/; classtype:trojan-activity;sid:84428169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; 
depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565068/; classtype:trojan-activity;sid:84428168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/css1/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565066/; classtype:trojan-activity;sid:84428166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/base/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565067/; classtype:trojan-activity;sid:84428167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/zbawss/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565065/; classtype:trojan-activity;sid:84428165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/entity/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_06_18; reference:url, urlhaus.abuse.ch/url/3565064/; classtype:trojan-activity;sid:84428164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/set/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565062/; classtype:trojan-activity;sid:84428162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/dto/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565063/; classtype:trojan-activity;sid:84428163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/service/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565061/; classtype:trojan-activity;sid:84428161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/apache/info.zip"; depth:57; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, 
urlhaus.abuse.ch/url/3565060/; classtype:trojan-activity;sid:84428160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/templete/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565059/; classtype:trojan-activity;sid:84428159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/photo/info.zip"; depth:36; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565057/; classtype:trojan-activity;sid:84428157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565058/; classtype:trojan-activity;sid:84428158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/entity/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565056/; classtype:trojan-activity;sid:84428156; rev:1;) 
# URLhaus download-URL signatures for host 116.171.106.3 (metadata created_at 2025_06_18).
# Layout: one signature per line, which is how Suricata reads a rules file.
# Every signature in this group has the same shape:
#   - established flow, client side, HTTP GET from $HOME_NET to $EXTERNAL_NET
#   - http.uri must equal the listed path: depth is the content length and endswith pins the end;
#     nocase makes the comparison case-insensitive
#   - http.host must equal "116.171.106.3": depth:13 pins the start, isdataat:!1,relative the end
# NOTE(review): these are whole-buffer matches on the URI, so the same path with a query string, or any
# other path on this host, is outside their coverage. Treat them as per-URL indicators and pair them
# with a host- or IP-level control if the host as a whole should be covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565054/; classtype:trojan-activity;sid:84428154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/service/impl/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565049/; classtype:trojan-activity;sid:84428149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/localxml.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565050/; classtype:trojan-activity;sid:84428150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565051/; classtype:trojan-activity;sid:84428151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/dto/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565048/; classtype:trojan-activity;sid:84428148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/action/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565044/; classtype:trojan-activity;sid:84428144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/entity/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565043/; classtype:trojan-activity;sid:84428143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/servacpt/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565040/; classtype:trojan-activity;sid:84428140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/temp/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565035/; classtype:trojan-activity;sid:84428135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/dto/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565034/; classtype:trojan-activity;sid:84428134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/pdauser/action/info.zip"; depth:94; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565030/; classtype:trojan-activity;sid:84428130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/sysparam/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565029/; classtype:trojan-activity;sid:84428129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/info.zip"; depth:38; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565024/; classtype:trojan-activity;sid:84428124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/client/info.zip"; depth:70; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565017/; classtype:trojan-activity;sid:84428117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/info.zip"; depth:31; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565018/; classtype:trojan-activity;sid:84428118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565016/; classtype:trojan-activity;sid:84428116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565015/; classtype:trojan-activity;sid:84428115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/dao/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565014/; classtype:trojan-activity;sid:84428114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/interceptor/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565008/; classtype:trojan-activity;sid:84428108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/plugin/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565009/; classtype:trojan-activity;sid:84428109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/dto/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565010/; classtype:trojan-activity;sid:84428110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565011/; classtype:trojan-activity;sid:84428111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565004/; classtype:trojan-activity;sid:84428104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/info.zip"; depth:66; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565001/; classtype:trojan-activity;sid:84428101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/dto/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564999/; classtype:trojan-activity;sid:84428099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/service/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564992/; classtype:trojan-activity;sid:84428092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/mgr/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564993/; classtype:trojan-activity;sid:84428093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/visitwss/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564990/; classtype:trojan-activity;sid:84428090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564988/; classtype:trojan-activity;sid:84428088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/wss/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564986/; classtype:trojan-activity;sid:84428086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/pdawss/dto/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564985/; classtype:trojan-activity;sid:84428085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564984/; classtype:trojan-activity;sid:84428084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/info.zip"; depth:68; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564983/; classtype:trojan-activity;sid:84428083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/exception/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564980/; classtype:trojan-activity;sid:84428080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/dao/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564979/; classtype:trojan-activity;sid:84428079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564977/; classtype:trojan-activity;sid:84428077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564975/; classtype:trojan-activity;sid:84428075; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/dao/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564976/; classtype:trojan-activity;sid:84428076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/service/impl/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564974/; classtype:trojan-activity;sid:84428074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/dao/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564972/; classtype:trojan-activity;sid:84428072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/localxml.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564971/; classtype:trojan-activity;sid:84428071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3564969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/info.zip"; depth:17; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564969/; classtype:trojan-activity;sid:84428069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/service/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564968/; classtype:trojan-activity;sid:84428068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/rgsy/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564966/; classtype:trojan-activity;sid:84428066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/dao/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564965/; classtype:trojan-activity;sid:84428065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564964)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564964/; classtype:trojan-activity;sid:84428064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564960/; classtype:trojan-activity;sid:84428060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/system_web/info.zip"; depth:34; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564961/; classtype:trojan-activity;sid:84428061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/dto/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564958/; classtype:trojan-activity;sid:84428058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564957)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/action/info.zip"; depth:96; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564957/; classtype:trojan-activity;sid:84428057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/conf/catalina/info.zip"; depth:31; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564956/; classtype:trojan-activity;sid:84428056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564953/; classtype:trojan-activity;sid:84428053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/service/impl/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564948/; classtype:trojan-activity;sid:84428048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564949)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564949/; classtype:trojan-activity;sid:84428049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345downloads/info.zip"; depth:23; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564944/; classtype:trojan-activity;sid:84428044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/lib/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564937/; classtype:trojan-activity;sid:84428037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564938/; classtype:trojan-activity;sid:84428038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/service/impl/info.zip"; depth:76; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564939/; classtype:trojan-activity;sid:84428039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/record/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564940/; classtype:trojan-activity;sid:84428040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564935/; classtype:trojan-activity;sid:84428035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564936/; classtype:trojan-activity;sid:84428036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/mgr/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564931/; classtype:trojan-activity;sid:84428031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/nvrsetting/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564927/; classtype:trojan-activity;sid:84428027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/css1/_notes/info.zip"; depth:49; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564925/; classtype:trojan-activity;sid:84428025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/rgsy/system/info.zip"; depth:66; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564926/; classtype:trojan-activity;sid:84428026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564924/; 
classtype:trojan-activity;sid:84428024; rev:1;)
# --- Reviewer notes for the rules below that name host 116.171.106.3 (created_at 2025_06_18) ---
# Shape: each rule alerts on an established, client-originated HTTP flow from $HOME_NET to
# $EXTERNAL_NET where the method buffer contains "GET", the URI buffer equals the listed
# path and the host buffer equals the listed IP.
# http.uri: depth is the content length and endswith is set, so the whole buffer must be
#   exactly that path (nocase makes the comparison case-insensitive); any variation of the
#   URI falls outside these rules.
# http.host: depth:13 with isdataat:!1,relative requires the buffer to be exactly the IP.
#   NOTE(review): Suricata documents http.host as normalized and without the port - confirm
#   on the deployed version before relying on this for non-default ports.
# Coverage: only the listed paths on this host alert; other paths on the same host are not
#   covered by these rules, so an absence of alerts is not evidence of no contact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/base/dto/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564920/; classtype:trojan-activity;sid:84428020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/web/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564908/; classtype:trojan-activity;sid:84428008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/info.zip"; depth:44; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564909/; classtype:trojan-activity;sid:84428009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/lib/info.zip"; depth:48; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564906/; classtype:trojan-activity;sid:84428006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/base/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564903/; classtype:trojan-activity;sid:84428003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/unusual/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564902/; classtype:trojan-activity;sid:84428002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564900/; classtype:trojan-activity;sid:84428000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/pub/info.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564899/; classtype:trojan-activity;sid:84427999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/info.zip"; depth:61; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564898/; classtype:trojan-activity;sid:84427998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/cyzpdytemp/info.zip"; depth:36; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564895/; classtype:trojan-activity;sid:84427995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/systemset/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564896/; classtype:trojan-activity;sid:84427996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/viewwss/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564893/; classtype:trojan-activity;sid:84427993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/util/info.zip"; depth:68; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564894/; classtype:trojan-activity;sid:84427994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/wss/util/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564892/; classtype:trojan-activity;sid:84427992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564888/; classtype:trojan-activity;sid:84427988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/util/nvr/info.zip"; depth:72; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564889/; classtype:trojan-activity;sid:84427989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564882/; classtype:trojan-activity;sid:84427982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/cksy/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564883/; classtype:trojan-activity;sid:84427983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/sysparam/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564881/; classtype:trojan-activity;sid:84427981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/bin/tomcat8.exe"; depth:24; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564878/; classtype:trojan-activity;sid:84427978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/info.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564876/; classtype:trojan-activity;sid:84427976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/info.zip"; depth:63; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564874/; classtype:trojan-activity;sid:84427974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/dao/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564871/; classtype:trojan-activity;sid:84427971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564866/; classtype:trojan-activity;sid:84427966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/action/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564861/; classtype:trojan-activity;sid:84427961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564862/; classtype:trojan-activity;sid:84427962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/dto/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564863/; classtype:trojan-activity;sid:84427963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/vehicleinformation/info.zip"; depth:98; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564858/; classtype:trojan-activity;sid:84427958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/logs/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564859/; classtype:trojan-activity;sid:84427959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/entity/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564855/; classtype:trojan-activity;sid:84427955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/entity/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564852/; classtype:trojan-activity;sid:84427952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564850/; classtype:trojan-activity;sid:84427950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564849/; classtype:trojan-activity;sid:84427949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/excel/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564847/; classtype:trojan-activity;sid:84427947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/service/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564845/; classtype:trojan-activity;sid:84427945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/szclient/info.zip"; depth:72; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564844/; classtype:trojan-activity;sid:84427944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/futai/info.zip"; depth:15; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564838/; classtype:trojan-activity;sid:84427938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564839/; classtype:trojan-activity;sid:84427939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/service/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564832/; classtype:trojan-activity;sid:84427932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564819/; classtype:trojan-activity;sid:84427919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564820/; classtype:trojan-activity;sid:84427920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/dto/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564821/; classtype:trojan-activity;sid:84427921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/service/impl/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564822/; classtype:trojan-activity;sid:84427922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564823/; classtype:trojan-activity;sid:84427923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/jurisdict/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564809/; classtype:trojan-activity;sid:84427909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/set/service/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564810/; classtype:trojan-activity;sid:84427910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/exception/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564812/; classtype:trojan-activity;sid:84427912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/hcnetsdkcom/info.zip"; depth:66; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564807/; classtype:trojan-activity;sid:84427907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564808/; classtype:trojan-activity;sid:84427908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/dao/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564804/; classtype:trojan-activity;sid:84427904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/mgr/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564801/; classtype:trojan-activity;sid:84427901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/info.zip"; depth:36; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564800/; classtype:trojan-activity;sid:84427900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/pub/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564799/; classtype:trojan-activity;sid:84427899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564797/; classtype:trojan-activity;sid:84427897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/info.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564796/; classtype:trojan-activity;sid:84427896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564794/; classtype:trojan-activity;sid:84427894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564793/; classtype:trojan-activity;sid:84427893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/hcnetsdkcom/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564791/; classtype:trojan-activity;sid:84427891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/info.zip"; depth:60; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564787/; classtype:trojan-activity;sid:84427887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/pub/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564785/; classtype:trojan-activity;sid:84427885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/service/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564783/; classtype:trojan-activity;sid:84427883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564784/; classtype:trojan-activity;sid:84427884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564781/; classtype:trojan-activity;sid:84427881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/js/info.zip"; depth:40; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564782/; classtype:trojan-activity;sid:84427882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564780/; classtype:trojan-activity;sid:84427880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/web/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564778/; classtype:trojan-activity;sid:84427878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/base/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564777/; classtype:trojan-activity;sid:84427877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/dto/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564776/; classtype:trojan-activity;sid:84427876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564769/; classtype:trojan-activity;sid:84427869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/meta-inf/info.zip"; depth:43; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564770/; classtype:trojan-activity;sid:84427870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/wss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564771/; classtype:trojan-activity;sid:84427871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/apache/jsp/info.zip"; depth:61; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564766/; classtype:trojan-activity;sid:84427866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/nvr/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564761/; classtype:trojan-activity;sid:84427861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/web/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564760/; classtype:trojan-activity;sid:84427860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/meta-inf/info.zip"; depth:45; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564755/; classtype:trojan-activity;sid:84427855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564756/; classtype:trojan-activity;sid:84427856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/conf/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564757/; classtype:trojan-activity;sid:84427857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/mgr/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564753/; classtype:trojan-activity;sid:84427853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/action/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564752/; classtype:trojan-activity;sid:84427852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564749/; classtype:trojan-activity;sid:84427849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564748/; classtype:trojan-activity;sid:84427848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dto/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564747/; classtype:trojan-activity;sid:84427847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/css/info.zip"; depth:41; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564746/; classtype:trojan-activity;sid:84427846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/mgr/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564743/; classtype:trojan-activity;sid:84427843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/service/impl/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564739/; classtype:trojan-activity;sid:84427839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/chkptwss/dto/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564740/; classtype:trojan-activity;sid:84427840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564737)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/action/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564737/; classtype:trojan-activity;sid:84427837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/exception/info.zip"; depth:99; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564734/; classtype:trojan-activity;sid:84427834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564735/; classtype:trojan-activity;sid:84427835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564736/; classtype:trojan-activity;sid:84427836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564731)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/static/images/info.zip"; depth:44; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564731/; classtype:trojan-activity;sid:84427831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/download/info.zip"; depth:39; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564726/; classtype:trojan-activity;sid:84427826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564724/; classtype:trojan-activity;sid:84427824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564725/; classtype:trojan-activity;sid:84427825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/controller/info.zip"; depth:94; endswith; nocase; http.host; 
content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564720/; classtype:trojan-activity;sid:84427820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564717/; classtype:trojan-activity;sid:84427817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564718/; classtype:trojan-activity;sid:84427818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xinheyuan/info.zip"; depth:19; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564715/; classtype:trojan-activity;sid:84427815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/dao/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564713/; 
classtype:trojan-activity;sid:84427813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/dao/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564711/; classtype:trojan-activity;sid:84427811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/mgr/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564706/; classtype:trojan-activity;sid:84427806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564703/; classtype:trojan-activity;sid:84427803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/service/impl/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564704/; classtype:trojan-activity;sid:84427804; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/mgr/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564700/; classtype:trojan-activity;sid:84427800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dao/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564697/; classtype:trojan-activity;sid:84427797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564693/; classtype:trojan-activity;sid:84427793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/images/icons/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564694/; classtype:trojan-activity;sid:84427794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3564685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564685/; classtype:trojan-activity;sid:84427785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564686/; classtype:trojan-activity;sid:84427786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/service/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564687/; classtype:trojan-activity;sid:84427787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/mgr/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564681/; classtype:trojan-activity;sid:84427781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564682)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564682/; classtype:trojan-activity;sid:84427782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/lib/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564675/; classtype:trojan-activity;sid:84427775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564674/; classtype:trojan-activity;sid:84427774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/bin/info.zip"; depth:21; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564673/; classtype:trojan-activity;sid:84427773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564672)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/pdauser/dao/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564672/; classtype:trojan-activity;sid:84427772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/entity/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564671/; classtype:trojan-activity;sid:84427771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564669/; classtype:trojan-activity;sid:84427769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/service/impl/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564670/; classtype:trojan-activity;sid:84427770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564666)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/utils/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564666/; classtype:trojan-activity;sid:84427766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/dao/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564667/; classtype:trojan-activity;sid:84427767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564665/; classtype:trojan-activity;sid:84427765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/service/impl/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564659/; classtype:trojan-activity;sid:84427759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564660)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/spotckeck/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564660/; classtype:trojan-activity;sid:84427760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/entity/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564653/; classtype:trojan-activity;sid:84427753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hengsheng/info.zip"; depth:19; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564654/; classtype:trojan-activity;sid:84427754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/info.zip"; depth:25; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564655/; classtype:trojan-activity;sid:84427755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/service/impl/info.zip"; depth:96; endswith; nocase; 
http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564648/; classtype:trojan-activity;sid:84427748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/pdauser/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564644/; classtype:trojan-activity;sid:84427744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/base/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564640/; classtype:trojan-activity;sid:84427740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/dao/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564641/; classtype:trojan-activity;sid:84427741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/dto/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; 
depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564636/; classtype:trojan-activity;sid:84427736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/dao/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564638/; classtype:trojan-activity;sid:84427738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564633/; classtype:trojan-activity;sid:84427733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/service/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564634/; classtype:trojan-activity;sid:84427734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_06_18; reference:url, urlhaus.abuse.ch/url/3564635/; classtype:trojan-activity;sid:84427735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/entity/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564630/; classtype:trojan-activity;sid:84427730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/dept/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564629/; classtype:trojan-activity;sid:84427729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/info.zip"; depth:41; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564620/; classtype:trojan-activity;sid:84427720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/service/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564621/; 
classtype:trojan-activity;sid:84427721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/web/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564616/; classtype:trojan-activity;sid:84427716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/dept/web/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564611/; classtype:trojan-activity;sid:84427711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guirui/info.zip"; depth:16; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564599/; classtype:trojan-activity;sid:84427699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/info.zip"; depth:30; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564600/; classtype:trojan-activity;sid:84427700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564601)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564601/; classtype:trojan-activity;sid:84427701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/action/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564602/; classtype:trojan-activity;sid:84427702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/action/info.zip"; depth:96; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564603/; classtype:trojan-activity;sid:84427703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/dao/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564597/; classtype:trojan-activity;sid:84427697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564598)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564598/; classtype:trojan-activity;sid:84427698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564594/; classtype:trojan-activity;sid:84427694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/info.zip"; depth:60; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564595/; classtype:trojan-activity;sid:84427695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/service/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564596/; classtype:trojan-activity;sid:84427696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564593)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/excel/annotation/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564593/; classtype:trojan-activity;sid:84427693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/set/service/impl/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564592/; classtype:trojan-activity;sid:84427692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564589/; classtype:trojan-activity;sid:84427689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/dao/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564590/; classtype:trojan-activity;sid:84427690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564583)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/service/info.zip"; depth:96; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564583/; classtype:trojan-activity;sid:84427683; rev:1;)
# URLhaus-generated download-URL signatures for host 116.171.106.3, one rule per line below.
# Each rule alerts on an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET
# whose http.uri equals the listed path (depth = content length, plus endswith, nocase) and
# whose http.host equals the listed IP literal (depth + isdataat:!1,relative).
# The rule fragment above and the last rule in this span continue on the adjacent lines.
# NOTE(review): the URI match is exact, so a request that carries a query string, or one made
# over TLS, is outside what these rules inspect; keep IP/flow-level telemetry for this host too.
#
# NOTE(review): the next rule's content holds percent-encoded text ("%e6%96%b0..." and "%20")
# but sits in http.uri, which Suricata documents as the normalized URI buffer (e.g. %20 is
# decoded to a space). If the deployed engine decodes these escapes, the literal "%xx" pattern
# is not present in the buffer and the rule cannot fire. Confirm with a replayed request, and
# consider http.uri.raw (or the decoded bytes with a recomputed depth) in a local override.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%96%b0%e6%96%87%e4%bb%b6%e5%a4%b9%20(2)/info.zip"; depth:52; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564584/; classtype:trojan-activity;sid:84427684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/info.zip"; depth:34; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564585/; classtype:trojan-activity;sid:84427685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564581/; classtype:trojan-activity;sid:84427681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haohua/info.zip"; depth:16; endswith; nocase; http.host; 
content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564578/; classtype:trojan-activity;sid:84427678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/base/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564577/; classtype:trojan-activity;sid:84427677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/count/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564576/; classtype:trojan-activity;sid:84427676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/dao/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564574/; classtype:trojan-activity;sid:84427674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/info.zip"; depth:52; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564575/; classtype:trojan-activity;sid:84427675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564569/; classtype:trojan-activity;sid:84427669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/service/impl/info.zip"; depth:101; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564568/; classtype:trojan-activity;sid:84427668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/rgsy/system/info.zip"; depth:105; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564566/; classtype:trojan-activity;sid:84427666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/chkpt/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; 
depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564565/; classtype:trojan-activity;sid:84427665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/info.zip"; depth:63; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564563/; classtype:trojan-activity;sid:84427663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/controller/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564561/; classtype:trojan-activity;sid:84427661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/info.zip"; depth:56; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564562/; classtype:trojan-activity;sid:84427662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/entity/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; 
reference:url, urlhaus.abuse.ch/url/3564559/; classtype:trojan-activity;sid:84427659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/lib/info.zip"; depth:21; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564554/; classtype:trojan-activity;sid:84427654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564542/; classtype:trojan-activity;sid:84427642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaifa/info.zip"; depth:15; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564543/; classtype:trojan-activity;sid:84427643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dto/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564544/; classtype:trojan-activity;sid:84427644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3564545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564545/; classtype:trojan-activity;sid:84427645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564539/; classtype:trojan-activity;sid:84427639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/viewws/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564540/; classtype:trojan-activity;sid:84427640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/pdawss/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564541/; classtype:trojan-activity;sid:84427641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564538)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/web/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564538/; classtype:trojan-activity;sid:84427638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564534/; classtype:trojan-activity;sid:84427634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/ckwss/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564535/; classtype:trojan-activity;sid:84427635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/action/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564536/; classtype:trojan-activity;sid:84427636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564537)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564537/; classtype:trojan-activity;sid:84427637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564527/; classtype:trojan-activity;sid:84427627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/info.zip"; depth:23; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564528/; classtype:trojan-activity;sid:84427628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/web/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564529/; classtype:trojan-activity;sid:84427629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/temp/poifiles/info.zip"; depth:31; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564526/; classtype:trojan-activity;sid:84427626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/report/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564522/; classtype:trojan-activity;sid:84427622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/dao/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564521/; classtype:trojan-activity;sid:84427621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564519/; classtype:trojan-activity;sid:84427619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/entity/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, 
urlhaus.abuse.ch/url/3564518/; classtype:trojan-activity;sid:84427618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564515/; classtype:trojan-activity;sid:84427615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/action/info.zip"; depth:70; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564514/; classtype:trojan-activity;sid:84427614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/dao/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564509/; classtype:trojan-activity;sid:84427609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564500/; 
classtype:trojan-activity;sid:84427600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/dao/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564502/; classtype:trojan-activity;sid:84427602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/dept/service/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564498/; classtype:trojan-activity;sid:84427598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/dept/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564499/; classtype:trojan-activity;sid:84427599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564497/; 
classtype:trojan-activity;sid:84427597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.exe"; depth:10; endswith; nocase; http.host; content:"152.67.84.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563453/; classtype:trojan-activity;sid:84426553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"43.136.88.193"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563444/; classtype:trojan-activity;sid:84426544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"175.178.174.23"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563441/; classtype:trojan-activity;sid:84426541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"175.178.174.23"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563442/; classtype:trojan-activity;sid:84426542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; 
content:"43.136.51.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563435/; classtype:trojan-activity;sid:84426535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"42.193.115.114"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563432/; classtype:trojan-activity;sid:84426532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.136.51.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563425/; classtype:trojan-activity;sid:84426525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"42.193.115.114"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563418/; classtype:trojan-activity;sid:84426518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.136.88.193"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563424/; classtype:trojan-activity;sid:84426524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3563388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"114.132.86.182"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563388/; classtype:trojan-activity;sid:84426488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"43.139.88.161"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563385/; classtype:trojan-activity;sid:84426485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"106.55.134.240"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563384/; classtype:trojan-activity;sid:84426484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"124.223.73.186"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563380/; classtype:trojan-activity;sid:84426480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"124.223.73.186"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563381/; 
classtype:trojan-activity;sid:84426481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"42.194.199.15"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563374/; classtype:trojan-activity;sid:84426474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"114.132.86.182"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563373/; classtype:trojan-activity;sid:84426473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"49.233.172.4"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563369/; classtype:trojan-activity;sid:84426469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.139.88.161"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563362/; classtype:trojan-activity;sid:84426462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; 
http.host; content:"49.233.172.4"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563363/; classtype:trojan-activity;sid:84426463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563364/; classtype:trojan-activity;sid:84426464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"81.69.185.184"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563349/; classtype:trojan-activity;sid:84426449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"81.69.185.184"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563343/; classtype:trojan-activity;sid:84426443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"106.55.134.240"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563336/; classtype:trojan-activity;sid:84426436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3563320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563320/; classtype:trojan-activity;sid:84426420; rev:1;)
# Signature shape used throughout this feed: client-to-server GET on an established flow,
# a whole-URI match (depth equal to the content length plus endswith, case-insensitive), and
# a whole-Host match (depth equal to the content length plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"175.178.112.226"; depth:15; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563326/; classtype:trojan-activity;sid:84426426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gg.apk"; depth:7; endswith; nocase; http.host; content:"112.18.10.80"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563253/; classtype:trojan-activity;sid:84426353; rev:1;)
# NOTE(review): sid 84426026 keys on Host "github.com", a shared hosting domain, and on a
# URI that is the branch archive (archive/refs/heads/master.zip) of a public repository, so
# every fetch of that archive matches. Treat a hit as a lead to verify against the URLhaus
# reference, not as confirmation of compromise.
# github.com is normally reached over HTTPS, so an `alert http` rule sees this request only
# on cleartext HTTP or where the sensor inspects decrypted traffic; without that visibility
# the signature provides no coverage for this URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mar10/wsgidav/archive/refs/heads/master.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3562926/; classtype:trojan-activity;sid:84426026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/msglu32.ocx"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, 
urlhaus.abuse.ch/url/3562778/; classtype:trojan-activity;sid:84425878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/energizertrojan-malware.zip"; depth:38; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562768/; classtype:trojan-activity;sid:84425868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/advnetcfg.ocx"; depth:30; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562769/; classtype:trojan-activity;sid:84425869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/malware/icecast2_2.0.0_vulnerable.exe"; depth:38; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562770/; classtype:trojan-activity;sid:84425870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/mssecmgr.ocx"; depth:29; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562771/; classtype:trojan-activity;sid:84425871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562772)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dangerous/dnsmasq-2.73rc7.tar.gz"; depth:33; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562772/; classtype:trojan-activity;sid:84425872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/boot32drv.sys"; depth:30; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562774/; classtype:trojan-activity;sid:84425874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/malware/energizertrojan-malware.zip"; depth:36; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562775/; classtype:trojan-activity;sid:84425875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/nteps32.ocx"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562766/; classtype:trojan-activity;sid:84425866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/malware/dnsmasq-2.73rc7.tar.gz"; depth:31; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, 
urlhaus.abuse.ch/url/3562767/; classtype:trojan-activity;sid:84425867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/icecast2_2.0.0_vulnerable.exe"; depth:40; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562765/; classtype:trojan-activity;sid:84425865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/ccalc32.sys"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562763/; classtype:trojan-activity;sid:84425863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tcp_linux_amd64"; depth:16; endswith; nocase; http.host; content:"101.43.49.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562757/; classtype:trojan-activity;sid:84425857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cve-2020-15972/tear-down.js"; depth:28; endswith; nocase; http.host; content:"119.28.140.233"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562758/; classtype:trojan-activity;sid:84425858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562728)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.232.167.99"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562728/; classtype:trojan-activity;sid:84425828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.28.31.6"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562674/; classtype:trojan-activity;sid:84425774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zusyaku/malware-collection-part-2/refs/heads/main/666/666.exe"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562600/; classtype:trojan-activity;sid:84425700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp.bat"; depth:7; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562599/; classtype:trojan-activity;sid:84425699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/releases/download/1.2.4.1/cpuminer-gr-1.2.4.1-x86_64_windows.7z"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, 
urlhaus.abuse.ch/url/3561991/; classtype:trojan-activity;sid:84425091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/archive/refs/tags/1.2.4.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561989/; classtype:trojan-activity;sid:84425089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/archive/refs/tags/1.2.4.1.tar.gz"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561990/; classtype:trojan-activity;sid:84425090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/releases/download/1.2.4.1/cpuminer-gr-1.2.4.1-args-x86_64_linux.tar.gz"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561988/; classtype:trojan-activity;sid:84425088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1746669868_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.yz.tcdnos.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561860/; classtype:trojan-activity;sid:84424960; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747308966_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561859/; classtype:trojan-activity;sid:84424959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747209335_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561858/; classtype:trojan-activity;sid:84424958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747732120_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561857/; classtype:trojan-activity;sid:84424957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747640975_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561856/; classtype:trojan-activity;sid:84424956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3561839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/data/drss/drbw.zip"; depth:25; endswith; nocase; http.host; content:"124.223.105.161"; depth:15; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561839/; classtype:trojan-activity;sid:84424939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"123.232.43.185"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_12; reference:url, urlhaus.abuse.ch/url/3561639/; classtype:trojan-activity;sid:84424739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zbsm.zip"; depth:9; endswith; nocase; http.host; content:"1.94.184.17"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3561086/; classtype:trojan-activity;sid:84424186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.jsp"; depth:6; endswith; nocase; http.host; content:"1.94.184.17"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3561082/; classtype:trojan-activity;sid:84424182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poc.xml"; depth:8; endswith; nocase; http.host; content:"1.94.184.17"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, 
urlhaus.abuse.ch/url/3561083/; classtype:trojan-activity;sid:84424183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.88.234.44"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3560938/; classtype:trojan-activity;sid:84424038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yc.exe"; depth:7; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560460/; classtype:trojan-activity;sid:84423560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/annabelle.exe"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560452/; classtype:trojan-activity;sid:84423552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzm-crack-team/redline-crack/main/redline-crack-by-rzt.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560449/; classtype:trojan-activity;sid:84423549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560445)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/master/ydrag.dll"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560445/; classtype:trojan-activity;sid:84423545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/loic/master/loic.exe"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560439/; classtype:trojan-activity;sid:84423539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantompeek/kematian/main/frontend-src/kematian_shellcode.ps1"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560434/; classtype:trojan-activity;sid:84423534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/cryptowall.exe"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560418/; classtype:trojan-activity;sid:84423518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560419)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/phantompeek/kematian/main/frontend-src/main.ps1"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560419/; classtype:trojan-activity;sid:84423519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/cryptolocker.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560422/; classtype:trojan-activity;sid:84423522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/prolin.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560416/; classtype:trojan-activity;sid:84423516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantompeek/kematian/main/frontend-src/main.bat"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560412/; classtype:trojan-activity;sid:84423512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/funbatchcode-malicousandnonmalicous/master/worm.bat"; depth:61; endswith; 
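nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560414/; classtype:trojan-activity;sid:84423514; rev:1;)
# NOTE(review): sid 84423509 as published matches the percent-encoded literal "%20" inside
# http.uri. Suricata's documentation describes http.uri as the normalized URI, in which %20
# has already been decoded to a space, and points rules that need the encoded form to
# http.uri.raw. The buffer below is therefore http.uri.raw; content and depth are unchanged.
# This is a local deviation from the published feed: it is lost on the next feed refresh
# unless it is reapplied or corrected upstream.
# raw.githubusercontent.com is normally served over HTTPS, so an `alert http` rule sees the
# request only on cleartext HTTP or where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560409)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/noccenter/noccenter/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560409/; classtype:trojan-activity;sid:84423509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pc/pdfconvert/pdfconverter_p2w154-zx-666.exe"; depth:45; endswith; nocase; http.host; content:"download.pdf00.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560385/; classtype:trojan-activity;sid:84423485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/rod_en_1.exe"; depth:23; endswith; nocase; http.host; content:"www.r-tt.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560380/; classtype:trojan-activity;sid:84423480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/rmd_en_1.exe"; depth:23; endswith; nocase; http.host; content:"www.r-tt.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560381/; 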
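classtype:trojan-activity;sid:84423481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/rxd_en_1.exe"; depth:23; endswith; nocase; http.host; content:"www.r-tt.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560383/; classtype:trojan-activity;sid:84423483; rev:1;)
# NOTE(review): sid 84423309 as published matches the percent-encoded literal "%20" inside
# http.uri. Suricata's documentation describes http.uri as the normalized URI, in which %20
# has already been decoded to a space, and points rules that need the encoded form to
# http.uri.raw. The buffer below is therefore http.uri.raw; content and depth are unchanged.
# This is a local deviation from the published feed: it is lost on the next feed refresh
# unless it is reapplied or corrected upstream.
# github.com is normally served over HTTPS, so an `alert http` rule sees the request only
# on cleartext HTTP or where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560209)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/cybertoxin/remcos-professional-cracked-by-alcatraz3222/raw/master/remcos%20professional%20cracked%20by%20alcatraz3222.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560209/; classtype:trojan-activity;sid:84423309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.219.130.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_08; reference:url, urlhaus.abuse.ch/url/3559317/; classtype:trojan-activity;sid:84422417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/update/bmw_v1.7.exe"; depth:27; endswith; nocase; http.host; content:"acc.jiangsujiaxue.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559217/; classtype:trojan-activity;sid:84422317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559216)"; 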
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/classticket.exe"; depth:16; endswith; nocase; http.host; content:"class1004.dothome.co.kr"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559216/; classtype:trojan-activity;sid:84422316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/download/teleport-assist-windows.exe"; depth:44; endswith; nocase; http.host; content:"58.49.210.250"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559211/; classtype:trojan-activity;sid:84422311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yx/dts/sqft/904576/yx_dts.exe"; depth:30; endswith; nocase; http.host; content:"d.14yaa.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559208/; classtype:trojan-activity;sid:84422308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmd/services.exe"; depth:17; endswith; nocase; http.host; content:"43.229.135.199"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559206/; classtype:trojan-activity;sid:84422306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nps.exe"; depth:8; endswith; nocase; http.host; content:"118.219.11.202"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, 
urlhaus.abuse.ch/url/3559123/; classtype:trojan-activity;sid:84422223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/keystone.dll"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559040/; classtype:trojan-activity;sid:84422140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/sgn.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559037/; classtype:trojan-activity;sid:84422137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/bsodlogicbomb.ps1"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559033/; classtype:trojan-activity;sid:84422133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/powersyringe.ps1"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559034/; classtype:trojan-activity;sid:84422134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3559022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/invoke-reflectivepeinjection.ps1"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559022/; classtype:trojan-activity;sid:84422122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/pe2shc.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559025/; classtype:trojan-activity;sid:84422125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/encrypted.enc"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559019/; classtype:trojan-activity;sid:84422119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/masquerade-peb.ps1"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559009/; classtype:trojan-activity;sid:84422109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559012)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/getrektboy724/sementara/master/uacbstartup.ps1"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559012/; classtype:trojan-activity;sid:84422112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/invoke-shellcode-fixed.ps1"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559014/; classtype:trojan-activity;sid:84422114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/onedoesnotsimplybypassentirewindefender.ps1"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559015/; classtype:trojan-activity;sid:84422115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/migrate.rb"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559005/; classtype:trojan-activity;sid:84422105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/base64.rb"; depth:41; 
endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559006/; classtype:trojan-activity;sid:84422106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/bugsoft.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558975/; classtype:trojan-activity;sid:84422075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/brontok.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558976/; classtype:trojan-activity;sid:84422076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/banking-malware/zloader.xlsm"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558977/; classtype:trojan-activity;sid:84422077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/anap.a.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558973/; classtype:trojan-activity;sid:84422073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/axam.a.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558974/; classtype:trojan-activity;sid:84422074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/banking-malware/emotet.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558966/; classtype:trojan-activity;sid:84422066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/amus.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558967/; classtype:trojan-activity;sid:84422067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/rickware/master/rickroll.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558969/; 
classtype:trojan-activity;sid:84422069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.26.97.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_05; reference:url, urlhaus.abuse.ch/url/3558602/; classtype:trojan-activity;sid:84421702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g7_update.exe"; depth:14; endswith; nocase; http.host; content:"118.219.11.202"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_05; reference:url, urlhaus.abuse.ch/url/3558501/; classtype:trojan-activity;sid:84421601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iluxa94/-3-/main/%d0%a4%d0%be%d1%80%d0%bc%d0%b0%203%d0%9e%d0%a8%d0%91%d0%a0.exe"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558331/; classtype:trojan-activity;sid:84421431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/amsibypass/main/newamsibypass.ps1"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558302/; classtype:trojan-activity;sid:84421402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558300)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/erez-goldberg/link-exe-test/main/matthew.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558300/; classtype:trojan-activity;sid:84421400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/second.bin"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558295/; classtype:trojan-activity;sid:84421395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/urbanvpn.exe"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558290/; classtype:trojan-activity;sid:84421390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/svhost.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558291/; classtype:trojan-activity;sid:84421391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/second.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558292/; classtype:trojan-activity;sid:84421392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/invoke-nicelittlekittieobf/main/invoke-nicelittlekittieobf.ps1"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558289/; classtype:trojan-activity;sid:84421389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/pvp.exe"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558285/; classtype:trojan-activity;sid:84421385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/darwin.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558287/; classtype:trojan-activity;sid:84421387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-dropper/main/src/main.rs"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558280/; 
classtype:trojan-activity;sid:84421380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5hackr/phantom/main/phantom/bin/x64/release/phantom.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558271/; classtype:trojan-activity;sid:84421371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/invoke-shell/main/reverse.ps1"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558266/; classtype:trojan-activity;sid:84421366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/iso-file-testing/main/pleaserunme.iso"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558264/; classtype:trojan-activity;sid:84421364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5hackr/phantom/main/phantom/resources/uac64.dll"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558260/; classtype:trojan-activity;sid:84421360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3558252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/payload.bin"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558252/; classtype:trojan-activity;sid:84421352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/riende.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558247/; classtype:trojan-activity;sid:84421347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5hackr/phantom/main/phantom/resources/uac.dll"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558249/; classtype:trojan-activity;sid:84421349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/invoke-nicelittlekittie/main/invoke-nicelittlekittie.ps1"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558243/; classtype:trojan-activity;sid:84421343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558235)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/lehila05/pdc/main/payload_encrypted.bin"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558235/; classtype:trojan-activity;sid:84421335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/meter/main/meter5555.ps1"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558237/; classtype:trojan-activity;sid:84421337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/js-file-test/main/loader.js"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558229/; classtype:trojan-activity;sid:84421329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-revshell/main/src/main.rs"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558230/; classtype:trojan-activity;sid:84421330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/1tronps1.txt"; depth:40; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; 
isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556675/; classtype:trojan-activity;sid:84419775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/1framework.txt"; depth:42; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556673/; classtype:trojan-activity;sid:84419773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/1tronvbs.txt"; depth:40; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556668/; classtype:trojan-activity;sid:84419768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/imagens.txt"; depth:39; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556670/; classtype:trojan-activity;sid:84419770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3555192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/raw/refs/heads/master/ransomware/wannacry.exe"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_29; reference:url, urlhaus.abuse.ch/url/3555192/; 
classtype:trojan-activity;sid:84418292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3555012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.53"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_29; reference:url, urlhaus.abuse.ch/url/3555012/; classtype:trojan-activity;sid:84418112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rate.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554430/; classtype:trojan-activity;sid:84417530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rats.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554345/; classtype:trojan-activity;sid:84417445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oste.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554334/; classtype:trojan-activity;sid:84417434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bufs.zip"; depth:9; endswith; nocase; http.host; 
content:"maidforyou1985.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553636/; classtype:trojan-activity;sid:84416736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mits.zip"; depth:9; endswith; nocase; http.host; content:"windomstatetheater.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553629/; classtype:trojan-activity;sid:84416729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/osxs.zip"; depth:9; endswith; nocase; http.host; content:"windomstatetheater.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553633/; classtype:trojan-activity;sid:84416733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rars.zip"; depth:9; endswith; nocase; http.host; content:"windomstatetheater.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553609/; classtype:trojan-activity;sid:84416709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.92.228.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553268/; classtype:trojan-activity;sid:84416368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553170)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.125.165"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3553170/; classtype:trojan-activity;sid:84416270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.83.211.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3552741/; classtype:trojan-activity;sid:84415841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bre"; depth:4; endswith; nocase; http.host; content:"109.74.204.206"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3552617/; classtype:trojan-activity;sid:84415717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.86.176.209"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_25; reference:url, urlhaus.abuse.ch/url/3552086/; classtype:trojan-activity;sid:84415186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonimusman00-2/xmr/refs/heads/main/silent%20miner.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552045/; 
classtype:trojan-activity;sid:84415145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/waf/dracula-cmd/master/dist/colortool.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552042/; classtype:trojan-activity;sid:84415142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iamsysadmin/setteamsbg/main/set-teams-backgrounds.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552043/; classtype:trojan-activity;sid:84415143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonimusman00-2/xmr/raw/refs/heads/main/silent%20miner.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552009/; classtype:trojan-activity;sid:84415109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alanparadis/stalker2simplemodmerger/releases/download/vortex-v1.4.9/stalker2simplemodmergerforvortex.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552005/; classtype:trojan-activity;sid:84415105; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.92.232.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551953/; classtype:trojan-activity;sid:84415053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.242.66.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551493/; classtype:trojan-activity;sid:84414593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.15.250.81"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551361/; classtype:trojan-activity;sid:84414461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/macmid_sonoma_14_5.exe"; depth:23; endswith; nocase; http.host; content:"107.198.40.184"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550735/; classtype:trojan-activity;sid:84413835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.59.90.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, 
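urlhaus.abuse.ch/url/3550381/; classtype:trojan-activity;sid:84413481; rev:1;)
# Layout: the signatures below are written one per line. Each one pins an exact
# plaintext-HTTP GET: http.uri content anchored with depth + endswith, and
# http.host content anchored with depth + isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.238.151"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550388/; classtype:trojan-activity;sid:84413488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.86.190.58"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550356/; classtype:trojan-activity;sid:84413456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.15.250.81"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550290/; classtype:trojan-activity;sid:84413390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023"; depth:5; endswith; nocase; http.host; content:"143.92.48.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3550006/; classtype:trojan-activity;sid:84413119; rev:1;)
# NOTE(review): the content below holds percent-escapes (%bc%bc%ca%f5) but is
# matched in http.uri, which Suricata documents as the normalized URI buffer
# (http.uri.raw is the unmodified one). If the sensor's normalization
# percent-decodes the path, this content never matches. Confirm with a replayed
# request; the same applies to every other rule in this feed whose http.uri
# content contains %xx sequences.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3r%bc%bc%ca%f5.exe"; depth:19; endswith; nocase; http.host; content:"8.138.182.17"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3550006/; classtype:trojan-activity;sid:84413106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3549998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.exe"; depth:11; endswith; nocase; http.host; content:"106.14.68.26"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3549998/; classtype:trojan-activity;sid:84413098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3549645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.87.82.140"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3549645/; classtype:trojan-activity;sid:84412745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3548058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-pc/stikpille.psp"; depth:23; endswith; nocase; http.host; content:"artacom.com.br"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3548058/; classtype:trojan-activity;sid:84411158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3548057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-pc/qsllcxnogwi52.bin"; depth:27; endswith; nocase; http.host; content:"artacom.com.br"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3548057/; classtype:trojan-activity;sid:84411157; rev:1;)
# FIX(review): the feed shipped content:"/uc|3f|export=download|7c|26|7c|id=…"
# with depth:68. Suricata decodes |7c| to a literal pipe, so that pattern looks
# for the four bytes "|26|" between "download" and "id=". The query separator
# was presumably "&" (0x26) with its pipes escaped a second time by the rule
# generator; confirm against the URLhaus entry referenced in the rule. The
# content now carries |26| directly, and depth is the decoded pattern length
# (56 bytes) so the match stays anchored at the start of the URI.
# A local edit is lost on the next feed pull, so report it upstream as well.
# drive.google.com is normally reached over TLS; an "alert http" rule sees the
# request only where the sensor receives decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1ed2w0zvvx53_mfifdszyslleurub40zo"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547880/; classtype:trojan-activity;sid:84410980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.84.143"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547784/; classtype:trojan-activity;sid:84410884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.98.176.195"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547782/; classtype:trojan-activity;sid:84410882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3546975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.119.108.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_19; reference:url, urlhaus.abuse.ch/url/3546975/; classtype:trojan-activity;sid:84410075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3546969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"84.236.147.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_19; reference:url, urlhaus.abuse.ch/url/3546969/; classtype:trojan-activity;sid:84410069; rev:1;)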
# URLhaus download-URL rules, restored to one rule per line.
# Every rule here has the same shape: an established client-to-server HTTP request from $HOME_NET to
# $EXTERNAL_NET whose method contains "GET", whose http.uri equals the listed content (depth set to the
# pattern length plus endswith, compared with nocase) and whose http.host equals the listed content
# (depth plus isdataat:!1,relative). The drive.google.com entry is the exception; see the note on it.
# All buffers are request-side: an alert records that the URL was requested, not that a payload was
# returned. Confirm delivery from the response, file or endpoint telemetry during triage.
# drive.google.com, github.com and raw.githubusercontent.com are normally served over HTTPS. An
# alert http rule sees such a request only where TLS is decrypted before the sensor or the client used
# plain HTTP, so expect little coverage from those entries on a passive sensor.
# NOTE(review): confirm sensor placement before relying on them.
# msg and reference carry the URLhaus entry id; in the rules visible here sid is that id plus 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3545469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.28.95.35"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_17; reference:url, urlhaus.abuse.ch/url/3545469/; classtype:trojan-activity;sid:84408569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3544992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/nk/wunbbnvf102.bin"; depth:31; endswith; nocase; http.host; content:"planetariumobil.ro"; depth:18; isdataat:!1,relative; metadata:created_at 2025_05_16; reference:url, urlhaus.abuse.ch/url/3544992/; classtype:trojan-activity;sid:84408092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.239.97"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_15; reference:url, urlhaus.abuse.ch/url/3543803/; classtype:trojan-activity;sid:84406903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.239.98"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_15; reference:url, urlhaus.abuse.ch/url/3543805/; classtype:trojan-activity;sid:84406905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.50.222.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_14; reference:url, urlhaus.abuse.ch/url/3543392/; classtype:trojan-activity;sid:84406492; rev:1;)
# NOTE(review): the URI pattern in sid 84405663 contains |7c|26|7c|, which is the literal text "|26|",
# at the point where a query string would have "&". This looks like "&" hex-escaped to |26| and the
# pipes then escaped a second time. As written the pattern is 59 bytes while depth is 68 (the length of
# the escaped text), so a request for /uc?export=download&id=... would not match. The intended pattern
# is presumably "/uc|3f|export=download&id=FILE_ID" with depth:56; confirm against the URLhaus entry,
# then report upstream or carry a corrected copy under a local sid instead of editing the feed in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3542563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wvxiyf_ryvgg_x3x7uceicqrndhb7lul"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_05_13; reference:url, urlhaus.abuse.ch/url/3542563/; classtype:trojan-activity;sid:84405663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3541826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/giphy.gif"; depth:21; endswith; nocase; http.host; content:"onfiltre.com.tr"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_12; reference:url, urlhaus.abuse.ch/url/3541826/; classtype:trojan-activity;sid:84404926; rev:1;)
# NOTE(review): sid 84404031 matches a release asset under the xmrig/xmrig path on github.com. A hit
# means a miner package was requested from the project's release area; whether that is sanctioned
# depends on local policy, so check the requesting host before treating it as an infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3540931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_11; reference:url, urlhaus.abuse.ch/url/3540931/; classtype:trojan-activity;sid:84404031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3540186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.190.58.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_10; reference:url, urlhaus.abuse.ch/url/3540186/; classtype:trojan-activity;sid:84403286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3540085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.x/pax.txt"; depth:11; endswith; nocase; http.host; content:"13.71.2.244"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_10; reference:url, urlhaus.abuse.ch/url/3540085/; classtype:trojan-activity;sid:84403185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js_bo/werkstastt/shotstar.prm"; depth:30; endswith; nocase; http.host; content:"www.silver-hubdachwohnwagen.de"; depth:30; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539686/; classtype:trojan-activity;sid:84402786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"8.218.225.42"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539354/; classtype:trojan-activity;sid:84402454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"93.190.58.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539297/; classtype:trojan-activity;sid:84402397; rev:1;)
# NOTE(review): sids 84402128 and 84401279 have identical match conditions (GET /sshd, host
# 81.22.42.232), so one matching request raises both alerts. The two URLhaus entries presumably differ
# in something the rule does not encode, such as the port; confirm, and deduplicate in triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.22.42.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3539028/; classtype:trojan-activity;sid:84402128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.211.217"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538764/; classtype:trojan-activity;sid:84401864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.208.237"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538763/; classtype:trojan-activity;sid:84401863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.209.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538762/; classtype:trojan-activity;sid:84401862; rev:1;)
# NOTE(review): sids 84401861, 84401847, 84401841 and 84401844 have identical match conditions
# (GET /sshd, host 201.94.181.7); a single matching request raises all four alerts. Count them as one
# event in triage, or apply a threshold, after confirming how the URLhaus entries differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538761/; classtype:trojan-activity;sid:84401861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.209.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538755/; classtype:trojan-activity;sid:84401855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538747/; classtype:trojan-activity;sid:84401847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538741/; classtype:trojan-activity;sid:84401841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538744/; classtype:trojan-activity;sid:84401844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.210.5"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538671/; classtype:trojan-activity;sid:84401771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.208.107"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538670/; classtype:trojan-activity;sid:84401770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.162.88.253"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538667/; classtype:trojan-activity;sid:84401767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.22.42.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538179/; classtype:trojan-activity;sid:84401279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3537710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wex.gif"; depth:11; endswith; nocase; http.host; content:"stonecradle.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_07; reference:url, urlhaus.abuse.ch/url/3537710/; classtype:trojan-activity;sid:84400810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3536070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl202"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_06; reference:url, urlhaus.abuse.ch/url/3536070/; classtype:trojan-activity;sid:84399170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3534886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"103.153.93.18"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_04; reference:url, urlhaus.abuse.ch/url/3534886/; classtype:trojan-activity;sid:84397986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3533582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kokotpycauholica/ultraundetecteddrv/refs/heads/main/hbvtmbp46iieehp1.exe"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_03; reference:url, urlhaus.abuse.ch/url/3533582/; classtype:trojan-activity;sid:84396682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl201"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532985/; classtype:trojan-activity;sid:84396085; rev:1;)
# NOTE(review): sids 84395947, 84395948 and 84395949 have identical match conditions (GET /sshd, host
# 114.129.49.131); one matching request raises all three alerts. Treat them as a single event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532847/; classtype:trojan-activity;sid:84395947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532848/; classtype:trojan-activity;sid:84395948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532849/; classtype:trojan-activity;sid:84395949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.76.101.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532833/; classtype:trojan-activity;sid:84395933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl200"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532282/; classtype:trojan-activity;sid:84395382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.21.252.43"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_01; reference:url, urlhaus.abuse.ch/url/3531990/; classtype:trojan-activity;sid:84395090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.81.58.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_01; reference:url, urlhaus.abuse.ch/url/3531992/; classtype:trojan-activity;sid:84395092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.15.96.217"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_01; reference:url, urlhaus.abuse.ch/url/3531975/; classtype:trojan-activity;sid:84395075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.12.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_30; reference:url, urlhaus.abuse.ch/url/3531095/; classtype:trojan-activity;sid:84394195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.51.100.238"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_30; reference:url, urlhaus.abuse.ch/url/3530894/; classtype:trojan-activity;sid:84393994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.127.68.162"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_30; reference:url, urlhaus.abuse.ch/url/3530891/; classtype:trojan-activity;sid:84393991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.31.8.25"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3530248/; classtype:trojan-activity;sid:84393348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.124.228.98"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3530244/; classtype:trojan-activity;sid:84393344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.42.105.34"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3530241/; classtype:trojan-activity;sid:84393341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"www.flybirdexpbd.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529999/; classtype:trojan-activity;sid:84393099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"157.255.22.42"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529937/; classtype:trojan-activity;sid:84393037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.12.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529934/; classtype:trojan-activity;sid:84393034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"93.21.252.43"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529929/; classtype:trojan-activity;sid:84393029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"80.76.101.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529907/; classtype:trojan-activity;sid:84393007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.81.58.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529908/; classtype:trojan-activity;sid:84393008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"110.4.13.252"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529878/; classtype:trojan-activity;sid:84392978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"71.15.96.217"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529882/; classtype:trojan-activity;sid:84392982; rev:1;)
# NOTE(review): several github.com entries below are release assets of public projects that appear to
# have ordinary legitimate uses as well, e.g. yara-forge (sid 84391379), oletools (sid 84391270),
# q (sid 84391197) and gallery-dl (sid 84391198). They still raise classtype trojan-activity, so an alert
# may be an analyst or developer download; check the URLhaus reference and the requesting host before
# escalating, and consider a per-sid suppression for hosts where such downloads are expected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mir1ce/hawkeye/releases/download/v0319/hawkeye.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_28; reference:url, urlhaus.abuse.ch/url/3528280/; classtype:trojan-activity;sid:84391380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yarahq/yara-forge/releases/latest/download/yara-forge-rules-core.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_28; reference:url, urlhaus.abuse.ch/url/3528279/; classtype:trojan-activity;sid:84391379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meckazin/chromekatz/releases/download/0.6.1/chromekatzbofs.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_28; reference:url, urlhaus.abuse.ch/url/3528277/; classtype:trojan-activity;sid:84391377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831362/alpha.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528171/; classtype:trojan-activity;sid:84391271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decalage2/oletools/releases/download/v0.60.2/oletools-0.60.2.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528170/; classtype:trojan-activity;sid:84391270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831288/crack.nurik.zip"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528165/; classtype:trojan-activity;sid:84391265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/firmware/ts2_0001.bin"; depth:22; endswith; nocase; http.host; content:"172.170.254.193"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528167/; classtype:trojan-activity;sid:84391267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831450/solara.zip"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528162/; classtype:trojan-activity;sid:84391262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19835739/solarus.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528154/; classtype:trojan-activity;sid:84391254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zxc5wezxc/new/main/dllbase64reverse.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528128/; classtype:trojan-activity;sid:84391228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/androidmalware/android_hid/f25d0234cff288ab8384689685e37b1b4bbaf2ba/test.exe"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528127/; classtype:trojan-activity;sid:84391227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monkeyadece/v-f/releases/download/1.4.2/vector-fixer-v1.4.2.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528108/; classtype:trojan-activity;sid:84391208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui.exe"; depth:7; endswith; nocase; http.host; content:"public.demo.securecloudsandbox.com"; depth:34; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528105/; classtype:trojan-activity;sid:84391205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-gif/releases/download/v1.1.0/darts-gif.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528107/; classtype:trojan-activity;sid:84391207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-pixelit/releases/download/v1.2.2/darts-pixelit.exe"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528100/; classtype:trojan-activity;sid:84391200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-wled/releases/download/v1.8.1/darts-wled.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528101/; classtype:trojan-activity;sid:84391201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harelba/q/releases/download/2.0.19/q-amd64-windows.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528097/; classtype:trojan-activity;sid:84391197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikf/gallery-dl/releases/download/v1.15.0/gallery-dl.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528098/; classtype:trojan-activity;sid:84391198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.36.124.224"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527875/; classtype:trojan-activity;sid:84390975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"78.36.11.185"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527856/; classtype:trojan-activity;sid:84390956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.241.40.177"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527836/; classtype:trojan-activity;sid:84390936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.57.30.25"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527814/; classtype:trojan-activity;sid:84390914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify-sec"; depth:11; endswith; nocase; http.host; content:"msoftdatastore.z22.web.core.windows.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526930/; classtype:trojan-activity;sid:84390030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526832/; classtype:trojan-activity;sid:84389932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.205.81.56"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526834/; classtype:trojan-activity;sid:84389934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.173.39.201"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526826/; classtype:trojan-activity;sid:84389926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.26.211.169"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526807/; classtype:trojan-activity;sid:84389907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.26.222.124"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526810/; classtype:trojan-activity;sid:84389910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"149.241.40.177"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3525710/; classtype:trojan-activity;sid:84388810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.110.37.104"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3525151/; classtype:trojan-activity;sid:84388251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, 
urlhaus.abuse.ch/url/3525013/; classtype:trojan-activity;sid:84388113; rev:1;)
# The line above is the tail of a rule that starts before this span; it is left untouched.
#
# URLhaus download-URL rules. Each one alerts on an established client-side
# HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri ends with the listed
# path (endswith, nocase) and whose http.host is exactly the listed host
# (content + depth + isdataat:!1,relative leaves no room before or after it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.83.203.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3525021/; classtype:trojan-activity;sid:84388121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.158.88.156"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524779/; classtype:trojan-activity;sid:84387879; rev:1;)
# NOTE(review): sids 84387606, 84387554 and 84385787 (drive.google.com) carry
# "|7c|26|7c|" in the http.uri pattern. |7c| is the hex escape for the pipe
# character, so the pattern decodes to the four literal bytes "|26|" instead of
# a single "&" (0x26). It looks like the generator escaped the pipes of an
# intended |26|. As written, a request for /uc?export=download&id=<id> would not
# match, and depth:68 is the length of the rule text rather than of the decoded
# pattern. Confirm against the feed before relying on these three rules.
# NOTE(review): the file id is lowercased and matched with nocase; if the id is
# case-sensitive upstream, the match is looser than the reported URL - confirm.
# NOTE(review): drive.google.com is normally reached over TLS, so an
# "alert http" rule presumably only sees this request where traffic is
# decrypted ahead of the sensor or sent in cleartext - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ccjlbddgjhpeeff1b1hfkgp3x16c_tj1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524506/; classtype:trojan-activity;sid:84387606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1bpc5z-hv6kosk6artkfmbtsnnwwpdghy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524454/; classtype:trojan-activity;sid:84387554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3523621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.47.243.57"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_24; reference:url, urlhaus.abuse.ch/url/3523621/; classtype:trojan-activity;sid:84386721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oto"; depth:4; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_23; reference:url, urlhaus.abuse.ch/url/3522943/; classtype:trojan-activity;sid:84386043; rev:1;)
# Same "|7c|26|7c|" pattern as sids 84387606 and 84387554 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ltrdqlgcl6smoqujfs1pb2ernzhsbydh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_23; reference:url, urlhaus.abuse.ch/url/3522687/; classtype:trojan-activity;sid:84385787; rev:1;)
# NOTE(review): raw.githubusercontent.com is likewise normally served over TLS;
# the same visibility assumption applies - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/main/ud.bat"; depth:22; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_22; reference:url, urlhaus.abuse.ch/url/3522201/; classtype:trojan-activity;sid:84385301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.243.36.33"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_22; reference:url, 
urlhaus.abuse.ch/url/3522159/; classtype:trojan-activity;sid:84385259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_21; reference:url, urlhaus.abuse.ch/url/3520366/; classtype:trojan-activity;sid:84383466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"77.226.241.197"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520082/; classtype:trojan-activity;sid:84383182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"202.57.43.234"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520081/; classtype:trojan-activity;sid:84383181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"179.63.168.2"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520073/; classtype:trojan-activity;sid:84383173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; 
endswith; nocase; http.host; content:"122.55.206.38"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520075/; classtype:trojan-activity;sid:84383175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"61.244.254.110"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520077/; classtype:trojan-activity;sid:84383177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"103.156.141.240"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520071/; classtype:trojan-activity;sid:84383171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"2.136.63.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520070/; classtype:trojan-activity;sid:84383170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"93.182.77.20"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520068/; classtype:trojan-activity;sid:84383168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519584)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.229.20.42"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519584/; classtype:trojan-activity;sid:84382684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hostfile/taptin/game.exe"; depth:25; endswith; nocase; http.host; content:"update.volam2005pk.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519542/; classtype:trojan-activity;sid:84382642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_autovlbs19_new/trainjx2.exe"; depth:29; endswith; nocase; http.host; content:"thtp2.volamngayxua.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519540/; classtype:trojan-activity;sid:84382640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_autovlbs19_new/trainjx.exe"; depth:28; endswith; nocase; http.host; content:"thtp2.volamngayxua.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519529/; classtype:trojan-activity;sid:84382629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/linm_free/tg_linm_data_image_free.dll"; depth:43; endswith; nocase; http.host; content:"tiwanlinm.duckdns.org"; depth:21; isdataat:!1,relative; metadata:created_at 
2025_04_20; reference:url, urlhaus.abuse.ch/url/3519525/; classtype:trojan-activity;sid:84382625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb/32.exe"; depth:10; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519518/; classtype:trojan-activity;sid:84382618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namu832.exe"; depth:20; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519513/; classtype:trojan-activity;sid:84382613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/versions/gestioniccv20.21.8.51/gestionicc.exe"; depth:46; endswith; nocase; http.host; content:"icoffeecloud.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519485/; classtype:trojan-activity;sid:84382585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"60aaf9c6.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519469/; classtype:trojan-activity;sid:84382569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3519467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/linm_free/tg_linm_data_map_free.dll"; depth:41; endswith; nocase; http.host; content:"tiwanlinm.duckdns.org"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519467/; classtype:trojan-activity;sid:84382567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb/sm.exe"; depth:10; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519464/; classtype:trojan-activity;sid:84382564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pds/mogimall/giftorder/giftorder.exe"; depth:37; endswith; nocase; http.host; content:"mogimall.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519459/; classtype:trojan-activity;sid:84382559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"2cfc0222.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519451/; classtype:trojan-activity;sid:84382551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newchaisupon/vendor/bin/psysh.bat"; depth:34; endswith; nocase; http.host; 
content:"99194034-96-20180108171507.webstarterz.com"; depth:42; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519446/; classtype:trojan-activity;sid:84382546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diaclients/doitallmain.exe"; depth:27; endswith; nocase; http.host; content:"www.salonmarketing.ca"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519442/; classtype:trojan-activity;sid:84382542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa0611/systemsa32.dll"; depth:22; endswith; nocase; http.host; content:"www.ss-01.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519443/; classtype:trojan-activity;sid:84382543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msedge.exe"; depth:11; endswith; nocase; http.host; content:"c9791c08-f1e4-4402-9510-d04c13c50ea3.selstorage.ru"; depth:50; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519432/; classtype:trojan-activity;sid:84382532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/pubdata/hpsocket4c.dll"; depth:30; endswith; nocase; http.host; content:"114.55.106.136"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519429/; classtype:trojan-activity;sid:84382529; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"c3436037.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519415/; classtype:trojan-activity;sid:84382515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rh/setup.exe"; depth:13; endswith; nocase; http.host; content:"d3cciiowg5l3jx.cloudfront.net"; depth:29; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519408/; classtype:trojan-activity;sid:84382508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pds/mogimall/giftorder/updater.exe"; depth:35; endswith; nocase; http.host; content:"mogimall.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519404/; classtype:trojan-activity;sid:84382504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media/video_file/round_setup.exe"; depth:33; endswith; nocase; http.host; content:"tapestryoftruth.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519392/; classtype:trojan-activity;sid:84382492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfxre.exe"; 
depth:10; endswith; nocase; http.host; content:"198.50.242.157"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519389/; classtype:trojan-activity;sid:84382489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r0400/yahoodll.dll"; depth:19; endswith; nocase; http.host; content:"www.ss-01.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519368/; classtype:trojan-activity;sid:84382468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/driveapplet.exe"; depth:16; endswith; nocase; http.host; content:"noithaticon.vn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519369/; classtype:trojan-activity;sid:84382469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/licensing/updates/addmefast%20bot.exe"; depth:38; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519354/; classtype:trojan-activity;sid:84382454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nircmd.exe"; depth:11; endswith; nocase; http.host; content:"pub-0478b308b8cf46709a73d0eed5afd633.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519356/; classtype:trojan-activity;sid:84382456; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pst.exe"; depth:8; endswith; nocase; http.host; content:"o24o.ru"; depth:7; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519092/; classtype:trojan-activity;sid:84382192; rev:1;)
# The line above is the remainder of a rule whose "alert http" header sits
# before this span; it is left untouched.
#
# NOTE(review): the next rule matches a release asset path under xmrig/xmrig on
# github.com. A hit shows that this asset was requested; presumably it is the
# project's own miner release rather than a bespoke payload, so triage it as
# unwanted or dual-use software and confirm with host telemetry.
# NOTE(review): github.com is normally reached over TLS, so the "alert http"
# rules for that host presumably only fire where traffic is decrypted ahead of
# the sensor or sent in cleartext - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519066/; classtype:trojan-activity;sid:84382163; rev:1;)
# NOTE(review): sid 84379758 (URLhaus id 3516658, created_at 2025_04_18) later
# in this file matches the same host and URI as the rule below, so a single
# request raises two alerts. Deduplicate on host + URI when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vinhuptoday/testbn/raw/refs/heads/main/brbotnet.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519063/; classtype:trojan-activity;sid:84382163; rev:1;)
# NOTE(review): the pattern below contains percent-encoded bytes (%e4%b8%93...).
# Whether http.uri presents them encoded or decoded depends on the sensor's URI
# normalization - confirm this rule matches in your build, or compare with
# http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiansys(xp%e4%b8%93%e7%94%a8).exe"; depth:34; endswith; nocase; http.host; content:"fz.tiansys.cn"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519036/; classtype:trojan-activity;sid:84382136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uniondown/haozip_tiny.201805.exe"; 
depth:33; endswith; nocase; http.host; content:"download.haozip.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519028/; classtype:trojan-activity;sid:84382128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cosmicdevv/icarus-lite/releases/download/v1.1.13/icaruslite-v1.1.13-win.exe"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519027/; classtype:trojan-activity;sid:84382127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sebaxakerhtc/rdpwrap/releases/download/v1.8.9.9/rdpw_installer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519025/; classtype:trojan-activity;sid:84382125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dax009yt/chilledwindows-gui/releases/download/1.0/chilledwindows.gui.exe"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519026/; classtype:trojan-activity;sid:84382126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackson2323/mohradiant/blob/master/updt.exe|3f|raw=true"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519019/; classtype:trojan-activity;sid:84382119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/pkexu0ytxar3.exe"; depth:22; endswith; nocase; http.host; content:"115.159.149.113"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519020/; classtype:trojan-activity;sid:84382120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bol-van/zapret/releases/download/v70.6/zapret-v70.6.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519016/; classtype:trojan-activity;sid:84382116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vexcentry/vex/raw/refs/heads/main/runtimebroker.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519000/; classtype:trojan-activity;sid:84382100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3518861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns3.jpg"; depth:8; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3518861/; classtype:trojan-activity;sid:84381961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3518860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns1.jpg"; depth:8; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3518860/; classtype:trojan-activity;sid:84381960; rev:1;)
# The line above is the remainder of a rule that starts before this span; it is
# left untouched.
#
# NOTE(review): sids 84380153 (created_at 2025_04_18) and 84379207 (created_at
# 2025_04_17) below match the same host and URI (124.123.26.174, /sshd). One
# request raises both alerts; deduplicate on host + URI when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3517053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3517053/; classtype:trojan-activity;sid:84380153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3517040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"2.57.122.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3517040/; classtype:trojan-activity;sid:84380140; rev:1;)
# NOTE(review): github.com is normally reached over TLS, so this "alert http"
# rule presumably only fires where traffic is decrypted ahead of the sensor or
# sent in cleartext - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3516658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vinhuptoday/testbn/raw/refs/heads/main/brbotnet.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3516658/; classtype:trojan-activity;sid:84379758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3516584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.219.49.173"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3516584/; classtype:trojan-activity;sid:84379684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3516107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3516107/; classtype:trojan-activity;sid:84379207; rev:1;)
# The next two rules share one URI (/02.08.2022.exe) on two different hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3515978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"120.79.64.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3515978/; classtype:trojan-activity;sid:84379078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3515917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"118.31.114.149"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3515917/; classtype:trojan-activity;sid:84379017; rev:1;)
# NOTE(review): "|7c|26|7c|" in the pattern below decodes to the four literal
# bytes "|26|" (|7c| is the hex escape for the pipe character), not to "&"
# (0x26). It looks like the generator escaped the pipes of an intended |26|.
# As written, a request for /uc?export=download&id=<id> would not match, and
# depth:68 is the length of the rule text rather than of the decoded pattern -
# confirm against the feed before relying on this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3514570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hrp9lnasbplclnhppp1abwb1uwv4kdvs"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3514570/; classtype:trojan-activity;sid:84377670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3514066)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/nkminash/my-codd/raw/896d806a9b4569c9c3a275f200ebe7d2ecec5702/snd16061.exe"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3514066/; classtype:trojan-activity;sid:84377166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3510901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl16"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_14; reference:url, urlhaus.abuse.ch/url/3510901/; classtype:trojan-activity;sid:84374001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahmounben/lc/refs/heads/main/xclient.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509907/; classtype:trojan-activity;sid:84373007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justjzero/ahh/refs/heads/main/cloudy.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509904/; classtype:trojan-activity;sid:84373004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justjzero/ahh/raw/refs/heads/main/cloudy.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
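2025_04_13; reference:url, urlhaus.abuse.ch/url/3509901/; classtype:trojan-activity;sid:84373001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/niggedddx/dependenciuesfeife/raw/refs/heads/main/bruterv3.1.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509872/; classtype:trojan-activity;sid:84372972; rev:1;)
# NOTE(review): the generated http.uri pattern carried `|7c|26|7c|` between the query
# parameters. Suricata decodes that to the literal bytes `|26|`, not to `&`, so a request
# of the form `?i=&e=support&y=guest&r=` never matched. `|26|` is the hex escape for `&`.
# Presumably double escaping in the feed generator; report upstream, since a local edit is
# likely lost when the ruleset is refreshed. sid, rev and depth are kept as published
# (depth exceeds the decoded pattern length, which Suricata accepts).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|26|e=support|26|y=guest|26|r="; depth:77; endswith; nocase; http.host; content:"onyxguardify.de"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509590/; classtype:trojan-activity;sid:84372690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3507942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.60.246.15"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507942/; classtype:trojan-activity;sid:84371042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3507456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mimikatz.exe"; depth:17; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507456/; classtype:trojan-activity;sid:84370556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 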
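detected (3507452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/misterlobster22/mimik/blob/main/mimikatz.exe|3f|raw=true"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507452/; classtype:trojan-activity;sid:84370552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepakmeena2006/lib/6753a65f543afe81079459a8439ec1e0c0a660b4/s86.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506392/; classtype:trojan-activity;sid:84369492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepakmeena2006/lib/6753a65f543afe81079459a8439ec1e0c0a660b4/s64.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506391/; classtype:trojan-activity;sid:84369491; rev:1;)
# NOTE(review): the next two drive.google.com rules were generated with `|7c|26|7c|`
# between the query parameters. Suricata decodes that to the literal bytes `|26|`, not to
# `&`, so a query string using `&` never matched. `|26|` is the hex escape for `&`.
# Presumably double escaping in the feed generator; report upstream, since a local edit is
# likely lost when the ruleset is refreshed. sid, rev and depth are kept as published
# (depth exceeds the decoded pattern length, which Suricata accepts).
# `alert http` only sees cleartext HTTP; drive.google.com is normally reached over HTTPS,
# so these rules need TLS decryption in front of the sensor to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1kcbhxhjt-bdxszgxt1nfnzdt5hpvkwk4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506346/; classtype:trojan-activity;sid:84369446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1muftth-5lscdi3ovd5vn7sjkeit2h9k1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505672/; classtype:trojan-activity;sid:84368772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/electrichermit/vegas-pro-version/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505377/; classtype:trojan-activity;sid:84368477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ergin3432432/movie-mates/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505382/; classtype:trojan-activity;sid:84368482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yumyumdonuts/free-youtube-to-mp3-converter-free/releases/download/1.1.2/freeyoutubetomp3converterfree-1.1.2.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505334/; classtype:trojan-activity;sid:84368434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505313)"; flow:established,from_client; http.method; content:"GET"; http.uri; 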
content:"/nmattioni/upload/raw/refs/heads/master/software.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505313/; classtype:trojan-activity;sid:84368413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anamesias580/upload/refs/heads/master/software.zip"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505307/; classtype:trojan-activity;sid:84368407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phanu85/upload/raw/refs/heads/master/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505305/; classtype:trojan-activity;sid:84368405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pantay/upload/raw/refs/heads/master/software.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505304/; classtype:trojan-activity;sid:84368404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.238.31"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_08; 
reference:url, urlhaus.abuse.ch/url/3504713/; classtype:trojan-activity;sid:84367813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.244.41.133"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_08; reference:url, urlhaus.abuse.ch/url/3504717/; classtype:trojan-activity;sid:84367817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jbfdbfasync.txt"; depth:16; endswith; nocase; http.host; content:"www.flybirdexpbd.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_04_08; reference:url, urlhaus.abuse.ch/url/3504092/; classtype:trojan-activity;sid:84367192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"www.flybirdexpbd.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_04_08; reference:url, urlhaus.abuse.ch/url/3504091/; classtype:trojan-activity;sid:84367191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.17.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_07; reference:url, urlhaus.abuse.ch/url/3503657/; classtype:trojan-activity;sid:84366757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503409)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tirtekeka/rat-client/zip/refs/heads/main"; depth:41; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_04_07; reference:url, urlhaus.abuse.ch/url/3503409/; classtype:trojan-activity;sid:84366509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/konsol.exe"; depth:20; endswith; nocase; http.host; content:"backupso.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_06; reference:url, urlhaus.abuse.ch/url/3503003/; classtype:trojan-activity;sid:84366103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3502701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.210.214.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_06; reference:url, urlhaus.abuse.ch/url/3502701/; classtype:trojan-activity;sid:84365801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3501608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"35.137.185.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_05; reference:url, urlhaus.abuse.ch/url/3501608/; classtype:trojan-activity;sid:84364708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chin/ifjjmktge.mp3"; depth:19; endswith; nocase; http.host; content:"dcrun.co.uk"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500891/; classtype:trojan-activity;sid:84363991; rev:1;) alert http $HOME_NET any -> 
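$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.185.1.70"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500747/; classtype:trojan-activity;sid:84363847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.102.74.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500733/; classtype:trojan-activity;sid:84363833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.173.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500726/; classtype:trojan-activity;sid:84363826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3499993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roniel8/apex-no-recoil/releases/download/v2.5.1-alpha.3/apex-no-recoil-v2-5-1-alpha-3.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_03; reference:url, urlhaus.abuse.ch/url/3499993/; classtype:trojan-activity;sid:84363093; rev:1;)
# NOTE(review): the generated http.uri pattern of the next rule carried `|7c|26|7c|`
# between the query parameters. Suricata decodes that to the literal bytes `|26|`, not to
# `&`, so a request of the form `?i=&e=support&y=guest&r=` never matched. `|26|` is the
# hex escape for `&`. Presumably double escaping in the feed generator; report upstream,
# since a local edit is likely lost when the ruleset is refreshed. sid, rev and depth are
# kept as published (depth exceeds the decoded pattern length, which Suricata accepts).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3499801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe|3f|i=|26|e=support|26|y=guest|26|r="; depth:77; endswith; nocase; 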
http.host; content:"onyxphantomlock.de"; depth:18; isdataat:!1,relative; metadata:created_at 2025_04_03; reference:url, urlhaus.abuse.ch/url/3499801/; classtype:trojan-activity;sid:84362901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3499150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.124.72.22"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_02; reference:url, urlhaus.abuse.ch/url/3499150/; classtype:trojan-activity;sid:84362250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juanbustoss/src/raw/refs/heads/master/application.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498482/; classtype:trojan-activity;sid:84361582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellyacm/imgx/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498084/; classtype:trojan-activity;sid:84361184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellyacm/imgx/releases/download/v2.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498082/; classtype:trojan-activity;sid:84361182; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demonsofhe/onion-rings/releases/download/3.1.7/onion-rings-3.1.7.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498070/; classtype:trojan-activity;sid:84361170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warisalishah/mytube/releases/download/v1.1/soft.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498072/; classtype:trojan-activity;sid:84361172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rippez/wordkeeper/releases/download/caseharden/release.caseharden.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498073/; classtype:trojan-activity;sid:84361173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxx1234567890jxx/datatransformationchecker/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498076/; classtype:trojan-activity;sid:84361176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498067)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frank698/localocr/releases/download/v2.3.3/localocr_v2.3.3.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498067/; classtype:trojan-activity;sid:84361167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfeifefeifef/pokemon-crud/releases/download/v1.1/soft.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498056/; classtype:trojan-activity;sid:84361156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julia2806/stock-watch/releases/download/v1.0/application.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498059/; classtype:trojan-activity;sid:84361159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ushii/weather_app/releases/download/v1.0/installer.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498045/; classtype:trojan-activity;sid:84361145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498047)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/rahulpa045/cphishtermux/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498047/; classtype:trojan-activity;sid:84361147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfeifefeifef/pokemon-crud/releases/download/v1.2/soft.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498050/; classtype:trojan-activity;sid:84361150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxx1234567890jxx/datatransformationchecker/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498053/; classtype:trojan-activity;sid:84361153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamer615/acdsee-photo-studio-professional-download/releases/download/v1.0/software.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498033/; classtype:trojan-activity;sid:84361133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ushii/weather_app/releases/download/v2.0/software.zip"; depth:54; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498034/; classtype:trojan-activity;sid:84361134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamer615/acdsee-photo-studio-professional-download/releases/download/v2.0/software.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498036/; classtype:trojan-activity;sid:84361136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/php-library-system/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498038/; classtype:trojan-activity;sid:84361138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warisalishah/mytube/releases/download/v1.2/soft.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498040/; classtype:trojan-activity;sid:84361140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497826/; classtype:trojan-activity;sid:84360926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v2.0/program.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497822/; classtype:trojan-activity;sid:84360922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unlimxts2/password-manager-intermediate/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497823/; classtype:trojan-activity;sid:84360923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497825/; classtype:trojan-activity;sid:84360925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffxjevefi/nix-system-services-hardened/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497805/; 
classtype:trojan-activity;sid:84360905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supreme-snaze/permutations/releases/download/v1.0/program.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497797/; classtype:trojan-activity;sid:84360897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zackkung688/split-fiction/releases/download/lavalike/splitfiction-lavalike.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497772/; classtype:trojan-activity;sid:84360872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simplefastfunnels254/tg-cybersec/releases/download/v2.7.1/tg-cybersec-v2.7.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497761/; classtype:trojan-activity;sid:84360861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykn1/dishost/releases/download/1.3.8/dishost.1.3.8.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497760/; classtype:trojan-activity;sid:84360860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3497758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/repirate/asset-recovery-tool/releases/download/v1.7.6/asset-recovery-tool-v1.7.6.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497758/; classtype:trojan-activity;sid:84360858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ander12342/pugdns/releases/download/1.3.1/pugdns_v1.3.1.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497739/; classtype:trojan-activity;sid:84360839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuriia-i/palia-script/releases/download/anisoin/palia-script_anisoin.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497692/; classtype:trojan-activity;sid:84360792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devpev777/d/refs/heads/main/r.msi"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497677/; classtype:trojan-activity;sid:84360777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497309)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.4.13.252"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497309/; classtype:trojan-activity;sid:84360409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dodobaba25/repo/refs/heads/master/s64.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3497120/; classtype:trojan-activity;sid:84360220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dodobaba25/repo/refs/heads/master/s86.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3497121/; classtype:trojan-activity;sid:84360221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benkku25/assets/raw/41f4f8f16b76af39e1bc3f8024b66010dd2617c7/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496952/; classtype:trojan-activity;sid:84360052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syklon99/ai-chatbot-svelte/releases/download/v1.4.9/ai-chatbot-svelte-v1.4.9.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496664/; classtype:trojan-activity;sid:84359764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohamedbama/spider-man-2/releases/download/1.6.7/spider-man-2_v1.6.7.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496663/; classtype:trojan-activity;sid:84359763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sigarikafat/xeet/releases/download/1.6.4/xeet_v1.6.4.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496662/; classtype:trojan-activity;sid:84359762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naoval19/tacos/releases/download/v1.0/program.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496645/; classtype:trojan-activity;sid:84359745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naoval19/tacos/releases/download/v2.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496646/; 
classtype:trojan-activity;sid:84359746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vandalyz/nodejs-dockerized-app/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496628/; classtype:trojan-activity;sid:84359728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rle123/ai-self-coding-book/releases/download/v1.0/program.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496631/; classtype:trojan-activity;sid:84359731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vandalyz/nodejs-dockerized-app/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496625/; classtype:trojan-activity;sid:84359725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yahabaha/exam-quiz-test/releases/download/v2.9.2/exam-quiz-test-v2.9.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496604/; classtype:trojan-activity;sid:84359704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3496592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klaus998851/github-achievements/releases/download/3.5.8/github-achievements-3.5.8.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496592/; classtype:trojan-activity;sid:84359692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibidi-crypto/quarkus-openapi-problem/releases/download/v1.4.2/quarkus-openapi-problem-v1.4.2.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496594/; classtype:trojan-activity;sid:84359694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aboubakar909/dreamdance/releases/download/v2.5.1/dreamdance.v2.5.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496585/; classtype:trojan-activity;sid:84359685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stepbox23/assets/60af1f798cc4708a2872a66cebab351e529e43f8/software.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496564/; classtype:trojan-activity;sid:84359664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3496067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496067/; classtype:trojan-activity;sid:84359167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/raw/refs/heads/main/ud.bat"; depth:37; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496061/; classtype:trojan-activity;sid:84359161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/raw/main/ud.bat"; depth:26; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496058/; classtype:trojan-activity;sid:84359158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3495857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsl/downloader.exe"; depth:19; endswith; nocase; http.host; content:"tobecation.github.io"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3495857/; classtype:trojan-activity;sid:84358957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3494793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl20"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_29; 
reference:url, urlhaus.abuse.ch/url/3494793/; classtype:trojan-activity;sid:84357893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order_svea.js"; depth:14; endswith; nocase; http.host; content:"lindenappliances.co.za"; depth:22; isdataat:!1,relative; metadata:created_at 2025_03_28; reference:url, urlhaus.abuse.ch/url/3493868/; classtype:trojan-activity;sid:84356968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aussieonzaza/assets/refs/heads/master/launcher.zip"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_28; reference:url, urlhaus.abuse.ch/url/3493608/; classtype:trojan-activity;sid:84356708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rafael1679/assets/raw/refs/heads/master/launcher.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_28; reference:url, urlhaus.abuse.ch/url/3493604/; classtype:trojan-activity;sid:84356704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.23.17.166"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3493102/; classtype:trojan-activity;sid:84356202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492619)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/wild-storage/releases/download/v1.0/app.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492619/; classtype:trojan-activity;sid:84355719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeu-cpu/coap-mqtt-encryption/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492622/; classtype:trojan-activity;sid:84355722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forzon96/cataclismo/releases/download/1.4.6/cataclismo_1.4.6.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492611/; classtype:trojan-activity;sid:84355711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjunaid87/tokenset/releases/download/v2.8.1/tokenset.v2.8.1.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492613/; classtype:trojan-activity;sid:84355713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492608)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/joacokia/oopd/releases/download/bretschneideraceae/oopd_bretschneideraceae.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492608/; classtype:trojan-activity;sid:84355708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stayns/glpwnme/releases/download/3.1.1/glpwnme-3.1.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492601/; classtype:trojan-activity;sid:84355701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/catexec/signature-recognition-cnn/releases/download/v1.6.8/signature-recognition-cnn-v1.6.8.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492602/; classtype:trojan-activity;sid:84355702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tombalestra/m3-spatial/releases/download/v3.3.4/m3-spatial-v3.3.4.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492604/; classtype:trojan-activity;sid:84355704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492600)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mardecilnonp568/assasin-creed-shadows/releases/download/v2.7.5/assassin-creed-shadows-v2.7.5.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492600/; classtype:trojan-activity;sid:84355700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudip1801/loyalty/releases/download/v3.4.4-alpha.1/loyalty_v3.4.4-alpha.1.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492591/; classtype:trojan-activity;sid:84355691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reninstem/productlisting/releases/download/2.6.1/productlisting-2.6.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492563/; classtype:trojan-activity;sid:84355663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suvam-01/alayalite/releases/download/v1.4.8/alayalite_v1.4.8.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492557/; classtype:trojan-activity;sid:84355657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492553)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ricardocrc735/navicatpwn/releases/download/3.2.3/navicatpwn-3.2.3.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492553/; classtype:trojan-activity;sid:84355653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lordland929on6/1ab-phantasystaronline2b/releases/download/p7ew0zthra/156qeiu3fhnohcj2.rar"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492224/; classtype:trojan-activity;sid:84355324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eding442gfm/1ar-bladeandsoulr/releases/download/4sd7l2qydh/37uji8i2.rar"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492188/; classtype:trojan-activity;sid:84355288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eding442gfm/1ax-bladeandsoulx/releases/download/n6seqop1o4/q.rar"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492186/; classtype:trojan-activity;sid:84355286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492168)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/howlux40worthyfp4h/1af-starwars-theoldrepublicf/releases/download/j0ndd81djg/eskf6bqczzc2j.rar"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492168/; classtype:trojan-activity;sid:84355268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uragon005/ai-chatbot-svelte/releases/download/v2.4.5/ai-chatbot-svelte_v2.4.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492160/; classtype:trojan-activity;sid:84355260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeguay/seed-phrase-generator/releases/download/v1.0/release.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492135/; classtype:trojan-activity;sid:84355235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeguay/seed-phrase-generator/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492134/; classtype:trojan-activity;sid:84355234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492123)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mathists9/abaqus-aluminum-bending-ductile-damage-3d/releases/download/2.7.3/release.2.7.3.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492123/; classtype:trojan-activity;sid:84355223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solarcrownyt/learning-sqlx/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492112/; classtype:trojan-activity;sid:84355212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aussieonzaza/assets/raw/refs/heads/master/launcher.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492056/; classtype:trojan-activity;sid:84355156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phamkhanhhung208/assets/refs/heads/master/launcher.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490432/; classtype:trojan-activity;sid:84353532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rafael1679/assets/refs/heads/master/launcher.zip"; depth:49; endswith; 
nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490427/; classtype:trojan-activity;sid:84353527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast2122006/assignment/238415a963aab57f18fd2c2ef60995d7c0b39fe0/library.txt"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490409/; classtype:trojan-activity;sid:84353509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilganrat342/dertyom/refs/heads/main/setup.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490350/; classtype:trojan-activity;sid:84353450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rh/setup.exe"; depth:13; endswith; nocase; http.host; content:"d3cciiowg5l3jx.cloudfront.net"; depth:29; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490349/; classtype:trojan-activity;sid:84353449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kammywammyman/boyboy/main/chromeupdate.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; 
reference:url, urlhaus.abuse.ch/url/3490313/; classtype:trojan-activity;sid:84353413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tacocat2222/materia-fivem/refs/heads/main/loader.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490294/; classtype:trojan-activity;sid:84353394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl18"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490235/; classtype:trojan-activity;sid:84353335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aldenpogznet22/hamster-bot/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489509/; classtype:trojan-activity;sid:84352609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/worakom99/carbon-executor/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489508/; classtype:trojan-activity;sid:84352608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3489502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thurynw/uoffice_library_uot/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489502/; classtype:trojan-activity;sid:84352602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamescarlzafra/dx9ware-roblox/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489501/; classtype:trojan-activity;sid:84352601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toanminh2004/duan1/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489474/; classtype:trojan-activity;sid:84352574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/loco/releases/download/v1.0/application.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489476/; classtype:trojan-activity;sid:84352576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489478)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tatooo29/loco/releases/download/v2.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489478/; classtype:trojan-activity;sid:84352578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-2/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489479/; classtype:trojan-activity;sid:84352579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cistelsa/predictive-sentiment-analysis-of-twitter-for-btc/releases/download/v1.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489480/; classtype:trojan-activity;sid:84352580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-proxytv/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489481/; classtype:trojan-activity;sid:84352581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cistelsa/predictive-sentiment-analysis-of-twitter-for-btc/releases/download/v2.0/software.zip"; 
depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489471/; classtype:trojan-activity;sid:84352571; rev:1;)
# NOTE(review): deployment caveats for the github.com entries that follow.
# - Each rule is `alert http` with http.method "GET", an http.host match that must equal
#   "github.com" exactly (depth:10 plus isdataat:!1,relative), and an http.uri match on one
#   complete release-asset path (depth equal to the path length, endswith, nocase).
# - GitHub serves these downloads over HTTPS, so the rules can only fire where Suricata
#   inspects the decrypted request (for example behind a TLS-inspecting proxy). A sensor
#   that sees only the encrypted session loads the rules but never alerts on them; confirm
#   sensor placement before counting these entries as coverage.
# - The URI match is exact: the same repository with another tag or asset name, or the same
#   path followed by a query string, is not covered. Account prefixes recur across entries
#   (e.g. /coltostemp/, /mehedihasanfarabi10/), so retrospective proxy-log searches may want
#   to key on the account prefix plus "/releases/download/" and treat hits as leads to verify.
# - All entries share one msg text; the number in parentheses is the URLhaus entry id, which
#   also appears in the reference URL, and is the value to use when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-proxytv/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489472/; classtype:trojan-activity;sid:84352572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-2/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489473/; classtype:trojan-activity;sid:84352573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/new/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489333/; classtype:trojan-activity;sid:84352433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akashnilrecovered/text-formatting-crash-course/releases/download/v2.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489336/; classtype:trojan-activity;sid:84352436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akashnilrecovered/text-formatting-crash-course/releases/download/v1.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489340/; classtype:trojan-activity;sid:84352440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/new/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489331/; classtype:trojan-activity;sid:84352431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-authentication-breeze/releases/download/v1.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489310/; classtype:trojan-activity;sid:84352410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/githubtutorial/releases/download/v1.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489313/; classtype:trojan-activity;sid:84352413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-authentication-breeze/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489314/; classtype:trojan-activity;sid:84352414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/fortify-auth-laravel/releases/download/v1.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489315/; classtype:trojan-activity;sid:84352415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/newlaravel/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489317/; classtype:trojan-activity;sid:84352417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/fortify-auth-laravel/releases/download/v2.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489307/; classtype:trojan-activity;sid:84352407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/book-e-commerce/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489308/; classtype:trojan-activity;sid:84352408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/book-e-commerce/releases/download/v1.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489300/; classtype:trojan-activity;sid:84352400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/newlaravel/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489303/; classtype:trojan-activity;sid:84352403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/frontendmentor/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489274/; classtype:trojan-activity;sid:84352374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/ui-package-email-verify/releases/download/v2.0/software.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489275/; classtype:trojan-activity;sid:84352375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/frontendmentor/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489280/; classtype:trojan-activity;sid:84352380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/ui-package-email-verify/releases/download/v1.0/software.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489288/; classtype:trojan-activity;sid:84352388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bootable_recovery/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489266/; classtype:trojan-activity;sid:84352366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackslash-nitp/healthcare-web-page/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489265/; classtype:trojan-activity;sid:84352365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinycompress/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489263/; classtype:trojan-activity;sid:84352363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amandwivedi0/device_xiaomi_santoni/releases/download/v1.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489264/; classtype:trojan-activity;sid:84352364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489245/; classtype:trojan-activity;sid:84352345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_build/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489247/; classtype:trojan-activity;sid:84352347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_json-c/releases/download/v1.0/application.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489248/; classtype:trojan-activity;sid:84352348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-ecommerce-project/releases/download/v1.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489251/; classtype:trojan-activity;sid:84352351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinycompress/releases/download/v1.0/application.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489252/; classtype:trojan-activity;sid:84352352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_build/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489253/; classtype:trojan-activity;sid:84352353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/proyecto_final/releases/download/v1.0/app.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489254/; classtype:trojan-activity;sid:84352354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_selinux/releases/download/v1.0/application.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489255/; classtype:trojan-activity;sid:84352355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_json-c/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489256/; classtype:trojan-activity;sid:84352356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amandwivedi0/device_xiaomi_santoni/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489260/; classtype:trojan-activity;sid:84352360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v1.0/application.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489261/; classtype:trojan-activity;sid:84352361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/final/releases/download/v2.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489262/; classtype:trojan-activity;sid:84352362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_sqlite/releases/download/v1.0/application.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489231/; classtype:trojan-activity;sid:84352331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bootable_recovery/releases/download/v1.0/application.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489232/; classtype:trojan-activity;sid:84352332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bionic/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489240/; classtype:trojan-activity;sid:84352340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_sqlite/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489242/; classtype:trojan-activity;sid:84352342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-ecommerce-project/releases/download/v2.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489243/; classtype:trojan-activity;sid:84352343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ambassadorscoders/togonon_motiv.poster/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489227/; classtype:trojan-activity;sid:84352327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bionic/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489228/; classtype:trojan-activity;sid:84352328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/12-03assignment/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489214/; classtype:trojan-activity;sid:84352314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvm010/nucleus/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489215/; classtype:trojan-activity;sid:84352315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/eltrapico2/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489218/; classtype:trojan-activity;sid:84352318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/amazon/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489219/; classtype:trojan-activity;sid:84352319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/fri-app/releases/download/v1.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489205/; classtype:trojan-activity;sid:84352305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/ecommerce/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489207/; classtype:trojan-activity;sid:84352307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/student-chicken/fit-track-goal-progress/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489211/; classtype:trojan-activity;sid:84352311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/resume/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489212/; classtype:trojan-activity;sid:84352312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvm010/movie/releases/download/v1.0/software.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489202/; classtype:trojan-activity;sid:84352302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vernaloqui/farmer-shubreact/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489203/; classtype:trojan-activity;sid:84352303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desmonsd/blazingtool/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489177/; classtype:trojan-activity;sid:84352277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desmonsd/blazingtool/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489179/; classtype:trojan-activity;sid:84352279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boomerxd69/fixing-error-0xc00000ba/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489173/; classtype:trojan-activity;sid:84352273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/deploy-admin/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489175/; classtype:trojan-activity;sid:84352275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/manuxing/releases/download/v1.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489166/; classtype:trojan-activity;sid:84352266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/matimazzia/worldgame-web/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489171/; classtype:trojan-activity;sid:84352271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anas200321/kernel-memory-reading-writing/releases/download/v1.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489153/; classtype:trojan-activity;sid:84352253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v3.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489155/; classtype:trojan-activity;sid:84352255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suffer220/bbuild/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489147/; classtype:trojan-activity;sid:84352247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suffer220/bbuild/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489149/; classtype:trojan-activity;sid:84352249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489151/; classtype:trojan-activity;sid:84352251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drankrych/fakebtcsend/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489127/; classtype:trojan-activity;sid:84352227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom3dx/array-base-scatter-filled/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489128/; classtype:trojan-activity;sid:84352228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluecheatah123/apex/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489129/; classtype:trojan-activity;sid:84352229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lethanhdat0403/earnorm/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489131/; classtype:trojan-activity;sid:84352231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/firematheo00x/chat-app-mern/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489135/; classtype:trojan-activity;sid:84352235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monyigamer/bliss_browser_janet/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489137/; classtype:trojan-activity;sid:84352237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theboss6921/json-to-typescript/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489116/; classtype:trojan-activity;sid:84352216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monyigamer/bliss_browser_janet/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489118/; classtype:trojan-activity;sid:84352218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/firematheo00x/chat-app-mern/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489120/; classtype:trojan-activity;sid:84352220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theboss6921/json-to-typescript/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489121/; classtype:trojan-activity;sid:84352221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shirfor/autoforjob/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489106/; classtype:trojan-activity;sid:84352206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shirfor/autoforjob/releases/download/v1.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489107/; classtype:trojan-activity;sid:84352207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juliocesarmara/emojico/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489098/; classtype:trojan-activity;sid:84352198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lilanders123/act/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489090/; classtype:trojan-activity;sid:84352190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/project-hub/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489088/; classtype:trojan-activity;sid:84352188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/project-hub/releases/download/v1.0/application.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489083/; classtype:trojan-activity;sid:84352183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basterfg/myproject/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489063/; classtype:trojan-activity;sid:84352163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booody123/manual-brick-breaker/releases/download/v1.0/program.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489054/; classtype:trojan-activity;sid:84352154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lucksssssss/flick_share/releases/download/v1.0/application.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489056/; classtype:trojan-activity;sid:84352156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lucksssssss/flick_share/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489059/; classtype:trojan-activity;sid:84352159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basterfg/myproject/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489049/; classtype:trojan-activity;sid:84352149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booody123/manual-brick-breaker/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489047/; classtype:trojan-activity;sid:84352147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedrokax/webscraper-to-identify-which-girls-and-how-many-of-them-my-boyfriend-follows-on-github/releases/download/v1.0/application.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489032/; classtype:trojan-activity;sid:84352132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nash-abella/organization-service/releases/download/v1.0.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489035/; classtype:trojan-activity;sid:84352135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oneshotviper24/g-n-rateur-de-robots.txt-et-sitemap.xml/releases/download/v1.0/application.zip"; depth:94; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489036/; classtype:trojan-activity;sid:84352136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nash-abella/organization-service/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489027/; classtype:trojan-activity;sid:84352127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedrokax/webscraper-to-identify-which-girls-and-how-many-of-them-my-boyfriend-follows-on-github/releases/download/v2.0/software.zip"; depth:132; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489028/; classtype:trojan-activity;sid:84352128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oneshotviper24/g-n-rateur-de-robots.txt-et-sitemap.xml/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489029/; classtype:trojan-activity;sid:84352129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tailstheflyingfox/subghost/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489020/; classtype:trojan-activity;sid:84352120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/majorclient/html-crypto-currency-chart-snippets/releases/download/v2.0/software.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488996/; classtype:trojan-activity;sid:84352096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whathedogding/bitpay-crypto-signal-trading-bot-analysis-signal-masters-trading-crypto/releases/download/v1.0/release.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489002/; classtype:trojan-activity;sid:84352102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tailstheflyingfox/subghost/releases/download/v1.0/release.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489003/; classtype:trojan-activity;sid:84352103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v1.0/application.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489004/; classtype:trojan-activity;sid:84352104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basemnabill/stock-forecasting-rnn/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489005/; classtype:trojan-activity;sid:84352105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seiolonmsk/contextindent.nvim/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489006/; classtype:trojan-activity;sid:84352106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basemnabill/stock-forecasting-rnn/releases/download/v1.0/application.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489007/; classtype:trojan-activity;sid:84352107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclearcatlegit/simple_bank/releases/download/v1.0/application.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3489009/; classtype:trojan-activity;sid:84352109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seiolonmsk/contextindent.nvim/releases/download/v1.0/application.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489010/; classtype:trojan-activity;sid:84352110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v1.0/program.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489011/; classtype:trojan-activity;sid:84352111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whathedogding/bitpay-crypto-signal-trading-bot-analysis-signal-masters-trading-crypto/releases/download/v2.0/software.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489014/; classtype:trojan-activity;sid:84352114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v1.0/release.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489015/; 
classtype:trojan-activity;sid:84352115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclearcatlegit/simple_bank/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488994/; classtype:trojan-activity;sid:84352094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seiolonmsk/contextindent.nvim/releases/download/v1.0/program.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488995/; classtype:trojan-activity;sid:84352095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/majorclient/html-crypto-currency-chart-snippets/releases/download/v1.0/release.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488983/; classtype:trojan-activity;sid:84352083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peloixitu35/javascript-questions-pro/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488966/; classtype:trojan-activity;sid:84352066; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peloixitu35/javascript-questions-pro/releases/download/v1.0/program.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488969/; classtype:trojan-activity;sid:84352069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/konnuyu/0xbuilder/releases/download/v1.0/release_x64.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488950/; classtype:trojan-activity;sid:84352050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/finn9633/batchgenie/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488940/; classtype:trojan-activity;sid:84352040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/konnuyu/0xbuilder/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488941/; classtype:trojan-activity;sid:84352041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488943)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/rakkunsatura/p.e.n.i.s./releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488943/; classtype:trojan-activity;sid:84352043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thiagx08/bue-introduction-to-programming-and-problem-solving/releases/download/v1.0/release_x64.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488945/; classtype:trojan-activity;sid:84352045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thiagx08/bue-introduction-to-programming-and-problem-solving/releases/download/v2.0/software.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488946/; classtype:trojan-activity;sid:84352046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t7dela/shadowtool/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488926/; classtype:trojan-activity;sid:84352026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488890)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/samix151210/ndarray-base-normalize-indices/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488890/; classtype:trojan-activity;sid:84351990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdadadsaasdsadas991/database-project/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488880/; classtype:trojan-activity;sid:84351980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/merosegamerx/pizza_webapp/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488874/; classtype:trojan-activity;sid:84351974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/merosegamerx/pizza_webapp/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488879/; classtype:trojan-activity;sid:84351979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astral-ash/deployeride-erc20-toolkit/releases/download/v2.0/software.zip"; depth:73; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488849/; classtype:trojan-activity;sid:84351949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kleteee/injectra/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488850/; classtype:trojan-activity;sid:84351950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astral-ash/deployeride-erc20-toolkit/releases/download/v1.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488854/; classtype:trojan-activity;sid:84351954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imenapr/crime-news-ai-nlp-machine-learning/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488842/; classtype:trojan-activity;sid:84351942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imenapr/crime-news-ai-nlp-machine-learning/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488839/; classtype:trojan-activity;sid:84351939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feelingfishy/challenge-backend-anotaai/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488821/; classtype:trojan-activity;sid:84351921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsgaming999/lottery/releases/download/v1.0/application.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488822/; classtype:trojan-activity;sid:84351922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruka232323/network-traffic-visualizer/releases/download/v1.0/application.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488799/; classtype:trojan-activity;sid:84351899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feelingfishy/challenge-backend-anotaai/releases/download/v1.0/application.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488800/; 
classtype:trojan-activity;sid:84351900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruka232323/network-traffic-visualizer/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488802/; classtype:trojan-activity;sid:84351902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pietro152/tgbot-for-orders/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488806/; classtype:trojan-activity;sid:84351906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsgaming999/lottery/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488793/; classtype:trojan-activity;sid:84351893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pietro152/tgbot-for-orders/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488795/; classtype:trojan-activity;sid:84351895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3488779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hza3o/covid-19_dashboard/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488779/; classtype:trojan-activity;sid:84351879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hza3o/covid-19_dashboard/releases/download/v1.0.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488780/; classtype:trojan-activity;sid:84351880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1set-t/ai-model/releases/download/v1.0.0/application.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488765/; classtype:trojan-activity;sid:84351865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1set-t/ai-model/releases/download/v2.0/software.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488758/; classtype:trojan-activity;sid:84351858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488755)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mah-22/room-occupancy-prediction-using-environmental-sensor-data/releases/download/v1.0/application.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488755/; classtype:trojan-activity;sid:84351855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mah-22/room-occupancy-prediction-using-environmental-sensor-data/releases/download/v2.0/software.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488746/; classtype:trojan-activity;sid:84351846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serbianty/eureka-framework/releases/download/v1.0/soft.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488751/; classtype:trojan-activity;sid:84351851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serbianty/eureka-framework/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488752/; classtype:trojan-activity;sid:84351852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488729)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jaylnjohnart/vertex-ai-chat-prompting-tablular-data-bq/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488729/; classtype:trojan-activity;sid:84351829; rev:1;)
# NOTE(review): the rules below are laid out one per line. They all share one
# shape and differ only in the URLhaus ID, the URI string, its depth and the sid.
#   - http.uri: content + depth set to the content's length + endswith pins the
#     match to the whole URI buffer (case-insensitive via nocase), so each rule
#     covers exactly the one listed URL.
#   - http.host: content:"github.com" + depth:10 + isdataat:!1,relative requires
#     the host buffer to be exactly "github.com".
#   - flow:established,from_client + http.method "GET": the alert is raised on
#     the client's request, not on the response body.
# Deployment caveat: these are `alert http` rules, so they only see traffic the
# sensor can parse as cleartext HTTP. github.com is normally reached over HTTPS,
# so presumably they fire only where TLS is decrypted ahead of the sensor or a
# client really issues a plain-HTTP request -- confirm against your visibility.
# Triage caveat: the host is a shared, legitimate platform; the URI is the
# indicator. An alert shows that the download was requested, not that a payload
# was delivered or executed -- corroborate with proxy/EDR/file telemetry.
# Entries are dated created_at 2025_03_24; check the referenced URLhaus page for
# whether the URL is still online before treating a hit as a live delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrx-slayer/ai-resume-parser/releases/download/v1.0/application.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488730/; classtype:trojan-activity;sid:84351830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrx-slayer/ai-resume-parser/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488732/; classtype:trojan-activity;sid:84351832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488733/; classtype:trojan-activity;sid:84351833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopuatop100/badan-hukum/releases/download/v1.0/release.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488734/; classtype:trojan-activity;sid:84351834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jobetsison/working-with-form-validation-in-an-asp.net-core-rich-text-editor/releases/download/v1.0/program.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488735/; classtype:trojan-activity;sid:84351835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v1.0/application.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488736/; classtype:trojan-activity;sid:84351836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrx-slayer/ai-resume-parser/releases/download/v1.0/program.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488739/; classtype:trojan-activity;sid:84351839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as3dyasen/portfolio/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488740/; classtype:trojan-activity;sid:84351840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as3dyasen/portfolio/releases/download/v1.0/release.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488742/; classtype:trojan-activity;sid:84351842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopuatop100/badan-hukum/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488725/; classtype:trojan-activity;sid:84351825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jobetsison/working-with-form-validation-in-an-asp.net-core-rich-text-editor/releases/download/v2.0/software.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488728/; classtype:trojan-activity;sid:84351828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaylnjohnart/vertex-ai-chat-prompting-tablular-data-bq/releases/download/v1.0/program.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488722/; classtype:trojan-activity;sid:84351822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v1.0/program.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488723/; classtype:trojan-activity;sid:84351823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v1.0/program.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488720/; classtype:trojan-activity;sid:84351820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zrty456/web-development-project-2/releases/download/v1.0/program.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488711/; classtype:trojan-activity;sid:84351811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekin441/urban_company_clone/releases/download/v1.0/program.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488712/; classtype:trojan-activity;sid:84351812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekin441/urban_company_clone/releases/download/v1.0/application.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488713/; classtype:trojan-activity;sid:84351813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flameoptics/xkucoinbot-script-autoclicker/releases/download/v1.0/program.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488714/; classtype:trojan-activity;sid:84351814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flameoptics/xkucoinbot-script-autoclicker/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488716/; classtype:trojan-activity;sid:84351816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v1.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488717/; classtype:trojan-activity;sid:84351817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zrty456/web-development-project-2/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488706/; classtype:trojan-activity;sid:84351806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v1.0/application.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488708/; classtype:trojan-activity;sid:84351808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekin441/urban_company_clone/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488702/; classtype:trojan-activity;sid:84351802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v2.0/software.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488703/; classtype:trojan-activity;sid:84351803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488704/; classtype:trojan-activity;sid:84351804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v1.0/program.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488699/; classtype:trojan-activity;sid:84351799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antonio12gkn71/underlayer/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488684/; classtype:trojan-activity;sid:84351784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sundarlalji/autoimport/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488686/; classtype:trojan-activity;sid:84351786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sundarlalji/autoimport/releases/download/v1.0.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488682/; classtype:trojan-activity;sid:84351782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antonio12gkn71/underlayer/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488679/; classtype:trojan-activity;sid:84351779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/lauth/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488673/; classtype:trojan-activity;sid:84351773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hadesxyzz/baichuan-m1-14b/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488674/; classtype:trojan-activity;sid:84351774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hadesxyzz/baichuan-m1-14b/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488663/; classtype:trojan-activity;sid:84351763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/lauth/releases/download/v1.0/application.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488666/; classtype:trojan-activity;sid:84351766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muum1209/couplers/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488647/; classtype:trojan-activity;sid:84351747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muum1209/couplers/releases/download/v1.0/application.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488649/; classtype:trojan-activity;sid:84351749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/npcgamingyt-thegoat/telegram-robot-handler/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488654/; classtype:trojan-activity;sid:84351754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/npcgamingyt-thegoat/telegram-robot-handler/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488643/; classtype:trojan-activity;sid:84351743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18630095/software.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488636/; classtype:trojan-activity;sid:84351736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericsribas/linux-studies/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488637/; classtype:trojan-activity;sid:84351737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasara21/hypermatch/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488630/; classtype:trojan-activity;sid:84351730; rev:1;)
# NOTE(review): same host and URI as sid:84351736 (URLhaus 3488636) above; one
# matching request raises both alerts, so count them once during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18630095/software.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488632/; classtype:trojan-activity;sid:84351732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brevidade/fleet-pattern/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488634/; classtype:trojan-activity;sid:84351734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saninmysore/aws-face-recognition/releases/download/v1.0/software.zip/"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488620/; classtype:trojan-activity;sid:84351720; rev:1;)
# NOTE(review): same host and URI as sid:84351737 (URLhaus 3488637) above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericsribas/linux-studies/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488599/; classtype:trojan-activity;sid:84351699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v1.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488602/; classtype:trojan-activity;sid:84351702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binnizenobiocordovaleandro/apachimuhkayqui-server/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488605/; classtype:trojan-activity;sid:84351705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bryandejesusrt/reconocimiento-de-placas-con-ia-bytecoders/releases/download/v2.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488606/; classtype:trojan-activity;sid:84351706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boomerxd69/amog-os-lts/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488608/; classtype:trojan-activity;sid:84351708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roblox12400z/dx9ware-roblox/releases/download/v1.0/app.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488609/; classtype:trojan-activity;sid:84351709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/bananan-shooter-hack-interna-/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488614/; classtype:trojan-activity;sid:84351714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18722098/application.zip"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488615/; classtype:trojan-activity;sid:84351715; rev:1;)
# NOTE(review): same host and URI as sid:84351715 (URLhaus 3488615) above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18722098/application.zip"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488595/; classtype:trojan-activity;sid:84351695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razzisproatgaming/hacathon-backend-smit/releases/download/v1.0/application.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488582/; classtype:trojan-activity;sid:84351682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/farizalsalman21/keon/releases/download/v2.0/release_x64.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488567/; classtype:trojan-activity;sid:84351667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razzisproatgaming/hacathon-backend-smit/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488580/; classtype:trojan-activity;sid:84351680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nass3344/trello-like-api/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488548/; classtype:trojan-activity;sid:84351648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toe2132313/zorvex-cat/releases/download/v1.0/software.zip/"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488549/; classtype:trojan-activity;sid:84351649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaviertya/.dotfiles/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488550/; classtype:trojan-activity;sid:84351650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v2.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488552/; classtype:trojan-activity;sid:84351652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488555/; classtype:trojan-activity;sid:84351655; rev:1;)
# NOTE(review): same host and URI as sid:84351650 (URLhaus 3488550) above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaviertya/.dotfiles/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488533/; classtype:trojan-activity;sid:84351633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aufahuhs/advanced-machine-learning-personal-project/releases/download/v1.0/software.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488537/; classtype:trojan-activity;sid:84351637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggusercool/pancakeswapbnbprediction/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488543/; classtype:trojan-activity;sid:84351643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12301530/pump-fun-frontend/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488511/; classtype:trojan-activity;sid:84351611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huizuohaode/ai-image-generator/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488505/; classtype:trojan-activity;sid:84351605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giiyu12/codex-roblox/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488477/; classtype:trojan-activity;sid:84351577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahulpa045/cphishtermux/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488478/; classtype:trojan-activity;sid:84351578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v2.0/software.zip/"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488483/; classtype:trojan-activity;sid:84351583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488487/; classtype:trojan-activity;sid:84351587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v2.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488488/; classtype:trojan-activity;sid:84351588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488490/; classtype:trojan-activity;sid:84351590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cartervr/taxdatabase-sql-tableau/releases/download/v2.0/software.zip/"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488492/; classtype:trojan-activity;sid:84351592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/githubtutorial/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488496/; classtype:trojan-activity;sid:84351596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/globalnewsory/layeredge-auto-bot/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488497/; classtype:trojan-activity;sid:84351597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488501/; classtype:trojan-activity;sid:84351601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muterfree/nexus-roblox/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488470/; classtype:trojan-activity;sid:84351570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agr1us/roblox-oxygen/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488471/; classtype:trojan-activity;sid:84351571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v2.0/software.zip/"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488460/; classtype:trojan-activity;sid:84351560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufferfish420/fixing-error-0x8007000e/releases/download/v2.0/program.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488441/; classtype:trojan-activity;sid:84351541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v2.0/program.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488443/; classtype:trojan-activity;sid:84351543; rev:1;)
# NOTE(review): the next two rules list the same path with and without a
# trailing "/" (depth 59 vs 58). Because the URI match is exact, each form is
# covered only by its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip/"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488436/; classtype:trojan-activity;sid:84351536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488433/; classtype:trojan-activity;sid:84351533; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rag7720/coretech-solutions-custom-odoo-module/releases/download/v1.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488426/; classtype:trojan-activity;sid:84351526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rag7720/coretech-solutions-custom-odoo-module/releases/download/v2.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488425/; classtype:trojan-activity;sid:84351525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevinborgesz/the-data-engineering-academy/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488403/; classtype:trojan-activity;sid:84351503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevinborgesz/the-data-engineering-academy/releases/download/v1.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488406/; classtype:trojan-activity;sid:84351506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3488368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notready155/whatsapp-chat-analysis/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488368/; classtype:trojan-activity;sid:84351468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilovedoo/ted-lasso-gpt/releases/download/v1.0/application.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488350/; classtype:trojan-activity;sid:84351450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerovr988/apaphx_ads1015/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488355/; classtype:trojan-activity;sid:84351455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notready155/whatsapp-chat-analysis/releases/download/v1.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488359/; classtype:trojan-activity;sid:84351459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488360)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ilovedoo/ted-lasso-gpt/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488360/; classtype:trojan-activity;sid:84351460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerovr988/apaphx_ads1015/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488363/; classtype:trojan-activity;sid:84351463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigdaveyy/react-form-validator-pro/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488346/; classtype:trojan-activity;sid:84351446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin49/gym-management-system-/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488334/; classtype:trojan-activity;sid:84351434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin49/gym-management-system-/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488336/; classtype:trojan-activity;sid:84351436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigdaveyy/react-form-validator-pro/releases/download/v1.0/installer.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488339/; classtype:trojan-activity;sid:84351439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yunichi/livekit-voice-ai-agent-setup/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488325/; classtype:trojan-activity;sid:84351425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dianfauzi16/school-project/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488309/; classtype:trojan-activity;sid:84351409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvkleon/text-classification-sentiment-analysis/releases/download/v2.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488314/; classtype:trojan-activity;sid:84351414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvkleon/text-classification-sentiment-analysis/releases/download/v1.0/installer.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488306/; classtype:trojan-activity;sid:84351406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thandoman/seedtool/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488307/; classtype:trojan-activity;sid:84351407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thandoman/seedtool/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488304/; classtype:trojan-activity;sid:84351404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/solana-trading-bot/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488294/; 
classtype:trojan-activity;sid:84351394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v1.0/installer.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488268/; classtype:trojan-activity;sid:84351368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marig1204/dmail_classicemail/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488269/; classtype:trojan-activity;sid:84351369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itztoastie/email2_classicemail/releases/download/v1.0/installer.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488273/; classtype:trojan-activity;sid:84351373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marig1204/dmail_classicemail/releases/download/v1.0/installer.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488274/; classtype:trojan-activity;sid:84351374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3488278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/solana-trading-bot/releases/download/v1.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488278/; classtype:trojan-activity;sid:84351378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cartervr/taxdatabase-sql-tableau/releases/download/v1.0/release.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488282/; classtype:trojan-activity;sid:84351382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itztoastie/email2_classicemail/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488264/; classtype:trojan-activity;sid:84351364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v2.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488261/; classtype:trojan-activity;sid:84351361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488243)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyc888/dbcachinglayer/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488243/; classtype:trojan-activity;sid:84351343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolfymcplayer/intermag/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488233/; classtype:trojan-activity;sid:84351333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolfymcplayer/intermag/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488234/; classtype:trojan-activity;sid:84351334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyc888/dbcachinglayer/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488239/; classtype:trojan-activity;sid:84351339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kirito1110/licenses/releases/download/v1.0/software.zip"; 
depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488214/; classtype:trojan-activity;sid:84351314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsparedes/pycalc/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488213/; classtype:trojan-activity;sid:84351313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibiditoilet123xx/sinav-otomasyonu-prototip/releases/download/v2.0/software.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488208/; classtype:trojan-activity;sid:84351308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibiditoilet123xx/sinav-otomasyonu-prototip/releases/download/v1.0/software.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488209/; classtype:trojan-activity;sid:84351309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fluidx2/roombooking_application/releases/download/v1.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488210/; classtype:trojan-activity;sid:84351310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/viper700pro/serum-vst-installer-2024-free/releases/download/v1.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488211/; classtype:trojan-activity;sid:84351311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damaonly/android-worker/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488206/; classtype:trojan-activity;sid:84351306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ella00311/erugo/releases/download/v1.0/software.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488203/; classtype:trojan-activity;sid:84351303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nour10381/cosmicstar/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488182/; 
classtype:trojan-activity;sid:84351282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nour10381/cosmicstar/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488184/; classtype:trojan-activity;sid:84351284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerangermerah/esp8266_esp32_web_file_manager/releases/download/v2.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488185/; classtype:trojan-activity;sid:84351285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerangermerah/esp8266_esp32_web_file_manager/releases/download/v1.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488186/; classtype:trojan-activity;sid:84351286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aufahuhs/advanced-machine-learning-personal-project/releases/download/v1.0/software.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488181/; classtype:trojan-activity;sid:84351281; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/berstarhunter/deepseek-start/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488162/; classtype:trojan-activity;sid:84351262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeremiah95676t/openmetadata-helm-argocd/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488161/; classtype:trojan-activity;sid:84351261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488157/; classtype:trojan-activity;sid:84351257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfanr-source/synthtweet/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488156/; classtype:trojan-activity;sid:84351256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3488147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arya-gg/axium/releases/download/v1.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488147/; classtype:trojan-activity;sid:84351247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v1.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488148/; classtype:trojan-activity;sid:84351248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeremiah95676t/openmetadata-helm-argocd/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488149/; classtype:trojan-activity;sid:84351249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/berstarhunter/deepseek-start/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488152/; classtype:trojan-activity;sid:84351252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488153)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/toe2132313/zorvex-cat/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488153/; classtype:trojan-activity;sid:84351253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfanr-source/synthtweet/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488146/; classtype:trojan-activity;sid:84351246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488128/; classtype:trojan-activity;sid:84351228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12301530/pump-fun-frontend/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488131/; classtype:trojan-activity;sid:84351231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488132/; classtype:trojan-activity;sid:84351232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iguit-1/instagramuseranalysis/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488134/; classtype:trojan-activity;sid:84351234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12301530/pump-fun-frontend/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488125/; classtype:trojan-activity;sid:84351225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lleonex/marsdevx/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488114/; classtype:trojan-activity;sid:84351214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saninmysore/aws-face-recognition/releases/download/v1.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488103/; 
classtype:trojan-activity;sid:84351203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flarerealfr/url-biblioteca-web/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488110/; classtype:trojan-activity;sid:84351210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prakrititz/deepwater/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488098/; classtype:trojan-activity;sid:84351198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackedbysushi/local_deep_seek/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488099/; classtype:trojan-activity;sid:84351199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huizuohaode/leaf/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488100/; classtype:trojan-activity;sid:84351200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3488102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/futurinav/esteai/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488102/; classtype:trojan-activity;sid:84351202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maxiazzinnari/mint-nft-on-sui/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488090/; classtype:trojan-activity;sid:84351190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alsooory/svg-templates/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488079/; classtype:trojan-activity;sid:84351179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moshe236/vanishmail/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488083/; classtype:trojan-activity;sid:84351183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488085)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bobbysaremine/hb2/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488085/; classtype:trojan-activity;sid:84351185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/cloudflare-dns-swarm/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488088/; classtype:trojan-activity;sid:84351188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_airbnb-lottie/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488075/; classtype:trojan-activity;sid:84351175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayobcoding/deep-research-py/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488061/; classtype:trojan-activity;sid:84351161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keanusmall/sahimatch.ai/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488054/; classtype:trojan-activity;sid:84351154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alejandro5486/infestuswebapp/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488057/; classtype:trojan-activity;sid:84351157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kossiw/olievra/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488035/; classtype:trojan-activity;sid:84351135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rila111/content2map/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488024/; classtype:trojan-activity;sid:84351124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alfa786-creator/pic-squeeze/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3488025/; classtype:trojan-activity;sid:84351125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcaptain27/lianjiascraper/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488030/; classtype:trojan-activity;sid:84351130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yogeshnicks/loader-ldtk/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488034/; classtype:trojan-activity;sid:84351134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vukhang16/ggg/releases/download/v1.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488023/; classtype:trojan-activity;sid:84351123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_airbnb-lottie/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488021/; classtype:trojan-activity;sid:84351121; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titiaswe12/rozetka-admin-panel/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488010/; classtype:trojan-activity;sid:84351110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yourmumsbad/testkanban/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488017/; classtype:trojan-activity;sid:84351117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/perish76b/ratter-app/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488018/; classtype:trojan-activity;sid:84351118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/invenstock/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488000/; classtype:trojan-activity;sid:84351100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487995)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/titiaswe12/rozetka-admin-panel/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487995/; classtype:trojan-activity;sid:84351095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeidmakic/quorixjwt/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487983/; classtype:trojan-activity;sid:84351083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeidmakic/quorixjwt/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487977/; classtype:trojan-activity;sid:84351077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amoni2019/fonepaw-screen-recorder-free/releases/download/v1.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487974/; classtype:trojan-activity;sid:84351074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brotimer24/chargingassignment.withtests/releases/download/v1.0/software.zip"; 
depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487975/; classtype:trojan-activity;sid:84351075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkiuk/jullus2api/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487961/; classtype:trojan-activity;sid:84351061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jay3x/auto-commit/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487947/; classtype:trojan-activity;sid:84351047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brotimer24/chargingassignment.withtests/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487950/; classtype:trojan-activity;sid:84351050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amoni2019/fonepaw-screen-recorder-free/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2025_03_24; reference:url, urlhaus.abuse.ch/url/3487952/; classtype:trojan-activity;sid:84351052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daveyisbricked/movie-finder-react/releases/download/v1.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487953/; classtype:trojan-activity;sid:84351053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daveyisbricked/movie-finder-react/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487954/; classtype:trojan-activity;sid:84351054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jay3x/auto-commit/releases/download/v1.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487955/; classtype:trojan-activity;sid:84351055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quynh814/teafibot/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487956/; classtype:trojan-activity;sid:84351056; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okijuinhbugvygbuhi/concept/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487943/; classtype:trojan-activity;sid:84351043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hafijulkhan786/fhnw-dashboard/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487944/; classtype:trojan-activity;sid:84351044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quynh814/teafibot/releases/download/v1.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487939/; classtype:trojan-activity;sid:84351039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/invenstock/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487935/; classtype:trojan-activity;sid:84351035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487937)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/yourmumsbad/testkanban/releases/download/v1.0/app.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487937/; classtype:trojan-activity;sid:84351037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justnem/deep-research/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487930/; classtype:trojan-activity;sid:84351030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rofix12/spring-microservices/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487931/; classtype:trojan-activity;sid:84351031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justnem/deep-research/releases/download/v1.0/app.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487929/; classtype:trojan-activity;sid:84351029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkiuk/jullus2api/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487927/; classtype:trojan-activity;sid:84351027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeff2807/githubaipy/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487918/; classtype:trojan-activity;sid:84351018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul110110/rocket-telemetry-logger-using-raspberry-pi-pico/releases/download/v1.0/software.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487920/; classtype:trojan-activity;sid:84351020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeff2807/githubaipy/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487921/; classtype:trojan-activity;sid:84351021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binnizenobiocordovaleandro/apachimuhkayqui-server/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2025_03_24; reference:url, urlhaus.abuse.ch/url/3487916/; classtype:trojan-activity;sid:84351016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rofix12/spring-microservices/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487909/; classtype:trojan-activity;sid:84351009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul110110/rocket-telemetry-logger-using-raspberry-pi-pico/releases/download/v2.0/software.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487905/; classtype:trojan-activity;sid:84351005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bryandejesusrt/reconocimiento-de-placas-con-ia-bytecoders/releases/download/v2.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487902/; classtype:trojan-activity;sid:84351002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wer812/bhh666666666666/raw/refs/heads/main/service.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487360/; 
classtype:trojan-activity;sid:84350460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wer812/vbvgghjjio999000/raw/refs/heads/main/bnoaprihjatuasss.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487363/; classtype:trojan-activity;sid:84350463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wer812/bbgy555555551/raw/refs/heads/main/ntladlklthawd.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487364/; classtype:trojan-activity;sid:84350464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl19"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487069/; classtype:trojan-activity;sid:84350169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3486793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.47.103.116"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3486793/; classtype:trojan-activity;sid:84349893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3486184)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ilganrat342/dgasgxc/refs/heads/main/setup.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_22; reference:url, urlhaus.abuse.ch/url/3486184/; classtype:trojan-activity;sid:84349284; rev:1;)
# Review note: the four complete rules below pin http.host to the same IP
# literal ("8.218.50.207", depth:12; isdataat:!1,relative) and differ only in
# the exact http.uri value. Each URI pattern is anchored at both ends (depth
# equal to the pattern length, plus endswith), so a request for any other path
# on that host, or for the same path with extra characters appended, is not
# covered by these signatures.
# NOTE(review): a match needs the request to be visible as cleartext HTTP
# ("alert http"); presumably that holds for the IP-literal hosts, while the
# raw.githubusercontent.com pattern completed on the line above is normally
# served over HTTPS and would need TLS decryption upstream. Confirm.
# metadata:created_at is the only age signal in the rule; weigh it against the
# feed's last-updated date when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh.txt"; depth:7; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485331/; classtype:trojan-activity;sid:84348431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aasdasdqrunshkkkkkkk"; depth:21; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485332/; classtype:trojan-activity;sid:84348432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdqsadsdahhhhhtxt"; depth:19; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485330/; classtype:trojan-activity;sid:84348430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps_z.txt"; depth:9; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485329/; classtype:trojan-activity;sid:84348429; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curly3/n3xus-scr1pt-r0bl0x/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485213/; classtype:trojan-activity;sid:84348313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roblox12400z/dx9ware-roblox/releases/download/v1.0/app.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485214/; classtype:trojan-activity;sid:84348314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massambaf/dx9ware-roblox/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485196/; classtype:trojan-activity;sid:84348296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khalid2344/mint-executor/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485193/; classtype:trojan-activity;sid:84348293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485144)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1k4idibw1vtsntpbqtvbfabfgm2h5s14d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485144/; classtype:trojan-activity;sid:84348244; rev:1;)
# NOTE(review): applies to the drive.google.com patterns on the line above and
# in the next two rules. In a content string "|3f|" decodes to "?", but
# "|7c|26|7c|" decodes to the four literal bytes "|26|", not to "&" (0x26).
# It looks as if the feed generator escaped the pipes of an intended "|26|".
# If the reported URL was "/uc?export=download&id=...", these signatures
# cannot match it; confirm against the referenced URLhaus entry before
# relying on them.
# depth:68 equals the length of the escaped text, while the decoded pattern is
# shorter (59 bytes by my count), so depth does not pin the match to offset 0
# here; endswith still anchors the end of the buffer.
# The file id is written in lower case and matched with nocase, so ids that
# differ only in letter case match as well.
# NOTE(review): "alert http" only evaluates cleartext HTTP, and
# drive.google.com is normally reached over HTTPS; presumably TLS decryption
# upstream of the sensor is required for any of these to fire. Confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1km_hwk7sn_amuk7q2dk9kttzwk1taelw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485126/; classtype:trojan-activity;sid:84348226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ek4th7ucqd9_h2yf9orhzhuallukeo0n"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485125/; classtype:trojan-activity;sid:84348225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3484493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl17"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3484493/; classtype:trojan-activity;sid:84347593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3484465)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/stepegemeyod/codex-roblox/releases/download/v1.0.2/release-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3484465/; classtype:trojan-activity;sid:84347565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3484464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stepegemeyod/codex-roblox/releases/download/v1.0.1/release-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3484464/; classtype:trojan-activity;sid:84347564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483995/; classtype:trojan-activity;sid:84347095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v3.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483984/; classtype:trojan-activity;sid:84347084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v2.0/program.zip"; depth:63; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483979/; classtype:trojan-activity;sid:84347079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483980/; classtype:trojan-activity;sid:84347080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1q6iji-1uq5ksrr3luufy3to-jfs4ec4d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483406/; classtype:trojan-activity;sid:84346506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1inbpqtz2qyus0zqldnbhutbzwgdghhs0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483319/; classtype:trojan-activity;sid:84346419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1g4q6iay5qjzlgigjqnwftkdc5-o_2pqx"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 
2025_03_20; reference:url, urlhaus.abuse.ch/url/3483317/; classtype:trojan-activity;sid:84346417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cl-nvhrrue_wg2zkpuxmvk40tk3knacb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483309/; classtype:trojan-activity;sid:84346409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omio-saha/spotify_data_pipe_snowflake/releases/download/v1.0/release_x64.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482360/; classtype:trojan-activity;sid:84345460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v1.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482367/; classtype:trojan-activity;sid:84345467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, 
urlhaus.abuse.ch/url/3482368/; classtype:trojan-activity;sid:84345468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/sunrise/xundfaxgnsp84.bin"; depth:46; endswith; nocase; http.host; content:"www.automobile-bk.de"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482262/; classtype:trojan-activity;sid:84345362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bear/2020/goldarnedest.aca"; depth:27; endswith; nocase; http.host; content:"www.support-data.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482257/; classtype:trojan-activity;sid:84345357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/numonehittaboy/cdn/refs/heads/main/cvf.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3481956/; classtype:trojan-activity;sid:84345056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.218.189.41"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_18; reference:url, urlhaus.abuse.ch/url/3481600/; classtype:trojan-activity;sid:84344700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481344)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/alishazara/api/refs/heads/master/rh_s.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_18; reference:url, urlhaus.abuse.ch/url/3481344/; classtype:trojan-activity;sid:84344444; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the entries below (one rule per line, order unchanged).
#
# Almost every rule in this group targets a github.com release asset of the
# shape /<owner>/<repo>/releases/download/<tag>/<file>.zip, with file names
# such as software.zip, program.zip, application.zip, soft.zip and
# release_x64.zip. Each rule matches one exact URI (content + depth equal to
# the pattern length + endswith, nocase) on one exact Host value, so another
# tag or asset name under the same repository is not covered by that rule.
# Several owners and repositories recur with different tags or file names.
#
# NOTE(review): "alert http" only inspects requests parsed as cleartext HTTP,
# and github.com is normally fetched over HTTPS. Presumably these rules fire
# only behind TLS inspection or on a plain-HTTP request; verify sensor
# placement and search proxy/endpoint logs for the same paths as well.
#
# In the rules shown here sid = URLhaus id + 80863100, so an alert can be
# traced to its reference URL from the sid alone when tuning or suppressing.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/u/raw/main/ud.bat"; depth:25; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480616/; classtype:trojan-activity;sid:84343716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480361/; classtype:trojan-activity;sid:84343461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nurraif/mytonwallet/releases/download/v2.0/program.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480359/; classtype:trojan-activity;sid:84343459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasara21/hypermatch/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480322/; classtype:trojan-activity;sid:84343422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gollfinho/browser-testing/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480274/; classtype:trojan-activity;sid:84343374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monggosporlyp/circlexo/releases/download/v1.2/soft.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480243/; classtype:trojan-activity;sid:84343343; rev:1;)
# Bare-IP host with a two-byte path: the match depends entirely on the exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3478498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.149.178.117"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_15; reference:url, urlhaus.abuse.ch/url/3478498/; classtype:trojan-activity;sid:84341598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/farizalsalman21/keon/releases/download/v2.0/release_x64.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475894/; classtype:trojan-activity;sid:84338994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufferfish420/fixing-error-0x8007000e/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475656/; classtype:trojan-activity;sid:84338756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/githubtutorial/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475642/; classtype:trojan-activity;sid:84338742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phamtaino/fixing-error-0x80004005-unspecified/releases/download/v2.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475644/; classtype:trojan-activity;sid:84338744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attorneywenn/pragati_backend_2025/releases/download/v2.0/application.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475645/; classtype:trojan-activity;sid:84338745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufferfish420/fixing-error-0x8007000e/releases/download/v2.0/program.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475646/; classtype:trojan-activity;sid:84338746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_selinux/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475651/; classtype:trojan-activity;sid:84338751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boomerxd69/amog-os-lts/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475624/; classtype:trojan-activity;sid:84338724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475630/; classtype:trojan-activity;sid:84338730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475631/; classtype:trojan-activity;sid:84338731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/realtime-chat-app/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475635/; classtype:trojan-activity;sid:84338735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v3.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475636/; classtype:trojan-activity;sid:84338736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/fixing-error-0x80070005-access-denied/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475637/; classtype:trojan-activity;sid:84338737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toanminh2004/fixing-error-0x80070424-specified-service/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475639/; classtype:trojan-activity;sid:84338739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475615/; classtype:trojan-activity;sid:84338715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/bananan-shooter-hack-interna-/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475620/; classtype:trojan-activity;sid:84338720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v2.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475623/; classtype:trojan-activity;sid:84338723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muterfree/nexus-roblox/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474801/; classtype:trojan-activity;sid:84337901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giiyu12/codex-roblox/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474808/; classtype:trojan-activity;sid:84337908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agr1us/roblox-oxygen/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474817/; classtype:trojan-activity;sid:84337917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ishratali007/n3xus-scr1pt-r0bl0x/releases/download/v1.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474749/; classtype:trojan-activity;sid:84337849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cartervr/taxdatabase-sql-tableau/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473787/; classtype:trojan-activity;sid:84336887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggusercool/pancakeswapbnbprediction/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473766/; classtype:trojan-activity;sid:84336866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nass3344/trello-like-api/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473767/; classtype:trojan-activity;sid:84336867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huizuohaode/ai-image-generator/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473774/; classtype:trojan-activity;sid:84336874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brevidade/fleet-pattern/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473776/; classtype:trojan-activity;sid:84336876; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473777/; classtype:trojan-activity;sid:84336877; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the entries below (one rule per line, order unchanged).
#
# Every rule alerts on an established client-to-server HTTP GET whose http.uri
# ends with the listed path (content + depth + endswith, nocase) and whose
# http.host is exactly the listed value (content + depth +
# isdataat:!1,relative). The host test is on the Host header value, not on the
# destination address, which is $EXTERNAL_NET any in each rule header.
#
# NOTE(review): "alert http" only inspects requests parsed as cleartext HTTP.
# github.com and drive.google.com are normally fetched over HTTPS, so those
# entries presumably fire only behind TLS inspection or on a plain-HTTP
# request; verify sensor placement before counting on them.
#
# created_at values in this group are from March 2025. When triaging a hit,
# especially on a bare-IP host, check the referenced URLhaus entry for the
# current status of the URL.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/led-sol/mental-health-chatbot/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473779/; classtype:trojan-activity;sid:84336879; rev:1;)
# NOTE(review): in the drive.google.com rules |3f| is "?", but |7c|26|7c|
# decodes to the four literal bytes "|26|", not to "&" (0x26). This looks like
# a double escape in the rule generator; as written the pattern would not
# match a URI containing "export=download&id=...". depth:68 equals the length
# of the escaped text, while the decoded pattern is 59 bytes. Confirm against
# the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ovluq0bdu-cys5xvyogyjd5qidqb1per"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473576/; classtype:trojan-activity;sid:84336676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1d4aper-gjv3agk8yeny5scayonlc68yo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_10; reference:url, urlhaus.abuse.ch/url/3473160/; classtype:trojan-activity;sid:84336260; rev:1;)
# NOTE(review): the next rule's path is a release asset under the xmrig/xmrig
# repository (v6.22.2, linux static x64). A hit means a host requested that
# miner archive; whether that is an incident depends on local policy, so
# triage with the requesting host and process context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3472675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_10; reference:url, urlhaus.abuse.ch/url/3472675/; classtype:trojan-activity;sid:84335775; rev:1;)
# Bare-IP hosts with two- and three-byte paths ("/i", "/.i"): the path alone is
# not distinctive, so the alert depends entirely on the exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3470757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.175.229.200"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_07; reference:url, urlhaus.abuse.ch/url/3470757/; classtype:trojan-activity;sid:84333857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3470366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.49.65.2"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_07; reference:url, urlhaus.abuse.ch/url/3470366/; classtype:trojan-activity;sid:84333466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3469685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"128.127.102.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_06; reference:url, urlhaus.abuse.ch/url/3469685/; classtype:trojan-activity;sid:84332785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3468872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xraqwapfu.pdf"; depth:14; endswith; nocase; http.host; content:"galerisenimutiara.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3468872/; classtype:trojan-activity;sid:84331972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1eczx8yjtfxwos26grqtdixajed3ukcao"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467628/; classtype:trojan-activity;sid:84330728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1drptefwc7xybtum52bikrhp4j4l6lttc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467629/; classtype:trojan-activity;sid:84330729; rev:1;)
# img1.wsimg.com entries: all sit under /blobby/go/<uuid>/downloads/<name>.pdf
# and some <uuid> segments recur across rules (for example 7c4463e3-... and
# 671d8571-...). Each rule matches one exact file on the same host, so the
# host by itself should not be read as the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2d42ffe-779b-4107-ac42-7f36375aab37/downloads/fojik.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467546/; classtype:trojan-activity;sid:84330646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/61705749605.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467537/; classtype:trojan-activity;sid:84330637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dd3b43cd-389e-413e-87b9-e21f40c2630d/downloads/guledazawabumoda.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467538/; classtype:trojan-activity;sid:84330638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/637623a6-af9b-4a69-90a8-85cd562c999e/downloads/niwexokaburule.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467533/; classtype:trojan-activity;sid:84330633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96f90b6e-3939-4cac-a3ad-eba9fb8219bf/downloads/71599608952.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467528/; classtype:trojan-activity;sid:84330628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e712c63-2f24-4e6b-a5dc-ff3233100bea/downloads/72290413200.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467523/; classtype:trojan-activity;sid:84330623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2eabcd0a-1fbf-48aa-8399-71392232a891/downloads/rafubagosewuniwudob.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467524/; classtype:trojan-activity;sid:84330624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/70485427967.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467525/; classtype:trojan-activity;sid:84330625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e9dc005a-39e6-474d-bf2f-ef67b812a261/downloads/xenogipojadamomixaxulute.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467526/; classtype:trojan-activity;sid:84330626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/9089368795.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467527/; classtype:trojan-activity;sid:84330627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96b6a2f4-8317-413b-a7e3-44adb2eb81f5/downloads/safari_magazine_2019_download.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467516/; classtype:trojan-activity;sid:84330616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8014aeaa-17b8-4bcd-a9d7-094ad1ff7644/downloads/fusoze.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467517/; classtype:trojan-activity;sid:84330617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/plan_technique_piscine_a_debordement.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467519/; classtype:trojan-activity;sid:84330619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/83838390139.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467521/; classtype:trojan-activity;sid:84330621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6104a42e-c9ca-496d-9156-92538fddca06/downloads/vevowezirebojikidebof.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467510/; classtype:trojan-activity;sid:84330610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/temisipilotiba.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467513/; classtype:trojan-activity;sid:84330613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/79427765137.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467501/; classtype:trojan-activity;sid:84330601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/examples_of_employee_goals_for_performance_review.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467478/; classtype:trojan-activity;sid:84330578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/50228966329.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467477/; classtype:trojan-activity;sid:84330577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/educational_leadership_philosophy_examples.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467475/; classtype:trojan-activity;sid:84330575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/299c0676-bac5-4db6-8fea-3075091e1687/downloads/61526216713.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467476/; classtype:trojan-activity;sid:84330576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/gumofeke.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467465/; classtype:trojan-activity;sid:84330565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467466)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/mawanigokur.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467466/; classtype:trojan-activity;sid:84330566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/36054141231.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467469/; classtype:trojan-activity;sid:84330569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37fc73a-27ae-4e8d-87b6-7c807b298be6/downloads/85925649248.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467470/; classtype:trojan-activity;sid:84330570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/educacion_financiera_avanzada_partiendo_de_cero_autor_gregor.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467471/; classtype:trojan-activity;sid:84330571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467472)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/663ae0bf-1142-4d7a-8653-755553f6852e/downloads/lejafarezafig.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467472/; classtype:trojan-activity;sid:84330572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/biwejukajurel.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467474/; classtype:trojan-activity;sid:84330574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/6083216094.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467458/; classtype:trojan-activity;sid:84330558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/69065118383.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467459/; classtype:trojan-activity;sid:84330559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467461)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/51e053ea-8122-46e3-bee6-6c00a935619c/downloads/40061082597.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467461/; classtype:trojan-activity;sid:84330561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/94224235634.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467462/; classtype:trojan-activity;sid:84330562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/739cff78-28a4-4749-8c7f-abf371b6a947/downloads/62789327536.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467463/; classtype:trojan-activity;sid:84330563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ee12fbcb-3848-4c54-8690-0d9c760d3837/downloads/5683334295.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467464/; classtype:trojan-activity;sid:84330564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467453)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d9b3f7f8-355a-428e-bb44-74bff775274d/downloads/supix.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467453/; classtype:trojan-activity;sid:84330553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/670646a4-4ce8-4367-bccc-c52d2083c9a3/downloads/chronogramme_dune_these_de_doctorat.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467454/; classtype:trojan-activity;sid:84330554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e222df8-d197-4254-b90b-be3d3b023ef4/downloads/zopawakabubijipek.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467455/; classtype:trojan-activity;sid:84330555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/27590969755.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467456/; classtype:trojan-activity;sid:84330556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467457)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kudokexogikekuporeso.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467457/; classtype:trojan-activity;sid:84330557; rev:1;)
# Review note: triage hints for alerts from this stretch.
#   - Every rule here names the same host (img1.wsimg.com) and the same path
#     shape, /blobby/go/<uuid>/downloads/<name>.pdf. Several rules repeat a
#     <uuid> segment (for example 7c4463e3-109c-48af-b9be-98e22cdf2116 and
#     d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec). When one sid fires, searching
#     HTTP/proxy logs for the host plus that /blobby/go/<uuid>/ prefix can show
#     related downloads that have no rule of their own.
#   - Each rule matches one exact URL, so the alert by itself only says the URL
#     was requested. Whether the response was delivered and opened has to be
#     confirmed from the flow record or the endpoint.
#   - metadata:created_at is 2025_03_05, well before the "Last updated" stamp in
#     the file header. Open the rule's reference:url page to check the
#     indicator's status before treating a hit as a live infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/48255006417.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467452/; classtype:trojan-activity;sid:84330552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09540d0c-1db9-4e3c-a32d-6eed7b48ae00/downloads/3841723103.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467448/; classtype:trojan-activity;sid:84330548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/exemple_de_dossier_raep_redige.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467443/; classtype:trojan-activity;sid:84330543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467444)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3007465f-aa28-4ea8-964e-00ec10d6daef/downloads/reinforced_concrete_wall_design_examples.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467444/; classtype:trojan-activity;sid:84330544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/munich_tourist_attractions_map.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467445/; classtype:trojan-activity;sid:84330545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4a17de4-bdbb-4d1a-aaee-49990939d4cf/downloads/problue_7_nordson_manual.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467438/; classtype:trojan-activity;sid:84330538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/30229793875.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467440/; classtype:trojan-activity;sid:84330540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467433)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/cooling_tower_working.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467433/; classtype:trojan-activity;sid:84330533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/corporate_signature_authority_matrix_template_printable.pdf"; depth:117; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467434/; classtype:trojan-activity;sid:84330534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/continental_online_assessment_test_answers.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467425/; classtype:trojan-activity;sid:84330525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/465f36af-7a24-4906-9c2a-986dcb6b15f8/downloads/where_can_i_get_edo_state_of_origin_certificate_in_lagos.pdf"; depth:118; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467426/; classtype:trojan-activity;sid:84330526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3467427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sample_testimonials_for_employees.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467427/; classtype:trojan-activity;sid:84330527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bf8d6b31-0867-4cc2-b138-2d2dbb23ec3a/downloads/bawananulufobomoderawulen.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467428/; classtype:trojan-activity;sid:84330528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/90dc87b4-fd7e-4412-9a6a-76e20db16dbd/downloads/23425133870.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467429/; classtype:trojan-activity;sid:84330529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37fc73a-27ae-4e8d-87b6-7c807b298be6/downloads/86119351354.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467422/; classtype:trojan-activity;sid:84330522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467423)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/kagoferoxotopelabalim.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467423/; classtype:trojan-activity;sid:84330523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/how_to_write_letter_against_show_cause_notice.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467411/; classtype:trojan-activity;sid:84330511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/bevakabopodo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467412/; classtype:trojan-activity;sid:84330512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/55669141050.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467416/; classtype:trojan-activity;sid:84330516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467417)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fb13673c-7b10-403f-be9e-1b04622101d6/downloads/61656569082.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467417/; classtype:trojan-activity;sid:84330517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/98264302577.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467418/; classtype:trojan-activity;sid:84330518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/grammar_plus_class_8.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467408/; classtype:trojan-activity;sid:84330508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/32575227287.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467409/; classtype:trojan-activity;sid:84330509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467410)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/xavibow.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467410/; classtype:trojan-activity;sid:84330510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b566d4a5-149a-4042-a2b5-fa837a998781/downloads/62246613540.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467400/; classtype:trojan-activity;sid:84330500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a5d43283-67be-4a3b-9041-1427b691166f/downloads/dotadaxokokimidupoz.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467401/; classtype:trojan-activity;sid:84330501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a19a3dcf-f832-45fe-91ff-ed566d492286/downloads/31803450103.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467403/; classtype:trojan-activity;sid:84330503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467404)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/26449761459.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467404/; classtype:trojan-activity;sid:84330504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/manual_de_uso_cummins_insite.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467395/; classtype:trojan-activity;sid:84330495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/83127272265.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467397/; classtype:trojan-activity;sid:84330497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/50013116393.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467389/; classtype:trojan-activity;sid:84330489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467391)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/sowuluxoranevoxivobu.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467391/; classtype:trojan-activity;sid:84330491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/jw_public_talk_outlines.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467392/; classtype:trojan-activity;sid:84330492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/muxem.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467386/; classtype:trojan-activity;sid:84330486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa930190-2e12-4ce7-8bd7-0454f2ef6721/downloads/remonstration_visum_ablehnung_muster.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467381/; classtype:trojan-activity;sid:84330481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467382)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/1cd14ca4-3aaa-4349-a92b-5919cb2c71ee/downloads/37493963429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467382/; classtype:trojan-activity;sid:84330482; rev:1;)
# Review notes for the rules that follow (they all share one template):
# - Each rule alerts on one client request from $HOME_NET to $EXTERNAL_NET:
#   method GET, http.host equal to "img1.wsimg.com" (depth:14 plus
#   isdataat:!1,relative leaves no room for extra bytes) and http.uri equal to
#   the quoted path (depth is the path length, endswith pins the end of the
#   buffer, nocase ignores letter case).
# - These are exact-URL indicators, not behavioural detections: an alert means
#   this specific URL was requested, and the rules say nothing about any other
#   path on the same host.
# - "alert http" only covers requests Suricata parses as HTTP; the same URL
#   fetched over TLS is not seen by these rules unless the sensor inspects
#   decrypted traffic.
# - NOTE(review): the host looks like a shared hosting/CDN name (many distinct
#   /blobby/go/<id>/ prefixes appear under it), so using the host alone as an
#   indicator would be far broader than these per-URL rules - confirm first.
# - Triage: the reference: URL in each rule is the URLhaus entry for that
#   indicator; in every rule shown here sid = URLhaus id + 80863100.
# - All rules in this run carry metadata created_at 2025_03_05; check the
#   URLhaus entry for the current status before treating an alert as live.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/26417869572.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467383/; classtype:trojan-activity;sid:84330483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zutufukatozoxogunubikok.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467384/; classtype:trojan-activity;sid:84330484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/vawazu.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467385/; classtype:trojan-activity;sid:84330485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4240411-5b76-4ebe-95b9-c00242399cf6/downloads/libevisuxalozusofaze.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467370/; classtype:trojan-activity;sid:84330470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d07e2353-3643-42fe-ba11-ffa772b1a28d/downloads/61695596025.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467371/; classtype:trojan-activity;sid:84330471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/remebemakuvomurixulat.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467372/; classtype:trojan-activity;sid:84330472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/35713869772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467377/; classtype:trojan-activity;sid:84330477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/popezefere.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467363/; classtype:trojan-activity;sid:84330463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/57373027197.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467365/; classtype:trojan-activity;sid:84330465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e00f0b9-c207-4cb1-9a9a-c11d057e31a3/downloads/request_letter_for_hold_amount_release.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467367/; classtype:trojan-activity;sid:84330467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9569c183-65dc-4f14-a45e-e7944584cb65/downloads/58650400832.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467369/; classtype:trojan-activity;sid:84330469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0684881f-11f6-455b-9188-fb070acdb368/downloads/you_too_can_be_prosperous.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467358/; classtype:trojan-activity;sid:84330458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e51c42a2-48a1-43ea-b124-a034de3679a6/downloads/sizusobimemitu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467359/; classtype:trojan-activity;sid:84330459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/fosodevo.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467360/; classtype:trojan-activity;sid:84330460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/her_yonuyle_modern_almanca_dursun_zengin.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467353/; classtype:trojan-activity;sid:84330453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/towedokunorazageleside.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467354/; classtype:trojan-activity;sid:84330454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/65604431763.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467355/; classtype:trojan-activity;sid:84330455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ruwuxa.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467357/; classtype:trojan-activity;sid:84330457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c725aa89-ce3b-4b0b-861e-e7c40702153d/downloads/sulupob.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467347/; classtype:trojan-activity;sid:84330447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a2e88a7-385b-4aed-a81e-123c037cba5d/downloads/57067255053.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467348/; classtype:trojan-activity;sid:84330448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2ad58263-1b5c-4da7-bc4a-7b8f99e22218/downloads/2544897802.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467350/; classtype:trojan-activity;sid:84330450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/66812037618.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467352/; classtype:trojan-activity;sid:84330452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b4da0e1a-7caf-4ed8-aaa9-0949952990f3/downloads/49347806429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467344/; classtype:trojan-activity;sid:84330444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7399f648-106b-4174-b8c0-6d6694895ad3/downloads/vakoxumem.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467339/; classtype:trojan-activity;sid:84330439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/gununemedusotojipime.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467340/; classtype:trojan-activity;sid:84330440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/92c7bb30-769c-4722-92cc-8b01b59910e0/downloads/36512394005.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467334/; classtype:trojan-activity;sid:84330434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7592d1e2-3dca-48f2-9f42-bb08c23dfb67/downloads/zutav.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467337/; classtype:trojan-activity;sid:84330437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8f97cb07-1cfa-4fca-b6d8-3f1bf47f56b3/downloads/dulerugufep.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467326/; classtype:trojan-activity;sid:84330426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/nopurumonufulelu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467328/; classtype:trojan-activity;sid:84330428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2b44aaa8-926a-4cbd-9774-e30385fa65ac/downloads/zexesotusipedelew.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467329/; classtype:trojan-activity;sid:84330429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/security_daily_activity_report_template.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467321/; classtype:trojan-activity;sid:84330421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a3d7189d-efc6-47e1-bbe5-dc5eeaf610a0/downloads/rtca_do-160g.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467312/; classtype:trojan-activity;sid:84330412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ac66f4da-754b-4df9-b080-4728fb201349/downloads/nimoma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467313/; classtype:trojan-activity;sid:84330413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c877865a-29ce-446f-b8f8-42c8a2318eff/downloads/personal_loan_closure_letter_format_in_word.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467314/; classtype:trojan-activity;sid:84330414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/11677680583.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467317/; classtype:trojan-activity;sid:84330417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/elkonin_boxes_word_list.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467318/; classtype:trojan-activity;sid:84330418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f4482b02-adbc-4511-a01d-8f5a32444a75/downloads/zudelejanegine.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467320/; classtype:trojan-activity;sid:84330420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c3d6560-d229-4015-8af2-a70ad89bde0a/downloads/80071621679.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467307/; classtype:trojan-activity;sid:84330407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/lapeke.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467305/; classtype:trojan-activity;sid:84330405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/kapabemirowajuzaxadirokef.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467303/; classtype:trojan-activity;sid:84330403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/modexad.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467304/; classtype:trojan-activity;sid:84330404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0bdc9896-149c-4815-8e37-9e55432c4120/downloads/bofugesugipufibutunida.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467298/; classtype:trojan-activity;sid:84330398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/xuguxupevubitutuzoju.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467300/; classtype:trojan-activity;sid:84330400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/rubejemi.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467301/; classtype:trojan-activity;sid:84330401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/atividades_de_concordancia_verbal_5o_ano_com_gabarito.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467286/; classtype:trojan-activity;sid:84330386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/78c14b69-39ed-4d94-8d63-a7b29776e43c/downloads/45524925955.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467287/; classtype:trojan-activity;sid:84330387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/cyberark_psmp_admin_guide.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467292/; classtype:trojan-activity;sid:84330392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/kitab_shams_al_maarif.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467295/; classtype:trojan-activity;sid:84330395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3298be68-ecf2-4e6e-8fa7-1bf1d7657489/downloads/xagoje.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467283/; classtype:trojan-activity;sid:84330383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/83df8ca9-16c2-4244-8f9e-8be918c4b8a3/downloads/86611585002.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467279/; classtype:trojan-activity;sid:84330379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/41138401642.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467280/; classtype:trojan-activity;sid:84330380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ddc49093-0792-428b-8073-6170b30113a2/downloads/hepatorenales_syndrom.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467281/; classtype:trojan-activity;sid:84330381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fae029f6-27b1-4578-94bc-ae0bbaeebde4/downloads/53744052149.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467271/; classtype:trojan-activity;sid:84330371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9927c1c5-c61c-4f5e-807e-67bd1833b3e4/downloads/nijalox.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467274/; classtype:trojan-activity;sid:84330374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/how_to_change_font_size_in_xchange_editor.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467275/; classtype:trojan-activity;sid:84330375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/limitorque_mx_ordering_guide.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467277/; classtype:trojan-activity;sid:84330377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/timex_expedition_indiglo_wr50m_manual.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467266/; classtype:trojan-activity;sid:84330366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a3b63b5-3e6a-48ac-8e49-14ed0037cbc4/downloads/hitachi_cd_sem_operation_manual.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467269/; classtype:trojan-activity;sid:84330369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/87483152555.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467264/; classtype:trojan-activity;sid:84330364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/36672004653.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467259/; classtype:trojan-activity;sid:84330359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9dc6fd8e-b629-406d-be34-231dfc94d5e9/downloads/catia_v5_simulation_tutorial.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467260/; classtype:trojan-activity;sid:84330360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/80e9e7c7-d97b-4b5a-96c4-9a83854a3065/downloads/vuzabovamipavowaseke.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467262/; classtype:trojan-activity;sid:84330362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09077edc-9c07-4d95-9708-b2f62b12ca6a/downloads/jikiluwuruwewomurenix.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467254/; classtype:trojan-activity;sid:84330354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/weguma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467258/; classtype:trojan-activity;sid:84330358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/119d5b03-e78f-4725-87b7-ed496b267f6d/downloads/attributes_of_a_good_research_topic_ppt.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467246/; classtype:trojan-activity;sid:84330346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1663535d-289f-4a17-902d-0bb53881ce69/downloads/kurupojofuxerixutalo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467249/; classtype:trojan-activity;sid:84330349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/mizibatazikitawejubidodog.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467250/; classtype:trojan-activity;sid:84330350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/gibabasakofalulizuwa.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467251/; classtype:trojan-activity;sid:84330351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/meravinuvisudome.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467240/; classtype:trojan-activity;sid:84330340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/64114a94-94a3-4f5d-866a-beee254b955f/downloads/70815730326.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467241/; classtype:trojan-activity;sid:84330341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/86649529175.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467235/; classtype:trojan-activity;sid:84330335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/nims_703_b_answers.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467236/; classtype:trojan-activity;sid:84330336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cf660a09-f805-468d-bb57-fa3593615f41/downloads/tojanigawexulametuzuk.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467237/; classtype:trojan-activity;sid:84330337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bc2ad79b-5832-4a2d-a335-92537db54849/downloads/pinestars_choice.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467230/; classtype:trojan-activity;sid:84330330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/vupegazezo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467231/; classtype:trojan-activity;sid:84330331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/18985117210.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467221/; classtype:trojan-activity;sid:84330321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/03167ecf-a61c-49ea-b541-7a074a81e1da/downloads/6655537579.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467223/; classtype:trojan-activity;sid:84330323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/41957679215.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467225/; classtype:trojan-activity;sid:84330325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/exemple_de_livret_2_vae_rempli.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467226/; classtype:trojan-activity;sid:84330326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f569f34e-b7af-41eb-9a21-0f9939c54b3f/downloads/64195657437.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467228/; classtype:trojan-activity;sid:84330328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/aspen_pims_manual.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467220/; classtype:trojan-activity;sid:84330320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/fivojudu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467219/; classtype:trojan-activity;sid:84330319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/20019605198.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467210/; classtype:trojan-activity;sid:84330310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467212)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/45706940387.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467212/; classtype:trojan-activity;sid:84330312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xajuxe.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467213/; classtype:trojan-activity;sid:84330313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/81f7a7ad-d4fe-4147-943f-584c2d1e9bf5/downloads/because_of_mr_terupt_online.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467214/; classtype:trojan-activity;sid:84330314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/fajupip.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467215/; classtype:trojan-activity;sid:84330315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467205)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/minetest_wiki_commands.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467205/; classtype:trojan-activity;sid:84330305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/ohanian_physics_volume_1.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467206/; classtype:trojan-activity;sid:84330306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1c97d706-1093-417b-afec-0c60fc1d8547/downloads/74906999263.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467207/; classtype:trojan-activity;sid:84330307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/900d123a-2557-4fa9-92f6-1446b602b979/downloads/deporiramuga.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467208/; classtype:trojan-activity;sid:84330308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467209)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/traffic_light_risk_assessment_template_mental_health.pdf"; depth:114; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467209/; classtype:trojan-activity;sid:84330309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/suritotowid.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467202/; classtype:trojan-activity;sid:84330302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/41821413009.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467196/; classtype:trojan-activity;sid:84330296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/14312384720.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467200/; classtype:trojan-activity;sid:84330300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467187)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/37654458598.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467187/; classtype:trojan-activity;sid:84330287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/23776368177.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467188/; classtype:trojan-activity;sid:84330288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/eb8ff9f7-37bb-4420-bfa0-f018b38dcfa6/downloads/17065535031.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467190/; classtype:trojan-activity;sid:84330290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/432a6cf0-f63b-4132-8b03-52615cd2c1c3/downloads/41591669011.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467191/; classtype:trojan-activity;sid:84330291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467193)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/2634956565.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467193/; classtype:trojan-activity;sid:84330293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/437a989b-0a84-4105-b8c7-1870eb56af29/downloads/sbi_disbursement_request_form.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467177/; classtype:trojan-activity;sid:84330277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/27f26436-44ad-4647-8929-a76a4ea0ea67/downloads/sample_query_letter_for_negligence_of_duty.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467180/; classtype:trojan-activity;sid:84330280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/sapebufuj.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467181/; classtype:trojan-activity;sid:84330281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467184)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/4365da4a-8d29-4708-8e67-b3b566794d83/downloads/fovizijazobupukototofosop.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467184/; classtype:trojan-activity;sid:84330284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/93759555539.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467186/; classtype:trojan-activity;sid:84330286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ligitove.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467175/; classtype:trojan-activity;sid:84330275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/62404701972.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467176/; classtype:trojan-activity;sid:84330276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467171)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/069f5eef-b21d-41b6-aaa6-569b53af1c5a/downloads/rawidesukusutalunug.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467171/; classtype:trojan-activity;sid:84330271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d102a54e-7197-4308-a937-d70c58240642/downloads/26442784020.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467172/; classtype:trojan-activity;sid:84330272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/83882971503.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467167/; classtype:trojan-activity;sid:84330267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/modelo_carta_entrega_de_inmueble_word.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467168/; classtype:trojan-activity;sid:84330268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467163)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/61905f2a-55dd-4144-8c7c-fce5e91063a8/downloads/british_army_all_arms_tactical_aide_memoire.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467163/; classtype:trojan-activity;sid:84330263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/rakotojifodonosanilorefa.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467166/; classtype:trojan-activity;sid:84330266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ec2f808-78a9-4c99-aa80-be96e23bf450/downloads/gewikunobapizati.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467157/; classtype:trojan-activity;sid:84330257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7dda8154-e680-4c60-8651-19cf13768d49/downloads/jadol.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467158/; classtype:trojan-activity;sid:84330258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467154)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/nojivurajojirezizi.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467154/; classtype:trojan-activity;sid:84330254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98571e96-4bd9-4ee2-bb76-481ac550907e/downloads/genebugutisevijuk.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467156/; classtype:trojan-activity;sid:84330256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ddc49093-0792-428b-8073-6170b30113a2/downloads/jiwekonuwokesarejibezan.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467148/; classtype:trojan-activity;sid:84330248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/159e5f7b-5078-45c9-9b36-63f21684101f/downloads/94962104148.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467149/; classtype:trojan-activity;sid:84330249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467150)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/9483bc30-bb1c-4c04-9cf3-38d205924dab/downloads/jugilususosu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467150/; classtype:trojan-activity;sid:84330250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/virapajoridubibakoxofa.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467151/; classtype:trojan-activity;sid:84330251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/319984769.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467152/; classtype:trojan-activity;sid:84330252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/makusikarubikowaxosop.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467142/; classtype:trojan-activity;sid:84330242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467143)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/gikuxuze.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467143/; classtype:trojan-activity;sid:84330243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/voxuba.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467146/; classtype:trojan-activity;sid:84330246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/wokaselu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467147/; classtype:trojan-activity;sid:84330247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/963d457e-5dea-4a7e-aae8-47aada2a7cc0/downloads/velafeke.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467135/; classtype:trojan-activity;sid:84330235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467137)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/97fcff61-ad1b-4591-bfda-ed7d6d6690f0/downloads/49593663309.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467137/; classtype:trojan-activity;sid:84330237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5e489076-b026-43ca-95da-8c6fe49f6d00/downloads/49103789197.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467138/; classtype:trojan-activity;sid:84330238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/zafekupegagasaza.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467132/; classtype:trojan-activity;sid:84330232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/55585429936.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467133/; classtype:trojan-activity;sid:84330233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467125)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/siwevewedelo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467125/; classtype:trojan-activity;sid:84330225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/fedex_air_waybill_form.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467126/; classtype:trojan-activity;sid:84330226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d567d1b9-5a9f-4b97-a387-65a7c02f8ff4/downloads/barapinawowaja.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467127/; classtype:trojan-activity;sid:84330227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/44443741873.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467114/; classtype:trojan-activity;sid:84330214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467115)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/ravibopegaxipodek.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467115/; classtype:trojan-activity;sid:84330215; rev:1;)
# Rules below: exact-URL indicators for files under /blobby/go/<uuid>/downloads/ on img1.wsimg.com.
# Match logic per rule: HTTP GET from $HOME_NET to $EXTERNAL_NET on the client side of an
# established flow. "depth:N; endswith" with N set to the content length pins http.uri to the
# full path (case-insensitive via nocase); "depth:14; isdataat:!1,relative" pins http.host to
# exactly img1.wsimg.com.
# NOTE(review): "alert http" only fires on HTTP the sensor can parse in the clear; the same
# download over HTTPS is not seen unless TLS is decrypted upstream of the sensor.
# NOTE(review): many distinct <uuid> directories share this one host, so it looks like a
# shared file-hosting host; treat a hit as evidence about the specific file, not the host.
# NOTE(review): these entries carry created_at 2025_03_05; check the reference:url entry is
# still listed before escalating an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/haojue_chopper_road_150_manual.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467116/; classtype:trojan-activity;sid:84330216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/23c146af-6c5b-426f-944d-9bf55106e4d8/downloads/de_quien_es_hija_elisa_salinas.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467117/; classtype:trojan-activity;sid:84330217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rewekawejujawidubekafebur.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467118/; classtype:trojan-activity;sid:84330218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3425f1f9-2741-4cdd-9a85-f51cd8a77838/downloads/pyidaungsu_font_keyboard_layout.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467121/; classtype:trojan-activity;sid:84330221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/carte_du_voyage_d_ulysse.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467123/; classtype:trojan-activity;sid:84330223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f11cc6f-a645-4f71-bee4-e3848f35abf2/downloads/livro_domain_driven_design_portugues.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467109/; classtype:trojan-activity;sid:84330209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kulefenev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467110/; classtype:trojan-activity;sid:84330210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/lobola_letter_example.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467111/; classtype:trojan-activity;sid:84330211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/acquisition_value_negative_in_area_01_aa617.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467108/; classtype:trojan-activity;sid:84330208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d8f5bd9b-2c75-4c1f-8d4d-84a7de1d3443/downloads/widavizuxorig.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467101/; classtype:trojan-activity;sid:84330201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/chris_mccandless_travel_route.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467102/; classtype:trojan-activity;sid:84330202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/17ef1a7d-be6f-43bc-ac3a-a9c4fb65005e/downloads/powejavatunepoxaj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467103/; classtype:trojan-activity;sid:84330203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/937a3a5d-28a9-4a6d-983b-63f9d4fe1460/downloads/90328489234.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467106/; classtype:trojan-activity;sid:84330206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0319bbe-78e1-4446-90fc-2b4b4cc85a3e/downloads/wurowujezodabod.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467098/; classtype:trojan-activity;sid:84330198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pubobagawu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467099/; classtype:trojan-activity;sid:84330199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/forest_fire_causes_and_effects.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467100/; classtype:trojan-activity;sid:84330200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6b07c7a9-24ea-41b4-835a-7daa4871c250/downloads/16_personality_factors_by_cattell.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467086/; classtype:trojan-activity;sid:84330186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/725aea16-586d-4b26-8216-cd50b4981a76/downloads/wiley_organic_chemistry_solutions_manual.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467087/; classtype:trojan-activity;sid:84330187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/psicoweb_respuestas_2019.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467088/; classtype:trojan-activity;sid:84330188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8e32f5a5-6a1a-4ade-b57e-fa54871724ef/downloads/2040244551.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467091/; classtype:trojan-activity;sid:84330191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/koxisiranarigavod.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467092/; classtype:trojan-activity;sid:84330192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59d4bc6c-1e33-45d9-a430-f89e52f3f795/downloads/subazituwa.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467093/; classtype:trojan-activity;sid:84330193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/lettre_promesse_dembauche.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467094/; classtype:trojan-activity;sid:84330194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/971e893d-d96e-4c35-b8d0-897850ea3ce6/downloads/ice_quarterly_development_report_example.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467080/; classtype:trojan-activity;sid:84330180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/testigos_tablero_foton.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467081/; classtype:trojan-activity;sid:84330181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/how_to_get_gst_invoice_for_amazon_purchase.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467082/; classtype:trojan-activity;sid:84330182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8df58291-e0db-425a-9cda-a9882386ada6/downloads/24365322622.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467083/; classtype:trojan-activity;sid:84330183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4831e354-44dc-4759-9d14-0dd6cfda589f/downloads/91284214985.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467085/; classtype:trojan-activity;sid:84330185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c5dd25fc-7740-402b-aa70-862b15f3342c/downloads/8958005659.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467078/; classtype:trojan-activity;sid:84330178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/wewofolivofometu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467079/; classtype:trojan-activity;sid:84330179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/9665669589.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467072/; classtype:trojan-activity;sid:84330172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/konibaxixim.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467073/; classtype:trojan-activity;sid:84330173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/20a6346a-1701-43f8-be7d-6426912a09c2/downloads/self_introduction_during_interview_example.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467074/; classtype:trojan-activity;sid:84330174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ff494cbe-9d2a-4ae4-802e-f50cfad48f0a/downloads/74334894285.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467075/; classtype:trojan-activity;sid:84330175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/55534301355.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467077/; classtype:trojan-activity;sid:84330177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/tevolutirasuvujivol.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467065/; classtype:trojan-activity;sid:84330165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3f5ecf8d-ba74-430f-ac11-9eb6ace92d02/downloads/73100246338.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467066/; classtype:trojan-activity;sid:84330166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/earth_making_of_a_planet_national_geographic_worksheet.pdf"; depth:116; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467067/; classtype:trojan-activity;sid:84330167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/exercice_vitesse_6eme_physique.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467068/; classtype:trojan-activity;sid:84330168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rapport_de_stage_3eme_agence_immobiliere.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467069/; classtype:trojan-activity;sid:84330169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/bisebinalujivefiwugagabu.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467070/; classtype:trojan-activity;sid:84330170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/miludafat.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467064/; classtype:trojan-activity;sid:84330164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ea6e6a77-ad86-47ad-bec1-a500695628d4/downloads/66906319004.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467061/; classtype:trojan-activity;sid:84330161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b77102f9-1066-4a92-8a14-af011902d081/downloads/75162502331.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467062/; classtype:trojan-activity;sid:84330162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mapisirukuw.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467063/; classtype:trojan-activity;sid:84330163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/guzupuzuradadutov.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467058/; classtype:trojan-activity;sid:84330158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/081e0348-3bf0-4a3e-a723-749adc1aa630/downloads/teks_ratib_al_attas.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467059/; classtype:trojan-activity;sid:84330159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d07e2353-3643-42fe-ba11-ffa772b1a28d/downloads/49693757117.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467060/; classtype:trojan-activity;sid:84330160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/800cff82-04ba-4c47-9f8b-d21367acb04d/downloads/sabre_red_workspace_commands.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467050/; classtype:trojan-activity;sid:84330150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6702c9de-d943-4d22-b78e-7985c91f7713/downloads/84525111813.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467051/; classtype:trojan-activity;sid:84330151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/26bbb7e6-2f83-462e-b1a0-c9b7b5a50d38/downloads/training_needs_assessment_questionnaire_for_sales.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467052/; classtype:trojan-activity;sid:84330152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/najovozulubameto.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467053/; classtype:trojan-activity;sid:84330153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/225bb15f-2915-4639-a3a1-bcedb142b1ef/downloads/letter_format_for_reply_to_show_cause_notice.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467054/; classtype:trojan-activity;sid:84330154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c718f9e1-28ba-4c02-b434-4456f7af09a8/downloads/masizaz.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467055/; classtype:trojan-activity;sid:84330155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/51274200809.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467049/; classtype:trojan-activity;sid:84330149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/rolinejagogid.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467044/; classtype:trojan-activity;sid:84330144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/buxam.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467042/; classtype:trojan-activity;sid:84330142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6be9a470-c465-4776-ab76-53713c51537a/downloads/nokura.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467032/; classtype:trojan-activity;sid:84330132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/69da2f53-c229-4dc7-a889-7b67b52b1a78/downloads/nokejafowikazuvojoj.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467033/; classtype:trojan-activity;sid:84330133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e43067a0-6374-4a70-a00d-00ee3b01ce8d/downloads/93917384180.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467035/; classtype:trojan-activity;sid:84330135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0336533-680f-4ead-a55e-7e292796b70a/downloads/veteluruxoge.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467037/; classtype:trojan-activity;sid:84330137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/sirijega.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467024/; classtype:trojan-activity;sid:84330124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5c2804a6-aa9c-48a0-92fa-b4e2830d3e94/downloads/ladakh_tourist_map.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467025/; classtype:trojan-activity;sid:84330125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cc5e3c0a-70ce-48cf-a48d-87f83c6b3256/downloads/major_problems_in_african_american_history.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467027/; classtype:trojan-activity;sid:84330127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d38d43db-37ad-45ec-b237-63ac8c84a196/downloads/latovin.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467029/; classtype:trojan-activity;sid:84330129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c10f3982-2d8c-41ef-9c88-95b9c7e0984b/downloads/exagrid_admin_guide.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467018/; classtype:trojan-activity;sid:84330118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/2880955338.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467019/; classtype:trojan-activity;sid:84330119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f4350e3-635b-45ba-b69f-b1a7e95f309e/downloads/24638138520.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467020/; classtype:trojan-activity;sid:84330120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/54349718441.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467022/; classtype:trojan-activity;sid:84330122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/satyanarayan_puja_vidhi_in_sanskrit.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467023/; classtype:trojan-activity;sid:84330123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/sample_letter_to_be_excused_from_jury_service.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467016/; classtype:trojan-activity;sid:84330116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cf660a09-f805-468d-bb57-fa3593615f41/downloads/vumemaxexepemetesa.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467011/; classtype:trojan-activity;sid:84330111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/93a7eb93-9eef-4244-8f20-7f48de1f8294/downloads/95493308607.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467012/; classtype:trojan-activity;sid:84330112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/91589198920.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467013/; classtype:trojan-activity;sid:84330113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/learn_korean_language_in_30_days.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467014/; classtype:trojan-activity;sid:84330114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/right_to_information_act_application_form_malayalam.pdf"; depth:113; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467015/; classtype:trojan-activity;sid:84330115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zesowafasunufezef.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467006/; classtype:trojan-activity;sid:84330106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8e46fb0c-8d21-4b8c-82fc-88315c96ddde/downloads/bevurusip.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467008/; classtype:trojan-activity;sid:84330108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09d72da9-ee58-43de-9ce0-8696fa874a10/downloads/zanozibiwakixubunifelok.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467002/; classtype:trojan-activity;sid:84330102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5d8bfe2e-b91e-431f-9bdc-3f0ea97e388e/downloads/hbc_radiomatic_fse_727_manual.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467003/; classtype:trojan-activity;sid:84330103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e4335d81-d2e5-4638-9638-30640b1be91f/downloads/sofipidegib.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466999/; classtype:trojan-activity;sid:84330099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/54040f30-acd4-4a4c-a314-5c4c261b537d/downloads/printable_foods_high_in_uric_acid_chart.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467000/; classtype:trojan-activity;sid:84330100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/15318963311.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466992/; classtype:trojan-activity;sid:84330092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466993)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c0f7f4ed-2d7c-4134-aa94-503b1eb6600b/downloads/pagulabomezex.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466993/; classtype:trojan-activity;sid:84330093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/katisugenifikipevas.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466996/; classtype:trojan-activity;sid:84330096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/xowawetavudazinomo.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466997/; classtype:trojan-activity;sid:84330097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7662afb9-5d02-4eb9-bd3b-6426a66215ee/downloads/2312138967.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466985/; classtype:trojan-activity;sid:84330085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466986)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/evaluation_geographie_6eme_habiter_une_metropole.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466986/; classtype:trojan-activity;sid:84330086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9441f8ad-6e79-4d4a-9602-3585b1269b7e/downloads/kobumedigudopixemevuwef.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466987/; classtype:trojan-activity;sid:84330087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8fc62093-f93e-447d-8e21-b1e235f4d9cc/downloads/vadigoxevujo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466989/; classtype:trojan-activity;sid:84330089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/64414313920.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466991/; classtype:trojan-activity;sid:84330091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466979)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/mizoxuloniwi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466979/; classtype:trojan-activity;sid:84330079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/66244318284.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466984/; classtype:trojan-activity;sid:84330084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6cdacb6d-7fbf-4d09-a986-56cdfa4edeb2/downloads/15247939327.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466971/; classtype:trojan-activity;sid:84330071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/example_of_a_lobola_letter_in_zulu.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466972/; classtype:trojan-activity;sid:84330072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466973)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ea25ddad-ebb0-4880-b714-a3f2cdadcbd9/downloads/notas_de_dinheiro_para_imprimir.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466973/; classtype:trojan-activity;sid:84330073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/606585da-2917-4da6-a9df-810ae6e7fbc1/downloads/asme_sec_8_div_1_appendix_8.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466975/; classtype:trojan-activity;sid:84330075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/segaxifalawanevake.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466976/; classtype:trojan-activity;sid:84330076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/3d_converter_for_autodesk_navisworks.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466968/; classtype:trojan-activity;sid:84330068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466969)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/2c827e54-9a2c-449a-9d97-e20f9555c87a/downloads/pearson_iit_foundation_class_9_maths.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466969/; classtype:trojan-activity;sid:84330069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d2c6212-591e-450b-b673-947709e569a9/downloads/jidikegegudafipi.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466970/; classtype:trojan-activity;sid:84330070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62bebe3a-24c2-4a56-9b26-65d7a4a8233d/downloads/gupira.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466966/; classtype:trojan-activity;sid:84330066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/79599984772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466958/; classtype:trojan-activity;sid:84330058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466957)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/actaris_meter_manual.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466957/; classtype:trojan-activity;sid:84330057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/passaic_county_technical_institute_salary_guide.pdf"; depth:109; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466946/; classtype:trojan-activity;sid:84330046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0c2227e9-a807-4022-9307-9c68c8629142/downloads/59021495355.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466950/; classtype:trojan-activity;sid:84330050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3abea8f6-1776-4586-b4e6-47b414d29e30/downloads/mozosadoboligemuwisuwet.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466951/; classtype:trojan-activity;sid:84330051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466952)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/malaysia_company_employee_handbook.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466952/; classtype:trojan-activity;sid:84330052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/988c0021-e131-496b-8725-ae310052894b/downloads/berakigevep.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466937/; classtype:trojan-activity;sid:84330037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/87631223928.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466938/; classtype:trojan-activity;sid:84330038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/majisumilorenanevivo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466941/; classtype:trojan-activity;sid:84330041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466944)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/risukepidupapa.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466944/; classtype:trojan-activity;sid:84330044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c272bee0-a4e4-45f4-a8ce-0b066973e0cb/downloads/gateman_wk_20_english_manual.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466933/; classtype:trojan-activity;sid:84330033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/koxid.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466934/; classtype:trojan-activity;sid:84330034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/sasufazovosonufowam.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466935/; classtype:trojan-activity;sid:84330035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466929)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/6554737977.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466929/; classtype:trojan-activity;sid:84330029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4b7c63a1-8c4d-413e-83dc-2db6954011c6/downloads/42942412664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466931/; classtype:trojan-activity;sid:84330031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/43589756342.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466928/; classtype:trojan-activity;sid:84330028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/juporuko.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466923/; classtype:trojan-activity;sid:84330023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466924)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/1d231bc1-15b8-4d3d-b451-c05909392126/downloads/71014366481.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466924/; classtype:trojan-activity;sid:84330024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/29389545569.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466920/; classtype:trojan-activity;sid:84330020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fbb7d95c-19ce-4e6b-832c-1ccce7746b31/downloads/jebagokapinezax.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466915/; classtype:trojan-activity;sid:84330015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cb46680e-64d4-4308-8a44-9926381d0750/downloads/85747587751.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466916/; classtype:trojan-activity;sid:84330016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466919)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/ending_a_lease_letter_to_landlord.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466919/; classtype:trojan-activity;sid:84330019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/possession_letter_format_from_builder.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466909/; classtype:trojan-activity;sid:84330009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/mopuma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466910/; classtype:trojan-activity;sid:84330010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a618ca0f-2608-47c2-ab22-bbc2ca127bb7/downloads/saziva.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466911/; classtype:trojan-activity;sid:84330011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466912)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/229e00b6-6232-4273-bd27-55f919ca28b8/downloads/financas_corporativas_teoria_e_pratica.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466912/; classtype:trojan-activity;sid:84330012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/76c40511-888a-4b14-bb65-87429974a9ff/downloads/gemotukuwitawusagulobez.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466913/; classtype:trojan-activity;sid:84330013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/vupenamubow.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466903/; classtype:trojan-activity;sid:84330003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/10269055308.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466904/; classtype:trojan-activity;sid:84330004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466905)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/6ab86f22-a419-4e4f-91d4-5a654823f744/downloads/21711123451.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466905/; classtype:trojan-activity;sid:84330005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/14203617612.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466900/; classtype:trojan-activity;sid:84330000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e4ad6e04-69d1-4aa9-ba9f-c194e0ac5eef/downloads/lotavawofasopupe.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466902/; classtype:trojan-activity;sid:84330002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/mental_state_examination_checklist.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466898/; classtype:trojan-activity;sid:84329998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466893)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e5728c18-e5b3-4c69-bf59-a4be42aea8ac/downloads/22515332125.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466893/; classtype:trojan-activity;sid:84329993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/metso_neles_positioner_manual.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466894/; classtype:trojan-activity;sid:84329994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/9840498620.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466895/; classtype:trojan-activity;sid:84329995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3fffd8a4-4d1d-42f8-a3e8-f124f6724c06/downloads/kejawisenukasi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466897/; classtype:trojan-activity;sid:84329997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466885)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/72065953692.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466885/; classtype:trojan-activity;sid:84329985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ecb10a4-49e9-4fe5-a6bc-f0f227949dd2/downloads/60627448414.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466890/; classtype:trojan-activity;sid:84329990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/ramevedasap.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466881/; classtype:trojan-activity;sid:84329981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fbb7d95c-19ce-4e6b-832c-1ccce7746b31/downloads/67882203250.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466882/; classtype:trojan-activity;sid:84329982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466877)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/df312c7d-f650-4c0e-a98f-02aee1a43694/downloads/77125885812.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466877/; classtype:trojan-activity;sid:84329977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37e9011-77af-43eb-9e7b-dd6853450512/downloads/27721436213.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466864/; classtype:trojan-activity;sid:84329964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6abf7f7e-d12c-48f3-aa9a-703f4ccff8d7/downloads/81403469667.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466866/; classtype:trojan-activity;sid:84329966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zikirifusotuxusomel.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466869/; classtype:trojan-activity;sid:84329969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466870)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/antibiotic_sensitivity_chart_sanford_guide.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466870/; classtype:trojan-activity;sid:84329970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c8a6489-894f-4446-8722-19ef31b6a173/downloads/26803015720.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466872/; classtype:trojan-activity;sid:84329972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4d2b55bf-cda3-4071-bf2e-8c27282b789f/downloads/chambre_de_tirage_telecom.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466873/; classtype:trojan-activity;sid:84329973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48283c5b-b198-4860-9bf9-7f30a2f8146b/downloads/10387443769.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466875/; classtype:trojan-activity;sid:84329975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466876)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zasuporuxumuza.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466876/; classtype:trojan-activity;sid:84329976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d0a6e54-c95b-4e67-871e-882f39f9c203/downloads/77235011630.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466861/; classtype:trojan-activity;sid:84329961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/luvuges.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466863/; classtype:trojan-activity;sid:84329963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tovidesukowoxam.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466858/; classtype:trojan-activity;sid:84329958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466859)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a5a93100-d349-4291-8bce-18547efeb268/downloads/14773335318.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466859/; classtype:trojan-activity;sid:84329959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62bebe3a-24c2-4a56-9b26-65d7a4a8233d/downloads/xijawef.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466845/; classtype:trojan-activity;sid:84329945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a6301bc9-fbf1-4861-936b-8ce401d46d09/downloads/non_renewal_of_contract_letter_sample.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466846/; classtype:trojan-activity;sid:84329946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98fd26ea-5c50-4ebf-945e-7ed158ebe1b6/downloads/75925905792.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466847/; classtype:trojan-activity;sid:84329947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466848)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/561eb1da-cbac-4811-84b8-e841d63e56cb/downloads/fomogivazugararux.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466848/; classtype:trojan-activity;sid:84329948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3ccd9234-721c-480b-91a1-84bae34c2069/downloads/votudomafuze.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466849/; classtype:trojan-activity;sid:84329949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ed3e7e73-6deb-4ec1-95e4-868a6659fe93/downloads/manning_guide_hotel_sample.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466851/; classtype:trojan-activity;sid:84329951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/45596981954.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466852/; classtype:trojan-activity;sid:84329952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466853)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tilovapexof.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466853/; classtype:trojan-activity;sid:84329953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/najufijirubedejalu.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466838/; classtype:trojan-activity;sid:84329938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/ludejawirusoxodofe.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466839/; classtype:trojan-activity;sid:84329939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/4959938645.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466843/; classtype:trojan-activity;sid:84329943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466832)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/52e9408f-c536-4a35-bd81-6078a5dce549/downloads/98085965001.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466832/; classtype:trojan-activity;sid:84329932; rev:1;)
# SID numbering: in the rules visible here, sid = URLhaus entry id + 80863100
# (3466832 -> 84329932 above, 3466833 -> 84329933 below). msg and reference:url carry
# the same entry id, so a suppress/threshold entry keyed on sid can be traced back to
# its URLhaus record.
# NOTE(review): the offset is inferred from the visible rules, not stated by the feed --
# confirm before scripting against it, and check that this sid range does not overlap
# locally assigned sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dasuxugolod.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466833/; classtype:trojan-activity;sid:84329933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/attestation_de_non_affiliation_cnas_algerie.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466827/; classtype:trojan-activity;sid:84329927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/vw_gehaltstabelle_2022.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466828/; classtype:trojan-activity;sid:84329928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466830)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nidugapageru.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466830/; classtype:trojan-activity;sid:84329930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f6f33080-7dde-4e51-88ef-59c9fd931fca/downloads/latoletevuwogerovug.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466831/; classtype:trojan-activity;sid:84329931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/40119004199.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466818/; classtype:trojan-activity;sid:84329918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d128fcda-7fcc-4d89-85b3-e79c54d4414e/downloads/talivejo.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466822/; classtype:trojan-activity;sid:84329922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466824)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/ansul_piranha_system_installation_manual.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466824/; classtype:trojan-activity;sid:84329924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/scada_system_architecture.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466813/; classtype:trojan-activity;sid:84329913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/63541235931.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466814/; classtype:trojan-activity;sid:84329914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/gaylord_texan_hotel_map.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466802/; classtype:trojan-activity;sid:84329902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466803)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/laxokuzigurebudisinatonu.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466803/; classtype:trojan-activity;sid:84329903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09d72da9-ee58-43de-9ce0-8696fa874a10/downloads/kojutaz.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466805/; classtype:trojan-activity;sid:84329905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/civil_engineer_experience_certificate_word_format.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466808/; classtype:trojan-activity;sid:84329908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/55d28ff0-9d0b-42b4-8190-887f90038148/downloads/gimisomogaro.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466799/; classtype:trojan-activity;sid:84329899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466800)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/950f7924-fa6b-44be-bda3-22eaf526f43f/downloads/how_to_write_a_letter_to_society_for_car_parking.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466800/; classtype:trojan-activity;sid:84329900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/78dac1c1-e6f9-4066-ad39-7cbcdc39e651/downloads/93448099882.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466801/; classtype:trojan-activity;sid:84329901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/payment_under_protest_letter_sample.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466794/; classtype:trojan-activity;sid:84329894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/43447829480.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466797/; classtype:trojan-activity;sid:84329897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466798)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/97374790135.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466798/; classtype:trojan-activity;sid:84329898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/71423402684.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466788/; classtype:trojan-activity;sid:84329888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5c9ed0ab-abf7-4895-9a79-d81e87aed60a/downloads/nezumizegorazulamalit.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466790/; classtype:trojan-activity;sid:84329890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a4c519f1-5301-485e-9e9c-56d1397df289/downloads/79371210580.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466791/; classtype:trojan-activity;sid:84329891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466792)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kekososiwixokaz.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466792/; classtype:trojan-activity;sid:84329892; rev:1;)
# Coverage note: the directory /blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/
# appears both in the rule ending above (3466792) and in 3466779 below; the two entries
# differ only in file name. Each rule is an exact-URL match (depth equal to the content
# length, plus endswith), so a file in the same directory that has no rule of its own
# raises no alert from this ruleset.
# For retrospective review of proxy/HTTP logs, the host plus directory prefix is a
# broader pivot than any single rule.
# NOTE(review): this file does not establish that everything under the directory is
# malicious -- treat prefix hits as leads and verify them against the URLhaus record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/14889765830.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466778/; classtype:trojan-activity;sid:84329878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rikisiwudepelapopazi.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466779/; classtype:trojan-activity;sid:84329879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/boriwivamafegujiser.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466781/; classtype:trojan-activity;sid:84329881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466782)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/seaworld_donation_request_orlando.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466782/; classtype:trojan-activity;sid:84329882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/schumacher_battery_charger_parts_se-4022.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466786/; classtype:trojan-activity;sid:84329886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d83328cf-50de-409a-9bf6-de7a48f66ed6/downloads/40650293844.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466787/; classtype:trojan-activity;sid:84329887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/ap_cm_relief_fund_application_process.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466777/; classtype:trojan-activity;sid:84329877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466768)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/narigokukeminozitema.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466768/; classtype:trojan-activity;sid:84329868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/32231114245.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466770/; classtype:trojan-activity;sid:84329870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa0b65d5-8cfc-4875-922a-b490488b42be/downloads/schmersal_de-_42279_datasheet.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466771/; classtype:trojan-activity;sid:84329871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/checklist_format_for_housekeeping_in_hospital.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466772/; classtype:trojan-activity;sid:84329872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466773)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/91812224211.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466773/; classtype:trojan-activity;sid:84329873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/rizepigarebovubugebo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466774/; classtype:trojan-activity;sid:84329874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/kawopixar.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466775/; classtype:trojan-activity;sid:84329875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/58311665155.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466767/; classtype:trojan-activity;sid:84329867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466763)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/93503353547.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466763/; classtype:trojan-activity;sid:84329863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6974f1eb-71bf-4f90-8572-d8ac4e4f765d/downloads/wazakovefonetak.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466764/; classtype:trojan-activity;sid:84329864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9978fe41-dbcb-4b88-8a80-a839de3f86b5/downloads/42576721881.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466758/; classtype:trojan-activity;sid:84329858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/73769466656.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466759/; classtype:trojan-activity;sid:84329859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466761)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/suvuraxelikubok.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466761/; classtype:trojan-activity;sid:84329861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e09336e-0817-489c-96db-d43d5fd51fc4/downloads/i9_birth_certificate_example.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466762/; classtype:trojan-activity;sid:84329862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/stromer_st1_owners_manual.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466750/; classtype:trojan-activity;sid:84329850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/7215421885.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466753/; classtype:trojan-activity;sid:84329853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466754)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/37979647215.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466754/; classtype:trojan-activity;sid:84329854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/af0be9d0-b995-4f2a-8f66-25f04f50db42/downloads/tejovejujepotobafoba.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466755/; classtype:trojan-activity;sid:84329855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/43947647531.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466756/; classtype:trojan-activity;sid:84329856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/97640682614.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466747/; classtype:trojan-activity;sid:84329847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466748)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/2ec5b631-127b-4a5e-84ff-7de19674a208/downloads/daxukipavibipukoj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466748/; classtype:trojan-activity;sid:84329848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/66a9f463-0ae0-4403-bef2-3061bb9e36ef/downloads/rate_list_of_test_in_dr.lal_pathlabs.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466740/; classtype:trojan-activity;sid:84329840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c8939508-8a93-4f90-8b11-ddca3342e83a/downloads/4803379677.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466742/; classtype:trojan-activity;sid:84329842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ddc49093-0792-428b-8073-6170b30113a2/downloads/taski_procarpet_45_manual.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466745/; classtype:trojan-activity;sid:84329845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466738)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/gomik.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466738/; classtype:trojan-activity;sid:84329838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ef27ce0e-c911-4d37-baad-bea065e796b8/downloads/kirekafusofo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466736/; classtype:trojan-activity;sid:84329836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wiremabodopigotaf.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466732/; classtype:trojan-activity;sid:84329832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/67856105857.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466733/; classtype:trojan-activity;sid:84329833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466734)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/af0be9d0-b995-4f2a-8f66-25f04f50db42/downloads/rubetugetafapojopodibom.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466734/; classtype:trojan-activity;sid:84329834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/3048437595.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466724/; classtype:trojan-activity;sid:84329824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cc370600-8080-4216-8e6c-52a7f34eeccf/downloads/iso_weld_symbols_chart.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466726/; classtype:trojan-activity;sid:84329826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/47b969d8-0664-43a5-a1cb-4ec8411e9eef/downloads/powerflex_755_user_manual_espanol.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466728/; classtype:trojan-activity;sid:84329828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466729)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7539d3e4-198a-4c91-addc-38e6066bfe55/downloads/2305786492.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466729/; classtype:trojan-activity;sid:84329829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/kangwon_land_inc_annual_report.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466730/; classtype:trojan-activity;sid:84329830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c0bdcf4-6f9c-40c3-8219-8cbbbcfb4026/downloads/wanigukanewalew.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466731/; classtype:trojan-activity;sid:84329831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/watiwime.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466715/; classtype:trojan-activity;sid:84329815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466716)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/638993752.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466716/; classtype:trojan-activity;sid:84329816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/milagetuxinofu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466717/; classtype:trojan-activity;sid:84329817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/51295545026.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466719/; classtype:trojan-activity;sid:84329819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xezumiriruko.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466720/; classtype:trojan-activity;sid:84329820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466721)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/cleavage_front_row_amy_measurements.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466721/; classtype:trojan-activity;sid:84329821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/diamond_sieve_chart.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466708/; classtype:trojan-activity;sid:84329808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09b152c4-bf66-44a7-8224-2992cea3ed0a/downloads/sample_indian_renunciation_form.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466710/; classtype:trojan-activity;sid:84329810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/pelebesepasirokirefukew.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466711/; classtype:trojan-activity;sid:84329811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466712)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/455fd801-8453-4cfe-b6ee-1af9e2a627f6/downloads/7558215776.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466712/; classtype:trojan-activity;sid:84329812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e262bb3c-3205-4bb6-954b-f565479d59e0/downloads/50787175728.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466713/; classtype:trojan-activity;sid:84329813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/rotem_sigma_user_manual.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466706/; classtype:trojan-activity;sid:84329806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/lista_de_verbos_em_italiano.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466705/; classtype:trojan-activity;sid:84329805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466702)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a580c741-29a0-435a-a011-6aa538a5edae/downloads/25870917787.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466702/; classtype:trojan-activity;sid:84329802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/siwetofulugo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466694/; classtype:trojan-activity;sid:84329794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0739216d-b619-42bb-83b4-7432b4331862/downloads/26798739628.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466695/; classtype:trojan-activity;sid:84329795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/23513409250.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466696/; classtype:trojan-activity;sid:84329796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466697)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/the_long_dark_crumbling_highway_map.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466697/; classtype:trojan-activity;sid:84329797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2eabcd0a-1fbf-48aa-8399-71392232a891/downloads/92332863676.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466698/; classtype:trojan-activity;sid:84329798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c633c3b-7c73-43a9-a161-0e7459f617b4/downloads/popajuzokovuluboz.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466682/; classtype:trojan-activity;sid:84329782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4b7c63a1-8c4d-413e-83dc-2db6954011c6/downloads/6759358871.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466684/; classtype:trojan-activity;sid:84329784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466686)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/41809607-5bd4-4a52-8a62-530dfb6fcdd7/downloads/gelumoxosudasikaxo.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466686/; classtype:trojan-activity;sid:84329786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cb46680e-64d4-4308-8a44-9926381d0750/downloads/47722224691.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466687/; classtype:trojan-activity;sid:84329787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/57326063662.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466689/; classtype:trojan-activity;sid:84329789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8aa13dbf-c0c5-4fe7-ae15-62e5c33a20e4/downloads/hewlett-packard_18e7_motherboard_specs.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466690/; classtype:trojan-activity;sid:84329790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466691)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/porebejotenojudud.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466691/; classtype:trojan-activity;sid:84329791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/duff_and_phelps_size_premium_2022.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466681/; classtype:trojan-activity;sid:84329781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pass_the_pigs_scoring_sheet.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466674/; classtype:trojan-activity;sid:84329774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ae40ccb-f0fa-4b6b-bfcc-06032a30498c/downloads/logical_thinking_worksheets_for_kindergarten.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466679/; classtype:trojan-activity;sid:84329779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466670)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/cb46680e-64d4-4308-8a44-9926381d0750/downloads/151743582.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466670/; classtype:trojan-activity;sid:84329770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/13792310994.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466671/; classtype:trojan-activity;sid:84329771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/cessna_172_instrument_panel_layout.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466666/; classtype:trojan-activity;sid:84329766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/24459864622.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466667/; classtype:trojan-activity;sid:84329767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466658)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/4c0bdcf4-6f9c-40c3-8219-8cbbbcfb4026/downloads/10451479360.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466658/; classtype:trojan-activity;sid:84329758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/sap_fico_cutover_activities.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466659/; classtype:trojan-activity;sid:84329759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/98444125074.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466662/; classtype:trojan-activity;sid:84329762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/686c0a2e-9a90-4936-9f96-7d72f3c65f03/downloads/54960661120.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466663/; classtype:trojan-activity;sid:84329763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466664)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/3262231356.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466664/; classtype:trojan-activity;sid:84329764; rev:1;)
# URLhaus download-URL rules. Each alerts on an outbound GET
# ($HOME_NET -> $EXTERNAL_NET, flow from_client) whose http.host is exactly
# "img1.wsimg.com" (depth:14 plus isdataat:!1,relative) and whose http.uri is
# exactly the listed path, case-insensitively (depth equal to the path length,
# endswith, nocase).
# The match is on the request only: an alert shows that a client asked for the
# URL, not that the file was served. Confirm from HTTP response / file logs
# before treating the client as infected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/livro_pesquisa_bibliografica.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466648/; classtype:trojan-activity;sid:84329748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/37ff6e83-e399-4f09-b7f3-13b9438039c2/downloads/54456550535.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466650/; classtype:trojan-activity;sid:84329750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41780010-2245-4f59-96ea-abe2bb04704f/downloads/request_letter_format_in_marathi_language.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466652/; classtype:trojan-activity;sid:84329752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5809a244-7d90-46f4-9de4-ee86dda3a2de/downloads/evaluation_emc_6eme_devenir_collegien.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466645/; classtype:trojan-activity;sid:84329745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dd809168-aa55-4437-9a0e-42447fbc16fd/downloads/22731947285.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466640/; classtype:trojan-activity;sid:84329740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41780010-2245-4f59-96ea-abe2bb04704f/downloads/hypothecation_cancellation_request_letter_format.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466641/; classtype:trojan-activity;sid:84329741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/182ae1b8-0b64-4790-be7b-698d5e8b3d57/downloads/gidatigexapufalumiwolagad.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466642/; classtype:trojan-activity;sid:84329742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/aocs_official_method_ce_1b_89.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466634/; classtype:trojan-activity;sid:84329734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pigogini.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466635/; classtype:trojan-activity;sid:84329735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ab158387-fd14-4136-be83-18d2feafd209/downloads/regonadafufosofujerijasur.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466639/; classtype:trojan-activity;sid:84329739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xewegemodigu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466625/; classtype:trojan-activity;sid:84329725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466626)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f9b61407-e9a0-4bfb-ac42-6ba811f07eed/downloads/daycare_reference_letter_template.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466626/; classtype:trojan-activity;sid:84329726; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# Triage aid: in these rules the sid is the URLhaus URL id plus 80863100
# (e.g. sid 84329729 <-> urlhaus.abuse.ch/url/3466629/), so an alert's sid
# leads directly to the URLhaus entry named in its reference field.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/displayport_1.4_spec.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466629/; classtype:trojan-activity;sid:84329729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a49e03e-1cf9-44ed-ac44-c378f90fa5f8/downloads/63521883486.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466632/; classtype:trojan-activity;sid:84329732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/262ea410-a887-458b-b5ec-65748ef01e57/downloads/75258476975.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466633/; classtype:trojan-activity;sid:84329733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9441f8ad-6e79-4d4a-9602-3585b1269b7e/downloads/dajagunowe.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466619/; classtype:trojan-activity;sid:84329719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/432a6cf0-f63b-4132-8b03-52615cd2c1c3/downloads/hypochondria_ielts_reading_answers.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466620/; classtype:trojan-activity;sid:84329720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/migolijidawononavez.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466622/; classtype:trojan-activity;sid:84329722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6286d8b4-6ffa-4d84-aeea-f2a9bc58a594/downloads/hotel_courtesy_call_template.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466623/; classtype:trojan-activity;sid:84329723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48cf8ef6-fe89-47b6-9b8e-43119a3d3833/downloads/89759746182.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466617/; classtype:trojan-activity;sid:84329717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/poquito_mas_nutrition_facts.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466613/; classtype:trojan-activity;sid:84329713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9a32841c-0d54-4ad0-8acd-a5b15c41cae1/downloads/luxutevosevuke.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466610/; classtype:trojan-activity;sid:84329710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/vamiralu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466611/; classtype:trojan-activity;sid:84329711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466605)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/bonunorovekofa.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466605/; classtype:trojan-activity;sid:84329705; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# Coverage note: these are `alert http` rules using the http.method, http.uri
# and http.host buffers, so they fire only where Suricata can parse the
# request as HTTP. A fetch of the same URL over TLS is not inspected unless
# the sensor sees decrypted traffic, so the absence of alerts is not evidence
# that the URL was never requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/36407415595.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466606/; classtype:trojan-activity;sid:84329706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/82707682561.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466607/; classtype:trojan-activity;sid:84329707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a0620227-6f33-427f-8ac7-1fb80d24bd78/downloads/loxabafefomukewizirefa.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466608/; classtype:trojan-activity;sid:84329708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/metric_bolt_specification_chart.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466609/; classtype:trojan-activity;sid:84329709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6875802-d83d-45fa-a01c-dd9f30c53739/downloads/22305465780.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466597/; classtype:trojan-activity;sid:84329697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/efeaa59e-2423-41d8-b482-9a37e80979c7/downloads/ge_disconnect_switch.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466598/; classtype:trojan-activity;sid:84329698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7518eff6-349e-4445-8380-e1c43aacea7b/downloads/gemudewefedevovep.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466600/; classtype:trojan-activity;sid:84329700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41809607-5bd4-4a52-8a62-530dfb6fcdd7/downloads/tugojokuru.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466601/; classtype:trojan-activity;sid:84329701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/hadoop_notes_by_durgasoft_ramakrishna.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466602/; classtype:trojan-activity;sid:84329702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/compassionate_leave_letter_examples.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466603/; classtype:trojan-activity;sid:84329703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2294c0f6-d737-4b16-8fca-94076227dda5/downloads/garrison_carbon_monoxide_and_gas_detector_manual.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466604/; classtype:trojan-activity;sid:84329704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466593)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/kuradorug.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466593/; classtype:trojan-activity;sid:84329693; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# Every rule here names the same host but many different
# /blobby/go/<uuid>/downloads/ directories, which looks like a shared content
# host rather than one dedicated server (NOTE(review): confirm). Keep detection
# and any blocking at URL granularity; a host-wide block would likely also hit
# unrelated content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/38053692779.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466594/; classtype:trojan-activity;sid:84329694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4240411-5b76-4ebe-95b9-c00242399cf6/downloads/26107131918.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466595/; classtype:trojan-activity;sid:84329695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tozivagal.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466587/; classtype:trojan-activity;sid:84329687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1b026e03-5af6-461d-a832-b5e23f93b19f/downloads/rojumedevunez.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466591/; classtype:trojan-activity;sid:84329691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nefusajoxepisajejod.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466585/; classtype:trojan-activity;sid:84329685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tubewerapip.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466581/; classtype:trojan-activity;sid:84329681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/18645484853.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466583/; classtype:trojan-activity;sid:84329683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/50ab7773-f1d2-4be6-a8e2-1065b2477787/downloads/4850921377.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466584/; classtype:trojan-activity;sid:84329684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/basimonuje.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466567/; classtype:trojan-activity;sid:84329667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4490da21-0774-43c2-8f10-26fe1384ffab/downloads/convention_collective_ucanss_mutatio.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466568/; classtype:trojan-activity;sid:84329668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2f6bcf3c-4b23-42e7-95db-7e5e3070b630/downloads/29680644903.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466569/; classtype:trojan-activity;sid:84329669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466571)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e297ab99-26f3-4763-8aa9-4b5ba8336826/downloads/61556440139.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466571/; classtype:trojan-activity;sid:84329671; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# All entries carry metadata:created_at 2025_03_05. The rule itself does not
# say whether the URL is still serving the file; check the entry at the
# reference URL for its current status when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/93a7eb93-9eef-4244-8f20-7f48de1f8294/downloads/rikeleneliteta.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466572/; classtype:trojan-activity;sid:84329672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dupibutemuxubezukexe.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466559/; classtype:trojan-activity;sid:84329659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/58f82e37-5723-4fc5-be87-1ca34da7fc9c/downloads/ladovarudugusujo.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466561/; classtype:trojan-activity;sid:84329661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/93623530863.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466562/; classtype:trojan-activity;sid:84329662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f4482b02-adbc-4511-a01d-8f5a32444a75/downloads/31982364803.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466563/; classtype:trojan-activity;sid:84329663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c29905cb-cab1-47d6-9263-d073f5bcab67/downloads/manually_update_officescan_server.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466564/; classtype:trojan-activity;sid:84329664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/meligofat.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466565/; classtype:trojan-activity;sid:84329665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pibajusapasadasizuvabo.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466566/; classtype:trojan-activity;sid:84329666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/vuguvukopipokimukunoju.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466552/; classtype:trojan-activity;sid:84329652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/vmware_horizon_not_loading.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466553/; classtype:trojan-activity;sid:84329653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/gekepozokenaxaketojakoj.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466556/; classtype:trojan-activity;sid:84329656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466557)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/xekinozu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466557/; classtype:trojan-activity;sid:84329657; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# Some directory ids recur across rules (here
# d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec appears in two rules), so alerts can be
# grouped by the /blobby/go/<uuid>/ segment of the URI when scoping an
# incident. Each rule still matches only its own full path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/tanaber.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466558/; classtype:trojan-activity;sid:84329658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/lokodemerukezabakexa.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466546/; classtype:trojan-activity;sid:84329646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wijigezafububofelib.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466547/; classtype:trojan-activity;sid:84329647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1a64ed17-85a2-4cee-b266-878ed957a17a/downloads/wezixipusafa.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466548/; classtype:trojan-activity;sid:84329648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ed9a7df-8325-4b88-b206-4975011bd8d3/downloads/73303046927.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466551/; classtype:trojan-activity;sid:84329651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/vafibezesixura.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466544/; classtype:trojan-activity;sid:84329644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdf9b72e-240a-4a41-ac28-e187be75db3e/downloads/10008295817.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466542/; classtype:trojan-activity;sid:84329642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/35017680871.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466539/; classtype:trojan-activity;sid:84329639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b5346c1d-c474-4a92-9b4c-cbf0eee37189/downloads/jamupipenimewuroveg.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466534/; classtype:trojan-activity;sid:84329634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ddc49093-0792-428b-8073-6170b30113a2/downloads/ritiwuga.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466523/; classtype:trojan-activity;sid:84329623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/697088a1-6c9a-496e-9a4d-922308cd97be/downloads/98558988287.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466524/; classtype:trojan-activity;sid:84329624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466525)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3d8c405e-d09a-43e6-b2b9-f8bbfe0e4b05/downloads/japifitakudisudupuweb.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466525/; classtype:trojan-activity;sid:84329625; rev:1;)
# URLhaus download-URL rules for GET requests to host img1.wsimg.com.
# The URI match is anchored at both ends (depth plus endswith), so each rule
# covers the one listed .pdf path and nothing else under that directory.
# Treat these as point indicators: a hit is specific to that URL, while other
# files in the same directory need their own entry or a separate review of
# HTTP logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b7519557-5091-4de7-b104-8e86c3953c5d/downloads/66697702965.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466527/; classtype:trojan-activity;sid:84329627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4d8863b-da23-437d-86ed-df2351a23265/downloads/sazodaxorega.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466528/; classtype:trojan-activity;sid:84329628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/36655168913.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466512/; classtype:trojan-activity;sid:84329612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wevularaboxurewugawe.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466513/; classtype:trojan-activity;sid:84329613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/rubizegelolulagexarunup.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466514/; classtype:trojan-activity;sid:84329614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c29905cb-cab1-47d6-9263-d073f5bcab67/downloads/pipe_fittings_surface_area_chart.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466515/; classtype:trojan-activity;sid:84329615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/ludirov.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466517/; classtype:trojan-activity;sid:84329617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/jedibam.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466521/; classtype:trojan-activity;sid:84329621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c2f5ec0b-52d8-40cb-8fa6-a66f6f891fa9/downloads/64630520522.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466522/; classtype:trojan-activity;sid:84329622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/19f0e93a-8f01-4f21-8964-dcc990dea571/downloads/honeywell_dc3002_manual.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466506/; classtype:trojan-activity;sid:84329606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/30963207670.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466507/; classtype:trojan-activity;sid:84329607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466508)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/963d457e-5dea-4a7e-aae8-47aada2a7cc0/downloads/36202936872.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466508/; classtype:trojan-activity;sid:84329608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/738cd3ca-10f0-4f1e-865e-c0932904fbb2/downloads/28412734415.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466509/; classtype:trojan-activity;sid:84329609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/af067739-2dfe-40f3-ae00-a758e587d7d3/downloads/wepepuv.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466510/; classtype:trojan-activity;sid:84329610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/atpco_fare_filing_manual_s.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466503/; classtype:trojan-activity;sid:84329603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466504)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/gartner_magic_quadrant_ips.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466504/; classtype:trojan-activity;sid:84329604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2215a6c-0436-4d82-8033-c5d079398259/downloads/xawegifurixikinixi.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466505/; classtype:trojan-activity;sid:84329605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nolovafitavire.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466501/; classtype:trojan-activity;sid:84329601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f11cc6f-a645-4f71-bee4-e3848f35abf2/downloads/mojijodexiv.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466495/; classtype:trojan-activity;sid:84329595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466497)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/64114a94-94a3-4f5d-866a-beee254b955f/downloads/xipefodefanotare.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466497/; classtype:trojan-activity;sid:84329597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/gekulafemidafalijuw.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466498/; classtype:trojan-activity;sid:84329598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/types_of_lines_in_construction_drawings.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466489/; classtype:trojan-activity;sid:84329589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/psa_birth_certificate_authorization_letter.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466490/; classtype:trojan-activity;sid:84329590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466492)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/53202951-38c7-4c35-8280-6cefaf47915f/downloads/libububodanusakamarad.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466492/; classtype:trojan-activity;sid:84329592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/41202776349.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466480/; classtype:trojan-activity;sid:84329580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dc583f51-62de-45fb-b9c6-f152dd4c2594/downloads/combining_like_terms_pyramid_worksheet_answers.pdf"; depth:108; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466481/; classtype:trojan-activity;sid:84329581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1dc2c198-09f6-4966-96bb-2e160c7d78e2/downloads/55840145977.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466482/; classtype:trojan-activity;sid:84329582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466484)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/puzenesariwalez.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466484/; classtype:trojan-activity;sid:84329584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0eb552d-3ccf-4b3e-a340-0e3717106147/downloads/kalozarisi.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466485/; classtype:trojan-activity;sid:84329585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/wilikof.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466486/; classtype:trojan-activity;sid:84329586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/geruzirejexexani.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466487/; classtype:trojan-activity;sid:84329587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466476)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/de9d9f96-a289-4877-85d4-e6d2d4cc419c/downloads/minerva_t2000_manual.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466476/; classtype:trojan-activity;sid:84329576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/siemens_pcs_7_full_training_manual.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466474/; classtype:trojan-activity;sid:84329574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/sojawamiluredowad.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466472/; classtype:trojan-activity;sid:84329572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/add57eeb-0480-4d3e-871c-79d9b8fe2772/downloads/lozataroziwukurejigax.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466462/; classtype:trojan-activity;sid:84329562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466463)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/capacitor_bank_preventive_maintenance_checklist.pdf"; depth:109; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466463/; classtype:trojan-activity;sid:84329563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/jesafi.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466464/; classtype:trojan-activity;sid:84329564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/wofewipawo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466465/; classtype:trojan-activity;sid:84329565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/58423586845.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466468/; classtype:trojan-activity;sid:84329568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466469)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/89849145142.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466469/; classtype:trojan-activity;sid:84329569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c26a93a-50bb-4104-895b-059e3fc9a02c/downloads/zoxinigexozojadidara.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466460/; classtype:trojan-activity;sid:84329560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96b6a2f4-8317-413b-a7e3-44adb2eb81f5/downloads/demande_d_allocation_chomage_pole_emploi.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466454/; classtype:trojan-activity;sid:84329554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tutorialspoint_sap_pp.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466459/; classtype:trojan-activity;sid:84329559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466449)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/lafebokoz.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466449/; classtype:trojan-activity;sid:84329549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/advance_payment_request_letter_format_word.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466450/; classtype:trojan-activity;sid:84329550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a0c7596-8583-4967-abed-67d8d1ffd610/downloads/boilermaker_drawings_and_developments.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466452/; classtype:trojan-activity;sid:84329552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8532eb1d-13c2-4756-9d41-225750b056f4/downloads/litimuwabu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466453/; classtype:trojan-activity;sid:84329553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466444)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/telcordia_sr_332_issue_4.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466444/; classtype:trojan-activity;sid:84329544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/stopaq_application_manual_2018.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466445/; classtype:trojan-activity;sid:84329545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3daad7b2-98c5-4dc1-b37a-5570afcba267/downloads/40472163846.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466447/; classtype:trojan-activity;sid:84329547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/89247847196.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466439/; classtype:trojan-activity;sid:84329539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466440)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/72993487295.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466440/; classtype:trojan-activity;sid:84329540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/de9155fa-7173-4766-94c3-9e400d4aed58/downloads/def_stan_91-91.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466441/; classtype:trojan-activity;sid:84329541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/42d6a3b4-bbc0-47ab-bf86-c3ddb806b2ed/downloads/rafadaduveputev.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466443/; classtype:trojan-activity;sid:84329543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3924d65b-e08d-4f21-8d71-a0b15eb654bb/downloads/63720952596.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466429/; classtype:trojan-activity;sid:84329529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466417)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/woleb.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466417/; classtype:trojan-activity;sid:84329517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/dururotilonid.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466418/; classtype:trojan-activity;sid:84329518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/150_dialogues_en_francais.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466419/; classtype:trojan-activity;sid:84329519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/88031585580.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466420/; classtype:trojan-activity;sid:84329520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466423)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/dollar_general_cbl_answers_robbery_prevention.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466423/; classtype:trojan-activity;sid:84329523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4e8158-a082-4b1f-960e-1d82a946a72b/downloads/76239393989.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466424/; classtype:trojan-activity;sid:84329524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/51c1105d-a687-468d-b1aa-293ca9578a34/downloads/giwuroganapedokozijave.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466414/; classtype:trojan-activity;sid:84329514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/50e5aae7-a15c-4d74-a4ed-a8edfca980c4/downloads/atividades_adaptadas_de_ingles_para_deficientes_intelectuais.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466406/; classtype:trojan-activity;sid:84329506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466407)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/697088a1-6c9a-496e-9a4d-922308cd97be/downloads/24465842333.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466407/; classtype:trojan-activity;sid:84329507; rev:1;)
#
# Reading the entries below (they share one template; only the URI path, the URLhaus id
# and the sid differ):
#  - "alert http ... flow:established,from_client" with request-side buffers only: a hit
#    shows that a host in $HOME_NET requested the URL, not that a payload was delivered
#    or executed.
#  - http.method "GET", then http.uri with depth equal to the length of the path plus
#    endswith: the whole URI buffer has to be this path, compared case-insensitively
#    (nocase). A request for the same path with anything appended (for example a query
#    string) would presumably not match -- verify if that matters for your traffic.
#  - http.host "img1.wsimg.com" with depth:14 and isdataat:!1,relative: the Host value has
#    to be exactly this name. Many different /blobby/go/<uuid>/ prefixes appear under it,
#    which suggests a shared file-hosting host; treat these as per-URL indicators and do
#    not read the host name on its own as an indicator.
#  - These are http rules, so they only apply to requests the sensor can parse as HTTP.
#    The same URL fetched over TLS is not seen unless traffic is decrypted upstream.
#  - created_at is 2025_03_05 while the feed header is dated 2026-04-27: check the
#    referenced URLhaus entry (current status, payload) before escalating a hit.
#  - In the entries visible here sid = URLhaus id + 80863100, and the id is repeated in
#    msg and reference, so an alert maps back to urlhaus.abuse.ch/url/<id>/ directly.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2d664301-7b5e-474d-97a1-1305c7ece601/downloads/35905190672.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466409/; classtype:trojan-activity;sid:84329509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/12922543008.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466410/; classtype:trojan-activity;sid:84329510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/20643132370.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466412/; classtype:trojan-activity;sid:84329512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/95435099570.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466413/; classtype:trojan-activity;sid:84329513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2bb4e8cb-ec7e-44c1-a645-d94d4534f3a4/downloads/far_from_you_tess_sharpe.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466401/; classtype:trojan-activity;sid:84329501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/87076889980.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466403/; classtype:trojan-activity;sid:84329503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/40331451843.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466396/; classtype:trojan-activity;sid:84329496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/71d9f42f-0bad-4406-8a48-95c698e57e68/downloads/sumitomo_f50_compressor_manual.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466397/; classtype:trojan-activity;sid:84329497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tusosexukitut.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466398/; classtype:trojan-activity;sid:84329498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/chambre_de_tirage_telecom.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466387/; classtype:trojan-activity;sid:84329487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d45c0d9d-8581-471d-bee0-51d1b9891f05/downloads/nisisot.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466389/; classtype:trojan-activity;sid:84329489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tojabuka.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466390/; classtype:trojan-activity;sid:84329490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/16219919996.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466391/; classtype:trojan-activity;sid:84329491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/famous_athletes_banned_for_drug_use.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466392/; classtype:trojan-activity;sid:84329492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/31075581028.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466393/; classtype:trojan-activity;sid:84329493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/table_trigonometrique_complet.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466394/; classtype:trojan-activity;sid:84329494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f20719e2-319c-4f10-aabc-5dffb4a98912/downloads/45233279752.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466385/; classtype:trojan-activity;sid:84329485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/10e01255-b324-4a54-ae63-f4e28a319147/downloads/how_to_make_authorization_letter_to_claim_money_in_palawan.pdf"; depth:120; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466376/; classtype:trojan-activity;sid:84329476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a69ed85-566a-4d22-8bd3-47a8a314b3bf/downloads/baropuzijavalerivotenujop.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466378/; classtype:trojan-activity;sid:84329478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/15135097712.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466379/; classtype:trojan-activity;sid:84329479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4831e354-44dc-4759-9d14-0dd6cfda589f/downloads/demag_ac_350_dwg.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466366/; classtype:trojan-activity;sid:84329466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f6479094-5bf7-4b46-9ced-d0f3d0d49751/downloads/63982701040.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466370/; classtype:trojan-activity;sid:84329470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e35dded4-68df-49bc-a9b0-aad8c63628c2/downloads/polipuzikiwelines.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466371/; classtype:trojan-activity;sid:84329471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/jakirezimukixinirivuvizuw.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466372/; classtype:trojan-activity;sid:84329472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4bf44b4-a39c-49f8-89f5-4b487ef61751/downloads/safety_precautions_during_rainy_season_ppt.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466373/; classtype:trojan-activity;sid:84329473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/gasanon.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466358/; classtype:trojan-activity;sid:84329458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/87218120165.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466359/; classtype:trojan-activity;sid:84329459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6c9fdcec-b167-4620-b064-54b8917c32b8/downloads/57211354597.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466364/; classtype:trojan-activity;sid:84329464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9927c1c5-c61c-4f5e-807e-67bd1833b3e4/downloads/2687436544.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466355/; classtype:trojan-activity;sid:84329455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/astonishment_report_example_template_free.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466356/; classtype:trojan-activity;sid:84329456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4454ad30-3f6f-488a-b5e6-19e7bcca2146/downloads/duzinijilufixikedaluw.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466353/; classtype:trojan-activity;sid:84329453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/47a03532-4838-4d3f-b185-a29c87fa882c/downloads/24511080679.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466340/; classtype:trojan-activity;sid:84329440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/35512569741.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466341/; classtype:trojan-activity;sid:84329441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/fiselarodinolapin.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466344/; classtype:trojan-activity;sid:84329444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/fonuferin.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466348/; classtype:trojan-activity;sid:84329448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/59681288373.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466349/; classtype:trojan-activity;sid:84329449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9db526fb-d62a-447a-9766-8665158ad47a/downloads/skf_linear_bearing_catalogue.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466350/; classtype:trojan-activity;sid:84329450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/45838770375.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466351/; classtype:trojan-activity;sid:84329451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98a1791f-f3a9-4ef2-ac34-41b3393c3d1d/downloads/original_documents_handover_letter_format.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466336/; classtype:trojan-activity;sid:84329436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/60272662631.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466337/; classtype:trojan-activity;sid:84329437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa44ab49-4d64-4d64-8bfd-2dfce545052f/downloads/limitations_act_2004_nigeria.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466338/; classtype:trojan-activity;sid:84329438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72cc53f9-3bf4-447c-963a-353f48ad8500/downloads/puwutokok.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466331/; classtype:trojan-activity;sid:84329431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/emdr_cognitive_interweaves.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466333/; classtype:trojan-activity;sid:84329433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/15715958975.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466325/; classtype:trojan-activity;sid:84329425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/sanugesijeviwo.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466326/; classtype:trojan-activity;sid:84329426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/167862b3-31e9-4984-90e5-30766e3a7fa8/downloads/20740408467.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466327/; classtype:trojan-activity;sid:84329427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/22914289512.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466316/; classtype:trojan-activity;sid:84329416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f842cd9f-c67c-4749-ba01-22d7c1ea502c/downloads/93070455772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466317/; classtype:trojan-activity;sid:84329417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/61240910211.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466319/; classtype:trojan-activity;sid:84329419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/33251318472.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466320/; classtype:trojan-activity;sid:84329420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/800cff82-04ba-4c47-9f8b-d21367acb04d/downloads/84098559127.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466321/; classtype:trojan-activity;sid:84329421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kaxajopisojurivo.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466322/; classtype:trojan-activity;sid:84329422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/vehicle_sale_agreement_format_in_word_kerala_online_applicat.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466324/; classtype:trojan-activity;sid:84329424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/everstart_750_amp_jump_starter_manual.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466312/; classtype:trojan-activity;sid:84329412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/424b0398-579a-4717-a17a-ffb972bf5819/downloads/manual_ppap_4_edicao.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466313/; classtype:trojan-activity;sid:84329413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b2a026b5-555a-437c-867f-3969f62b48d7/downloads/3703775959.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466314/; classtype:trojan-activity;sid:84329414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3f5ecf8d-ba74-430f-ac11-9eb6ace92d02/downloads/womirojepu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466305/; classtype:trojan-activity;sid:84329405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/lord_of_the_flies_script.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466307/; classtype:trojan-activity;sid:84329407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d0a6e54-c95b-4e67-871e-882f39f9c203/downloads/38102271043.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466309/; classtype:trojan-activity;sid:84329409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/depo_provera_osteoporosis_guidelines.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466304/; classtype:trojan-activity;sid:84329404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/397fbc33-145f-44ec-a774-e1fa1b866d82/downloads/fekesijurada.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466301/; classtype:trojan-activity;sid:84329401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e222df8-d197-4254-b90b-be3d3b023ef4/downloads/78299826683.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466293/; classtype:trojan-activity;sid:84329393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bc2da57a-5cad-4b1e-b658-8efa7e30bee5/downloads/como_transferir_saldo_de_dados_unitel.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466294/; classtype:trojan-activity;sid:84329394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/billetes_didacticos_mexicanos_para_imprimir.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466283/; classtype:trojan-activity;sid:84329383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/xutodorimalibavexididoson.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466284/; classtype:trojan-activity;sid:84329384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/vatalikuxigepiwu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466285/; classtype:trojan-activity;sid:84329385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2fda8269-9b7e-4008-b093-ed7dc0bde9d7/downloads/zinivegosejuriwevagowu.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466286/; classtype:trojan-activity;sid:84329386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/dotuxomolomorapitome.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466288/; classtype:trojan-activity;sid:84329388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/541a1d8b-7a21-4c1f-8013-03406bd1a8ad/downloads/mevuxurike.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466289/; classtype:trojan-activity;sid:84329389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/jubomumifekomu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466291/; classtype:trojan-activity;sid:84329391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa25c895-a966-4265-aeb1-bc094284554e/downloads/jifig.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466279/; classtype:trojan-activity;sid:84329379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/90378982159.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466280/; classtype:trojan-activity;sid:84329380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/jodegemotekuseve.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466282/; classtype:trojan-activity;sid:84329382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/46578941429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466268/; classtype:trojan-activity;sid:84329368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/elenco_corsi_vam_viterbo.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466269/; classtype:trojan-activity;sid:84329369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/17714436684.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466259/; classtype:trojan-activity;sid:84329359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/planet_fitness_membership_cancellation_letter.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466260/; classtype:trojan-activity;sid:84329360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/af067739-2dfe-40f3-ae00-a758e587d7d3/downloads/61105974714.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466261/; classtype:trojan-activity;sid:84329361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/933c3405-1572-4648-b39e-d98567eb5bee/downloads/for_your_kind_perusal_and_necessary_action_meaning.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466266/; classtype:trojan-activity;sid:84329366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/119d5b03-e78f-4725-87b7-ed496b267f6d/downloads/scrubber_design_calculation_excel.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466267/; classtype:trojan-activity;sid:84329367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6787db73-833d-4393-867e-1b786eb5e101/downloads/60859753638.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466249/; classtype:trojan-activity;sid:84329349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62a7895e-5f81-4049-920b-e70e38d29e37/downloads/why_is_annexure_d_required_for_minor_passport.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466252/; classtype:trojan-activity;sid:84329352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/574284889.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466253/; classtype:trojan-activity;sid:84329353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466254)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/xikapataxofako.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466254/; classtype:trojan-activity;sid:84329354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/lobigexapi.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466255/; classtype:trojan-activity;sid:84329355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2470d53e-fef7-4646-9c8b-919894e66d18/downloads/72646482584.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466256/; classtype:trojan-activity;sid:84329356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8c16f145-4fc0-4af7-a4db-de4acd818fe4/downloads/46429707192.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466257/; classtype:trojan-activity;sid:84329357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466245)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7153ec40-cd7f-411a-a08b-66d173a33455/downloads/standards_australia_handbook_197.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466245/; classtype:trojan-activity;sid:84329345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/55745505506.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466247/; classtype:trojan-activity;sid:84329347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/43311556781.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466241/; classtype:trojan-activity;sid:84329341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/80691091889.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466244/; classtype:trojan-activity;sid:84329344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466238)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sewuxazomuwara.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466238/; classtype:trojan-activity;sid:84329338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ce549e8-3051-428a-a71b-b48f204ac3cd/downloads/rapid_router_level_43_solution.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466231/; classtype:trojan-activity;sid:84329331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0620bed2-a9d8-4f06-ab8c-173ea1a60a70/downloads/jijegarazomimubusawogam.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466232/; classtype:trojan-activity;sid:84329332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/matunekuv.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466233/; classtype:trojan-activity;sid:84329333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466230)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/53202951-38c7-4c35-8280-6cefaf47915f/downloads/statsafe_3000_msds.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466230/; classtype:trojan-activity;sid:84329330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/82647770508.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466221/; classtype:trojan-activity;sid:84329321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ee3e2894-0337-41f6-9371-caecf7034a22/downloads/26991821255.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466222/; classtype:trojan-activity;sid:84329322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/gesuzodekutiz.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466226/; classtype:trojan-activity;sid:84329326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466227)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/62a7895e-5f81-4049-920b-e70e38d29e37/downloads/how_to_register_in_upstox.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466227/; classtype:trojan-activity;sid:84329327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/exercises_for_trigger_thumb.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466228/; classtype:trojan-activity;sid:84329328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/132d13c5-3f89-41bf-85b4-d1a24ddcf61c/downloads/nosiwevixina.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466229/; classtype:trojan-activity;sid:84329329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a56a106f-21b9-46c2-b5bc-12461919334c/downloads/vurarufa.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466215/; classtype:trojan-activity;sid:84329315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466217)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/how_to_get_a_wire_transfer_receipt_chase.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466217/; classtype:trojan-activity;sid:84329317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/3175972790.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466219/; classtype:trojan-activity;sid:84329319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/apex_sl_vibration_controller_manual.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466213/; classtype:trojan-activity;sid:84329313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/nakozixuwelafi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466214/; classtype:trojan-activity;sid:84329314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466205)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mobesapovasag.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466205/; classtype:trojan-activity;sid:84329305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fae029f6-27b1-4578-94bc-ae0bbaeebde4/downloads/imperial_vernier_caliper_worksheet.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466206/; classtype:trojan-activity;sid:84329306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e2ab423c-1813-4cd0-becb-6a8adbf01641/downloads/ribafimimeriledok.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466207/; classtype:trojan-activity;sid:84329307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/62228929609.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466208/; classtype:trojan-activity;sid:84329308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466209)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/91a706e9-d066-47d7-89af-69535d865c3d/downloads/carteirinha_de_estudante_falsa_em.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466209/; classtype:trojan-activity;sid:84329309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/80e9e7c7-d97b-4b5a-96c4-9a83854a3065/downloads/35740879646.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466196/; classtype:trojan-activity;sid:84329296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2d42ffe-779b-4107-ac42-7f36375aab37/downloads/zeneliginuboripiriza.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466201/; classtype:trojan-activity;sid:84329301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6bb5c8cf-e89d-49c0-aeeb-7278d39f6b32/downloads/fiche_grcf_bts_gpme.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466202/; classtype:trojan-activity;sid:84329302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466193)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/77724997403.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466193/; classtype:trojan-activity;sid:84329293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/xinunivigaxelifujukedo.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466181/; classtype:trojan-activity;sid:84329281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/pidipaxiworoguvosifap.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466182/; classtype:trojan-activity;sid:84329282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rent_receipt_format_in_ms_word.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466183/; classtype:trojan-activity;sid:84329283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466184)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nipipuk.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466184/; classtype:trojan-activity;sid:84329284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/081e0348-3bf0-4a3e-a723-749adc1aa630/downloads/67271829455.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466185/; classtype:trojan-activity;sid:84329285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/57390845107.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466186/; classtype:trojan-activity;sid:84329286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/45659404876.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466187/; classtype:trojan-activity;sid:84329287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466189)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/80200009732.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466189/; classtype:trojan-activity;sid:84329289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3a657e0c-a872-4028-94b8-811aea249c49/downloads/shl_general_ability_test_answers_reddit.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466190/; classtype:trojan-activity;sid:84329290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06823f9b-45c4-43cb-a44f-1f9f645cebcf/downloads/32406777299.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466175/; classtype:trojan-activity;sid:84329275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/7694747911.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466177/; classtype:trojan-activity;sid:84329277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466178)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/danokubiwen.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466178/; classtype:trojan-activity;sid:84329278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/xibuvajuxaluvotom.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466179/; classtype:trojan-activity;sid:84329279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a0c7596-8583-4967-abed-67d8d1ffd610/downloads/8393439781.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466180/; classtype:trojan-activity;sid:84329280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/redoripedigi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466170/; classtype:trojan-activity;sid:84329270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466172)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/how_to_cancel_print_job_on_zebra_gk420d.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466172/; classtype:trojan-activity;sid:84329272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b83dcfc0-bbe6-4498-b356-e365ec2ed396/downloads/zofafiba.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466169/; classtype:trojan-activity;sid:84329269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37e9011-77af-43eb-9e7b-dd6853450512/downloads/les_jours_de_la_semaine_exercices.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466161/; classtype:trojan-activity;sid:84329261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/90213521835.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466162/; classtype:trojan-activity;sid:84329262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466154)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/28725733968.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466154/; classtype:trojan-activity;sid:84329254; rev:1;)
# Reviewer notes for the rules in this span. They are laid out one rule per line; the
# fragment above closes a rule that begins before this span, and the final line opens a
# rule that continues after it.
# - What each rule matches: an established client-to-server HTTP request from $HOME_NET to
#   $EXTERNAL_NET whose method buffer contains "GET", whose http.uri is exactly the listed
#   path (depth equals the content length, combined with endswith and nocase), and whose
#   http.host is exactly img1.wsimg.com (depth:14 plus isdataat:!1,relative).
# - Protocol coverage: `alert http` only fires on HTTP that the sensor can parse. The same
#   download fetched over TLS is not seen by these rules unless traffic is decrypted before
#   it reaches Suricata, so absence of alerts is not evidence that no host fetched the file.
# - Exact-URI scope: because the URI content is anchored at both ends, a hit means this one
#   path was requested. Pair with file-hash or endpoint telemetry for broader coverage.
# - Host context: every rule here keys on the same hostname with a different file path, and
#   several /blobby/go/<uuid>/ prefixes recur (for example d37a9b24-... and 7c4463e3-...).
#   Presumably each prefix is one uploader's storage area on a shared content host - confirm
#   before grouping alerts or making host-level block decisions on that basis.
# - Age: all rules carry metadata:created_at 2025_03_05. Check the referenced URLhaus entry
#   for the URL's current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7aa15cc-b2d1-4fef-8a47-8d7810090a9c/downloads/jenuwegipujodunoj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466149/; classtype:trojan-activity;sid:84329249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/dowuvibatekijutajuvavu.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466151/; classtype:trojan-activity;sid:84329251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/14196656823.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466152/; classtype:trojan-activity;sid:84329252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/44a9091e-2134-47ec-8037-250483142ad3/downloads/kenmore_elite_665.12783_k311_service_manual.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466153/; classtype:trojan-activity;sid:84329253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/50362295282.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466144/; classtype:trojan-activity;sid:84329244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/navy_uic_code_list.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466145/; classtype:trojan-activity;sid:84329245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f2acd38-413e-47a5-ac42-d6305581bfab/downloads/logerafanekox.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466147/; classtype:trojan-activity;sid:84329247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/zakojamoderuvovu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466140/; classtype:trojan-activity;sid:84329240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b2a026b5-555a-437c-867f-3969f62b48d7/downloads/successfactors_recruiting_implementation_guide.pdf"; depth:108; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466133/; classtype:trojan-activity;sid:84329233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/97474238027.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466134/; classtype:trojan-activity;sid:84329234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ddcbbbab-f8a6-4067-a450-a2f971a66e79/downloads/daikin_ac_remote_control_guide.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466135/; classtype:trojan-activity;sid:84329235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/lebuk.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466138/; classtype:trojan-activity;sid:84329238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/71642361311.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466139/; classtype:trojan-activity;sid:84329239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kumujadirifokekikivexe.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466128/; classtype:trojan-activity;sid:84329228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/2818265442.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466130/; classtype:trojan-activity;sid:84329230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e262bb3c-3205-4bb6-954b-f565479d59e0/downloads/examenes_psicometricos_pruebas_psicometricas_gratis_para_imp.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466132/; classtype:trojan-activity;sid:84329232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4252a31f-7a57-4ac8-a31e-ee71b2361194/downloads/61162239689.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466122/; classtype:trojan-activity;sid:84329222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/43b3ecff-25d4-4371-99a8-6df485cf4fd5/downloads/amoeba_sisters_classification_worksheet.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466125/; classtype:trojan-activity;sid:84329225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/fundamentals_of_power_supply_design_book.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466115/; classtype:trojan-activity;sid:84329215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/her_yonuyle_modern_almanca_dursun_zengin.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466116/; classtype:trojan-activity;sid:84329216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/15938565950.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466117/; classtype:trojan-activity;sid:84329217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5271715-d4c2-447f-bd8c-804dbc17722c/downloads/experience_certificate_format_for_quality_control_engineer.pdf"; depth:120; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466107/; classtype:trojan-activity;sid:84329207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1b7f80b5-fb34-497d-8072-447feb44da09/downloads/lewamagoromizesa.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466109/; classtype:trojan-activity;sid:84329209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/courier_declaration_format.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466110/; classtype:trojan-activity;sid:84329210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ruripumefenezalizaf.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466104/; classtype:trojan-activity;sid:84329204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/32a18e69-8d9d-488c-b50f-45023ca24343/downloads/87353354077.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466101/; classtype:trojan-activity;sid:84329201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/20305303180.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466092/; classtype:trojan-activity;sid:84329192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/kutapodisub.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466099/; classtype:trojan-activity;sid:84329199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0919b7e4-2541-44dd-b945-9d5e6d22eaf1/downloads/xibegakibojonabawaz.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466100/; classtype:trojan-activity;sid:84329200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/doxuwiponubagexotabos.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466083/; classtype:trojan-activity;sid:84329183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/54308720858.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466084/; classtype:trojan-activity;sid:84329184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/gomanelakog.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466085/; classtype:trojan-activity;sid:84329185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/nx_nastran_element_library_reference_manual.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466089/; classtype:trojan-activity;sid:84329189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/collibra_expert_i_certification_answers_sheet_download_2017.pdf"; depth:121; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466074/; classtype:trojan-activity;sid:84329174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4ec11559-69c0-4903-84a6-3240babfcfe7/downloads/lapagikevipewijumodoru.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466075/; classtype:trojan-activity;sid:84329175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1bfc168f-d0df-43cb-a73e-d0c80e42fe5c/downloads/formulaire_virement_international_banque_postale.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466076/; classtype:trojan-activity;sid:84329176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/96273346643.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466078/; classtype:trojan-activity;sid:84329178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1feaf4a2-3a85-48bd-b975-ab8d5bcee640/downloads/30816276176.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466079/; classtype:trojan-activity;sid:84329179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d8f5bd9b-2c75-4c1f-8d4d-84a7de1d3443/downloads/rent_brokerage_receipt_format_word.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466070/; classtype:trojan-activity;sid:84329170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8439ca10-a5ac-4299-aa09-54ab615a2090/downloads/bozagororaxurivir.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466071/; classtype:trojan-activity;sid:84329171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/54016191818.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466072/; classtype:trojan-activity;sid:84329172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f0d27cad-ce96-47a4-a6b6-d00149677212/downloads/87562723190.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466073/; classtype:trojan-activity;sid:84329173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/swot_analysis_for_poultry_farming.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466066/; classtype:trojan-activity;sid:84329166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/bosokoxa.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466067/; classtype:trojan-activity;sid:84329167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/69034861186.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466063/; classtype:trojan-activity;sid:84329163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/14962502915.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466065/; classtype:trojan-activity;sid:84329165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/42589334771.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466060/; classtype:trojan-activity;sid:84329160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/banksman_hand_signals.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466054/; classtype:trojan-activity;sid:84329154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6cdacb6d-7fbf-4d09-a986-56cdfa4edeb2/downloads/5985868832.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466055/; classtype:trojan-activity;sid:84329155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/voter_list_delhi_2018.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466056/; classtype:trojan-activity;sid:84329156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/99737319160.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466058/; classtype:trojan-activity;sid:84329158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1bfc168f-d0df-43cb-a73e-d0c80e42fe5c/downloads/71653623394.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466045/; classtype:trojan-activity;sid:84329145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/testing_and_commissioning_of_electrical_equipment.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466047/; classtype:trojan-activity;sid:84329147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ffc09a0-c9a4-4762-8145-43798f2fda71/downloads/back_to_work_from_maternity_leave_email.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466048/; classtype:trojan-activity;sid:84329148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/xepaxijaniwitofoxipoja.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466049/; classtype:trojan-activity;sid:84329149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/de43da9e-bc77-4e56-a909-0e72ba746cf9/downloads/electricity_bill_name_change_noc_format.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466051/; classtype:trojan-activity;sid:84329151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2ad58263-1b5c-4da7-bc4a-7b8f99e22218/downloads/formulaire_ordre_de_virement_banque_postale.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466052/; classtype:trojan-activity;sid:84329152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/76135669664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466053/; classtype:trojan-activity;sid:84329153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/23ec0b56-0ae7-4e41-8565-08e517b0b386/downloads/gatamalepuberik.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466039/; classtype:trojan-activity;sid:84329139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/97106569323.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466040/; classtype:trojan-activity;sid:84329140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e3d230e-4918-4f4b-8a10-8ee933aabcaf/downloads/99772344048.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466041/; classtype:trojan-activity;sid:84329141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/wapurexep.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466037/; classtype:trojan-activity;sid:84329137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/19668bf7-0111-4cbb-8050-06562ac08bba/downloads/steps_to_create_template_instance_in_tosca.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466032/; classtype:trojan-activity;sid:84329132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/bidoxefemoduxunirez.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466033/; classtype:trojan-activity;sid:84329133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/88817028453.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466034/; classtype:trojan-activity;sid:84329134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/job_work_challan_format_in_excel.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466027/; classtype:trojan-activity;sid:84329127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34794329-fa5b-49f8-8f60-fb0720b1e556/downloads/14476765670.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466028/; classtype:trojan-activity;sid:84329128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/resignation_letter_template_family_reasons.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466015/; classtype:trojan-activity;sid:84329115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8c16f145-4fc0-4af7-a4db-de4acd818fe4/downloads/14431999044.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466016/; classtype:trojan-activity;sid:84329116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/21303726077.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466017/; classtype:trojan-activity;sid:84329117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/minupawuferogu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466018/; classtype:trojan-activity;sid:84329118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b071d266-376f-40c9-bb70-11ca77d8051b/downloads/36008974689.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466020/; classtype:trojan-activity;sid:84329120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/60919645191.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466021/; classtype:trojan-activity;sid:84329121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/424b0398-579a-4717-a17a-ffb972bf5819/downloads/audit_professional_clearance_letter_template.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466022/; classtype:trojan-activity;sid:84329122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/30072850819.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466023/; classtype:trojan-activity;sid:84329123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/75213021290.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466024/; classtype:trojan-activity;sid:84329124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/law-making_process_in_zimbabwe.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466025/; classtype:trojan-activity;sid:84329125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/363b8b8c-bdd6-4ad7-ac6c-ba65cd60171b/downloads/abaqus_user_subroutine_reference_guide.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466011/; classtype:trojan-activity;sid:84329111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/85845004614.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466014/; classtype:trojan-activity;sid:84329114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/genuwafazapibiwinowafal.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466005/; classtype:trojan-activity;sid:84329105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/20322886839.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466006/; classtype:trojan-activity;sid:84329106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/gagibipawuzepakan.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466008/; classtype:trojan-activity;sid:84329108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/sample_authorization_letter_to_get_psa_marriage_certificate.pdf"; depth:121; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466002/; classtype:trojan-activity;sid:84329102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465993)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/8517821794.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465993/; classtype:trojan-activity;sid:84329093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/padanad.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465994/; classtype:trojan-activity;sid:84329094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9971747c-d991-46ae-b932-5ba73958e604/downloads/fojajexuretimototatoles.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465995/; classtype:trojan-activity;sid:84329095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mosodekasaxozebopajebibe.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465996/; classtype:trojan-activity;sid:84329096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465997)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/6be9a470-c465-4776-ab76-53713c51537a/downloads/30164245456.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465997/; classtype:trojan-activity;sid:84329097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f264223f-22e7-47f1-947d-9e365a75e217/downloads/96358679127.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465999/; classtype:trojan-activity;sid:84329099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f65856df-6ee2-426f-901a-fbcb5106e767/downloads/22057173676.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466000/; classtype:trojan-activity;sid:84329100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/butterfly_roof_construction_detail.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465984/; classtype:trojan-activity;sid:84329084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465985)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/baxejatoxenidomixidedax.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465985/; classtype:trojan-activity;sid:84329085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/17465496427.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465986/; classtype:trojan-activity;sid:84329086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/zabefenakozevopesomewazi.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465989/; classtype:trojan-activity;sid:84329089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48283c5b-b198-4860-9bf9-7f30a2f8146b/downloads/zoromipubadijivonexon.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465990/; classtype:trojan-activity;sid:84329090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465991)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/8df58291-e0db-425a-9cda-a9882386ada6/downloads/jaladimurefasetuzukiwaxit.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465991/; classtype:trojan-activity;sid:84329091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/wofalobomosotanavuze.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465992/; classtype:trojan-activity;sid:84329092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0d21a9d5-01df-4a9e-9327-883996b2f71d/downloads/ansi_electrical_symbols_standards.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465980/; classtype:trojan-activity;sid:84329080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a435afa7-bc93-481f-8a35-ce503cc8a972/downloads/sri_rudram_namakam_chamakam_tamil.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465974/; classtype:trojan-activity;sid:84329074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465975)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/tumiwujuluxuwaxi.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465975/; classtype:trojan-activity;sid:84329075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/denutetoraditut.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465977/; classtype:trojan-activity;sid:84329077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9569c183-65dc-4f14-a45e-e7944584cb65/downloads/bifidetogatovotuwideki.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465961/; classtype:trojan-activity;sid:84329061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/baroque_guitar_tab.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465962/; classtype:trojan-activity;sid:84329062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465963)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7f34267e-2563-449a-82e3-60f19988c45d/downloads/lic_jeevan_saral_plan_165_chart.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465963/; classtype:trojan-activity;sid:84329063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/69187265192.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465965/; classtype:trojan-activity;sid:84329065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d551812a-3c47-48f1-bc1d-3ac42c3f246c/downloads/rigumudusogepivana.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465968/; classtype:trojan-activity;sid:84329068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/5528845131.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465969/; classtype:trojan-activity;sid:84329069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465971)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/74129229699.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465971/; classtype:trojan-activity;sid:84329071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/cancionero_catolico_jesed.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465972/; classtype:trojan-activity;sid:84329072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a3b63b5-3e6a-48ac-8e49-14ed0037cbc4/downloads/historietas_del_medio_ambiente_largas.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465957/; classtype:trojan-activity;sid:84329057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/62049175170.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465955/; classtype:trojan-activity;sid:84329055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465949)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/10908647555.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465949/; classtype:trojan-activity;sid:84329049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/maxabamuxixotabevifutiw.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465951/; classtype:trojan-activity;sid:84329051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/downgrade_oracle_database_from_19c_to_11g.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465953/; classtype:trojan-activity;sid:84329053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ba9b549d-a804-4d13-a818-3c55b3524acd/downloads/75189909272.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465942/; classtype:trojan-activity;sid:84329042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465945)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/individual_development_plan_powerpoint_template.pdf"; depth:109; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465945/; classtype:trojan-activity;sid:84329045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/64954946228.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465946/; classtype:trojan-activity;sid:84329046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/bapozujipo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465939/; classtype:trojan-activity;sid:84329039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4872c6d8-aa46-4e32-b809-43d741337793/downloads/74841624584.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465931/; classtype:trojan-activity;sid:84329031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465932)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3a90d4c9-f215-49ec-8178-8e50febf5250/downloads/tedutogonisijetinikiw.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465932/; classtype:trojan-activity;sid:84329032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/wipofuta.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465933/; classtype:trojan-activity;sid:84329033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4cb1e8a7-0f1a-4c3a-ae4d-65ac09f78b80/downloads/fenekipejivatoxeni.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465935/; classtype:trojan-activity;sid:84329035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/wolarodipuxusisug.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465937/; classtype:trojan-activity;sid:84329037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465938)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c3be0091-4534-4191-a72e-570acc745d3e/downloads/attestation_de_prise_en_charge_tlscontact.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465938/; classtype:trojan-activity;sid:84329038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa4295b9-8c98-4187-bbf8-91c9d7ce5f9e/downloads/89606848887.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465924/; classtype:trojan-activity;sid:84329024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/44d0963d-ba71-4620-abdb-e3c6631b392b/downloads/balance_confirmation_letter_format_in_word.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465926/; classtype:trojan-activity;sid:84329026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/rollo_tomassi_the_rational_male_turkce.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465912/; classtype:trojan-activity;sid:84329012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465914)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/800bda9c-ed1b-45a1-a7d5-702e4e14f980/downloads/pmp_42_processes_chart.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465914/; classtype:trojan-activity;sid:84329014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/86917927693.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465915/; classtype:trojan-activity;sid:84329015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/methodologie_du_commentaire_compose_francais.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465916/; classtype:trojan-activity;sid:84329016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/gauss_elimination_method_example_with_solution.pdf"; depth:108; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465919/; classtype:trojan-activity;sid:84329019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465910)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5f03ee03-a319-4a1e-a052-a99710c59365/downloads/bujulodipesotixugakujup.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465910/; classtype:trojan-activity;sid:84329010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/hsbc_bank_statement.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465906/; classtype:trojan-activity;sid:84329006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/94e1955e-c7d2-4e11-a6ac-7a5ec652d6cd/downloads/suzuki_dt4_owners_manual.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465909/; classtype:trojan-activity;sid:84329009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8f5eeb54-04ec-4a30-bb55-41e413d1f3ed/downloads/open_pit_mine_planning_and_design.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465903/; classtype:trojan-activity;sid:84329003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465904)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ceb9a026-f6c4-4e26-a968-d8e0e8d06aaa/downloads/tevedowopalugafaxoro.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465904/; classtype:trojan-activity;sid:84329004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/adb32098-1c7a-4519-9e53-ced990fc5d88/downloads/kuniwuzujujurejovewo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465905/; classtype:trojan-activity;sid:84329005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/76236294804.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465896/; classtype:trojan-activity;sid:84328996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ab86f22-a419-4e4f-91d4-5a654823f744/downloads/pamolitix.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465897/; classtype:trojan-activity;sid:84328997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465898)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/697088a1-6c9a-496e-9a4d-922308cd97be/downloads/42508658220.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465898/; classtype:trojan-activity;sid:84328998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sotax_at_xtend_user_manual.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465885/; classtype:trojan-activity;sid:84328985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5d8bfe2e-b91e-431f-9bdc-3f0ea97e388e/downloads/wovivesapo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465886/; classtype:trojan-activity;sid:84328986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/sample_consent_letter_from_husband_for_wife_to_travel.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465888/; classtype:trojan-activity;sid:84328988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465889)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/formulaire_renouvellement_titre_de_sejour_yvelines.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465889/; classtype:trojan-activity;sid:84328989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/71d9f42f-0bad-4406-8a48-95c698e57e68/downloads/98599689697.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465891/; classtype:trojan-activity;sid:84328991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/92007305293.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465892/; classtype:trojan-activity;sid:84328992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d07e2353-3643-42fe-ba11-ffa772b1a28d/downloads/duff_phelps_size_premium.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465893/; classtype:trojan-activity;sid:84328993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465881)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/9213334f-b8c6-41b2-903d-dc8cc5791a0a/downloads/49429599069.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465881/; classtype:trojan-activity;sid:84328981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/22187922858.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465882/; classtype:trojan-activity;sid:84328982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5e97205-d745-471d-94c2-4bc94f943a29/downloads/nafexasu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465876/; classtype:trojan-activity;sid:84328976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/99401481523.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465878/; classtype:trojan-activity;sid:84328978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465879)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/harry_potter_ea_camara_secreta_ilustrado.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465879/; classtype:trojan-activity;sid:84328979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/800cff82-04ba-4c47-9f8b-d21367acb04d/downloads/all_gujarati_magazine.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465870/; classtype:trojan-activity;sid:84328970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/34103705134.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465871/; classtype:trojan-activity;sid:84328971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9a32841c-0d54-4ad0-8acd-a5b15c41cae1/downloads/nagpur_metro_phase_2_dpr.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465872/; classtype:trojan-activity;sid:84328972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465873)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/99406712648.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465873/; classtype:trojan-activity;sid:84328973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96d7062c-715f-4c9e-82c2-ac322bf04d1a/downloads/fawafep.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465874/; classtype:trojan-activity;sid:84328974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/51e053ea-8122-46e3-bee6-6c00a935619c/downloads/28185631859.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465875/; classtype:trojan-activity;sid:84328975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/renamotoxuxesike.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465865/; classtype:trojan-activity;sid:84328965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465866)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/wixutazavadupiruzani.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465866/; classtype:trojan-activity;sid:84328966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/vixodamev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465864/; classtype:trojan-activity;sid:84328964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pulse_secure_network_error_1329.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465852/; classtype:trojan-activity;sid:84328952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8fc62093-f93e-447d-8e21-b1e235f4d9cc/downloads/cibse_psychrometric_chart.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465853/; classtype:trojan-activity;sid:84328953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465857)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/citrix_adc_vpx_datasheet.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465857/; classtype:trojan-activity;sid:84328957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cac64821-2205-4248-abd9-55e775312c94/downloads/rosigamosusen.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465847/; classtype:trojan-activity;sid:84328947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/fosofiboma.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465848/; classtype:trojan-activity;sid:84328948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/600b6853-9b14-40c4-b9d1-c0a10f9ad1eb/downloads/mathematics_core_topics_sl.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465850/; classtype:trojan-activity;sid:84328950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465843)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/6e0acf5f-e652-447e-8a3a-90dcb81c48ee/downloads/loan_cancellation_letter.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465843/; classtype:trojan-activity;sid:84328943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98fd26ea-5c50-4ebf-945e-7ed158ebe1b6/downloads/workplace_printable_hurt_feelings_report.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465844/; classtype:trojan-activity;sid:84328944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/zalekebi.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465845/; classtype:trojan-activity;sid:84328945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/58616986475.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465833/; classtype:trojan-activity;sid:84328933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465835)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/one_of_us_is_lying_character_quotes.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465835/; classtype:trojan-activity;sid:84328935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0e65d320-97ed-47cb-9ca0-bcd7400824c9/downloads/jewuzikilodejosowar.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465839/; classtype:trojan-activity;sid:84328939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72fc6eb8-20de-4439-bced-6bfc7eecaa8e/downloads/bogev.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465825/; classtype:trojan-activity;sid:84328925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/58b13a51-176b-4b7e-ab1e-a0c84e7a5487/downloads/currency_market_mechanics_bmc_answers.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465826/; classtype:trojan-activity;sid:84328926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465827)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/018aefd4-3541-4598-a5c3-d0911ca60a82/downloads/asce_7-05_espanol_gratis.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465827/; classtype:trojan-activity;sid:84328927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tifunakarexefeguwitoda.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465828/; classtype:trojan-activity;sid:84328928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06a2cc2e-f4bb-4ca4-a0d9-71e2fc8b7812/downloads/molaxoxekex.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465829/; classtype:trojan-activity;sid:84328929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/iata_airport_handling_manual_2019_full.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465830/; classtype:trojan-activity;sid:84328930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465831)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c1bf3ae2-f6cc-4078-b639-2ff1ca0b62be/downloads/1172286111.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465831/; classtype:trojan-activity;sid:84328931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/euchre_score_sheets_for_16_players.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465832/; classtype:trojan-activity;sid:84328932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dungeon_crawl_classics.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465820/; classtype:trojan-activity;sid:84328920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/69904656893.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465804/; classtype:trojan-activity;sid:84328904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465806)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/emmaus_walk_letters_of_encouragement.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465806/; classtype:trojan-activity;sid:84328906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fc635392-61de-40bc-86f0-c9844fcf30fd/downloads/gramatica_portugues_brasil.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465809/; classtype:trojan-activity;sid:84328909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/647bfca3-c5f6-48a0-9ec3-35afde17c6e3/downloads/gamokul.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465814/; classtype:trojan-activity;sid:84328914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa284320-69aa-45db-92e2-86468d4beaf0/downloads/53174458267.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465815/; classtype:trojan-activity;sid:84328915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465795)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/nike_employee_benefits.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465795/; classtype:trojan-activity;sid:84328895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/97767745983.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465798/; classtype:trojan-activity;sid:84328898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/country_of_origin_letter_template.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465799/; classtype:trojan-activity;sid:84328899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/39834772333.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465802/; classtype:trojan-activity;sid:84328902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465790)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rofaruzev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465790/; classtype:trojan-activity;sid:84328890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/verismo_701_service_manual.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465791/; classtype:trojan-activity;sid:84328891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rodudiniruzawame.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465792/; classtype:trojan-activity;sid:84328892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3c8f7a45-f68c-4369-8f63-be6429599400/downloads/butulanimirovubeve.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465785/; classtype:trojan-activity;sid:84328885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465786)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c725aa89-ce3b-4b0b-861e-e7c40702153d/downloads/gisewonivikamadoliwozuv.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465786/; classtype:trojan-activity;sid:84328886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d1335ae9-6401-4997-a89d-ffce5d766eb7/downloads/44332900662.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465787/; classtype:trojan-activity;sid:84328887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/nagano_keiki_km10.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465779/; classtype:trojan-activity;sid:84328879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/76488986948.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465781/; classtype:trojan-activity;sid:84328881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465782)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ac62f849-5623-435a-93ad-86e4d8edc83e/downloads/90625111849.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465782/; classtype:trojan-activity;sid:84328882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/72445144906.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465772/; classtype:trojan-activity;sid:84328872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0e65d320-97ed-47cb-9ca0-bcd7400824c9/downloads/wrightbus_streetlite_manual.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465773/; classtype:trojan-activity;sid:84328873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/waste_management_in_dubai.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465776/; classtype:trojan-activity;sid:84328876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465777)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/chevening_scholarship_reference_letter_sample.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465777/; classtype:trojan-activity;sid:84328877; rev:1;)
# Reviewer notes for the img1.wsimg.com entries in this stretch (all carry created_at 2025_03_05).
# Match logic: each rule needs an established client-to-server HTTP flow from $HOME_NET to $EXTERNAL_NET,
#   method GET, and a request URI equal to the listed path: depth is set to the length of the path and
#   endswith anchors the other end, so the path must fill the whole http.uri buffer; nocase makes the
#   comparison case-insensitive. http.host must be exactly "img1.wsimg.com": depth:14 is the length of
#   that name and isdataat:!1,relative rejects anything after it.
# Triage: the alert is raised on the request (flow:established,from_client), so it records an attempted
#   fetch. Check the HTTP response and any extracted file before treating it as a delivered payload.
# Coverage: these are "alert http" rules and only see HTTP that Suricata can parse in cleartext; the same
#   URL requested over TLS is not matched unless the traffic is decrypted upstream.
# Scope: every rule here shares one hostname and differs only in the /blobby/go/<uuid>/downloads/<file>.pdf
#   path, so the full-URI match carries the signal. NOTE(review): the hostname looks like shared hosting;
#   presumably a host-wide block derived from these entries would be overbroad. Confirm before deriving one.
# Age: the ruleset header reads "Last updated: 2026-04-27" while these entries date from 2025_03_05; check
#   the current status on the referenced urlhaus.abuse.ch/url/<id>/ page when one of them fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/14409296375.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465778/; classtype:trojan-activity;sid:84328878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d128fcda-7fcc-4d89-85b3-e79c54d4414e/downloads/unit_conversion_practice_problems.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465766/; classtype:trojan-activity;sid:84328866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/11197801286.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465768/; classtype:trojan-activity;sid:84328868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/50ab7773-f1d2-4be6-a8e2-1065b2477787/downloads/41229957036.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465769/; classtype:trojan-activity;sid:84328869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/950f7924-fa6b-44be-bda3-22eaf526f43f/downloads/konujidav.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465771/; classtype:trojan-activity;sid:84328871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/burijuterapudupelirebi.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465760/; classtype:trojan-activity;sid:84328860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a85f54ee-11f7-4ab3-9970-dabd8f52d583/downloads/vowivovabafases.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465761/; classtype:trojan-activity;sid:84328861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/acb19439-02ad-48ae-a6e4-8c3bfce04694/downloads/32470708569.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465762/; classtype:trojan-activity;sid:84328862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/xikesoxabafubuwepof.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465763/; classtype:trojan-activity;sid:84328863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/2251478862.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465764/; classtype:trojan-activity;sid:84328864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9d0d7648-4006-4e9a-bf4e-cd4f5c534844/downloads/socomec_ups_service_manual.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465765/; classtype:trojan-activity;sid:84328865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/6098867423.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465757/; classtype:trojan-activity;sid:84328857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2b383d2d-2b5a-4b4f-949f-124c21f71183/downloads/how_to_write_an_introduction_letter_to_an_embassy.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465758/; classtype:trojan-activity;sid:84328858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41780010-2245-4f59-96ea-abe2bb04704f/downloads/38265042738.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465755/; classtype:trojan-activity;sid:84328855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/183feb73-c001-4172-a9c4-8aedcbb9c085/downloads/nosasasoxanuxoxazefuz.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465747/; classtype:trojan-activity;sid:84328847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/gibekewelodi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465749/; classtype:trojan-activity;sid:84328849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/16395777837.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465752/; classtype:trojan-activity;sid:84328852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/jspdf_autotable_x_position.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465753/; classtype:trojan-activity;sid:84328853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a0b0ee5f-47ab-407d-8f2e-b86a71eb1b80/downloads/cerere_demisie_fara_preaviz.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465739/; classtype:trojan-activity;sid:84328839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0fde6049-38a2-402e-8604-5a56fc977486/downloads/request_letter_for_construction_bond_refund.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465740/; classtype:trojan-activity;sid:84328840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdd5ea6e-1f6b-4417-9fad-928f6d1c8a68/downloads/50_verbes_irreguliers_en_anglais.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465741/; classtype:trojan-activity;sid:84328841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a69ed85-566a-4d22-8bd3-47a8a314b3bf/downloads/molecular_mass_of_elements_list.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465742/; classtype:trojan-activity;sid:84328842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/69278806631.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465744/; classtype:trojan-activity;sid:84328844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/nonisenokedevesuxumuk.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465735/; classtype:trojan-activity;sid:84328835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/mesoduwegotujowokikurixo.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465729/; classtype:trojan-activity;sid:84328829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2b383d2d-2b5a-4b4f-949f-124c21f71183/downloads/how_to_fill_up_deed_of_sale_of_motor_vehicle.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465731/; classtype:trojan-activity;sid:84328831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/33d2c907-2bf6-4426-875f-30dcfdd2ea6c/downloads/takeshi_amemiya_advanced_econometrics.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465724/; classtype:trojan-activity;sid:84328824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/paxakuvenu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465725/; classtype:trojan-activity;sid:84328825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/51d0d552-51a2-4187-835e-597cbad426c9/downloads/astm_e2500.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465715/; classtype:trojan-activity;sid:84328815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/16407212514.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465716/; classtype:trojan-activity;sid:84328816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2215a6c-0436-4d82-8033-c5d079398259/downloads/mewivisonixapolivifit.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465717/; classtype:trojan-activity;sid:84328817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5778216d-14df-4dd7-ac4c-aefbb7c07c24/downloads/kugaduvekujewotaz.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465718/; classtype:trojan-activity;sid:84328818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tafanavevimewom.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465719/; classtype:trojan-activity;sid:84328819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/lemowegigusazisalelupo.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465721/; classtype:trojan-activity;sid:84328821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5add4dbc-ec7d-4010-9077-0d95eef82ba1/downloads/64293794102.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465722/; classtype:trojan-activity;sid:84328822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a7c970be-6487-407b-ae67-0318aa6bed96/downloads/19932307165.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465723/; classtype:trojan-activity;sid:84328823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/lowasa.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465709/; classtype:trojan-activity;sid:84328809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8014aeaa-17b8-4bcd-a9d7-094ad1ff7644/downloads/19999334835.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465710/; classtype:trojan-activity;sid:84328810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/921a43a6-1495-4d95-bdb1-69b79162b826/downloads/13397059696.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465711/; classtype:trojan-activity;sid:84328811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b3cb2fd2-80cf-4497-9966-46f7699e136d/downloads/kovajive.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465714/; classtype:trojan-activity;sid:84328814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/49bbfdeb-576f-4f20-b756-96ff9c705013/downloads/96422280236.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465707/; classtype:trojan-activity;sid:84328807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/imo_dangerous_goods_declaration_example.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465708/; classtype:trojan-activity;sid:84328808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/88847399269.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465703/; classtype:trojan-activity;sid:84328803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdb9e382-acbe-48dd-9722-c531572d81a1/downloads/pugalisamelifakebage.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465704/; classtype:trojan-activity;sid:84328804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/89463890604.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465697/; classtype:trojan-activity;sid:84328797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/lotumajufinunixine.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465699/; classtype:trojan-activity;sid:84328799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d9951c46-77aa-4ac5-b843-be02d4be2067/downloads/50826134191.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465701/; classtype:trojan-activity;sid:84328801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kasupobuwomubafujos.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465702/; classtype:trojan-activity;sid:84328802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/jotepebuzixulelomizo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465691/; classtype:trojan-activity;sid:84328791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e51c42a2-48a1-43ea-b124-a034de3679a6/downloads/83320615193.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465692/; classtype:trojan-activity;sid:84328792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/78c14b69-39ed-4d94-8d63-a7b29776e43c/downloads/radix_temperature_controller_x_48_manual.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465693/; classtype:trojan-activity;sid:84328793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/24a9af23-a9c8-45b6-80f8-335651f17510/downloads/96094090900.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465694/; classtype:trojan-activity;sid:84328794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/22a15b49-22b8-4edf-a855-4e76194b4aaf/downloads/97812412729.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465695/; classtype:trojan-activity;sid:84328795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/lizaputasu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465685/; classtype:trojan-activity;sid:84328785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/boxikijefedajexufesibul.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465679/; classtype:trojan-activity;sid:84328779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/11012613986.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465680/; classtype:trojan-activity;sid:84328780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/bucharest_grill_nutrition_information.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465682/; classtype:trojan-activity;sid:84328782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3844a76d-a274-4a3a-ad7f-2943a29e37b3/downloads/lezopidigusaraten.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465683/; classtype:trojan-activity;sid:84328783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e9dc005a-39e6-474d-bf2f-ef67b812a261/downloads/guia_para_ingresar_al_bachillerato_conamat.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465675/; classtype:trojan-activity;sid:84328775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/robaziromumeborumapix.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465678/; classtype:trojan-activity;sid:84328778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/52e9408f-c536-4a35-bd81-6078a5dce549/downloads/5252998215.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465671/; classtype:trojan-activity;sid:84328771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/36758652154.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465672/; classtype:trojan-activity;sid:84328772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/73577237968.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465673/; classtype:trojan-activity;sid:84328773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/louison_et_monsieur_moliere_resume.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465657/; classtype:trojan-activity;sid:84328757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a03fd264-622c-49da-819e-92c49cdd5e2b/downloads/xovifubakuforij.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465660/; classtype:trojan-activity;sid:84328760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rupesiduvunimekesozo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465663/; classtype:trojan-activity;sid:84328763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/special_forces_knife_techniques.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465664/; classtype:trojan-activity;sid:84328764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/90645579432.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465665/; classtype:trojan-activity;sid:84328765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/6130931006.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465666/; classtype:trojan-activity;sid:84328766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0319bbe-78e1-4446-90fc-2b4b4cc85a3e/downloads/camp_green_lake.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465667/; classtype:trojan-activity;sid:84328767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/478a916a-56a8-445d-9eb0-b1a280ba537b/downloads/27628335796.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465668/; classtype:trojan-activity;sid:84328768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/eating_questionnaire-_a_ede-a_scoring.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465655/; classtype:trojan-activity;sid:84328755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/myer_victor_sewing_machine_manual.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465652/; classtype:trojan-activity;sid:84328752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/jorejujavupu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465647/; classtype:trojan-activity;sid:84328747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41fa09f3-79bd-43c0-909a-d1a20c3cb7f6/downloads/attestation_sur_l_honneur_de_non_ressources.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465648/; classtype:trojan-activity;sid:84328748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/eb7f2f0c-e896-4e47-abeb-a05a47b6dcff/downloads/37569138292.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465649/; classtype:trojan-activity;sid:84328749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/98482064700.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465630/; classtype:trojan-activity;sid:84328730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/83364999300.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465631/; classtype:trojan-activity;sid:84328731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/records_of_declaration_disbursements_division.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465632/; classtype:trojan-activity;sid:84328732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f6084bd9-50ce-4d5f-82c5-bb685cd57a0d/downloads/mdsap_audit_checklist.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465633/; classtype:trojan-activity;sid:84328733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/jaziz.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465635/; classtype:trojan-activity;sid:84328735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a74441e7-424c-4454-9bc5-28c3682f6c16/downloads/jupifevaperoziput.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465636/; classtype:trojan-activity;sid:84328736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f778edfd-e481-47d7-9553-9364d433dcaf/downloads/morningstar_andex_chart_2022.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465637/; classtype:trojan-activity;sid:84328737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465638)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/cabcb3ce-a861-487f-a172-56f4b47cbc63/downloads/nilefovidigutozezosanuz.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465638/; classtype:trojan-activity;sid:84328738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/39892598323.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465640/; classtype:trojan-activity;sid:84328740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/00810c7d-a901-42bd-b2e3-20945a4ad8cb/downloads/wimorawezabizu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465641/; classtype:trojan-activity;sid:84328741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/viduwe.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465642/; classtype:trojan-activity;sid:84328742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465643)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a1b48068-f219-4487-b633-0ea4f25dfa5f/downloads/57025089155.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465643/; classtype:trojan-activity;sid:84328743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/00490ec0-0f24-4e25-91e3-8e5bedec5e60/downloads/woxudinawonetunogidubi.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465625/; classtype:trojan-activity;sid:84328725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/16984198490.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465626/; classtype:trojan-activity;sid:84328726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/33bb6cfc-294d-4317-8afb-5d34ed60ffe6/downloads/20222176664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465622/; classtype:trojan-activity;sid:84328722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465618)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/72454635563.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465618/; classtype:trojan-activity;sid:84328718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pisaxafubavofi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465621/; classtype:trojan-activity;sid:84328721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/catastrophic_disaster_area_property_inspection_report.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465613/; classtype:trojan-activity;sid:84328713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/citadel_document_solutions_lawsuit.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465615/; classtype:trojan-activity;sid:84328715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465607)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/fumaxogufav.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465607/; classtype:trojan-activity;sid:84328707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/kigepobesewizijipakusafal.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465610/; classtype:trojan-activity;sid:84328710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tabuas_sumerias_traduzidas.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465600/; classtype:trojan-activity;sid:84328700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/17054728623.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465603/; classtype:trojan-activity;sid:84328703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465604)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/678cd2ef-32fa-4621-9c35-e4f34096b4ea/downloads/airbus_cml.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465604/; classtype:trojan-activity;sid:84328704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/3730146334.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465605/; classtype:trojan-activity;sid:84328705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/36770579775.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465606/; classtype:trojan-activity;sid:84328706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a0b0ee5f-47ab-407d-8f2e-b86a71eb1b80/downloads/luxodebapiruwuneragomugef.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465594/; classtype:trojan-activity;sid:84328694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465598)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/87554570559.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465598/; classtype:trojan-activity;sid:84328698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fff11fc4-91ee-4c26-ab94-6b71630d2bb1/downloads/resignation_letter_sample_for_bpo_company.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465599/; classtype:trojan-activity;sid:84328699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/84675915071.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465586/; classtype:trojan-activity;sid:84328686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/17a8127f-1a20-4f1c-a234-ba1b1a8873f5/downloads/90572854820.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465588/; classtype:trojan-activity;sid:84328688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465589)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/78534035283.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465589/; classtype:trojan-activity;sid:84328689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/wudofe.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465590/; classtype:trojan-activity;sid:84328690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/glassman_high_voltage_series_eq_manual.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465592/; classtype:trojan-activity;sid:84328692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/57653563602.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465593/; classtype:trojan-activity;sid:84328693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465585)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/343166b6-b38d-45a3-a768-806295759a1d/downloads/vatemunubiserotogurozem.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465585/; classtype:trojan-activity;sid:84328685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/simamutozudolejezeze.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465582/; classtype:trojan-activity;sid:84328682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a8a7b266-73df-492a-af50-f7d9f90e0e6d/downloads/salesforce_community_developer_guide.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465583/; classtype:trojan-activity;sid:84328683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/zepojekowokevi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465572/; classtype:trojan-activity;sid:84328672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465573)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/2cd8ef37-3f02-4d83-b132-5400b0b21173/downloads/can_sins_be_forgiven_in_hinduism.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465573/; classtype:trojan-activity;sid:84328673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9390f2de-e8f5-48e5-8f1b-3aa5affb2913/downloads/ra_to_surface_finish.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465574/; classtype:trojan-activity;sid:84328674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/holman_enterprises_annual_report.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465577/; classtype:trojan-activity;sid:84328677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/chiller_factory_acceptance_test_checklist_template.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465551/; classtype:trojan-activity;sid:84328651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465552)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/7913e2d4-0776-44f0-af91-53eb35e22f50/downloads/broken_sous_ta_peau_2_ekladata.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465552/; classtype:trojan-activity;sid:84328652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/lujipipatemajipurozurile.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465553/; classtype:trojan-activity;sid:84328653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/20a6346a-1701-43f8-be7d-6426912a09c2/downloads/sottoindicato_o_sotto_indicato_treccani.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465554/; classtype:trojan-activity;sid:84328654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62fde782-5483-4905-a6da-12e04ab1250b/downloads/38559734752.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465555/; classtype:trojan-activity;sid:84328655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465556)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/dfa50dfd-b675-4866-b542-d79684ac1045/downloads/28769720040.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465556/; classtype:trojan-activity;sid:84328656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/formato_st-4_imss_para_imprimir.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465557/; classtype:trojan-activity;sid:84328657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/adfd48e6-08dc-41dd-a2a1-45489e329c75/downloads/attestation_de_non_affiliation_cnas.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465558/; classtype:trojan-activity;sid:84328658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tosca_automation_specialist_level_2_certification_questions_.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465559/; classtype:trojan-activity;sid:84328659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465560)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/how_to_factory_reset_verifone_mx915.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465560/; classtype:trojan-activity;sid:84328660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5e489076-b026-43ca-95da-8c6fe49f6d00/downloads/frm_part_2_schweser_quicksheet.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465561/; classtype:trojan-activity;sid:84328661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/incucyte_s3_user_guide.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465562/; classtype:trojan-activity;sid:84328662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/lean_visual_management_board_examples.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465563/; classtype:trojan-activity;sid:84328663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3465564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/1567746722.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465564/; classtype:trojan-activity;sid:84328664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6875802-d83d-45fa-a01c-dd9f30c53739/downloads/xujudodavudejeb.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465565/; classtype:trojan-activity;sid:84328665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/situation_denonciation_coupe_ou_ancre_exercices_corriges.pdf"; depth:118; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465566/; classtype:trojan-activity;sid:84328666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/wikuzidip.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465567/; classtype:trojan-activity;sid:84328667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3465568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5e97205-d745-471d-94c2-4bc94f943a29/downloads/87185669225.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465568/; classtype:trojan-activity;sid:84328668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/likibixeve.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465569/; classtype:trojan-activity;sid:84328669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/exsilentia_4._0_user_guide.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465570/; classtype:trojan-activity;sid:84328670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/586b3ef6-c9db-4d1a-a9eb-303f942e21fa/downloads/55359157176.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465571/; classtype:trojan-activity;sid:84328671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465210)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kjjvh1muhjrkrzbajjlzjfawyi0zvxc1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_04; reference:url, urlhaus.abuse.ch/url/3465210/; classtype:trojan-activity;sid:84328310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3464706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/wupiao.3987.com.rar"; depth:25; endswith; nocase; http.host; content:"forspeed.onlinedown.net"; depth:23; isdataat:!1,relative; metadata:created_at 2025_03_03; reference:url, urlhaus.abuse.ch/url/3464706/; classtype:trojan-activity;sid:84327806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; endswith; nocase; http.host; content:"blessdayservices.org"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463509/; classtype:trojan-activity;sid:84326609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"admin.gestroom.it"; depth:17; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463480/; classtype:trojan-activity;sid:84326580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"test.peperoncinochepassione.it"; depth:30; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, 
urlhaus.abuse.ch/url/3463481/; classtype:trojan-activity;sid:84326581; rev:1;)
# Root-path rules: each rule in this run pins the request URI to exactly "/"
# (content:"/"; depth:1; endswith) and the Host header to one exact name
# (depth equal to the name's length, then isdataat:!1,relative so nothing may
# follow it). The signature therefore identifies the host, not a payload: any
# cleartext HTTP GET for that site's front page alerts, whatever is served at
# that moment. Bare and "www." names are separate rules with separate sids.
# NOTE(review): check the URLhaus reference for the current status of the
# listing before treating a hit as a confirmed malware download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"first-security-verden.de"; depth:24; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463482/; classtype:trojan-activity;sid:84326582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.first-security-verden.de"; depth:28; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463470/; classtype:trojan-activity;sid:84326570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"zamilgroups.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463472/; classtype:trojan-activity;sid:84326572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.website.mypetapp.co.za"; depth:26; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463459/; classtype:trojan-activity;sid:84326559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; 
content:"www.bratusferramentas.grupomoltz.com.br"; depth:39; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463446/; classtype:trojan-activity;sid:84326546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"website.mypetapp.co.za"; depth:22; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463437/; classtype:trojan-activity;sid:84326537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"bmdcompany.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463426/; classtype:trojan-activity;sid:84326526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.zamilgroups.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463430/; classtype:trojan-activity;sid:84326530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.test.peperoncinochepassione.it"; depth:34; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463422/; classtype:trojan-activity;sid:84326522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463367)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"82.146.62.232"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463367/; classtype:trojan-activity;sid:84326467; rev:1;)
# Duplicate match: the next rule (sid 84326464) has exactly the same match
# conditions as the rule ending on the line above (sid 84326467): GET "/" with
# Host 82.146.62.232. Only the URLhaus id, reference and sid differ, so one
# matching request raises two alerts. Count such hits per flow, not per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"82.146.62.232"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463364/; classtype:trojan-activity;sid:84325511; rev:1;)
# Exact-URI rules: depth equals the content length and endswith anchors the
# end, so the whole URI must equal the quoted path (compared case-insensitively
# because of nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3462411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl1001"; depth:7; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3462411/; classtype:trojan-activity;sid:84325511; rev:1;)
# The rules from here share Host 165.154.184.75 and the /new/ directory and
# differ only in file name (plugin1-3, .plg or .dll).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin2.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461771/; classtype:trojan-activity;sid:84324871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin1.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461769/; classtype:trojan-activity;sid:84324869; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin2.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461770/; classtype:trojan-activity;sid:84324870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin3.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461768/; classtype:trojan-activity;sid:84324868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin1.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461767/; classtype:trojan-activity;sid:84324867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin3.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461763/; classtype:trojan-activity;sid:84324863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robertdavidgraham/masscan/zip/refs/heads/master"; depth:48; endswith; nocase; http.host; 
content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461663/; classtype:trojan-activity;sid:84324763; rev:1;)
# Shared-platform rule: Host is github.com and the URI is the master-branch
# archive of a public repository (robertdavidgraham/masscan). A hit identifies
# a download of that archive, not a specific malicious file; triage by which
# internal host fetched it and why.
# NOTE(review): this is an `alert http` rule, so it only matches requests the
# sensor can parse as HTTP. A fetch made over TLS is not visible to it unless
# traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robertdavidgraham/masscan/archive/refs/heads/master.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461661/; classtype:trojan-activity;sid:84324761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3460149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.89.62.19"; depth:11; isdataat:!1,relative; metadata:created_at 2025_02_27; reference:url, urlhaus.abuse.ch/url/3460149/; classtype:trojan-activity;sid:84323249; rev:1;)
# Escaping check: in the URI content below, |3f| is the hex escape for "?".
# The sequence |7c|26|7c| decodes to the four literal bytes "|26|" (0x7c is the
# pipe character), not to "&" (0x26).
# NOTE(review): if the reported URL was /uc?export=download&id=..., this
# pattern cannot match it; it looks as if the "&" escape was escaped a second
# time when the rule was generated. Confirm against the URLhaus entry.
# depth:68 is the length of the escaped text; the decoded pattern is 59 bytes,
# so the start anchor is looser here than in the exact-length rules around it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3460000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uxmu02r04iaslsrsh9quahzfsvq3tozm"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_02_27; reference:url, urlhaus.abuse.ch/url/3460000/; classtype:trojan-activity;sid:84323100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3452200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.62.202.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_25; reference:url, urlhaus.abuse.ch/url/3452200/; classtype:trojan-activity;sid:84315300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3450176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/putty.exe"; depth:15; endswith; nocase; http.host; content:"book.rollingvideogames.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3450176/; classtype:trojan-activity;sid:84313276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3450147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loveryajenja/lwafmwoafmw11/raw/refs/heads/main/install.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3450147/; classtype:trojan-activity;sid:84313247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3449986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.248.26"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3449986/; classtype:trojan-activity;sid:84313086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.87.42.154"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447681/; classtype:trojan-activity;sid:84310781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laurenxss/36b18f37163aaa04654bd21e98d1b842/raw/dca82ba88fae8788a48ffb529f9610a0cc209781/x"; depth:90; endswith; nocase; 
http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447466/; classtype:trojan-activity;sid:84310566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sena1.png"; depth:10; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447458/; classtype:trojan-activity;sid:84310558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manga1.png"; depth:11; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447456/; classtype:trojan-activity;sid:84310556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/colheita1.png"; depth:14; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447457/; classtype:trojan-activity;sid:84310557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img001.exe"; depth:11; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446661/; 
classtype:trojan-activity;sid:84309761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446653/; classtype:trojan-activity;sid:84309753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446649/; classtype:trojan-activity;sid:84309749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"206.214.35.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446415/; classtype:trojan-activity;sid:84309515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3445854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coracion1.png"; depth:14; endswith; nocase; http.host; content:"vaamsmgfreocmroe-1342087530.cos.sa-saopaulo.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3445854/; classtype:trojan-activity;sid:84308954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3445431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/df4a3196-accc-423a-a43b-6768f1aafd3e.pdf"; 
depth:46; endswith; nocase; http.host; content:"hotelembuguacu.blob.core.windows.net"; depth:36; isdataat:!1,relative; metadata:created_at 2025_02_19; reference:url, urlhaus.abuse.ch/url/3445431/; classtype:trojan-activity;sid:84308531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3445438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/f6416fd0-71f3-45de-8c79-3d0e7281f124.pdf"; depth:46; endswith; nocase; http.host; content:"hotelembuguacu.blob.core.windows.net"; depth:36; isdataat:!1,relative; metadata:created_at 2025_02_19; reference:url, urlhaus.abuse.ch/url/3445438/; classtype:trojan-activity;sid:84308538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3444507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/refs/heads/main/d.msi"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_02_18; reference:url, urlhaus.abuse.ch/url/3444507/; classtype:trojan-activity;sid:84307607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3444267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/raw/refs/heads/main/d.msi"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_18; reference:url, urlhaus.abuse.ch/url/3444267/; classtype:trojan-activity;sid:84307367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"179.248.3.202.ll.sta.mana.pf"; depth:28; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, 
urlhaus.abuse.ch/url/3443355/; classtype:trojan-activity;sid:84306455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.248.3.202.ll.sta.mana.pf"; depth:28; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443354/; classtype:trojan-activity;sid:84306454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99-118-215-24.lightspeed.irvnca.sbcglobal.net"; depth:45; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443353/; classtype:trojan-activity;sid:84306453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"host-95-230-215-65.business.telecomitalia.it"; depth:44; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443350/; classtype:trojan-activity;sid:84306450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"172.250.238.27"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443193/; classtype:trojan-activity;sid:84306293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442712)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/output0/client/cabalmain.exe"; depth:29; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442712/; classtype:trojan-activity;sid:84305812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output0/client/cabal.exe"; depth:25; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442701/; classtype:trojan-activity;sid:84305801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output/client/cabalmain.exe"; depth:28; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442616/; classtype:trojan-activity;sid:84305716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.apk"; depth:10; endswith; nocase; http.host; content:"103.146.202.41"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442233/; classtype:trojan-activity;sid:84305333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxxx"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442198/; classtype:trojan-activity;sid:84305298; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffff"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442196/; classtype:trojan-activity;sid:84305296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdf"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442197/; classtype:trojan-activity;sid:84305297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/libmod_hellocpp_42.so"; depth:22; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442195/; classtype:trojan-activity;sid:84305295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.122.229"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3441890/; classtype:trojan-activity;sid:84304990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.200.25.54"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, 
urlhaus.abuse.ch/url/3441868/; classtype:trojan-activity;sid:84304968; rev:1;)
# Exact-match download rules: the URI must equal the quoted path (depth equal
# to its length, plus endswith) and the Host must equal the quoted address
# (depth plus isdataat:!1,relative). flow:established,from_client limits the
# match to client requests on an established flow from $HOME_NET, so an alert
# means an internal host asked for the file; it does not show that the file
# was delivered or executed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output/client/cabal.exe"; depth:24; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3441724/; classtype:trojan-activity;sid:84304824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.168.9.189"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440185/; classtype:trojan-activity;sid:84303285; rev:1;)
# Duplicate match: the next two rules (sid 84301691 and sid 84301694) have
# identical match conditions, GET /sshd with Host 80.11.36.4, and differ only
# in URLhaus id, reference and sid. One matching request raises both alerts,
# so count these hits per flow rather than per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438591/; classtype:trojan-activity;sid:84301691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438594/; classtype:trojan-activity;sid:84301694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.9.25.206"; 
depth:11; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438572/; classtype:trojan-activity;sid:84301672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/adonis/pure_adonis"; depth:32; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437118/; classtype:trojan-activity;sid:84300218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/jnd/pure_jnd"; depth:26; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437119/; classtype:trojan-activity;sid:84300219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/adonis/all_adonis"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437116/; classtype:trojan-activity;sid:84300216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/pure_bean"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437117/; classtype:trojan-activity;sid:84300217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3437115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/all_bean"; depth:30; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437115/; classtype:trojan-activity;sid:84300215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/jnd/jnd_all"; depth:25; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437114/; classtype:trojan-activity;sid:84300214; rev:1;)
# Percent-encoding check: the URI content below contains percent-encoded bytes
# (%d0%a4..., %20) as literal text and is matched in http.uri.
# NOTE(review): http.uri is the normalized URI buffer. If normalization decodes
# these escapes, the literal "%d0" text is absent from the buffer and the rule
# cannot match; http.uri.raw is the buffer that keeps the request as sent.
# Verify by replaying a sample request through the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3435167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iluxa94/-3-/refs/heads/main/%d0%a4%d0%be%d1%80%d0%bc%d0%b0%203%d0%9e%d0%a8%d0%91%d0%a0.exe"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_02_10; reference:url, urlhaus.abuse.ch/url/3435167/; classtype:trojan-activity;sid:84298267; rev:1;)
# Shared-platform rule: Host is github.com and the URI is the master archive of
# a public repository (neo23x0/signature-base).
# NOTE(review): this appears to be a collection of detection signatures, so
# hits may come from security tooling or analysts fetching it. Confirm with the
# URLhaus entry and triage by source host before assuming an infection.
# As an `alert http` rule it also matches only requests the sensor can parse as
# HTTP; a fetch over TLS is not visible to it unless decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3435170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo23x0/signature-base/archive/master.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_10; reference:url, urlhaus.abuse.ch/url/3435170/; classtype:trojan-activity;sid:84298270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3433346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"178.168.9.189"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_09; reference:url, urlhaus.abuse.ch/url/3433346/; classtype:trojan-activity;sid:84296446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3432127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3432127/; classtype:trojan-activity;sid:84295227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/all_bean"; depth:30; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431851/; classtype:trojan-activity;sid:84294951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/pure_bean"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431850/; classtype:trojan-activity;sid:84294950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bljysvhw/info.zip"; depth:18; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431687/; classtype:trojan-activity;sid:84294787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3431686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bljysvhw/img001.exe"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431686/; classtype:trojan-activity;sid:84294786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_07; reference:url, urlhaus.abuse.ch/url/3431378/; classtype:trojan-activity;sid:84294478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/test.jpg"; depth:11; endswith; nocase; http.host; content:"ofice365.github.io"; depth:18; isdataat:!1,relative; metadata:created_at 2025_02_06; reference:url, urlhaus.abuse.ch/url/3429885/; classtype:trojan-activity;sid:84292985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"d2314eac.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_02_06; reference:url, urlhaus.abuse.ch/url/3429793/; classtype:trojan-activity;sid:84292893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.159.221.33"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_05; reference:url, 
urlhaus.abuse.ch/url/3429311/; classtype:trojan-activity;sid:84292411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3424485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.147.196.138"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_02; reference:url, urlhaus.abuse.ch/url/3424485/; classtype:trojan-activity;sid:84287585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3423045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.70.63"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_01; reference:url, urlhaus.abuse.ch/url/3423045/; classtype:trojan-activity;sid:84286145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3423046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.70.63"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_01; reference:url, urlhaus.abuse.ch/url/3423046/; classtype:trojan-activity;sid:84286146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3423047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.70.63"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_01; reference:url, urlhaus.abuse.ch/url/3423047/; classtype:trojan-activity;sid:84286147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3423050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.70.63"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_02_01; reference:url, urlhaus.abuse.ch/url/3423050/; classtype:trojan-activity;sid:84286150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsh/xsh.exe"; depth:12; endswith; nocase; http.host; content:"101.126.11.168"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421183/; classtype:trojan-activity;sid:84284283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sigmaplus/4.exe"; depth:16; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421027/; classtype:trojan-activity;sid:84284127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assignment.exe"; depth:15; endswith; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421014/; classtype:trojan-activity;sid:84284114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftp/emmetprod.exe"; depth:18; endswith; nocase; http.host; content:"141.147.43.219"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421020/; classtype:trojan-activity;sid:84284120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3420564)"; flow:established,from_client; 
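http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.70.63"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3420564/; classtype:trojan-activity;sid:84283664; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host buffers both match one
# listed URL. The URI content is pinned with depth + endswith, the host content
# with depth + "isdataat:!1,relative" (nothing may follow the match).
#
# NOTE(review): these are "alert http" rules, so they only see cleartext or
# decrypted HTTP. Hosts such as github.com and drive.google.com are normally
# reached over TLS - confirm the sensor inspects decrypted traffic, otherwise
# expect little or no coverage from the entries for those hosts.
#
# NOTE(review): the next URI content contains "%20". http.uri is the normalized
# URI buffer; if percent-escapes are decoded there, this pattern needs
# http.uri.raw (or a decoded space) to match - verify on the deployed sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/raw/refs/heads/main/fast%20download.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419560/; classtype:trojan-activity;sid:84282660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/raw/refs/heads/main/444.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419570/; classtype:trojan-activity;sid:84282670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/raw/refs/heads/main/critscript.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419477/; classtype:trojan-activity;sid:84282577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17793058/lg246dre.txt"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419368/; classtype:trojan-activity;sid:84282468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3418042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cab/launcherloader.exe"; depth:23; endswith; nocase; http.host; content:"www.newkey.co.kr"; depth:16; isdataat:!1,relative; metadata:created_at 2025_01_29; reference:url, urlhaus.abuse.ch/url/3418042/; classtype:trojan-activity;sid:84281142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3417858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_28; reference:url, urlhaus.abuse.ch/url/3417858/; classtype:trojan-activity;sid:84280958; rev:1;)
# The published form of the next rule carried "|7c|26|7c|" between "download"
# and "id=", which is the literal text "|26|" - presumably a double-escaped "&"
# that no real query string would contain. It is written as |26| here.
# The published depth was 68, the length of the escaped rule text; the decoded
# pattern is 56 bytes, so depth:56 gives the same exact-URI anchor the other
# rules use (depth equal to pattern length, plus endswith).
# NOTE(review): confirm the "&" against the referenced URLhaus entry and report
# the escaping to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3417095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1t9mwfr1azhmksosp19tomch5dyi3hb2n"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_01_28; reference:url, urlhaus.abuse.ch/url/3417095/; classtype:trojan-activity;sid:84280195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3417085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"87.197.160.196"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_28; reference:url, urlhaus.abuse.ch/url/3417085/; classtype:trojan-activity;sid:84280185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3416671)"; flow:established,from_client; http.method; 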
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.62"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_27; reference:url, urlhaus.abuse.ch/url/3416671/; classtype:trojan-activity;sid:84279771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3416673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_27; reference:url, urlhaus.abuse.ch/url/3416673/; classtype:trojan-activity;sid:84279773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.59"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415308/; classtype:trojan-activity;sid:84278408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginanticheat.dll"; depth:19; endswith; nocase; http.host; content:"43.226.39.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415209/; classtype:trojan-activity;sid:84278309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginanticheat4.dll"; depth:20; endswith; nocase; http.host; content:"43.226.39.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415207/; classtype:trojan-activity;sid:84278307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
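(msg:"URLhaus Known malware download URL detected (3412921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.58"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_24; reference:url, urlhaus.abuse.ch/url/3412921/; classtype:trojan-activity;sid:84276021; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host buffers both match one
# listed URL. The URI content is pinned with depth + endswith, the host content
# with depth + "isdataat:!1,relative" (nothing may follow the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3411900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.102.166.41"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_23; reference:url, urlhaus.abuse.ch/url/3411900/; classtype:trojan-activity;sid:84275000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3411850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.49.65.2"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_23; reference:url, urlhaus.abuse.ch/url/3411850/; classtype:trojan-activity;sid:84274950; rev:1;)
# The published depth for the next rule was 62, the length of the rule text with
# "|3f|" counted as four characters. "|3f|" is one byte ("?"), so the decoded
# pattern is 59 bytes. depth:59 keeps the URI match exact, as in the rules whose
# depth equals their pattern length; depth:62 also accepted up to three extra
# bytes in front of the pattern.
# NOTE(review): github.com is normally reached over TLS, so this "alert http"
# rule only fires on cleartext or decrypted traffic - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3410864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blackhatethicalhacking/fud/blob/master/access.exe|3f|raw=true"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_23; reference:url, urlhaus.abuse.ch/url/3410864/; classtype:trojan-activity;sid:84273964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3410865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blackhatethicalhacking/fud/raw/refs/heads/master/access.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 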
metadata:created_at 2025_01_23; reference:url, urlhaus.abuse.ch/url/3410865/; classtype:trojan-activity;sid:84273965; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host buffers both match one
# listed URL. The URI content is pinned with depth + endswith, the host content
# with depth + "isdataat:!1,relative" (nothing may follow the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3410375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_22; reference:url, urlhaus.abuse.ch/url/3410375/; classtype:trojan-activity;sid:84273475; rev:1;)
# NOTE(review): raw.githubusercontent.com is normally reached over TLS, so this
# "alert http" rule only fires on cleartext or decrypted traffic - confirm
# sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3409838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blackhatethicalhacking/fud/refs/heads/master/access.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_22; reference:url, urlhaus.abuse.ch/url/3409838/; classtype:trojan-activity;sid:84272938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3407374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.167.209.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, urlhaus.abuse.ch/url/3407374/; classtype:trojan-activity;sid:84270474; rev:1;)
# NOTE(review): the URI content of the next rule is made of percent-escaped
# non-ASCII bytes, and depth:32 counts each "%xx" as three characters. http.uri
# is the normalized URI buffer; if percent-escapes are decoded there, neither
# the pattern nor the depth lines up and the rule needs http.uri.raw (or the
# decoded bytes in |hex| form) to match - verify on the deployed sensor. The
# same applies to the following hobobot.net rule (sid 84269922).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3406818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%eb%a7%ac%ec%9b%a8%ec%96%b4.hta"; depth:32; endswith; nocase; http.host; content:"hobobot.net"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, urlhaus.abuse.ch/url/3406818/; classtype:trojan-activity;sid:84269918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3406822)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%eb%b9%8c%ec%96%b4%20%eb%a8%b9%ec%9d%84.hta"; depth:44; endswith; nocase; http.host; content:"hobobot.net"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, urlhaus.abuse.ch/url/3406822/; classtype:trojan-activity;sid:84269922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"182.109.0.22"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405330/; classtype:trojan-activity;sid:84268430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405320/; classtype:trojan-activity;sid:84268420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405323/; classtype:trojan-activity;sid:84268423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405324/; classtype:trojan-activity;sid:84268424; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.54.96.182"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405329/; classtype:trojan-activity;sid:84268429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405319/; classtype:trojan-activity;sid:84268419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"84.15.147.5"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405134/; classtype:trojan-activity;sid:84268234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.215.129.223"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405140/; classtype:trojan-activity;sid:84268240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.20.19.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, 
urlhaus.abuse.ch/url/3405120/; classtype:trojan-activity;sid:84268220; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host buffers both match one
# listed URL. The URI content is pinned with depth + endswith, the host content
# with depth + "isdataat:!1,relative" (nothing may follow the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.72.199.204"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405113/; classtype:trojan-activity;sid:84268213; rev:1;)
# NOTE(review): raw.githubusercontent.com and github.com are normally reached
# over TLS, so the two "alert http" rules below only fire on cleartext or
# decrypted traffic - confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3403380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/refs/heads/main/payload.bin"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_17; reference:url, urlhaus.abuse.ch/url/3403380/; classtype:trojan-activity;sid:84266480; rev:1;)
# NOTE(review): the URI content of the next rule contains "%20" and depth:64
# counts it as three characters. http.uri is the normalized URI buffer; if
# percent-escapes are decoded there, this pattern needs http.uri.raw (or a
# decoded space) to match - verify on the deployed sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3402741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobepdf-reader/pdf-reader/raw/refs/heads/main/pdf%20reader.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_16; reference:url, urlhaus.abuse.ch/url/3402741/; classtype:trojan-activity;sid:84265841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3402154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.6.203"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_16; reference:url, urlhaus.abuse.ch/url/3402154/; classtype:trojan-activity;sid:84265254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3402115)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.181.28.63"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_16; reference:url, urlhaus.abuse.ch/url/3402115/; classtype:trojan-activity;sid:84265215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3401644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/wpr-addons/forms/code1.png"; depth:46; endswith; nocase; http.host; content:"107.180.89.159"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_15; reference:url, urlhaus.abuse.ch/url/3401644/; classtype:trojan-activity;sid:84264744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3401362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fxserver.exe"; depth:13; endswith; nocase; http.host; content:"198.50.242.157"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_15; reference:url, urlhaus.abuse.ch/url/3401362/; classtype:trojan-activity;sid:84264462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3398629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ox2fa/justnow/refs/heads/main/1.sh"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_13; reference:url, urlhaus.abuse.ch/url/3398629/; classtype:trojan-activity;sid:84261729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3398195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.121.239.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_12; reference:url, urlhaus.abuse.ch/url/3398195/; classtype:trojan-activity;sid:84261295; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3397531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.168.227.130"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_11; reference:url, urlhaus.abuse.ch/url/3397531/; classtype:trojan-activity;sid:84260631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3395055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arvendrachhonkar/todo/releases/download/macosandwindows/install_setup_v1.2.0.dmg"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_09; reference:url, urlhaus.abuse.ch/url/3395055/; classtype:trojan-activity;sid:84258155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3394507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trismagi/daemon/raw/main/watchdog"; depth:34; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_09; reference:url, urlhaus.abuse.ch/url/3394507/; classtype:trojan-activity;sid:84257607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3394121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.56.225.99"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3394121/; classtype:trojan-activity;sid:84257221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3394115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; 
content:"62.56.225.99"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3394115/; classtype:trojan-activity;sid:84257215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roukistl/ud/refs/heads/main/ud.bat"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3393662/; classtype:trojan-activity;sid:84256762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thomson101/xhp/releases/download/release/steanings.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3393596/; classtype:trojan-activity;sid:84256696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thomson101/xhp/releases/download/release/steanings.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_07; reference:url, urlhaus.abuse.ch/url/3393047/; classtype:trojan-activity;sid:84256147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.40.185.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_07; reference:url, urlhaus.abuse.ch/url/3393010/; classtype:trojan-activity;sid:84256110; rev:1;) alert http $HOME_NET any 
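-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3392686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/launcher/upload/test.exe"; depth:25; endswith; nocase; http.host; content:"test.aionclassic.pro"; depth:20; isdataat:!1,relative; metadata:created_at 2025_01_07; reference:url, urlhaus.abuse.ch/url/3392686/; classtype:trojan-activity;sid:84255786; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host buffers both match one
# listed URL. The URI content is pinned with depth + endswith, the host content
# with depth + "isdataat:!1,relative" (nothing may follow the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3391819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_06; reference:url, urlhaus.abuse.ch/url/3391819/; classtype:trojan-activity;sid:84254919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3391609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.92.24.250"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_06; reference:url, urlhaus.abuse.ch/url/3391609/; classtype:trojan-activity;sid:84254709; rev:1;)
# The published depth for the next rule was 22, the length of the rule text with
# "|3f|" counted as four characters. "|3f|" is one byte ("?"), so the decoded
# pattern is 19 bytes. depth:19 keeps the URI match exact, as in the rules whose
# depth equals their pattern length; depth:22 also accepted up to three extra
# bytes in front of the pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3390789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kusaka.php|3f|call=av"; depth:19; endswith; nocase; http.host; content:"cpofficial.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_05; reference:url, urlhaus.abuse.ch/url/3390789/; classtype:trojan-activity;sid:84253889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3389403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngrokc/ctc/raw/main/ctc64.dll"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 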
metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3389403/; classtype:trojan-activity;sid:84252503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3389404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngrokc/ctc/main/ctc64.dll"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3389404/; classtype:trojan-activity;sid:84252504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3388858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/solara.dir.zip"; depth:37; endswith; nocase; http.host; content:"c0e5b87c.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3388858/; classtype:trojan-activity;sid:84251958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3388859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"c0e5b87c.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3388859/; classtype:trojan-activity;sid:84251959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3387720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/raw/refs/heads/main/prueba.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_03; reference:url, urlhaus.abuse.ch/url/3387720/; classtype:trojan-activity;sid:84250820; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-32bit.elf"; depth:15; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386507/; classtype:trojan-activity;sid:84249607; rev:1;)
# URLhaus download-URL signatures, one rule per listed URL. Every rule alerts on
# an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET in
# which both sticky buffers equal the listed value:
#   http.uri  - content + depth (the content length) + endswith anchors the
#               content to both ends of the buffer; nocase ignores case.
#   http.host - content + depth + isdataat:!1,relative (no byte may follow).
# Because the whole buffer must match, the same path with anything appended
# (for example a query string) does not alert.
# In the rules below sid = URLhaus id (the number in msg/reference) + 80863100,
# so an alert sid can be mapped back to its URLhaus entry.
# NOTE(review): created_at is presumably the URLhaus listing date; these entries
# date from 2024_12 to 2025_01, so a host may have been cleaned or reassigned
# since - treat a hit as a lead to confirm, not as a verdict.
#
# Host 34.45.47.180: .elf payloads (names suggest per-architecture builds).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.elf"; depth:9; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386508/; classtype:trojan-activity;sid:84249608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-arm.elf"; depth:13; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386509/; classtype:trojan-activity;sid:84249609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-64bit.elf"; depth:15; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386510/; classtype:trojan-activity;sid:84249610; rev:1;)
# Short fixed paths ("/i", "/bin.sh", "/sshd") on bare-IP hosts; within a path
# the rules differ only in host, date, sid and URLhaus id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3385579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.97.36.186"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_01; reference:url, urlhaus.abuse.ch/url/3385579/; classtype:trojan-activity;sid:84248679; rev:1;)
# The path below names an UltraVNC .ini file (name-based inference only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3385167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft_hair/ultravnc.ini"; depth:23; endswith; nocase; http.host; content:"support.clz.kr"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_01; reference:url, urlhaus.abuse.ch/url/3385167/; classtype:trojan-activity;sid:84248267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3384528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_31; reference:url, urlhaus.abuse.ch/url/3384528/; classtype:trojan-activity;sid:84247628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3384341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_31; reference:url, urlhaus.abuse.ch/url/3384341/; classtype:trojan-activity;sid:84247441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3378964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.1.110.226"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_28; reference:url, urlhaus.abuse.ch/url/3378964/; classtype:trojan-activity;sid:84242064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3378965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.114.218.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_28; reference:url, urlhaus.abuse.ch/url/3378965/; classtype:trojan-activity;sid:84242065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3378974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.142.63.8"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_28; reference:url, urlhaus.abuse.ch/url/3378974/; classtype:trojan-activity;sid:84242074; rev:1;)
# NOTE(review): sids 84236586 and 84236587 carry identical match options, so a
# single matching request raises both alerts. Presumably the two URLhaus
# entries differed in something http.host does not carry (e.g. the port) -
# confirm, and de-duplicate on (source, host, uri) when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.45.15.114"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_23; reference:url, urlhaus.abuse.ch/url/3373486/; classtype:trojan-activity;sid:84236586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.45.15.114"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_23; reference:url, urlhaus.abuse.ch/url/3373487/; classtype:trojan-activity;sid:84236587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.236.135.177"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373057/; classtype:trojan-activity;sid:84236157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373067/; classtype:trojan-activity;sid:84236167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.179.160"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373048/; classtype:trojan-activity;sid:84236148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.53.164.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373036/; classtype:trojan-activity;sid:84236136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.20.27.25"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373026/; classtype:trojan-activity;sid:84236126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.89.112.21"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373011/; classtype:trojan-activity;sid:84236111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.64.182.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372976/; classtype:trojan-activity;sid:84236076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.27.224.90"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372992/; classtype:trojan-activity;sid:84236092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.236.133.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372995/; classtype:trojan-activity;sid:84236095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.103.184.142"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372997/; classtype:trojan-activity;sid:84236097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.85.166.12"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372968/; classtype:trojan-activity;sid:84236068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.49.114.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372953/; classtype:trojan-activity;sid:84236053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.110.204.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372954/; classtype:trojan-activity;sid:84236054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.125.133.244"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372944/; classtype:trojan-activity;sid:84236044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.233.125.238"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372946/; classtype:trojan-activity;sid:84236046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.154.209.206"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372931/; 
classtype:trojan-activity;sid:84236031; rev:1;)
# URLhaus download-URL signatures, one rule per listed URL. Each rule alerts on
# an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed path (content + depth + endswith, nocase) and whose
# http.host equals the listed host (content + depth + isdataat:!1,relative).
# The number in msg and reference:url is the URLhaus entry id.
#
# Path "/sshd" on bare-IP hosts (the file name matches the usual name of the
# SSH daemon binary; that reading is name-based only).
# NOTE(review): the rules for 117.240.155.245 and for 195.34.102.234 repeat the
# same http.uri/http.host match under many sids; they differ only in sid and
# URLhaus id. One matching request therefore raises one alert per rule.
# Presumably the URLhaus entries differed in something these buffers do not
# carry (e.g. the port) - confirm, and apply a threshold or SIEM-side
# de-duplication on (source, host, uri) so one download is not counted many
# times.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"111.74.21.155"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372903/; classtype:trojan-activity;sid:84236003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372902/; classtype:trojan-activity;sid:84236002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372900/; classtype:trojan-activity;sid:84236000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372891/; classtype:trojan-activity;sid:84235991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372892/; classtype:trojan-activity;sid:84235992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372893/; classtype:trojan-activity;sid:84235993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372896/; classtype:trojan-activity;sid:84235996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372898/; classtype:trojan-activity;sid:84235998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372883/; classtype:trojan-activity;sid:84235983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372884/; classtype:trojan-activity;sid:84235984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372885/; classtype:trojan-activity;sid:84235985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372886/; classtype:trojan-activity;sid:84235986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372890/; classtype:trojan-activity;sid:84235990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.63"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372876/; classtype:trojan-activity;sid:84235976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372878/; classtype:trojan-activity;sid:84235978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372879/; classtype:trojan-activity;sid:84235979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372880/; classtype:trojan-activity;sid:84235980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372704/; classtype:trojan-activity;sid:84235804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372705/; classtype:trojan-activity;sid:84235805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372684/; classtype:trojan-activity;sid:84235784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.190"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372657/; classtype:trojan-activity;sid:84235757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.216"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372658/; classtype:trojan-activity;sid:84235758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372654/; classtype:trojan-activity;sid:84235754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372651/; classtype:trojan-activity;sid:84235751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.124.72.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372645/; classtype:trojan-activity;sid:84235745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.189"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372625/; classtype:trojan-activity;sid:84235725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.115"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372627/; classtype:trojan-activity;sid:84235727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372639/; classtype:trojan-activity;sid:84235739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.210.109.1"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372621/; classtype:trojan-activity;sid:84235721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372615/; classtype:trojan-activity;sid:84235715; rev:1;)
# Path "/i" on bare-IP hosts, listed 2024_12_19.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3366263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.87.31.84"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_19; reference:url, urlhaus.abuse.ch/url/3366263/; classtype:trojan-activity;sid:84229363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3366262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.73.75.82"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_19; reference:url, urlhaus.abuse.ch/url/3366262/; classtype:trojan-activity;sid:84229362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3366230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.220.123.125"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_19; reference:url, urlhaus.abuse.ch/url/3366230/; classtype:trojan-activity;sid:84229330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef/ef.bin"; depth:10; endswith; nocase; 
http.host; content:"www.tdejb.com"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356912/; classtype:trojan-activity;sid:84220012; rev:1;)
# URLhaus download-URL signatures, one rule per listed URL. Each rule alerts on
# an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed path (content + depth + endswith, nocase) and whose
# http.host equals the listed host (content + depth + isdataat:!1,relative).
# The number in msg and reference:url is the URLhaus entry id.
#
# Named web hosts and one bare IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef/skifterne.sea"; depth:17; endswith; nocase; http.host; content:"www.tdejb.com"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356911/; classtype:trojan-activity;sid:84220011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef/ef.vbs"; depth:10; endswith; nocase; http.host; content:"www.astenterprises.com.pk"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356909/; classtype:trojan-activity;sid:84220009; rev:1;)
# Object-storage hosts (*.myqcloud.com, *.aliyuncs.com). The host suffix is a
# shared cloud service; the indicator is the exact bucket host plus path, so
# do not widen these to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yn5og-40i6-9gu-9hjf.html"; depth:25; endswith; nocase; http.host; content:"bj5y6-0f-9h4-9fgg4-1324992141.cos.ap-bangkok.myqcloud.com"; depth:57; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356803/; classtype:trojan-activity;sid:84219903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.exe"; depth:10; endswith; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356783/; classtype:trojan-activity;sid:84219883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/futon"; depth:6; endswith; nocase; http.host; content:"weco2.oss-me-east-1.aliyuncs.com"; depth:32; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356768/; classtype:trojan-activity;sid:84219868; rev:1;)
# NOTE(review): the content below is made of percent-encoded bytes (%e5...).
# http.uri is Suricata's normalized URI buffer, in which percent-encoding is
# typically decoded, so this literal may never match; http.uri.raw is the
# buffer that keeps the escapes as sent. Verify sid 84219869 against a test
# capture before relying on it, and report upstream if it does not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qq%e5%8d%8e%e5%a4%8f%e6%9b%b4%e6%96%b0%e6%96%87%e4%bb%b6/%e8%87%aa%e5%8a%a8%e6%9b%b4%e6%96%b0%e8%be%85%e5%8a%a9%e7%a8%8b%e5%ba%8f.exe"; depth:134; endswith; nocase; http.host; content:"kuakuawenjian.oss-cn-hangzhou.aliyuncs.com"; depth:42; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356769/; classtype:trojan-activity;sid:84219869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/smiple_4yue"; depth:12; endswith; nocase; http.host; content:"weco2.oss-me-east-1.aliyuncs.com"; depth:32; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356761/; classtype:trojan-activity;sid:84219861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36hg-04ik6-9j4-9h5.html"; depth:24; endswith; nocase; http.host; content:"f3i5-0g49bgn-3h95-1324992141.cos.ap-jakarta.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356758/; classtype:trojan-activity;sid:84219858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35-0350gh9v-39yh5g.html"; depth:24; endswith; nocase; http.host; content:"j-0-09g-9bh-h-ggf-1324992141.cos.ap-bangkok.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356750/; classtype:trojan-activity;sid:84219850; rev:1;)
# GitHub-hosted files (raw.githubusercontent.com, github.com).
# NOTE(review): these hosts are normally reached over HTTPS. An "alert http"
# rule only sees the request where the sensor inspects cleartext HTTP or
# already-decrypted traffic, so these sids may never fire on a TLS-only path -
# confirm sensor placement. The host itself is a widely used legitimate
# service; only the exact repository path is the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/refs/heads/main/critscript.exe"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356162/; classtype:trojan-activity;sid:84219262; rev:1;)
# NOTE(review): "%20" in the content below is matched against the normalized
# http.uri buffer, where it is typically decoded to a space; the literal may
# not match as written (http.uri.raw keeps the escape). Verify sid 84219245.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/refs/heads/main/fast%20download.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356145/; classtype:trojan-activity;sid:84219245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr0xylife/asyncrat/refs/heads/main/asyncrat_09.02.2022.txt"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356134/; classtype:trojan-activity;sid:84219234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/refs/heads/main/444.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356133/; classtype:trojan-activity;sid:84219233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deroxs/powerrat-leak/refs/heads/main/powerrat.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356118/; classtype:trojan-activity;sid:84219218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rookievip/xx/main/loader.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353957/; classtype:trojan-activity;sid:84217057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/refs/heads/main/prueba.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353403/; classtype:trojan-activity;sid:84216503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fengjixuchui/cve-2022-26810/refs/heads/main/shellcode.bin"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353372/; classtype:trojan-activity;sid:84216472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deroxs/powerrat-leak/raw/refs/heads/main/powerrat.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353348/; classtype:trojan-activity;sid:84216448; rev:1;)
# The listed path below ends in "/" and the match is on the whole buffer, so a
# request without the trailing slash does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resources/js/info2r.txt/"; depth:25; endswith; nocase; http.host; content:"188.81.134.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353349/; classtype:trojan-activity;sid:84216449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr0xylife/asyncrat/raw/refs/heads/main/asyncrat_09.02.2022.txt"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353345/; classtype:trojan-activity;sid:84216445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlc_update.data"; depth:16; endswith; nocase; http.host; content:"8.138.96.41"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353333/; classtype:trojan-activity;sid:84216433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3353250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe"; depth:47; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353250/; classtype:trojan-activity;sid:84216350; rev:1;)
# URLhaus download-URL signatures, one rule per listed URL. Each rule alerts on
# an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed path (content + depth + endswith, nocase) and whose
# http.host equals the listed host (content + depth + isdataat:!1,relative).
# The number in msg and reference:url is the URLhaus entry id.
#
# Host 167.250.49.155 serves several files under /bin/. The /bin/win32/mimi*
# names match the file names of the mimikatz credential-dumping toolset
# (name-based inference - confirm via the URLhaus entry). A hit on one of
# those sids suggests an internal host fetched credential-theft tooling, so
# triage should include credential exposure on the requesting host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master.exe"; depth:11; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353251/; classtype:trojan-activity;sid:84216351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_1.exe"; depth:57; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353242/; classtype:trojan-activity;sid:84216342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimispool.dll"; depth:24; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353243/; classtype:trojan-activity;sid:84216343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_2.exe"; depth:57; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353244/; classtype:trojan-activity;sid:84216344; rev:1;)
# NOTE(review): the listed path starts with "//". Whether the http.uri buffer
# still holds both slashes depends on the HTTP parser's path normalization on
# the sensor; if repeated separators are collapsed, this exact-length match
# cannot fire. Verify sid 84216346 (and 84216316 further down) with a test
# capture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//google.exe"; depth:12; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353246/; classtype:trojan-activity;sid:84216346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe"; depth:55; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353238/; classtype:trojan-activity;sid:84216338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimikatz.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353234/; classtype:trojan-activity;sid:84216334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilib.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353235/; classtype:trojan-activity;sid:84216335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//chromesetup.exe"; depth:17; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353216/; classtype:trojan-activity;sid:84216316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp.ps1"; depth:7; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353204/; classtype:trojan-activity;sid:84216304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.248.194.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353208/; classtype:trojan-activity;sid:84216308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilove.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353189/; classtype:trojan-activity;sid:84216289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimidrv.sys"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; 
reference:url, urlhaus.abuse.ch/url/3353190/; classtype:trojan-activity;sid:84216290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimispool.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353192/; classtype:trojan-activity;sid:84216292; rev:1;)
# NOTE(review): raw.githubusercontent.com is normally reached over HTTPS, and this is an
# "alert http" rule keyed on http.host / http.uri. It can only fire where the sensor sees
# the request in cleartext (a plaintext request, or TLS decrypted upstream of the sensor).
# Confirm sensor placement before reading "no alert" as "no download".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cqhack/ddos-script/refs/heads/master/cqhack.pl"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353123/; classtype:trojan-activity;sid:84216223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3352821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaijiorder/cert/2a.hta"; depth:23; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3352821/; classtype:trojan-activity;sid:84215921; rev:1;)
# NOTE(review): |7c| is the hex escape for "|", so the http.uri pattern below decodes to
# the literal bytes "|26|" between "download" and "id=". That looks like a double-escaped
# "&" (0x26) introduced when the rule was generated; if so, a request whose query string
# uses "&" would not match. TODO confirm against the referenced URLhaus entry.
# NOTE(review): depth:68 equals the length of the escaped text, while the decoded pattern
# is 59 bytes, so together with endswith the URI may carry up to 9 leading bytes and still
# match. The same escaped-length depth appears on the other drive.google.com rule in this
# file (sid:84211100, depth:43 for a 40-byte decoded pattern).
# NOTE(review): drive.google.com is normally served over HTTPS; as an "alert http" rule
# this only sees requests that reach the sensor in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12jgde-soib4liipbdhs55vkz7ek8_ua6"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351932/; classtype:trojan-activity;sid:84215032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3351478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ijeuwaesika/nna/raw/refs/heads/main/ifiinms.txt"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351478/; classtype:trojan-activity;sid:84214578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fsabxh/sfdawsdawdaw/raw/refs/heads/main/serials_checker.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351477/; classtype:trojan-activity;sid:84214577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/raw/refs/heads/main/critscript.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351430/; classtype:trojan-activity;sid:84214530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/raw/refs/heads/main/444.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351428/; classtype:trojan-activity;sid:84214528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/raw/refs/heads/main/fast%20download.exe"; depth:57; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351377/; classtype:trojan-activity;sid:84214477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/raw/refs/heads/main/prueba.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351320/; classtype:trojan-activity;sid:84214420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-reverse-shell/raw/refs/heads/main/shellcode.bin"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351297/; classtype:trojan-activity;sid:84214397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fengjixuchui/cve-2022-26810/raw/refs/heads/main/shellcode.bin"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351259/; classtype:trojan-activity;sid:84214359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3348000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|id=1ydcoow9tkyo5_qfbdzcaqkd9hzdoug7o"; depth:43; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_13; reference:url, 
urlhaus.abuse.ch/url/3348000/; classtype:trojan-activity;sid:84211100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3347308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/component/vc2005sp1redist_x86.exe"; depth:34; endswith; nocase; http.host; content:"windriversfiles.imeitools.com"; depth:29; isdataat:!1,relative; metadata:created_at 2024_12_13; reference:url, urlhaus.abuse.ch/url/3347308/; classtype:trojan-activity;sid:84210408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3346530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whoafg/problemonfmech/refs/heads/main/client.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_12; reference:url, urlhaus.abuse.ch/url/3346530/; classtype:trojan-activity;sid:84209630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3346026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaijiorder/cert/41a1111.hta"; depth:28; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_12; reference:url, urlhaus.abuse.ch/url/3346026/; classtype:trojan-activity;sid:84209126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3345089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n00b69/woasetup/releases/download/installers/dxwebsetup.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_11; reference:url, urlhaus.abuse.ch/url/3345089/; classtype:trojan-activity;sid:84208189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3345076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaijiorder/cert/2a.hta"; depth:23; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_11; reference:url, urlhaus.abuse.ch/url/3345076/; classtype:trojan-activity;sid:84208176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.x86"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344216/; classtype:trojan-activity;sid:84207316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm5"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344177/; classtype:trojan-activity;sid:84207277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm7"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344172/; classtype:trojan-activity;sid:84207272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.ppc"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344116/; 
classtype:trojan-activity;sid:84207216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mpsl"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344054/; classtype:trojan-activity;sid:84207154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.sh4"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344015/; classtype:trojan-activity;sid:84207115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm6"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343939/; classtype:trojan-activity;sid:84207039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343827/; classtype:trojan-activity;sid:84206927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.m68k"; depth:17; endswith; nocase; http.host; 
content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343814/; classtype:trojan-activity;sid:84206914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mips"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343669/; classtype:trojan-activity;sid:84206769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340580/; classtype:trojan-activity;sid:84203680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.spc"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340578/; classtype:trojan-activity;sid:84203678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.m68k"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340577/; classtype:trojan-activity;sid:84203677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340567)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm7"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340567/; classtype:trojan-activity;sid:84203667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.x86"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340568/; classtype:trojan-activity;sid:84203668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.mips"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340569/; classtype:trojan-activity;sid:84203669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm5"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340570/; classtype:trojan-activity;sid:84203670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.ppc"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340573/; classtype:trojan-activity;sid:84203673; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm6"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340574/; classtype:trojan-activity;sid:84203674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.sh4"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340575/; classtype:trojan-activity;sid:84203675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.mpsl"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340576/; classtype:trojan-activity;sid:84203676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dis3j/wagnerhook/releases/download/release/loader.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340440/; classtype:trojan-activity;sid:84203540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/xbest%20v1.exe"; depth:33; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340399/; classtype:trojan-activity;sid:84203499; rev:1;)
# NOTE(review): the http.uri pattern below contains a literal "%20". Suricata documents
# http.uri as the normalized URI buffer, in which percent-escapes such as %20 are decoded;
# a literal "%20" is normally matched in http.uri.raw instead. As written this rule may
# never fire. TODO verify against the sensor's Suricata version and libhtp settings.
# Other rules in this file with "%20" inside an http.uri pattern: sid:84214477,
# sid:84203499, sid:84203492.
# NOTE(review): every rule on raw.githubusercontent.com here is "alert http"; that host is
# normally served over HTTPS, so these rules only see requests that reach the sensor in
# cleartext (plaintext request, or TLS decrypted upstream).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/complexo%20v4.exe"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340398/; classtype:trojan-activity;sid:84203498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/box3d.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340395/; classtype:trojan-activity;sid:84203495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/lkwan.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340396/; classtype:trojan-activity;sid:84203496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/flunix9.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340397/; classtype:trojan-activity;sid:84203497; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/elzhas%20pannel.dll"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340392/; classtype:trojan-activity;sid:84203492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/morovip.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340393/; classtype:trojan-activity;sid:84203493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/hazaxd.dll"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340394/; classtype:trojan-activity;sid:84203494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/xbest.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340391/; classtype:trojan-activity;sid:84203491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340390)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xbest11/ddl1/main/blue_and_white.dll"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340390/; classtype:trojan-activity;sid:84203490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huuuuggga/aaaaa1/refs/heads/main/srtware.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340363/; classtype:trojan-activity;sid:84203463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.88.242.17"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3339893/; classtype:trojan-activity;sid:84202993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"24.88.242.17"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3339858/; classtype:trojan-activity;sid:84202958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"117.20.27.25"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339219/; classtype:trojan-activity;sid:84202319; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.236.133.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339181/; classtype:trojan-activity;sid:84202281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"47.49.114.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339179/; classtype:trojan-activity;sid:84202279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.110.204.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339168/; classtype:trojan-activity;sid:84202268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.220.123.125"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339161/; classtype:trojan-activity;sid:84202261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.233.125.238"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, 
urlhaus.abuse.ch/url/3339162/; classtype:trojan-activity;sid:84202262; rev:1;)
# One rule per URLhaus entry. The number in msg and in the reference URL is the
# URLhaus entry id; in every rule shown here sid = that id + 80863100.
# Match anatomy: the URI and Host patterns each carry a depth equal to the
# pattern's own length plus an end-of-buffer test (endswith on http.uri,
# isdataat:!1,relative on http.host), so a rule matches only when the whole
# buffer equals the listed string (URI compared case-insensitively via nocase).
# The http.method pattern "GET" has no such anchoring.
# Direction is $HOME_NET -> $EXTERNAL_NET on the client side of an established
# flow, so coverage depends on HOME_NET being set correctly on the sensor.
#
# created_at 2024_12_09: path "/.i" on bare IPv4 hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.53.164.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339156/; classtype:trojan-activity;sid:84202256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"216.155.92.203"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339119/; classtype:trojan-activity;sid:84202219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.236.135.177"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339126/; classtype:trojan-activity;sid:84202226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.179.160"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339116/; classtype:trojan-activity;sid:84202216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.245.78.68"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339114/; classtype:trojan-activity;sid:84202214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"177.103.184.142"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339096/; classtype:trojan-activity;sid:84202196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.72.199.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339098/; classtype:trojan-activity;sid:84202198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.125.133.244"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339100/; classtype:trojan-activity;sid:84202200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.85.166.12"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339084/; classtype:trojan-activity;sid:84202184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.154.209.206"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339082/; classtype:trojan-activity;sid:84202182; rev:1;)
# created_at 2024_12_09: executables under /hostfile/taptin/ on update.volam2005pk.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hostfile/taptin/game.exe"; depth:25; endswith; nocase; http.host; content:"update.volam2005pk.com"; depth:22; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338712/; classtype:trojan-activity;sid:84201812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hostfile/taptin/autoupdate.exe"; depth:31; endswith; nocase; http.host; content:"update.volam2005pk.com"; depth:22; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338655/; classtype:trojan-activity;sid:84201755; rev:1;)
# created_at 2024_12_09: files on raw.githubusercontent.com. The host is shared by
# many repositories, so the URI path is the discriminating part of these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kabot/unix-privilege-escalation-exploits-pack/master/2012/vmsplice-local-root-exploit"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338656/; classtype:trojan-activity;sid:84201756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga13372/jv/main/javaw.exe"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, 
urlhaus.abuse.ch/url/3338560/; classtype:trojan-activity;sid:84201660; rev:1;)
# created_at 2024_12_09: files and branch archives hosted on raw.githubusercontent.com
# and codeload.github.com.
# The Host pattern in these rules names a shared hosting domain, so the full URI
# path (owner/repo/branch/file) is what identifies the entry; a hit on the host
# alone would not be an indicator.
# `alert http` requires the request to be visible to Suricata as HTTP, i.e.
# cleartext or decrypted traffic.
# NOTE(review): these hosts are normally reached over TLS; confirm the sensor has
# that visibility before relying on these sids for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nicxlau/alfa-shell/master/alfa-obfuscated.php"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338548/; classtype:trojan-activity;sid:84201648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aissardp/payload/main/payload.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338507/; classtype:trojan-activity;sid:84201607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cracker1337uwu/rrr/main/bypass.exe"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338505/; classtype:trojan-activity;sid:84201605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g1vi/cve-2023-2640-cve-2023-32629/main/exploit.sh"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338499/; classtype:trojan-activity;sid:84201599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenmanmkt/repo1/main/exploit-2"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338493/; classtype:trojan-activity;sid:84201593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leetcipher/malware.development/main/self-injection/self-injection.exe"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338492/; classtype:trojan-activity;sid:84201592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyberhunter00/remote_hijack/master/uac_bypass.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338487/; classtype:trojan-activity;sid:84201587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cocomelonc/2022-01-14-malware-injection-13/master/hack.exe"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338475/; classtype:trojan-activity;sid:84201575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fxtazz/injection/main/index.js"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338467/; classtype:trojan-activity;sid:84201567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leetcipher/malware.development/main/process-injection/process-injection.exe"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338471/; classtype:trojan-activity;sid:84201571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sixaknow/uac_bypass_/main/module_377498327498dcxvc32434.dll"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338451/; classtype:trojan-activity;sid:84201551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pistacchietto/win-python-backdoor/master/standalone_payload.exe"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338443/; classtype:trojan-activity;sid:84201543; rev:1;)
# Branch archives (…/zip/refs/heads/main) from codeload.github.com; the four
# ty9989 rules differ only in the repository segment of the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/f/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337794/; classtype:trojan-activity;sid:84200894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/c/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337795/; classtype:trojan-activity;sid:84200895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/u/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337796/; classtype:trojan-activity;sid:84200896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/i/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337797/; classtype:trojan-activity;sid:84200897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahmoundll/kak/main/glew64.dll"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337035/; classtype:trojan-activity;sid:84200135; 
rev:1;)
# created_at 2024_12_08. Hosts in this group: raw.githubusercontent.com,
# github.com, codeload.github.com, update.cg100iii.com and one bare IPv4 address.
# Paths include repository files, release assets (/releases/download/...) and
# branch archives; every rule carries classtype:trojan-activity whatever the
# file type, so the per-rule reference (urlhaus.abuse.ch/url/<id>/) is where to
# check the entry's details when triaging a hit.
# Each rule is an exact host + URI indicator for one listed URL, not a
# behavioural detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkaslq1/ankrnl/refs/heads/main/alphatweaks.exe"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337026/; classtype:trojan-activity;sid:84200126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haa15/driver-shitty/main/kdmapper_release.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337032/; classtype:trojan-activity;sid:84200132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0lt/virtualdub2/releases/download/2.1.3/virtualdub2_v2.1.3.667_win32.7z"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337015/; classtype:trojan-activity;sid:84200115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgmb/update.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337012/; classtype:trojan-activity;sid:84200112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgpro/update.exe"; depth:17; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337010/; classtype:trojan-activity;sid:84200110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibidixelaina/wuselaina/raw/refs/heads/main/build.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337004/; classtype:trojan-activity;sid:84200104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/refs/heads/main/taskmoder.exe"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336992/; classtype:trojan-activity;sid:84200092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z-beam/movaflag/releases/download/1.0.2/mova.exe"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336993/; classtype:trojan-activity;sid:84200093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/refs/heads/main/cssgo.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336990/; classtype:trojan-activity;sid:84200090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/raw/refs/heads/main/black.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336983/; classtype:trojan-activity;sid:84200083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stubgenerator/stub/main/stub.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336095/; classtype:trojan-activity;sid:84199195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nikolaevich23/make-pkg-bat/master/setup.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336077/; classtype:trojan-activity;sid:84199177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirxne/valorant-axeprime/main/axeprime.dll"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336072/; classtype:trojan-activity;sid:84199172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stephenfewer/reflectivedllinjection/refs/heads/master/bin/reflective_dll.dll"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336068/; classtype:trojan-activity;sid:84199168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anessdev/talha/main/talha.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336058/; classtype:trojan-activity;sid:84199158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.dll"; depth:12; endswith; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336051/; classtype:trojan-activity;sid:84199151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqrtzeroknowledge/xworm-trojan/zip/refs/heads/main"; depth:51; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336049/; classtype:trojan-activity;sid:84199149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3335208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/master/rage.dll"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335208/; classtype:trojan-activity;sid:84198308; rev:1;)
# created_at 2024_12_07. Eleven of the rules below share the Host value
# 211.204.100.20 and differ only in the file name: each URLhaus entry yields its
# own rule and sid, so alerts from several of these sids point at one server.
# The Host pattern is matched as a whole buffer (depth equal to its length plus
# isdataat:!1,relative), which is why www.reifenquick.de and reifenquick.de
# appear as separate patterns in separate rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infectsocks32_sql_antivirus.vmp.dll"; depth:36; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335175/; classtype:trojan-activity;sid:84198275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadowforce2008_64_add.vmp.dll"; depth:31; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335174/; classtype:trojan-activity;sid:84198274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infectsocks64_sql_antivirus.vmp.dll"; depth:36; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335173/; classtype:trojan-activity;sid:84198273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upm2008.exe"; depth:12; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335166/; classtype:trojan-activity;sid:84198266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ndisinstaller3.2.32.1.exe"; depth:26; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335156/; classtype:trojan-activity;sid:84198256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335154/; classtype:trojan-activity;sid:84198254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iatinfect2008_64.exe"; depth:21; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335147/; classtype:trojan-activity;sid:84198247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winsetaccess64.exe"; depth:19; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335141/; classtype:trojan-activity;sid:84198241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/writedat.exe"; depth:13; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335135/; classtype:trojan-activity;sid:84198235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mport.exe"; depth:10; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335136/; classtype:trojan-activity;sid:84198236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iland.dat"; depth:10; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335134/; classtype:trojan-activity;sid:84198234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/hl8-8w4cs-6325/"; depth:24; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335132/; classtype:trojan-activity;sid:84198232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cg70/update.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335118/; classtype:trojan-activity;sid:84198218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/closed_957176_mxqsdoj6a4iz/close_warehouse/ql55hnq09iyn6lm_334stxvw03wyv/"; depth:82; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335096/; classtype:trojan-activity;sid:84198196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_upload/article/files/90/f4/62d98f264ab0abc4a1f14a32607a/089c9dc1-8248-47b5-b35d-310cd70469b4.doc"; depth:98; endswith; nocase; http.host; content:"hhbs.hhu.edu.cn"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335074/; classtype:trojan-activity;sid:84198174; rev:1;)
# created_at 2024_12_06: files named aqua.<suffix> on 103.163.119.220; one rule
# per suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.dbg"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333897/; classtype:trojan-activity;sid:84196997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.sh4"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333896/; classtype:trojan-activity;sid:84196996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3333895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.x86_64"; depth:12; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333895/; classtype:trojan-activity;sid:84196995; rev:1;)
# created_at 2024_12_06. Hosts in this group: raw.githubusercontent.com,
# github.com, codeload.github.com and chinaapper.com.
# The URI is matched as a whole buffer (depth equal to the pattern length plus
# endswith), so every tag or archive format of a repository gets its own rule:
# the daneeltrevize/tabsat entries below are separate rules per
# legacy.tar.gz / legacy.zip tag. A hit therefore identifies one specific listed
# URL, not the repository as a whole.
# All rules share classtype:trojan-activity; the reference URL in each rule
# (urlhaus.abuse.ch/url/<id>/) is the place to look up the entry when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namblack666/zxqqw/refs/heads/main/main.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333657/; classtype:trojan-activity;sid:84196757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namblack666/zxqqw/refs/heads/main/main1.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333658/; classtype:trojan-activity;sid:84196758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam-black/moneyandbitch/refs/heads/main/main1.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333656/; classtype:trojan-activity;sid:84196756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam-black/moneyandbitch/raw/refs/heads/main/main1.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333651/; classtype:trojan-activity;sid:84196751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apk/pthlearning.apk"; depth:20; endswith; nocase; http.host; content:"chinaapper.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333527/; classtype:trojan-activity;sid:84196627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azertyuiopexe/fud-crypter/zip/refs/heads/main"; depth:46; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333522/; classtype:trojan-activity;sid:84196622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh81/exploi01/main/document.zip"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333521/; classtype:trojan-activity;sid:84196621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.8"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333518/; classtype:trojan-activity;sid:84196618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0xrose/rose-stealer_old/zip/refs/heads/main"; depth:44; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333515/; classtype:trojan-activity;sid:84196615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.10"; depth:50; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333513/; classtype:trojan-activity;sid:84196613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.3"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333514/; classtype:trojan-activity;sid:84196614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hwangyounggul33/windows10/refs/heads/main/privacypolicy.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333511/; classtype:trojan-activity;sid:84196611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caocaocc/yacd/zip/refs/heads/gh-pages"; depth:38; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333509/; classtype:trojan-activity;sid:84196609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.9.2"; depth:51; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333510/; classtype:trojan-activity;sid:84196610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.11"; depth:50; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333508/; classtype:trojan-activity;sid:84196608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/refs/heads/main/agentnov.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333499/; classtype:trojan-activity;sid:84196599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cirosantilli/china-dictatorship/zip/refs/heads/master"; depth:54; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333502/; classtype:trojan-activity;sid:84196602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.zip/refs/tags/0.8.1"; depth:48; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333503/; classtype:trojan-activity;sid:84196603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.5"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333495/; classtype:trojan-activity;sid:84196595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.7"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333496/; classtype:trojan-activity;sid:84196596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d-7uble/invoke-phant0m/zip/refs/heads/master"; depth:45; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333493/; classtype:trojan-activity;sid:84196593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.zip/refs/tags/0.7.1"; depth:48; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333494/; classtype:trojan-activity;sid:84196594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54n4l/mimikatzwindows/zip/refs/heads/master"; depth:44; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333489/; classtype:trojan-activity;sid:84196589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.9"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333485/; classtype:trojan-activity;sid:84196585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.9.1"; depth:51; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333482/; 
classtype:trojan-activity;sid:84196582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crowly-ai/hello-world/refs/heads/main/zubovlekciya.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333481/; classtype:trojan-activity;sid:84196581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heresfilly09-9/fornova/main/svchost.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333479/; classtype:trojan-activity;sid:84196579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bloodhoundad/bloodhound/master/collectors/sharphound.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333470/; classtype:trojan-activity;sid:84196570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/calendar/setup.exe"; depth:33; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333458/; classtype:trojan-activity;sid:84196558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3333457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/calendar.exe"; depth:27; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333457/; classtype:trojan-activity;sid:84196557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/jeditor/jeditor.exe"; depth:34; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333456/; classtype:trojan-activity;sid:84196556; rev:1;)
# Triage note for sids 84196539 and 84196535 (the next two rules): going by
# their paths, both URLs sit inside sample/training trees (".../malware/binaries/..."
# and ".../training/windows/practical_malware_analysis/labs/..."). A hit shows
# that the file was requested, not that it ran; identify the requesting host,
# user and process before treating the alert as an infection.
# NOTE(review): raw.githubusercontent.com is presumably reached over HTTPS only,
# so an "alert http" rule would see these requests only where TLS is decrypted
# ahead of the sensor. Confirm against your sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytisf/thezoo/refs/heads/master/malware/binaries/ransomware.wannacry/ransomware.wannacry.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333439/; classtype:trojan-activity;sid:84196539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newlog/exploiting/refs/heads/master/training/windows/practical_malware_analysis/labs/chapter_1l/lab01-02.exe"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333435/; classtype:trojan-activity;sid:84196535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333369)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/getrektboy724/sementara/master/donut.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333369/; classtype:trojan-activity;sid:84196469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.mpsl"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333359/; classtype:trojan-activity;sid:84196459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.i686"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333355/; classtype:trojan-activity;sid:84196455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.x86"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333357/; classtype:trojan-activity;sid:84196457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/raw/master/donut.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333350/; 
classtype:trojan-activity;sid:84196450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm7"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333351/; classtype:trojan-activity;sid:84196451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.m68k"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333352/; classtype:trojan-activity;sid:84196452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm4"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333353/; classtype:trojan-activity;sid:84196453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.mips"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333343/; classtype:trojan-activity;sid:84196443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm6"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; 
depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333322/; classtype:trojan-activity;sid:84196422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17793058/lg246dre.txt"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333321/; classtype:trojan-activity;sid:84196421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm5"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333316/; classtype:trojan-activity;sid:84196416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.ppc"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333317/; classtype:trojan-activity;sid:84196417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jtdamhd5"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333279/; classtype:trojan-activity;sid:84196379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332955)"; 
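flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/storage/files/9/%e2%98%85%ec%a0%9c%ed%92%88%ec%82%ac%ec%9a%a9%ec%a0%84%20%ed%95%84%ec%88%98%ec%85%8b%ed%8c%85%e2%98%85.zip"; depth:123; endswith; nocase; http.host; content:"xn--yh4bx88a.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332955/; classtype:trojan-activity;sid:84196055; rev:1;)
# Review note for sids 84196055, 84196054, 84195892 and 84195883 (the rule that
# ends on the previous line and the three that follow): their URI patterns
# contain percent-escapes ("%20", "%e2%98%85", ...). Suricata's http.uri buffer
# holds the normalized URI, in which percent-escapes are decoded, so a literal
# "%20" pattern is not expected to match there. These four rules therefore
# inspect http.uri.raw, which keeps the request URI as sent by the client.
# depth, endswith, nocase and the http.host match are unchanged, and sid/rev are
# left as published so alerts still map to the URLhaus reference. Replay a
# capture of one of these URLs to confirm the match on your Suricata build.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332954)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/storage/files/9/%e2%ab%b8%ec%a0%9c%ed%92%88%ec%82%ac%ec%9a%a9%ec%a0%84%20%ed%95%84%ec%88%98%ec%85%8b%ed%8c%85%e2%ab%b7.zip"; depth:123; endswith; nocase; http.host; content:"xn--yh4bx88a.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332954/; classtype:trojan-activity;sid:84196054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332792)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/noccenter/noccenter/refs/heads/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332792/; classtype:trojan-activity;sid:84195892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332783)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/noccenter/noccenter/raw/refs/heads/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332783/; classtype:trojan-activity;sid:84195883; rev:1;)
alert http 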
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baksvoronov/testingflrplgpreg/raw/refs/heads/main/connector1.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332780/; classtype:trojan-activity;sid:84195880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/main/critscript.exe"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332771/; classtype:trojan-activity;sid:84195871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mae-luadev/mae-tests/main/system.exe"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332764/; classtype:trojan-activity;sid:84195864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mae-luadev/mae-tests/raw/main/system.exe"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332757/; classtype:trojan-activity;sid:84195857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331919)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/presema/kersal/refs/heads/main/opyhjdase.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331919/; classtype:trojan-activity;sid:84195019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/popapoers.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331862/; classtype:trojan-activity;sid:84194962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/ljgksdtihd.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331858/; classtype:trojan-activity;sid:84194958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/pfntjejghjsdkr.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331850/; classtype:trojan-activity;sid:84194950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/vikings.exe"; depth:43; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331828/; classtype:trojan-activity;sid:84194928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/bnkrigkawd.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331826/; classtype:trojan-activity;sid:84194926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frenzy-zwaake/discordrat-2.0/main/client-built.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331699/; classtype:trojan-activity;sid:84194799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fofit-rater/1/refs/heads/main/xclient.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331669/; classtype:trojan-activity;sid:84194769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/efedursun125/xfakeplayers/master/xclient.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, 
urlhaus.abuse.ch/url/3331670/; classtype:trojan-activity;sid:84194770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/long-glade-33dc08/original//rump_img.jpeg"; depth:45; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331664/; classtype:trojan-activity;sid:84194764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abhidadatg/worm/refs/heads/main/xclient.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331665/; classtype:trojan-activity;sid:84194765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zonicleaks/yappadabbadoo/main/xclient.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331653/; classtype:trojan-activity;sid:84194753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jikoos/rrr/main/xclient.exe"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331648/; classtype:trojan-activity;sid:84194748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3331649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/debug2.ps1"; depth:30; endswith; nocase; http.host; content:"www.drgenov.com"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331649/; classtype:trojan-activity;sid:84194749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvlh01am/wrwrwr/main/xclient.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331644/; classtype:trojan-activity;sid:84194744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvlh01am/adad/main/xclient.exe"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331643/; classtype:trojan-activity;sid:84194743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frenzy-zwaake/discordrat-2.0/deferred-metadata/main/client-built.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331639/; classtype:trojan-activity;sid:84194739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whois-black/qew123/main/xclient.exe"; depth:36; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331640/; classtype:trojan-activity;sid:84194740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paco321312312/cautious-sniffle/main/xclient.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331636/; classtype:trojan-activity;sid:84194736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joeljosephpajeet/testexe/refs/heads/main/xclient.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331633/; classtype:trojan-activity;sid:84194733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/debug4.ps1"; depth:30; endswith; nocase; http.host; content:"www.drgenov.com"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331626/; classtype:trojan-activity;sid:84194726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvlh01am/fsfsf/main/xclient.exe"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331628/; 
classtype:trojan-activity;sid:84194728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheetz/nishang/master/gather/keylogger.ps1"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331630/; classtype:trojan-activity;sid:84194730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cookieskush/pip-package-template/master/client-built.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331588/; classtype:trojan-activity;sid:84194688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/efedursun125/xfakeplayers/refs/heads/master/xclient.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331574/; classtype:trojan-activity;sid:84194674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cidadejunina/js/vendor/debug2.ps1"; depth:34; endswith; nocase; http.host; content:"transparenciacanaa.com.br"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331534/; classtype:trojan-activity;sid:84194634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3331498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_-w5me4evtzbdzix_v_ymzdelazhrv5z"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331498/; classtype:trojan-activity;sid:84194598; rev:1;)
# NOTE(review), sids 84194598, 84194600 and 84194590 (the rule that ends on the
# previous line and the next two): inside a content string "|7c|" is the byte
# '|', so "download|7c|26|7c|id=" matches the literal text "download|26|id=".
# "|26|" is the hex escape for '&', so this looks like an '&' that was escaped
# twice by the generator. Check the URL on the referenced URLhaus page. If it
# reads "...export=download&id=...", the rule as published cannot match it; the
# pattern would need "download|26|id=" and the depth would become 56, the
# decoded pattern length.
# depth:68 equals the length of the escaped text rather than of the decoded
# bytes, so the match is not pinned to the start of the URI as it is in the
# rules whose depth equals their pattern length.
# drive.google.com is presumably reached over HTTPS only, so these "alert http"
# rules fire only where TLS is decrypted ahead of the sensor. Confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nskagzrswpttoue3wbrhdqpyzlyve4tg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331500/; classtype:trojan-activity;sid:84194600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1o3zw7sodji4uk954kngkdyshyl37gozq"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331490/; classtype:trojan-activity;sid:84194590; rev:1;)
# sids 84181680 and 84181598 (the next two rules) carry the same URI and host
# patterns and differ only in the URLhaus reference id, so one matching request
# raises both alerts. Deduplicate on URI and host when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3318580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_03; reference:url, urlhaus.abuse.ch/url/3318580/; classtype:trojan-activity;sid:84181680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3318498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; 
depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_03; reference:url, urlhaus.abuse.ch/url/3318498/; classtype:trojan-activity;sid:84181598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3318309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khangdz1801/raw/refs/heads/main/sound.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_03; reference:url, urlhaus.abuse.ch/url/3318309/; classtype:trojan-activity;sid:84181409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin2.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317713/; classtype:trojan-activity;sid:84180813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin1.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317712/; classtype:trojan-activity;sid:84180812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin3.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317707/; classtype:trojan-activity;sid:84180807; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/media/thing2"; depth:32; endswith; nocase; http.host; content:"divvanews.com"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317497/; classtype:trojan-activity;sid:84180597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3315253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/purchaseorder.exe"; depth:24; endswith; nocase; http.host; content:"csg-app.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_30; reference:url, urlhaus.abuse.ch/url/3315253/; classtype:trojan-activity;sid:84178353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3315254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/putty.exe"; depth:16; endswith; nocase; http.host; content:"csg-app.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_30; reference:url, urlhaus.abuse.ch/url/3315254/; classtype:trojan-activity;sid:84178354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"61.183.16.127"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308898/; classtype:trojan-activity;sid:84171998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"218.155.74.6"; depth:12; isdataat:!1,relative; 
metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308894/; classtype:trojan-activity;sid:84171994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308883/; classtype:trojan-activity;sid:84171983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308875/; classtype:trojan-activity;sid:84171975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"5.26.174.234"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308847/; classtype:trojan-activity;sid:84171947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1idr9p3dgxkblhu7h4jckclzmtlibwsiw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308798/; classtype:trojan-activity;sid:84171898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308797)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1c2pnucvma1shu90mnauhef6shildth-s"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308797/; classtype:trojan-activity;sid:84171897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xblkpfz8y0"; depth:11; endswith; nocase; http.host; content:"158.101.35.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308461/; classtype:trojan-activity;sid:84171561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xblkpfz8y3"; depth:11; endswith; nocase; http.host; content:"158.101.35.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308462/; classtype:trojan-activity;sid:84171562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xblkpfz8y4.exe"; depth:15; endswith; nocase; http.host; content:"158.101.35.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308463/; classtype:trojan-activity;sid:84171563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xblkpfz8y2"; depth:11; endswith; nocase; http.host; content:"158.101.35.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, 
urlhaus.abuse.ch/url/3308464/; classtype:trojan-activity;sid:84171564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xblkpfz8y1"; depth:11; endswith; nocase; http.host; content:"158.101.35.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308465/; classtype:trojan-activity;sid:84171565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3303817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1jbzzntbk1kuszoofww7hsqfdh066ontf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_25; reference:url, urlhaus.abuse.ch/url/3303817/; classtype:trojan-activity;sid:84166917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3303818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hkvynldkcbdd50_bsw3s9tk5elbduxtg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_25; reference:url, urlhaus.abuse.ch/url/3303818/; classtype:trojan-activity;sid:84166918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3303101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs/lr.sh"; depth:11; endswith; nocase; http.host; content:"183.102.83.247"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_24; reference:url, urlhaus.abuse.ch/url/3303101/; classtype:trojan-activity;sid:84166201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300881)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/y.png"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300881/; classtype:trojan-activity;sid:84163981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/dcm/refs/heads/main/document.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300394/; classtype:trojan-activity;sid:84163494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/test.xll"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300382/; classtype:trojan-activity;sid:84163482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/ud.bat"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300387/; classtype:trojan-activity;sid:84163487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/t.png"; depth:35; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300377/; classtype:trojan-activity;sid:84163477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/template.dotm"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300378/; classtype:trojan-activity;sid:84163478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/doadmin.png"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300374/; classtype:trojan-activity;sid:84163474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/steamerx.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300375/; classtype:trojan-activity;sid:84163475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/justpoc.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; 
reference:url, urlhaus.abuse.ch/url/3300376/; classtype:trojan-activity;sid:84163476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/u.xls"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300371/; classtype:trojan-activity;sid:84163471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/scriptlet"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300372/; classtype:trojan-activity;sid:84163472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/es.hta"; depth:7; endswith; nocase; http.host; content:"pub-cdd0dd27ae6a4aee9841d397e0496374.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2024_11_22; reference:url, urlhaus.abuse.ch/url/3300068/; classtype:trojan-activity;sid:84163168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saked018/rivada/refs/heads/main/mis_file_9888123_received_xsls.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298233/; classtype:trojan-activity;sid:84161333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3298219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saked018/rivada/raw/refs/heads/main/mis_file_9888123_received_xsls.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298219/; classtype:trojan-activity;sid:84161319; rev:1;)
# These entries pin http.host to exactly "github.com" (depth:10 with
# isdataat:!1,relative) and http.uri to the full repository path named in
# content (depth equal to the content length, plus endswith; nocase makes the
# path comparison case-insensitive).
# NOTE(review): "alert http" only sees requests Suricata can parse as
# cleartext HTTP. The URL scheme is not recorded in the rule; if the reported
# URLs were https://, these signatures match only behind TLS inspection, and
# coverage elsewhere has to come from proxy or endpoint telemetry.
# TODO confirm against the sensor's placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/dcm/raw/refs/heads/main/document.zip"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298207/; classtype:trojan-activity;sid:84161307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/ud/raw/refs/heads/main/ud.bat"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298202/; classtype:trojan-activity;sid:84161302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/raw/refs/heads/main/u.xls"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298205/; classtype:trojan-activity;sid:84161305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298201)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/rouki555/lnk/raw/refs/heads/main/ud.bat"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298201/; classtype:trojan-activity;sid:84161301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3296209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crm/exe/update.exe"; depth:19; endswith; nocase; http.host; content:"www.zhikey.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_19; reference:url, urlhaus.abuse.ch/url/3296209/; classtype:trojan-activity;sid:84159309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3294913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledshow1.exe"; depth:13; endswith; nocase; http.host; content:"101.200.220.118"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_18; reference:url, urlhaus.abuse.ch/url/3294913/; classtype:trojan-activity;sid:84158013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3294809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configureregistrysettings.ps1"; depth:30; endswith; nocase; http.host; content:"103.247.164.242"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_18; reference:url, urlhaus.abuse.ch/url/3294809/; classtype:trojan-activity;sid:84157909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3294619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noureddine-nt9/rgsdr/raw/refs/heads/main/cheet.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_18; reference:url, urlhaus.abuse.ch/url/3294619/; 
classtype:trojan-activity;sid:84157719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3293160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"5.181.28.63"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_16; reference:url, urlhaus.abuse.ch/url/3293160/; classtype:trojan-activity;sid:84156260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3292014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n/tui/mininews/mininewsplus/3.0.0.26165/mininewsplus-2.exe"; depth:59; endswith; nocase; http.host; content:"mininews.kpzip.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_11_15; reference:url, urlhaus.abuse.ch/url/3292014/; classtype:trojan-activity;sid:84155114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3291869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/stories/guides/guide2018.exe"; depth:36; endswith; nocase; http.host; content:"dcwblida.dz"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_15; reference:url, urlhaus.abuse.ch/url/3291869/; classtype:trojan-activity;sid:84154969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3290573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.44.144.198"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_14; reference:url, urlhaus.abuse.ch/url/3290573/; classtype:trojan-activity;sid:84153673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3290243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro2.jpg"; depth:9; 
endswith; nocase; http.host; content:"113.98.201.248"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_14; reference:url, urlhaus.abuse.ch/url/3290243/; classtype:trojan-activity;sid:84153343; rev:1;)
# NOTE(review): the content below holds a literal "%20". http.uri is the
# normalized URI buffer, where percent-encoding is normally decoded before
# matching, so a request for ".../ddos%20scripts/..." may present a space in
# that buffer and miss this pattern; http.uri.raw is the buffer that keeps the
# encoded form. depth:74 is sized for the encoded text. Verify with a replayed
# request on the deployed Suricata version and libhtp settings.
# NOTE(review): host is raw.githubusercontent.com; if the reported URL was
# https:// (not recorded in the rule), "alert http" sees it only where TLS is
# decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00ts3c/ddos-rootsec/refs/heads/master/ddos%20scripts/l4/udp/10gbpsudp.py"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_14; reference:url, urlhaus.abuse.ch/url/3289875/; classtype:trojan-activity;sid:84152975; rev:1;)
# The three entries below share one template: client-to-server traffic on an
# established flow, http.method containing "GET", http.uri exactly "/i"
# (depth:2 plus endswith, case-insensitive through nocase), and http.host
# pinned to a single IPv4 literal by depth plus isdataat:!1,relative.
# Each one is an indicator for that host alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.255.216.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3289466/; classtype:trojan-activity;sid:84152566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.97.36.202"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3289463/; classtype:trojan-activity;sid:84152563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.28.177.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3289464/; classtype:trojan-activity;sid:84152564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3288915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.118.75.244"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3288915/; classtype:trojan-activity;sid:84152015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3287640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.171.188.254"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_12; reference:url, urlhaus.abuse.ch/url/3287640/; classtype:trojan-activity;sid:84150740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.143.20.60"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286969/; classtype:trojan-activity;sid:84150069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286821/; classtype:trojan-activity;sid:84149921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kzxiaopeng2/kuaizip_setup_-808202126_xiaopeng2_001.exe"; depth:55; endswith; nocase; http.host; content:"d.kpzip.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, 
urlhaus.abuse.ch/url/3286518/; classtype:trojan-activity;sid:84149618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haozip.convertimg.exe"; depth:22; endswith; nocase; http.host; content:"download.haozip.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286513/; classtype:trojan-activity;sid:84149613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-reverse-shell/main/shellcode.bin"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286067/; classtype:trojan-activity;sid:84149167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3281714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3cur3th1ssh1t/creds/master/obfuscatedps/dccuac.ps1"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_08; reference:url, urlhaus.abuse.ch/url/3281714/; classtype:trojan-activity;sid:84144814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3281712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/120/vc/seethegoodthingswhicgivenyoubest.hta"; depth:44; endswith; nocase; http.host; content:"104.168.7.52"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_08; reference:url, urlhaus.abuse.ch/url/3281712/; classtype:trojan-activity;sid:84144812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3281085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/raw/master/rage.dll"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3281085/; classtype:trojan-activity;sid:84144185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3280990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2d424qwn"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3280990/; classtype:trojan-activity;sid:84144090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3280686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/130/uh/seethebestpartentirelifewithmygirlfriendonentirelifethings.hta"; depth:70; endswith; nocase; http.host; content:"104.168.7.52"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3280686/; classtype:trojan-activity;sid:84143786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3280680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fiies/stormfn-launcher/raw/refs/heads/main/stormfn-launcher.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3280680/; classtype:trojan-activity;sid:84143780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3279353)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xavieprowel/crispy-palm-tree/releases/download/1/3e3ev3.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3279353/; classtype:trojan-activity;sid:84142453; rev:1;)
# NOTE(review): the next two entries put percent-encoded text straight into
# an http.uri content (UTF-8 path segments as "%e8%bd%af...", and "%20").
# depth:97 and depth:48 equal the length of the encoded strings. http.uri is
# the normalized buffer, where percent-encoding is normally decoded before
# matching, so the decoded request path may not contain these literal "%xx"
# sequences; http.uri.raw is the buffer that keeps them. Replay a sample
# request to confirm whether either signature can fire on the deployed
# Suricata version and libhtp settings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/txdown_disk/%e8%bd%af%e4%bb%b6%e4%bd%bf%e7%94%a8/%e7%bc%ba%e5%a4%b1%e4%b8%8b%e8%bd%bd/plugin.dll"; depth:97; endswith; nocase; http.host; content:"disk.accord1key.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278669/; classtype:trojan-activity;sid:84141769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciphershld/ms-p-1a/master/setup%20ms%20p-1a.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278573/; classtype:trojan-activity;sid:84141673; rev:1;)
# Plain-ASCII path: http.uri must equal the content exactly (depth:44 plus
# endswith, case-insensitive) and http.host must equal
# "raw.githubusercontent.com" (depth:25 plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minecradt/regdelete/readme-edits/hell9o.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278576/; classtype:trojan-activity;sid:84141676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openpeach/dotnetfx_cleanup_tool/refs/heads/master/cleanup_tool.exe"; 
depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278567/; classtype:trojan-activity;sid:84141667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1las2cmd3reobg45qhkqhawi90h4_u0kd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278362/; classtype:trojan-activity;sid:84141462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=17hv9-3t2ilikbmcfql2z66ipd72x4mz7"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278361/; classtype:trojan-activity;sid:84141461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3276956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"216.201.80.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_05; reference:url, urlhaus.abuse.ch/url/3276956/; classtype:trojan-activity;sid:84140056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3276896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loistupidpet/sfdawsdawdaw/main/serials_checker.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_05; 
reference:url, urlhaus.abuse.ch/url/3276896/; classtype:trojan-activity;sid:84139996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3276765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35/ew/bestgreetingwithbestthingsevermadewithgreatthigns.hta"; depth:60; endswith; nocase; http.host; content:"104.168.7.52"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_05; reference:url, urlhaus.abuse.ch/url/3276765/; classtype:trojan-activity;sid:84139865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kc4fdseohzqymz2x0ncqswph66uxdb1z"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275669/; classtype:trojan-activity;sid:84138769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1u_rahqbks7vd7qqc6wx3gxnjxtfqrzbp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275667/; classtype:trojan-activity;sid:84138767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1-8qpzgr4-iis53p1-kr2-o6prrjmnksk"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275658/; classtype:trojan-activity;sid:84138758; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ubqrhziusgl-cn_nie2_udj4qi6qrqsw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275656/; classtype:trojan-activity;sid:84138756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ikoxnnlvglh6jhnfqkrsihss_p2dqkyp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275240/; classtype:trojan-activity;sid:84138340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1r7oi2jekx0ks1wqpt0ms3_kqvukzy3dv"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275241/; classtype:trojan-activity;sid:84138341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gmzqsemymffka4lve0jkwa06sklk7xhu"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275242/; classtype:trojan-activity;sid:84138342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3274064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/borisizdabezt/exitlag-hwid-spoofer/main/drv64.dll"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274064/; classtype:trojan-activity;sid:84137164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/raw/main/spoofy.sys"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274049/; classtype:trojan-activity;sid:84137149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/refs/heads/main/spoofy.sys"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274047/; classtype:trojan-activity;sid:84137147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/raw/refs/heads/main/spoofy.sys"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274048/; classtype:trojan-activity;sid:84137148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3272092)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ordogos2/g575/releases/download/download/setup.7.0.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3272092/; classtype:trojan-activity;sid:84135192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/injector.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271922/; classtype:trojan-activity;sid:84135022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/injectorold.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271923/; classtype:trojan-activity;sid:84135023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/driver.sys"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271924/; classtype:trojan-activity;sid:84135024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/loader.exe"; depth:48; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271925/; classtype:trojan-activity;sid:84135025; rev:1;)
# URLhaus indicator rules keyed on an exact host plus a URI path anchored with depth and endswith.
#
# NOTE(review): the next rule (sid 84135019) carries a literal "%20" in an http.uri pattern. http.uri is
# the normalized URI buffer, where percent-escapes are presumably already decoded (%20 becomes a space),
# so this pattern may never match. http.uri.raw, or |20| in the pattern with depth adjusted, are the
# forms to check; confirm against the Suricata version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/ogfn%20updater.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271919/; classtype:trojan-activity;sid:84135019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/pclient.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271920/; classtype:trojan-activity;sid:84135020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/kdmapper_release.exe"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271921/; classtype:trojan-activity;sid:84135021; rev:1;)
# The remaining rules in this run share the host ftp.ywxww.net and differ only in the file path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc17x64.exe"; depth:12; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271692/; 
classtype:trojan-activity;sid:84134792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pchunter64.exe"; depth:15; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271691/; classtype:trojan-activity;sid:84134791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remotelyanywhere11.exe"; depth:23; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271690/; classtype:trojan-activity;sid:84134790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pm3100.exe"; depth:11; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271689/; classtype:trojan-activity;sid:84134789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwsrv3.3.exe"; depth:13; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271686/; classtype:trojan-activity;sid:84134786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x210.exe"; depth:9; endswith; nocase; http.host; 
content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271681/; classtype:trojan-activity;sid:84134781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydcx.exe"; depth:9; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271683/; classtype:trojan-activity;sid:84134783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/smb.exe"; depth:8; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271684/; classtype:trojan-activity;sid:84134784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kb2808679x64.exe"; depth:17; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271685/; classtype:trojan-activity;sid:84134785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svchost.exe"; depth:12; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271678/; classtype:trojan-activity;sid:84134778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271679)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rlpb15.exe"; depth:11; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271679/; classtype:trojan-activity;sid:84134779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autoruns.exe"; depth:13; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271675/; classtype:trojan-activity;sid:84134775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cysoft/winrarx64521sc.exe"; depth:26; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271673/; classtype:trojan-activity;sid:84134773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hdtune.exe"; depth:11; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271672/; classtype:trojan-activity;sid:84134772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steam.txt"; depth:10; endswith; nocase; http.host; content:"ftp.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271666/; 
classtype:trojan-activity;sid:84134766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svchost.exe"; depth:12; endswith; nocase; http.host; content:"123.ywxww.net"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271663/; classtype:trojan-activity;sid:84134763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/undertalanted/mod/refs/heads/main/svchost.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271634/; classtype:trojan-activity;sid:84134734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sdifru877234/ilu123g5/main/svchost.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271624/; classtype:trojan-activity;sid:84134724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/regolx1/hadb/refs/heads/main/svchost.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271617/; classtype:trojan-activity;sid:84134717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271614)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/chokopie333/doom/main/svchost.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271614/; classtype:trojan-activity;sid:84134714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artem674118/erterytry/main/svchost.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271612/; classtype:trojan-activity;sid:84134712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/morgantaraum/automatic-octo-barnacle/refs/heads/main/svchost.exe"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271609/; classtype:trojan-activity;sid:84134709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media/furystorage/api/main/svchost.exe"; depth:39; endswith; nocase; http.host; content:"media.githubusercontent.com"; depth:27; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271610/; classtype:trojan-activity;sid:84134710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sdifru877234/ilu123g5/raw/main/svchost.exe"; depth:43; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271605/; classtype:trojan-activity;sid:84134705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artem674118/erterytry/raw/main/svchost.exe"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271594/; classtype:trojan-activity;sid:84134694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heresfilly09-9/fornova/raw/main/svchost.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271596/; classtype:trojan-activity;sid:84134696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chokopie333/doom/raw/main/svchost.exe"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271586/; classtype:trojan-activity;sid:84134686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/morgantaraum/automatic-octo-barnacle/raw/refs/heads/main/svchost.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271587/; classtype:trojan-activity;sid:84134687; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zodiac1616/test/raw/refs/heads/main/svchost.exe"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271590/; classtype:trojan-activity;sid:84134690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzrevva1/osu-maple/refs/heads/main/extremeinjector.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271366/; classtype:trojan-activity;sid:84134466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzrevva1/osu-maple/raw/refs/heads/main/extremeinjector.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271369/; classtype:trojan-activity;sid:84134469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novocrm/static/winring0x64.sys"; depth:31; endswith; nocase; http.host; content:"118.189.172.141"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270196/; classtype:trojan-activity;sid:84133296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270195)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ggassistant/update/2.3.11.29/tool/winring0x64.sys|3f|skq=1701042218"; depth:68; endswith; nocase; http.host; content:"shqdown.ggzuhao.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270195/; classtype:trojan-activity;sid:84133295; rev:1;)
# URLhaus indicator rules for github.com paths ending in winring0x64.sys. They match on host and URI
# only; nothing here inspects the downloaded content, so an alert identifies the URL, not the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miguel-b-p/..../raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270193/; classtype:trojan-activity;sid:84133293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/silenthashik/winring/raw/main/winring0x64.sys"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270185/; classtype:trojan-activity;sid:84133285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hak333444/xmrig/raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270186/; classtype:trojan-activity;sid:84133286; rev:1;)
# In the next rule, depth:65 is the pattern length as written: |3f| is counted as four characters but
# decodes to the single byte "?", so the decoded pattern is 62 bytes. With endswith this lets the match
# start up to 3 bytes into http.uri instead of pinning it to offset 0.
# NOTE(review): the path is under xmrig/xmrig, presumably the upstream miner project, so a hit likely
# indicates a miner component download rather than one specific sample; triage with endpoint context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/blob/master/bin/winring0/winring0x64.sys|3f|raw=true"; depth:65; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270188/; classtype:trojan-activity;sid:84133288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so251/olaquerida/releases/download/1releasae/winring0x64.sys"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270189/; classtype:trojan-activity;sid:84133289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsjsjsc79/advsd/raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270191/; classtype:trojan-activity;sid:84133291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stickmengamer/idk/raw/main/winring0x64.sys"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270192/; classtype:trojan-activity;sid:84133292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sopranotech/dimeo/main/winring0x64.sys"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270183/; classtype:trojan-activity;sid:84133283; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abrissyy/min/main/winring0x64.sys"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270184/; classtype:trojan-activity;sid:84133284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3269715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqrtzeroknowledge/xworm-trojan/archive/refs/heads/main.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3269715/; classtype:trojan-activity;sid:84132815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3265959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ygqwpvxadhjsxskr3u3tdw2u5dnzv0pp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_30; reference:url, urlhaus.abuse.ch/url/3265959/; classtype:trojan-activity;sid:84129059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3265958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uzjwtbh4hcs9i060hwf08hrnymnodugn"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_30; reference:url, urlhaus.abuse.ch/url/3265958/; classtype:trojan-activity;sid:84129058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3258033)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ijeuwaesika/nna/refs/heads/main/ifiinms.txt"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3258033/; classtype:trojan-activity;sid:84121133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networks.ps1"; depth:13; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257486/; classtype:trojan-activity;sid:84120586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/javaw/net/net.xsl"; depth:23; endswith; nocase; http.host; content:"shangmei-test.oss-cn-beijing.aliyuncs.com"; depth:41; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257484/; classtype:trojan-activity;sid:84120584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netstat.ps1"; depth:12; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257470/; classtype:trojan-activity;sid:84120570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/net/net.xsl"; depth:12; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 
2024_10_27; reference:url, urlhaus.abuse.ch/url/3257471/; classtype:trojan-activity;sid:84120571; rev:1;)
# Reviewer notes. Rule text below is unchanged; rules are only laid out one per line.
# Each rule alerts on an outbound client GET whose http.uri and http.host equal one
# URLhaus-listed download URL. `depth` + `endswith` pin the URI content to the whole
# http.uri buffer when depth equals the content length, and `depth` +
# `isdataat:!1,relative` do the same for http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/net/net.xsl"; depth:19; endswith; nocase; http.host; content:"sec.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257473/; classtype:trojan-activity;sid:84120573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/inst.ps1"; depth:16; endswith; nocase; http.host; content:"sec.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257474/; classtype:trojan-activity;sid:84120574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netstat.xsl"; depth:12; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257475/; classtype:trojan-activity;sid:84120575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/instance.ps1"; depth:20; endswith; nocase; http.host; content:"sec.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257477/; classtype:trojan-activity;sid:84120577; rev:1;)
# NOTE(review): github.com, raw.githubusercontent.com and codeload.github.com are
# normally reached over HTTPS, while `alert http` only inspects HTTP the sensor sees
# in cleartext. The rules below for those hosts presumably fire only where TLS is
# decrypted ahead of the sensor; confirm for your deployment before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdot227/somalifuscator/archive/refs/heads/main.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254228/; classtype:trojan-activity;sid:84117328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxyonly/www/raw/main/security.exe"; depth:36; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254226/; classtype:trojan-activity;sid:84117326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robloxdev1223/requirements/raw/main/requirements.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254222/; classtype:trojan-activity;sid:84117322; rev:1;)
# Same URI and Host as sid:84099254 (URLhaus entry 3236154) later in this file, so
# one matching request raises two alerts; deduplicate downstream if that matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3252630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17267811/stm.txt"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_25; reference:url, urlhaus.abuse.ch/url/3252630/; classtype:trojan-activity;sid:84115730; rev:1;)
# Host is written in its punycode (xn--) form, so it matches a Host header sent in that form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_up/shop_pds/nicehana/client.exe"; depth:36; endswith; nocase; http.host; content:"www.xn--on3b15m2lco2u.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249739/; classtype:trojan-activity;sid:84112839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; endswith; nocase; http.host; content:"119.193.158.215"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249735/; classtype:trojan-activity;sid:84112835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quasar/quasar/releases/download/v1.4.1/quasar.v1.4.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249675/; classtype:trojan-activity;sid:84112775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/refs/heads/master/rat/njrat.exe"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249662/; classtype:trojan-activity;sid:84112762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3246018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mestalic/site/refs/heads/main/file.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3246018/; classtype:trojan-activity;sid:84109118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"185.152.219.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245733/; classtype:trojan-activity;sid:84108833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vz.txt"; depth:7; endswith; nocase; http.host; content:"51.79.124.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245732/; classtype:trojan-activity;sid:84108832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chinese.txt"; depth:12; endswith; nocase; http.host; content:"202.129.16.172"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245730/; classtype:trojan-activity;sid:84108830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hs.exe"; depth:7; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245463/; classtype:trojan-activity;sid:84108563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kg.exe"; depth:7; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245459/; classtype:trojan-activity;sid:84108559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245458/; classtype:trojan-activity;sid:84108558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/data/update.exe"; depth:23; endswith; nocase; http.host; content:"114.55.106.136"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243086/; classtype:trojan-activity;sid:84106186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate/ckbgd/2.3.0624.zip"; depth:29; endswith; nocase; http.host; content:"8.131.63.6"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243082/; classtype:trojan-activity;sid:84106182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate/ckbgd/2.3.0703.zip"; depth:29; endswith; nocase; http.host; content:"8.131.63.6"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243077/; classtype:trojan-activity;sid:84106177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowseal/zapret-discord-youtube/releases/download/1.1.1/zapret-discord-youtube-1.1.1.rar"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242983/; classtype:trojan-activity;sid:84106083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmatrix/data/hack0832.zip"; depth:26; endswith; nocase; http.host; content:"cd.textfiles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242663/; classtype:trojan-activity;sid:84105763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rishabhkumardeveloper/malware_analysis_using_ml/main/wildfire-test-pe-file.exe"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242642/; classtype:trojan-activity;sid:84105742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mori-miyako/discord-token-generator/zip/refs/heads/main"; depth:56; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241764/; classtype:trojan-activity;sid:84104864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/main/tweaks.7z"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241765/; classtype:trojan-activity;sid:84104865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intergate0/none/main/main.exe"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241756/; classtype:trojan-activity;sid:84104856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kntjspr/licensebytes/refs/heads/main/licensemalwarebytes.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241752/; classtype:trojan-activity;sid:84104852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baksvoronov/testingflrplgpreg/refs/heads/main/connector1.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241644/; classtype:trojan-activity;sid:84104744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s107000665/c1/master/1223.exe"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, 
urlhaus.abuse.ch/url/3241637/; classtype:trojan-activity;sid:84104737; rev:1;)
# Reviewer notes. Rule text below is unchanged; rules are only laid out one per line.
# Every rule here is an exact-URL indicator: client GET, http.uri content anchored
# with `depth` + `endswith`, http.host content anchored with `depth` +
# `isdataat:!1,relative`.
# NOTE(review): most hosts in this span are GitHub content hosts, which are normally
# reached over HTTPS; `alert http` sees them only where TLS is decrypted ahead of the
# sensor. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iciamyplant/ctf/master/plantrojan.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241638/; classtype:trojan-activity;sid:84104738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fengjixuchui/cve-2022-26810/main/shellcode.bin"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241639/; classtype:trojan-activity;sid:84104739; rev:1;)
# NOTE(review): the URI content carries a literal `%20`. Suricata documents http.uri
# as the normalized URI, in which %20 is decoded to a space, and http.uri.raw as the
# buffer for matching the encoded form. This rule therefore looks unlikely to match
# on http.uri; confirm with a test capture and report upstream if so.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/killbillpribil/world-of-tanks/master/world%20of%20tanks.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241640/; classtype:trojan-activity;sid:84104740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mach1el/htb-scripts/master/exploit-fuse/shell.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241641/; classtype:trojan-activity;sid:84104741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khr0x40sh/whitelistevasion/master/installutil/script.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241642/; classtype:trojan-activity;sid:84104742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msf.exe"; depth:8; endswith; nocase; http.host; content:"qiniuyunxz.yxflzs.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241635/; classtype:trojan-activity;sid:84104735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5hackr/phantom/main/phantom/resources/donut.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241559/; classtype:trojan-activity;sid:84104659; rev:1;)
# The next two rules (sid:84104504 and sid:84104482) have identical URI and Host
# matches and differ only in URLhaus entry id, so one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241404/; classtype:trojan-activity;sid:84104504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241382/; classtype:trojan-activity;sid:84104482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justincoding3/slumfun/main/obfuscated.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241127/; classtype:trojan-activity;sid:84104227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00t-3xp10it/redpill/main/utils/compiled.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241126/; classtype:trojan-activity;sid:84104226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secwiki/windows-kernel-exploits/master/ms14-068/ms14-068.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241125/; classtype:trojan-activity;sid:84104225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prowindows365/hailhydra/refs/heads/main/hailhydra.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241123/; classtype:trojan-activity;sid:84104223; rev:1;)
# NOTE(review): this path looks like the source archive of a public detection-rule
# repository rather than a malware drop. Expect alerts from analyst or lab hosts that
# fetch it, and tune per source host instead of disabling the rule. The
# atomic-red-team and cuckoo archive rules further down (sid:84103919, sid:84103917)
# raise the same triage question.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo23x0/signature-base/archive/master.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241055/; classtype:trojan-activity;sid:84104155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ricepudding0xl/discordnitrogenerator/main/discordnitrogenerator.exe"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241005/; classtype:trojan-activity;sid:84104105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ryan2159/stuff/main/discord.exe"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241004/; classtype:trojan-activity;sid:84104104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sad-dust/death/main/stealinfo.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240999/; classtype:trojan-activity;sid:84104099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepdevil51/discordspotifybypass/main/discordspotifybypass.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240998/; classtype:trojan-activity;sid:84104098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepdevil51/discordspotifybypass/raw/main/discordspotifybypass.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240994/; classtype:trojan-activity;sid:84104094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redcanaryco/atomic-red-team/master/atomics/t1204.002/bin/test10.lnk"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240819/; classtype:trojan-activity;sid:84103919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cuckoobox/cuckoo/archive/master.zip"; depth:36; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240817/; classtype:trojan-activity;sid:84103917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haxork8880/files/main/windowssync.txt.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240813/; classtype:trojan-activity;sid:84103913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crjtpp/tpplab_public/main/poc-sample-lnk.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240814/; classtype:trojan-activity;sid:84103914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackerx237/miner/main/my-files.lnk"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240812/; classtype:trojan-activity;sid:84103912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/releases/download/beta_v0.6/all.tweaker.beta.v0.6.7z"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240811/; classtype:trojan-activity;sid:84103911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/raw/main/tweaks.7z"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240810/; classtype:trojan-activity;sid:84103910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dqwr1q23rwdfr/xxx/releases/download/xxx/vital.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240720/; classtype:trojan-activity;sid:84103820; rev:1;)
# NOTE(review): the URI content carries a literal `%23`. As with `%20`, a
# percent-encoded byte may already be decoded in the normalized http.uri buffer, in
# which case this rule would not match; verify against a test capture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdjulaya09/code-sparrow-crypter-2.0-private-crack-leak/releases/download/%23crypter/codesparrow.crypter.2.0.crack.rar"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240639/; classtype:trojan-activity;sid:84103739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3239707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.x64.bin"; depth:14; endswith; nocase; http.host; content:"8.138.96.41"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_17; reference:url, urlhaus.abuse.ch/url/3239707/; classtype:trojan-activity;sid:84102807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eaklauncher/eaklauncher.exe"; depth:28; endswith; nocase; http.host; content:"147.50.240.62"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238658/; 
classtype:trojan-activity;sid:84101758; rev:1;)
# Reviewer notes. Rule text below is unchanged; rules are only laid out one per line.
# Every rule here is an exact-URL indicator: client GET, http.uri content anchored
# with `depth` + `endswith`, http.host content anchored with `depth` +
# `isdataat:!1,relative`.
# NOTE(review): github.com, raw.githubusercontent.com, codeload.github.com and
# drive.google.com are normally reached over HTTPS; `alert http` sees them only where
# TLS is decrypted ahead of the sensor. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resources/js/info2r.txt"; depth:24; endswith; nocase; http.host; content:"188.81.134.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238111/; classtype:trojan-activity;sid:84101211; rev:1;)
# NOTE(review): the URI content carries a literal `%20`. Suricata documents http.uri
# as the normalized URI, in which %20 is decoded to a space, and http.uri.raw as the
# buffer for matching the encoded form. This rule therefore looks unlikely to match
# on http.uri; confirm with a test capture and report upstream if so.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/main/fast%20download.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238073/; classtype:trojan-activity;sid:84101173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/main/444.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238061/; classtype:trojan-activity;sid:84101161; rev:1;)
# `|3f|` is a single byte (`?`), so this content is 61 bytes while depth is 64; the
# depth value appears to be computed from the escaped text. With `endswith` the end is
# still anchored, but the match may start up to 3 bytes into the buffer instead of at
# offset 0, so the URI is not pinned as exactly as in the rules without hex escapes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/blob/master/rat/njrat.exe|3f|raw=true"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237975/; classtype:trojan-activity;sid:84101075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5556.rar"; depth:9; endswith; nocase; http.host; content:"188.212.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237976/; classtype:trojan-activity;sid:84101076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/umbral-stealer/zip/refs/heads/main"; depth:43; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237956/; classtype:trojan-activity;sid:84101056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/blank-grabber/zip/refs/heads/main"; depth:42; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237955/; classtype:trojan-activity;sid:84101055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/blankobf/zip/refs/heads/v2"; depth:35; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237954/; classtype:trojan-activity;sid:84101054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh81/exploi01/zip/refs/heads/main"; depth:35; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237861/; classtype:trojan-activity;sid:84100961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steve824/a/zip/refs/heads/main"; depth:31; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237810/; classtype:trojan-activity;sid:84100910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thebb5th/123/zip/refs/heads/main"; depth:33; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237737/; classtype:trojan-activity;sid:84100837; rev:1;)
# NOTE(review): in the next two rules `|7c|26|7c|` decodes to the four literal bytes
# `|26|` between `export=download` and `id=`. That looks like a double-escaped `|26|`
# (`&`). If the reported URLs used `&` there, neither rule can match; check against
# the URLhaus entries and report upstream if so. As written the content is 59 bytes
# against depth:68, so the start of the URI is not pinned either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_suia0iczdw2reew1f9hgunezxcwv52d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237465/; classtype:trojan-activity;sid:84100565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_3ozdjl5puad8qn3tipydynn5j7l13el"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237464/; classtype:trojan-activity;sid:84100564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/center.exe"; depth:11; endswith; nocase; http.host; content:"119.193.158.215"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236597/; classtype:trojan-activity;sid:84099697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"153.37.77.156"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236587/; classtype:trojan-activity;sid:84099687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"116.136.142.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236559/; classtype:trojan-activity;sid:84099659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3cur3th1ssh1t/creds/master/powershellscripts/invoke-petitpotam.ps1"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236453/; classtype:trojan-activity;sid:84099553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/xwgl/xw_xxgl.exe"; depth:22; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236324/; classtype:trojan-activity;sid:84099424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/xw_setup.exe"; depth:18; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236322/; classtype:trojan-activity;sid:84099422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/yhy_setup.exe"; depth:19; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236323/; classtype:trojan-activity;sid:84099423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/4001/updates/efatura/efatura.exe"; depth:42; endswith; nocase; http.host; content:"elisans.novayonetim.com"; depth:23; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236318/; classtype:trojan-activity;sid:84099418; rev:1;)
# Same depth quirk as the other `|3f|` rule above: depth:102 is 3 more than the
# decoded content length, so only the end of the URI is anchored exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/services/identification/server/gtptoolsdownloadhandler.ashx|3f|filename=gtp_6_browserplugin_setup.exe"; depth:102; endswith; nocase; http.host; content:"hnjgdl.geps.glodon.com"; depth:22; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236240/; classtype:trojan-activity;sid:84099340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/natgo.exe"; depth:10; endswith; nocase; http.host; content:"dl.natgo.cn"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236237/; classtype:trojan-activity;sid:84099337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/etermproxy.exe"; depth:24; endswith; nocase; http.host; content:"pid.fly160.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236236/; classtype:trojan-activity;sid:84099336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdd_biaoge/soft/down.exe"; depth:25; endswith; nocase; http.host; content:"49.234.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236224/; classtype:trojan-activity;sid:84099324; rev:1;)
# Same URI and Host as sid:84115730 (URLhaus entry 3252630) earlier in this file, so
# one matching request raises two alerts; deduplicate downstream if that matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17267811/stm.txt"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236154/; classtype:trojan-activity;sid:84099254; rev:1;)
# NOTE(review): this path looks like a tagged source archive of a public security
# tool rather than a malware drop. Expect alerts from analyst or build hosts that
# fetch it, and tune per source host instead of disabling the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chainguard-dev/bincapz/archive/refs/tags/v0.5.0.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235523/; classtype:trojan-activity;sid:84098623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/playmcbkuwu/vape/releases/download/stable/vape.v4.10.from.duckysolucky.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235522/; classtype:trojan-activity;sid:84098622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/raw/master/rage.dll"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235514/; classtype:trojan-activity;sid:84098614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meckazin/chromekatz/releases/download/0.4.7/chromekatzbofs.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235513/; classtype:trojan-activity;sid:84098613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsh/update.exe"; depth:15; endswith; nocase; http.host; content:"101.126.11.168"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3235094/; classtype:trojan-activity;sid:84098194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3234859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petikvx/lockbit-black-builder/main/lockbit30/builder.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3234859/; classtype:trojan-activity;sid:84097959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3234858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tennessene/lockbit/refs/heads/main/builder.exe"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3234858/; classtype:trojan-activity;sid:84097958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3232402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"152.32.202.240"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_13; reference:url, urlhaus.abuse.ch/url/3232402/; classtype:trojan-activity;sid:84095502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3231796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16737801/wave.zip|3f|"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_12; reference:url, urlhaus.abuse.ch/url/3231796/; classtype:trojan-activity;sid:84094896; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3231794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16419615/solara.zip"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_12; reference:url, urlhaus.abuse.ch/url/3231794/; classtype:trojan-activity;sid:84094894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3229631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kamilniftaliev/cryptoview/zip/refs/heads/main"; depth:46; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_11; reference:url, urlhaus.abuse.ch/url/3229631/; classtype:trojan-activity;sid:84092731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3228667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winassist/login/login.7z"; depth:25; endswith; nocase; http.host; content:"win.down.55kantu.com"; depth:20; isdataat:!1,relative; metadata:created_at 2024_10_10; reference:url, urlhaus.abuse.ch/url/3228667/; classtype:trojan-activity;sid:84091767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3226239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.0/xmrig-6.22.0-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_09; reference:url, urlhaus.abuse.ch/url/3226239/; classtype:trojan-activity;sid:84089339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3225932)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.70.238.134"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_09; reference:url, urlhaus.abuse.ch/url/3225932/; classtype:trojan-activity;sid:84089032; rev:1;)
# Review note (the /sshd entries below): each rule matches an exact URI on an
# exact bare-IPv4 host (`depth` equals the string length, with `endswith` on
# http.uri and `isdataat:!1,relative` on http.host); the port is `any`.
# Several rules are identical except for msg, reference and sid:
#   87.97.161.106   -> sids 84080860, 84080845, 84080817, 84080829
#   178.183.205.197 -> sids 84080887, 84080725, 84080721, 84080718
#   213.96.13.100   -> sids 84081101, 84080789, 84080765
#   81.45.183.125   -> sids 84080781, 84080782
#   118.212.35.175  -> sids 84080662, 84080526
# One matching request would therefore raise one alert per duplicate sid unless
# thresholded. Presumably the URLhaus entries differ in a part of the URL the
# rule does not encode (e.g. the port) -- verify via the reference links.
# Deduplicate downstream on (host, uri) rather than on sid.
# All entries carry created_at 2024_10_06; a raw-IP indicator of that age is a
# lead to verify, since the address may have changed hands.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"109.207.216.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218033/; classtype:trojan-activity;sid:84081133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.106.101.159"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218030/; classtype:trojan-activity;sid:84081130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.217"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218007/; classtype:trojan-activity;sid:84081107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"109.207.217.114"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218009/; classtype:trojan-activity;sid:84081109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"166.147.146.187"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218011/; classtype:trojan-activity;sid:84081111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218001/; classtype:trojan-activity;sid:84081101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217787/; classtype:trojan-activity;sid:84080887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.130.160.219"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217802/; classtype:trojan-activity;sid:84080902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.203.169.39"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217780/; classtype:trojan-activity;sid:84080880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.191.89.122"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217775/; classtype:trojan-activity;sid:84080875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.106.155.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217757/; classtype:trojan-activity;sid:84080857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217760/; classtype:trojan-activity;sid:84080860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.28.228.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217750/; classtype:trojan-activity;sid:84080850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217745/; classtype:trojan-activity;sid:84080845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.203.169.41"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217740/; classtype:trojan-activity;sid:84080840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217717/; classtype:trojan-activity;sid:84080817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217729/; classtype:trojan-activity;sid:84080829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217689/; classtype:trojan-activity;sid:84080789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.16.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217684/; classtype:trojan-activity;sid:84080784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.45.183.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217681/; classtype:trojan-activity;sid:84080781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.45.183.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217682/; classtype:trojan-activity;sid:84080782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217665/; classtype:trojan-activity;sid:84080765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.12.184.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217669/; classtype:trojan-activity;sid:84080769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.191.89.120"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217674/; classtype:trojan-activity;sid:84080774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.161.6.225"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217638/; classtype:trojan-activity;sid:84080738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217625/; classtype:trojan-activity;sid:84080725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217621/; classtype:trojan-activity;sid:84080721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217618/; classtype:trojan-activity;sid:84080718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.212.35.175"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217562/; classtype:trojan-activity;sid:84080662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123.ps1"; depth:8; endswith; nocase; http.host; content:"103.247.164.242"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217557/; classtype:trojan-activity;sid:84080657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.118.215.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217454/; classtype:trojan-activity;sid:84080554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.212.35.175"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217426/; classtype:trojan-activity;sid:84080526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.209.184.121"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217096/; classtype:trojan-activity;sid:84080196; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"83.166.197.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217111/; classtype:trojan-activity;sid:84080211; rev:1;)
# Review note (the /mozi.m entries below): every rule is "GET /mozi.m" matched
# exactly (`depth:7` + `endswith`, case-insensitive) against one exact bare-IPv4
# host (`depth` + `isdataat:!1,relative`), so the indicator is the address.
# The file name looks like the Mozi IoT botnet payload (inferred from the name
# only; confirm via each rule's urlhaus reference).
# Direction is $HOME_NET -> $EXTERNAL_NET with flow:from_client: these rules
# flag an internal client requesting the file and say nothing about an internal
# device serving it, which would need a separate inbound rule.
# All entries carry created_at 2024_10_06; treat a hit on a raw-IP indicator of
# that age as a lead to verify, since the address may have changed hands.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"190.145.205.178"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217088/; classtype:trojan-activity;sid:84080188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217091/; classtype:trojan-activity;sid:84080191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.119.95.176"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217069/; classtype:trojan-activity;sid:84080169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"167.250.193.253"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217046/; classtype:trojan-activity;sid:84080146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.78.201.3"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217062/; classtype:trojan-activity;sid:84080162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"181.49.47.190"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217063/; classtype:trojan-activity;sid:84080163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.194.46.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217064/; classtype:trojan-activity;sid:84080164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217065/; classtype:trojan-activity;sid:84080165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"87.197.160.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217037/; classtype:trojan-activity;sid:84080137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"156.155.176.210"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217006/; classtype:trojan-activity;sid:84080106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.145.168.170"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217009/; classtype:trojan-activity;sid:84080109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"181.94.245.254"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217012/; classtype:trojan-activity;sid:84080112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.209.184.118"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217015/; classtype:trojan-activity;sid:84080115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.18.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217020/; classtype:trojan-activity;sid:84080120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217023/; classtype:trojan-activity;sid:84080123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"194.183.186.164"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217024/; classtype:trojan-activity;sid:84080124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217001/; classtype:trojan-activity;sid:84080101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.5.50.108"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217003/; classtype:trojan-activity;sid:84080103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216971/; classtype:trojan-activity;sid:84080071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.250.160.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216974/; classtype:trojan-activity;sid:84080074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216979/; classtype:trojan-activity;sid:84080079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.57.33.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216983/; classtype:trojan-activity;sid:84080083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.119.151.142"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216987/; classtype:trojan-activity;sid:84080087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.90.207.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216962/; classtype:trojan-activity;sid:84080062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216956/; classtype:trojan-activity;sid:84080056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.4.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216950/; classtype:trojan-activity;sid:84080050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"195.64.182.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216951/; classtype:trojan-activity;sid:84080051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216934/; classtype:trojan-activity;sid:84080034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.20.138"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216936/; classtype:trojan-activity;sid:84080036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"181.211.252.34"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216937/; classtype:trojan-activity;sid:84080037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"114.7.160.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216943/; classtype:trojan-activity;sid:84080043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216945/; classtype:trojan-activity;sid:84080045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"138.122.43.76"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216889/; classtype:trojan-activity;sid:84079989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.131.244.202"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216894/; classtype:trojan-activity;sid:84079994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216911/; classtype:trojan-activity;sid:84080011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216883/; classtype:trojan-activity;sid:84079983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216886/; classtype:trojan-activity;sid:84079986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3216877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.112.2.247"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216877/; classtype:trojan-activity;sid:84079977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"85.187.82.120"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216860/; classtype:trojan-activity;sid:84079960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"94.52.86.60"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216867/; classtype:trojan-activity;sid:84079967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216843/; classtype:trojan-activity;sid:84079943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.215.238"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216846/; classtype:trojan-activity;sid:84079946; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216813/; classtype:trojan-activity;sid:84079913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"181.143.114.106"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216820/; classtype:trojan-activity;sid:84079920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"109.160.87.2"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216802/; classtype:trojan-activity;sid:84079902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.34.209.216"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216803/; classtype:trojan-activity;sid:84079903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, 
urlhaus.abuse.ch/url/3216800/; classtype:trojan-activity;sid:84079900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216794/; classtype:trojan-activity;sid:84079894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.192.22.166"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216796/; classtype:trojan-activity;sid:84079896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216772/; classtype:trojan-activity;sid:84079872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"95.70.238.134"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216775/; classtype:trojan-activity;sid:84079875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"114.7.209.193"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216761/; classtype:trojan-activity;sid:84079861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216763/; classtype:trojan-activity;sid:84079863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"109.92.143.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216750/; classtype:trojan-activity;sid:84079850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216739/; classtype:trojan-activity;sid:84079839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.57.69.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216722/; classtype:trojan-activity;sid:84079822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216719)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.116.62.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216719/; classtype:trojan-activity;sid:84079819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"82.193.120.99"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216715/; classtype:trojan-activity;sid:84079815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.135.26.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216704/; classtype:trojan-activity;sid:84079804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.66.151.7"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216682/; classtype:trojan-activity;sid:84079782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.119.193.17"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216686/; classtype:trojan-activity;sid:84079786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3216688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216688/; classtype:trojan-activity;sid:84079788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"212.85.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216690/; classtype:trojan-activity;sid:84079790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.151.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216694/; classtype:trojan-activity;sid:84079794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216700/; classtype:trojan-activity;sid:84079800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.18.218"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216649/; classtype:trojan-activity;sid:84079749; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216650/; classtype:trojan-activity;sid:84079750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.245.10.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216664/; classtype:trojan-activity;sid:84079764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216606/; classtype:trojan-activity;sid:84079706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216607/; classtype:trojan-activity;sid:84079707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; 
reference:url, urlhaus.abuse.ch/url/3216610/; classtype:trojan-activity;sid:84079710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.6.74.138"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216599/; classtype:trojan-activity;sid:84079699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.233.63.185"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216600/; classtype:trojan-activity;sid:84079700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"31.186.54.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216603/; classtype:trojan-activity;sid:84079703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"151.248.56.14"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216572/; classtype:trojan-activity;sid:84079672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"81.16.247.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216577/; classtype:trojan-activity;sid:84079677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216581/; classtype:trojan-activity;sid:84079681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"91.244.169.56"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216582/; classtype:trojan-activity;sid:84079682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216583/; classtype:trojan-activity;sid:84079683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216559/; classtype:trojan-activity;sid:84079659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216561)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216561/; classtype:trojan-activity;sid:84079661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"176.221.111.222"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216564/; classtype:trojan-activity;sid:84079664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"150.129.202.193"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216569/; classtype:trojan-activity;sid:84079669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216537/; classtype:trojan-activity;sid:84079637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.71.46.122"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216520/; classtype:trojan-activity;sid:84079620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3216529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216529/; classtype:trojan-activity;sid:84079629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.202.49.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216509/; classtype:trojan-activity;sid:84079609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216510/; classtype:trojan-activity;sid:84079610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.21.223.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216501/; classtype:trojan-activity;sid:84079601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"121.43.104.75"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216456/; 
classtype:trojan-activity;sid:84079556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216437/; classtype:trojan-activity;sid:84079537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"217.92.214.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216421/; classtype:trojan-activity;sid:84079521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.249.6.118"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216418/; classtype:trojan-activity;sid:84079518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"49.232.126.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216406/; classtype:trojan-activity;sid:84079506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"150.158.25.244"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216404/; classtype:trojan-activity;sid:84079504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"121.43.104.75"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216396/; classtype:trojan-activity;sid:84079496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"43.132.12.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216384/; classtype:trojan-activity;sid:84079484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216382/; classtype:trojan-activity;sid:84079482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"36.110.15.211"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216377/; classtype:trojan-activity;sid:84079477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216372)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216372/; classtype:trojan-activity;sid:84079472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216365/; classtype:trojan-activity;sid:84079465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"82.67.13.197"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216359/; classtype:trojan-activity;sid:84079459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"123.117.136.97"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216353/; classtype:trojan-activity;sid:84079453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"43.132.13.252"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216334/; classtype:trojan-activity;sid:84079434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3216322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216322/; classtype:trojan-activity;sid:84079422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"85.163.234.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216309/; classtype:trojan-activity;sid:84079409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216306/; classtype:trojan-activity;sid:84079406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.187.151.107"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216302/; classtype:trojan-activity;sid:84079402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.85.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215800/; 
classtype:trojan-activity;sid:84078900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.151.108.232"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215780/; classtype:trojan-activity;sid:84078880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.233.63.185"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215785/; classtype:trojan-activity;sid:84078885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.186.54.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215788/; classtype:trojan-activity;sid:84078888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.70.238.134"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215794/; classtype:trojan-activity;sid:84078894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.221.111.222"; depth:15; isdataat:!1,relative; 
metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215795/; classtype:trojan-activity;sid:84078895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.197.160.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215772/; classtype:trojan-activity;sid:84078872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.135.26.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215476/; classtype:trojan-activity;sid:84078576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.119.151.142"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215468/; classtype:trojan-activity;sid:84078568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.247.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215469/; classtype:trojan-activity;sid:84078569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"109.160.87.2"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215463/; classtype:trojan-activity;sid:84078563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215454/; classtype:trojan-activity;sid:84078554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.91.236.237"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215434/; classtype:trojan-activity;sid:84078534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215440/; classtype:trojan-activity;sid:84078540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215420/; classtype:trojan-activity;sid:84078520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215409)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.209.193"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215409/; classtype:trojan-activity;sid:84078509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215399/; classtype:trojan-activity;sid:84078499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.116.62.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215380/; classtype:trojan-activity;sid:84078480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215382/; classtype:trojan-activity;sid:84078482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.112.2.247"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215375/; classtype:trojan-activity;sid:84078475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215358)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215358/; classtype:trojan-activity;sid:84078458; rev:1;)
# Each rule below alerts on an outbound GET (flow:established,from_client)
# whose URI and Host both equal one URLhaus entry. On http.uri, a depth equal
# to the pattern length plus endswith pins the whole URI; on http.host, depth
# plus isdataat:!1,relative pins the whole host. nocase follows the URI
# pattern, so the URI comparison is case-insensitive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.166.197.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215359/; classtype:trojan-activity;sid:84078459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.211.135.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215356/; classtype:trojan-activity;sid:84078456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215357/; classtype:trojan-activity;sid:84078457; rev:1;)
# NOTE(review): the host here is github.com and the rule is `alert http`, so
# it inspects HTTP application-layer traffic only. Presumably this download is
# normally fetched over HTTPS, in which case the sensor sees the request only
# when the client used cleartext http:// or TLS is decrypted upstream of the
# sensor -- confirm coverage before relying on this rule for detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3213897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_05; reference:url, urlhaus.abuse.ch/url/3213897/; 
classtype:trojan-activity;sid:84076997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3206293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ox2fa/justnow/refs/heads/main/2pac.php"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_03; reference:url, urlhaus.abuse.ch/url/3206293/; classtype:trojan-activity;sid:84069393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3204531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/for_down/2013/new/dlls/rse/rsreport.exe"; depth:40; endswith; nocase; http.host; content:"download.suxiazai.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_10_02; reference:url, urlhaus.abuse.ch/url/3204531/; classtype:trojan-activity;sid:84067631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3200548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slinky/slinkycrack.zip"; depth:23; endswith; nocase; http.host; content:"crystalpvp.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_29; reference:url, urlhaus.abuse.ch/url/3200548/; classtype:trojan-activity;sid:84063648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3198753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pinginfoview.exe"; depth:17; endswith; nocase; http.host; content:"139.198.15.223"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3198753/; classtype:trojan-activity;sid:84061853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3198696)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cen22.php"; depth:10; endswith; nocase; http.host; content:"39.100.33.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3198696/; classtype:trojan-activity;sid:84061796; rev:1;)
# Each rule below alerts on an outbound GET whose URI and Host both equal one
# URLhaus entry: depth equal to the pattern length plus endswith pins the URI,
# and depth plus isdataat:!1,relative pins the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3195883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scanport.exe"; depth:13; endswith; nocase; http.host; content:"139.198.15.223"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3195883/; classtype:trojan-activity;sid:84058983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3195736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fx8"; depth:4; endswith; nocase; http.host; content:"123.57.250.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3195736/; classtype:trojan-activity;sid:84058836; rev:1;)
# NOTE(review): this pattern is made of percent-escapes (%e6%b8%85...) but is
# applied to http.uri, Suricata's normalized URI buffer. If normalization
# percent-decodes the path, the literal "%e6..." text is not in the buffer and
# the rule would not fire; http.uri.raw is the unnormalized buffer. Confirm
# against a test capture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3195292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%b8%85%e7%90%86%e5%9e%83%e5%9c%be.exe"; depth:41; endswith; nocase; http.host; content:"39.103.217.92"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3195292/; classtype:trojan-activity;sid:84058392; rev:1;)
# NOTE(review): host is raw.githubusercontent.com under `alert http`.
# Presumably this content is fetched over HTTPS in practice, so the rule sees
# it only on a cleartext http:// request or behind TLS decryption -- confirm
# sensor coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3193861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massgravel/microsoft-activation-scripts/b1b5299c4725d97349b18b59061647198f7cc59b/mas/all-in-one-version-kl/mas_aio.cmd"; depth:119; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_27; 
reference:url, urlhaus.abuse.ch/url/3193861/; classtype:trojan-activity;sid:84056961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3193548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bitrix/js/main/core/core.js"; depth:28; endswith; nocase; http.host; content:"evangroup.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_27; reference:url, urlhaus.abuse.ch/url/3193548/; classtype:trojan-activity;sid:84056648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7"; depth:2; endswith; nocase; http.host; content:"45.153.129.239"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190461/; classtype:trojan-activity;sid:84053561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5"; depth:2; endswith; nocase; http.host; content:"45.153.129.239"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190462/; classtype:trojan-activity;sid:84053562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3"; depth:2; endswith; nocase; http.host; content:"45.153.129.239"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190459/; classtype:trojan-activity;sid:84053559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; 
content:"45.153.129.239"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190376/; classtype:trojan-activity;sid:84053476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.68.74.69"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190323/; classtype:trojan-activity;sid:84053423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190317/; classtype:trojan-activity;sid:84053417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3189225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknwon1352/qawfdasfaw/main/software.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_24; reference:url, urlhaus.abuse.ch/url/3189225/; classtype:trojan-activity;sid:84052325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3188620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/repository/aa_v3.exe"; depth:21; endswith; nocase; http.host; content:"83.149.17.194"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_24; reference:url, urlhaus.abuse.ch/url/3188620/; classtype:trojan-activity;sid:84051720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3188034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blueskyxn/changesource/master/besttrace"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_23; reference:url, urlhaus.abuse.ch/url/3188034/; classtype:trojan-activity;sid:84051134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3187575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7z.exe"; depth:7; endswith; nocase; http.host; content:"down.mvip8.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_23; reference:url, urlhaus.abuse.ch/url/3187575/; classtype:trojan-activity;sid:84050675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxl_win_tool_v9.6.iso"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186441/; classtype:trojan-activity;sid:84049541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1-%e4%bf%ae%e6%94%b9%e7%ab%af%e5%8f%a3.iso"; depth:43; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186440/; classtype:trojan-activity;sid:84049540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxl_win_tool_v9.4.iso"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 
2024_09_22; reference:url, urlhaus.abuse.ch/url/3186439/; classtype:trojan-activity;sid:84049539; rev:1;)
# NOTE(review): the next pattern contains percent-escapes (%e4%bf%ae...) but
# is matched on http.uri, the normalized URI buffer. If normalization
# percent-decodes the path, the literal escapes would not be present and the
# rule would not fire; http.uri.raw is the unnormalized buffer -- confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1-%e4%bf%ae%e6%94%b9%e7%ab%af%e5%8f%a3.zip"; depth:43; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186430/; classtype:trojan-activity;sid:84049530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1_dxl_windowsport.zip"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186428/; classtype:trojan-activity;sid:84049528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3181128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inquiry-dubai.js"; depth:17; endswith; nocase; http.host; content:"boydjackson.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_09_19; reference:url, urlhaus.abuse.ch/url/3181128/; classtype:trojan-activity;sid:84044228; rev:1;)
# NOTE(review): in content syntax |7c| is the hex byte for "|", so
# "|7c|26|7c|" matches the four literal characters "|26|". That looks like a
# doubly escaped "&" (which would be written |26|): a request for
# /uc?export=download&id=... does not contain "|26|", so this rule presumably
# never matches -- verify against the URLhaus entry before relying on it.
# depth:68 is the length of the escaped string, not of the decoded pattern, so
# depth no longer pins the pattern to offset 0 of the URI.
# The host is drive.google.com under `alert http`; presumably HTTPS in
# practice, so coverage depends on cleartext requests or TLS decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3178401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1v9ujqbyj-mlf9mugkyiwow6t3rpui2bu"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_09_17; reference:url, urlhaus.abuse.ch/url/3178401/; classtype:trojan-activity;sid:84041501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3174523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scribblercoder/browserthief/main/browserthief.ps1"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174523/; classtype:trojan-activity;sid:84037623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foru.apk"; depth:9; endswith; nocase; http.host; content:"tecunonline.com"; depth:15; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174364/; classtype:trojan-activity;sid:84037464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foru.apk"; depth:9; endswith; nocase; http.host; content:"www.tecunonline.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174340/; classtype:trojan-activity;sid:84037440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen"; depth:7; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174264/; classtype:trojan-activity;sid:84037364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3173868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.exe"; depth:9; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, 
urlhaus.abuse.ch/url/3173868/; classtype:trojan-activity;sid:84036968; rev:1;)
# NOTE(review): this rule (host github.com) and the raw.githubusercontent.com
# rule further down are `alert http`, i.e. they inspect HTTP application-layer
# traffic only. Presumably both hosts are reached over HTTPS in practice, so
# the sensor sees these requests only on cleartext http:// or behind TLS
# decryption -- confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3172240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techsavvysenior/referralreactjs/archive/refs/heads/main.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_09_14; reference:url, urlhaus.abuse.ch/url/3172240/; classtype:trojan-activity;sid:84035340; rev:1;)
# NOTE(review): in content syntax |7c| is the hex byte for "|", so each
# "|7c|26|7c|" below matches the literal characters "|26|". That looks like a
# doubly escaped "&" (which would be written |26|); a query string joined with
# "&" does not contain "|26|", so this rule presumably never matches -- verify
# against the URLhaus entry. The pattern also carries percent-escapes
# (%253a, %252f) while http.uri is the normalized buffer; confirm they are
# still present after normalization, or match on http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3163579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/handler/download|3f|action=download|7c|26|7c|download_id=jgc6slaf|7c|26|7c|private_id=0|7c|26|7c|url=https%253a%252f%252fyoutransfer.net%252fjgc6slaf"; depth:150; endswith; nocase; http.host; content:"youtransfer.net"; depth:15; isdataat:!1,relative; metadata:created_at 2024_09_09; reference:url, urlhaus.abuse.ch/url/3163579/; classtype:trojan-activity;sid:84026679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3154718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackirby/discord-injection/main/injection.js"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_03; reference:url, urlhaus.abuse.ch/url/3154718/; classtype:trojan-activity;sid:84017818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3137563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_31; reference:url, urlhaus.abuse.ch/url/3137563/; classtype:trojan-activity;sid:84000663; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miners/myxmrig.tgz"; depth:19; endswith; nocase; http.host; content:"do-dear.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135730/; classtype:trojan-activity;sid:83998830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosinchik/asd/main/zoom.py"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135722/; classtype:trojan-activity;sid:83998822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moneroocean/xmrig_setup/master/setup_moneroocean_miner.sh"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135724/; classtype:trojan-activity;sid:83998824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/orgn.txt"; depth:13; endswith; nocase; http.host; content:"epanpano.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135613/; classtype:trojan-activity;sid:83998713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3134371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qqhelper_1540.exe"; depth:18; endswith; 
nocase; http.host; content:"down.qqfarmer.com.cn"; depth:20; isdataat:!1,relative; metadata:created_at 2024_08_29; reference:url, urlhaus.abuse.ch/url/3134371/; classtype:trojan-activity;sid:83997471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova_flow/patcher.exe"; depth:22; endswith; nocase; http.host; content:"144.172.71.105"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129654/; classtype:trojan-activity;sid:83992754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/update/css/self/[upg]css.exe"; depth:35; endswith; nocase; http.host; content:"cs.go.kg"; depth:8; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129577/; classtype:trojan-activity;sid:83992677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoldownload/foobar2000_v1.6.7_beta_17@1704_129472.exe"; depth:54; endswith; nocase; http.host; content:"down10d.zol.com.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129478/; classtype:trojan-activity;sid:83992578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asmedises/pxray_cast_sort.exe"; depth:30; endswith; nocase; http.host; content:"www.medises.co.kr"; depth:17; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129417/; classtype:trojan-activity;sid:83992517; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media/mod_junewsultra/js/bootstrap/js/bootstrap.min.js"; depth:55; endswith; nocase; http.host; content:"temirtau-adm.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129220/; classtype:trojan-activity;sid:83992320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yuta1111x/selfbot/04ecdf46e8db9fce689d93905d759334b475c825/aquarius.exe"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129042/; classtype:trojan-activity;sid:83992142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"190.104.213.45"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112427/; classtype:trojan-activity;sid:83975527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"200.29.120.130"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112426/; classtype:trojan-activity;sid:83975526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; 
nocase; http.host; content:"93.182.76.169"; depth:13; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112419/; classtype:trojan-activity;sid:83975519; rev:1;)
# NOTE(review): this rule has the same URI ("/tftp") and host
# ("93.182.76.169") as the preceding rule (sid:83975519); only msg, reference
# and sid differ, so a single matching request raises both alerts. Presumably
# the two URLhaus entries differ in something the rule does not encode
# (e.g. port or scheme) -- confirm, and dedupe or threshold downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"93.182.76.169"; depth:13; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112420/; classtype:trojan-activity;sid:83975520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"89.121.250.206"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112417/; classtype:trojan-activity;sid:83975517; rev:1;)
# NOTE(review): the two rules below match a literal "%20" inside http.uri,
# which is Suricata's normalized URI buffer. If normalization turns "%20" into
# a space, the literal escape is not in the buffer and the rules would not
# fire; http.uri.raw is the unnormalized buffer -- confirm with a test
# capture. Both also target raw.githubusercontent.com under `alert http`;
# presumably HTTPS in practice, so coverage depends on cleartext requests or
# TLS decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/webcam.dll"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108504/; classtype:trojan-activity;sid:83971604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/token%20grabber.dll"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108505/; 
classtype:trojan-activity;sid:83971605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/rootkit.dll"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108506/; classtype:trojan-activity;sid:83971606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/unrootkit.dll"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108507/; classtype:trojan-activity;sid:83971607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/passwordstealer.dll"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108503/; classtype:trojan-activity;sid:83971603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/version.txt"; depth:20; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108502/; classtype:trojan-activity;sid:83971602; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/openark64.exe"; depth:22; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108492/; classtype:trojan-activity;sid:83971592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/openark32.exe"; depth:22; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108491/; classtype:trojan-activity;sid:83971591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120646if_/http:/154.216.19.139/bins/mirai.armv4l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106560/; classtype:trojan-activity;sid:83969660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122936if_/http:/154.216.19.139/bins/mirai.gnueabihf"; depth:64; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106559/; classtype:trojan-activity;sid:83969659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106558)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/web/20240808120223if_/http:/154.216.19.139/bins/mirai.bin"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106558/; classtype:trojan-activity;sid:83969658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121041if_/http:/154.216.19.139/bins/mirai.armv6l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106556/; classtype:trojan-activity;sid:83969656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808123114if_/http:/154.216.19.139/bins/mirai.arc"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106557/; classtype:trojan-activity;sid:83969657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122755if_/http:/154.216.19.139/bins/mirai.x86_64"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106551/; classtype:trojan-activity;sid:83969651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121121if_/http:/154.216.19.139/bins/mirai.armv7l"; depth:61; endswith; nocase; http.host; 
content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106552/; classtype:trojan-activity;sid:83969652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120945if_/http:/154.216.19.139/bins/mirai.armv5l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106553/; classtype:trojan-activity;sid:83969653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122159if_/http:/154.216.19.139/bins/mirai.powerpc"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106554/; classtype:trojan-activity;sid:83969654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121832if_/http:/154.216.19.139/bins/mirai.mipsel"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106555/; classtype:trojan-activity;sid:83969655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/test_move.bat"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, 
urlhaus.abuse.ch/url/3105147/; classtype:trojan-activity;sid:83968247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/test_virus.bat"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105148/; classtype:trojan-activity;sid:83968248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/keylogger.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105149/; classtype:trojan-activity;sid:83968249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/networks_profile.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105150/; classtype:trojan-activity;sid:83968250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/backdoor.exe"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105145/; classtype:trojan-activity;sid:83968245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3105146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/fill_storage_move.bat"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105146/; classtype:trojan-activity;sid:83968246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/fill_storage_virus.bat"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105144/; classtype:trojan-activity;sid:83968244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103488/; classtype:trojan-activity;sid:83966588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103489/; classtype:trojan-activity;sid:83966589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103476/; classtype:trojan-activity;sid:83966576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103467/; classtype:trojan-activity;sid:83966567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3100103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sthealthclient.exe"; depth:19; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3100103/; classtype:trojan-activity;sid:83963203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3100102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggws.exe"; depth:9; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3100102/; classtype:trojan-activity;sid:83963202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3100100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggwsupdate.exe"; depth:15; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3100100/; classtype:trojan-activity;sid:83963200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3100042)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/joelgmsec/invoke-stealth/main/resources/betterxencrypt/betterxencrypt.ps1"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3100042/; classtype:trojan-activity;sid:83963142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122448if_/http:/154.216.19.139/bins/mirai.sh4"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099961/; classtype:trojan-activity;sid:83963061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121230if_/http:/154.216.19.139/bins/mirai.i586"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099962/; classtype:trojan-activity;sid:83963062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122636if_/http:/154.216.19.139/bins/mirai.sparc"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099963/; classtype:trojan-activity;sid:83963063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099965)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/web/20240808121347if_/http:/154.216.19.139/bins/mirai.m68k"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099965/; classtype:trojan-activity;sid:83963065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121419if_/http:/154.216.19.139/bins/mirai.mips"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099966/; classtype:trojan-activity;sid:83963066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121308if_/http:/154.216.19.139/bins/mirai.i686"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099960/; classtype:trojan-activity;sid:83963060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097244/; classtype:trojan-activity;sid:83960344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64"; depth:62; endswith; nocase; http.host; 
content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097239/; classtype:trojan-activity;sid:83960339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097240/; classtype:trojan-activity;sid:83960340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097241/; classtype:trojan-activity;sid:83960341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097242/; classtype:trojan-activity;sid:83960342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, 
urlhaus.abuse.ch/url/3097243/; classtype:trojan-activity;sid:83960343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122159if_/http://154.216.19.139/bins/mirai.powerpc"; depth:63; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097229/; classtype:trojan-activity;sid:83960329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097230/; classtype:trojan-activity;sid:83960330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097231/; classtype:trojan-activity;sid:83960331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097232/; classtype:trojan-activity;sid:83960332; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097233/; classtype:trojan-activity;sid:83960333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097234/; classtype:trojan-activity;sid:83960334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097236/; classtype:trojan-activity;sid:83960336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf"; depth:65; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097237/; classtype:trojan-activity;sid:83960337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097238)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097238/; classtype:trojan-activity;sid:83960338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3093518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uypthvq0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3093518/; classtype:trojan-activity;sid:83956618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3092809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rme3ibrb"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3092809/; classtype:trojan-activity;sid:83955909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3092807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/a9he0f3w"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3092807/; classtype:trojan-activity;sid:83955907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3088913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%5bwww.ghxi.com%5d%e7%93%9c%e5%ad%90%e5%bd%b1%e8%a7%86v2_v1.9.1.1.apk"; depth:70; endswith; nocase; http.host; content:"47.109.77.84"; depth:12; isdataat:!1,relative; 
metadata:created_at 2024_08_04; reference:url, urlhaus.abuse.ch/url/3088913/; classtype:trojan-activity;sid:83952013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3088911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%88%91%e7%9a%84%e7%94%b5%e8%a7%86tv-v2.1.8-%e5%85%8d%e8%b4%b9%e7%ba%af%e5%87%80%e7%89%88.apk"; depth:96; endswith; nocase; http.host; content:"47.109.77.84"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_04; reference:url, urlhaus.abuse.ch/url/3088911/; classtype:trojan-activity;sid:83952011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3086390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/%5bwin"; depth:35; endswith; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_03; reference:url, urlhaus.abuse.ch/url/3086390/; classtype:trojan-activity;sid:83949490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/komasinfo/idcb/main/cbs_applcation_details_072602024_xlsx.rar"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072990/; classtype:trojan-activity;sid:83936090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adrinnno/ptwis/raw/main/file_cbs_app_details_no-0923871691_xlsx.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072974/; 
classtype:trojan-activity;sid:83936074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reporgu/fakado/raw/main/transaction_file_9812009_end_ids_yesbr5_pdf.rar"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072975/; classtype:trojan-activity;sid:83936075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/komasinfo/idcb/raw/main/cbs_applcation_details_072602024_xlsx.rar"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072978/; classtype:trojan-activity;sid:83936078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deannwas/policah/main/file_cbs_app_details_no-0923871691_xlsx.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072969/; classtype:trojan-activity;sid:83936069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reporgu/fakado/main/transaction_file_9812009_end_ids_yesbr5_pdf.rar"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072972/; classtype:trojan-activity;sid:83936072; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grayinv/henidus/raw/main/transaction_end_ids_58788719853478_pdf.rar"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072973/; classtype:trojan-activity;sid:83936073; rev:1;)
# Shape shared by the rules below: a GET request from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed path (depth is set to the pattern length, `endswith` pins the
# end of the buffer, `nocase` ignores case) and whose http.host equals the listed host
# (depth is its length, `isdataat:!1,relative` requires that nothing follows it).
# The number in msg is the URLhaus entry id that also appears in the reference URL.
# Only the client request is inspected (flow:...,from_client); the rules do not look at
# what the server returned.
#
# Four paths on host 51.255.46.245, all with created_at 2024_07_21.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3058866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cve-2023-36874.zip"; depth:19; endswith; nocase; http.host; content:"51.255.46.245"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_21; reference:url, urlhaus.abuse.ch/url/3058866/; classtype:trojan-activity;sid:83921966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3058862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nc64.exe"; depth:9; endswith; nocase; http.host; content:"51.255.46.245"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_21; reference:url, urlhaus.abuse.ch/url/3058862/; classtype:trojan-activity;sid:83921962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3058863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nc64.zip"; depth:9; endswith; nocase; http.host; content:"51.255.46.245"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_21; reference:url, urlhaus.abuse.ch/url/3058863/; classtype:trojan-activity;sid:83921963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3058864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b64"; depth:4; endswith; nocase; http.host; content:"51.255.46.245"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_21; reference:url, urlhaus.abuse.ch/url/3058864/; classtype:trojan-activity;sid:83921964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"220.248.47.54"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052706/; classtype:trojan-activity;sid:83915806; rev:1;)
# Nine paths under /bin/ on host 167.250.49.155. Each rule is the exact path on this one
# Host value; the same file name requested from any other host or path is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mimikatz.exe"; depth:17; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052415/; classtype:trojan-activity;sid:83915515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimispool.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052412/; classtype:trojan-activity;sid:83915512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimilib.dll"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052413/; classtype:trojan-activity;sid:83915513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimidrv.sys"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052414/; classtype:trojan-activity;sid:83915514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimidrv.sys"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052395/; classtype:trojan-activity;sid:83915495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimikatz.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052400/; classtype:trojan-activity;sid:83915500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimispool.dll"; depth:24; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052392/; classtype:trojan-activity;sid:83915492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilove.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052393/; classtype:trojan-activity;sid:83915493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilib.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052394/; classtype:trojan-activity;sid:83915494; rev:1;)
# Two .apk paths on host 47.98.177.117.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2968679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/12.apk"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_13; reference:url, urlhaus.abuse.ch/url/2968679/; classtype:trojan-activity;sid:83831779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2968678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/22.apk"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_13; reference:url, urlhaus.abuse.ch/url/2968678/; classtype:trojan-activity;sid:83831778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2949407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tan.jpg"; depth:8; endswith; nocase; http.host; content:"www999999safagqwhg-1327129302.cos.ap-chengdu.myqcloud.com"; depth:57; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949407/; classtype:trojan-activity;sid:83812507; rev:1;)
# NOTE(review): in Suricata content syntax |7c| is a literal pipe character, so
# `|7c|26|7c|` decodes to the four characters "|26|", not to "&" (byte 0x26). As written
# the next rule matches a URI containing "export=download|26|id=..."; if the reported URL
# used "&" there, this looks like a double escape in rule generation and the rule would
# not match that request. Verify against the URLhaus entry.
# depth:68 is the length of the escaped text; the decoded pattern is 59 bytes, so
# `endswith` still pins the end of the URI but the match may begin up to 9 bytes in.
# drive.google.com is normally reached over HTTPS; an `alert http` rule sees the request
# only when it travels as cleartext HTTP or TLS is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2949385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1rsqnkyvcaein5m-gskl8coyuh8w5xrbd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949385/; classtype:trojan-activity;sid:83812485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2949176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tan.jpg"; depth:8; endswith; nocase; http.host; content:"www999999asgasg-1327129302.cos.ap-chengdu.myqcloud.com"; depth:54; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949176/; classtype:trojan-activity;sid:83812276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2947794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.248.194.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_10; reference:url, urlhaus.abuse.ch/url/2947794/; classtype:trojan-activity;sid:83810894; rev:1;)
# NOTE(review): the next two rules (sid 83808693 and sid 83808660) have identical match
# options, same URI and same host, and differ only in URLhaus id and sid, so one matching
# request raises two alerts. Presumably the two URLhaus entries differ in something the
# rule does not encode (for example the URL scheme); confirm before suppressing either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2945593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/sab/dithioic.csv"; depth:26; endswith; nocase; http.host; content:"new.quranushaiqer.org.sa"; depth:24; isdataat:!1,relative; metadata:created_at 2024_07_09; reference:url, urlhaus.abuse.ch/url/2945593/; classtype:trojan-activity;sid:83808693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2945560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/sab/dithioic.csv"; depth:26; endswith; nocase; http.host; content:"new.quranushaiqer.org.sa"; depth:24; isdataat:!1,relative; metadata:created_at 2024_07_09; reference:url, urlhaus.abuse.ch/url/2945560/; classtype:trojan-activity;sid:83808660; rev:1;)
# raw.githubusercontent.com is normally reached over HTTPS, so this rule depends on the
# sensor seeing decrypted or cleartext HTTP; a lack of alerts does not show that no
# download took place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2944285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jijilovedada/jijilovedada/main/tools/cc/adaptorovernight.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_08; reference:url, urlhaus.abuse.ch/url/2944285/; classtype:trojan-activity;sid:83807385; rev:1;)
# Three .exe paths on host 47.98.177.117. sid 83805827 and sid 83805825 differ only by a
# doubled slash in the path ("/1.exe" vs "//1.exe"); because the URI match is exact, each
# spelling needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/1.exe"; depth:34; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942727/; classtype:trojan-activity;sid:83805827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download//1.exe"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942725/; classtype:trojan-activity;sid:83805825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/123.exe"; depth:36; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942694/; classtype:trojan-activity;sid:83805794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2942567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/win"; depth:32; endswith; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942567/; classtype:trojan-activity;sid:83805667; rev:1;)
# The rules below all match Host "github.com" and a path under
# /trasherwithadollarsign/trashers-malware-repo/raw/main/ (trojan/ or ransomware/), all with
# created_at 2024_07_05. Each one is an exact request match: http.uri must equal the path
# (depth equals the pattern length, plus `endswith`, case-insensitive via `nocase`) and
# http.host must equal the host (depth equals its length, `isdataat:!1,relative` forbids
# trailing bytes). Only the client request is inspected, not the response.
# github.com is normally reached over HTTPS; these `alert http` rules see the request only
# when it travels as cleartext HTTP or TLS is decrypted before the sensor, so a lack of
# alerts does not show that no download took place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/000.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934823/; classtype:trojan-activity;sid:83797923; rev:1;)
# NOTE(review): the next pattern contains literal "%20". Suricata documents http.uri as the
# normalized URI (percent-encoding such as %20 decoded) and http.uri.raw as the unmodified
# one, so on http.uri the path would be seen with spaces and this content would not match.
# Verify on the deployed Suricata version; matching the encoded form needs http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/trojan.malpack.themida%20(anti%20vm).exe"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934824/; classtype:trojan-activity;sid:83797924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/jigsaw.exe"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934818/; classtype:trojan-activity;sid:83797918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/freeyoutubedownloader.exe"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934819/; classtype:trojan-activity;sid:83797919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/memz.exe"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934820/; classtype:trojan-activity;sid:83797920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/noescape.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934821/; classtype:trojan-activity;sid:83797921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/destover.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934822/; classtype:trojan-activity;sid:83797922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/meredrop.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934816/; classtype:trojan-activity;sid:83797916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/redlinestealer.exe"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934817/; classtype:trojan-activity;sid:83797917; rev:1;)
# NOTE(review): literal "%20" again in the next pattern; on the normalized http.uri buffer
# the request path would presumably contain a space instead, so this rule may never fire.
# Confirm, and compare with http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/hive%20ransomware.exe"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934811/; classtype:trojan-activity;sid:83797911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/wannacry.exe"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934812/; classtype:trojan-activity;sid:83797912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/nomoreransom.exe"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934813/; classtype:trojan-activity;sid:83797913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/petya.a.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934808/; classtype:trojan-activity;sid:83797908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/cryptowall.exe"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934809/; classtype:trojan-activity;sid:83797909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/infinitycrypt.exe"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934810/; classtype:trojan-activity;sid:83797910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934805)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/coronavirus.exe"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934805/; classtype:trojan-activity;sid:83797905; rev:1;)
# Every rule below is an exact request match on a GET from $HOME_NET to $EXTERNAL_NET:
# http.uri must equal the path (depth equals the pattern length, `endswith`, `nocase`) and
# http.host must equal the host text (depth equals its length, `isdataat:!1,relative`).
# Only the request is inspected (flow:...,from_client); the rules say nothing about what
# the server returned, so an alert is a lead to verify, not proof of a delivered payload.
#
# Three .jpg paths on down.ftp21.cc and ssl.ftp21.cc.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2932460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/445.jpg"; depth:8; endswith; nocase; http.host; content:"down.ftp21.cc"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_04; reference:url, urlhaus.abuse.ch/url/2932460/; classtype:trojan-activity;sid:83795560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2914055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tq.jpg"; depth:7; endswith; nocase; http.host; content:"down.ftp21.cc"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_30; reference:url, urlhaus.abuse.ch/url/2914055/; classtype:trojan-activity;sid:83777155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2912423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tq.jpg"; depth:7; endswith; nocase; http.host; content:"ssl.ftp21.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2024_06_29; reference:url, urlhaus.abuse.ch/url/2912423/; classtype:trojan-activity;sid:83775523; rev:1;)
# Thirteen rules for the same path /photo.scr, one per Host value (created_at 2024_06_28).
# The rules compare the Host text only; the destination address is `$EXTERNAL_NET any`.
# That is why an IP literal and a hostname that appears to embed the same address (for
# example 126.23.203.236 and softbank126023203236.bbtec.net; presumably the same server,
# not confirmed here) need separate rules, and why a request to the same server under any
# other Host value is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911219/; classtype:trojan-activity;sid:83774319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911215/; classtype:trojan-activity;sid:83774315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911212/; classtype:trojan-activity;sid:83774312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"195.103.203.106"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911194/; classtype:trojan-activity;sid:83774294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"88.28.218.163"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911191/; classtype:trojan-activity;sid:83774291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"102.53.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911187/; classtype:trojan-activity;sid:83774287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"126.23.203.236"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911184/; classtype:trojan-activity;sid:83774284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"85.22.139.189"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911166/; classtype:trojan-activity;sid:83774266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"95.255.114.11"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911154/; classtype:trojan-activity;sid:83774254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"102.53.15.17"; depth:12; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911133/; classtype:trojan-activity;sid:83774233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"softbank126023203236.bbtec.net"; depth:30; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911113/; classtype:trojan-activity;sid:83774213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"host-195-103-203-106.business.telecomitalia.it"; depth:46; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911108/; classtype:trojan-activity;sid:83774208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"host-95-255-114-11.business.telecomitalia.it"; depth:44; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911105/; classtype:trojan-activity;sid:83774205; rev:1;)
# Path /tftp on IP-literal hosts (created_at 2024_06_27). The path is five bytes and generic,
# so the Host value carries the specificity of these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2909310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"45.118.79.103"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2909310/; classtype:trojan-activity;sid:83772410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2909291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"89.184.185.198"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2909291/; classtype:trojan-activity;sid:83772391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2909290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"185.224.107.4"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2909290/; classtype:trojan-activity;sid:83772390; rev:1;)
# The rules below share one shape: GET from $HOME_NET to $EXTERNAL_NET, http.uri equal to
# the listed path (depth set to the pattern length, `endswith`, `nocase`), http.host equal
# to the listed host (depth equals its length, `isdataat:!1,relative`). Exceptions to the
# depth convention are called out at the rule. Only the request is inspected.
# The created_at values here are from 2024, while the file header gives a 2026 update time;
# IP-literal hosts may have changed hands since, so treat an alert as a lead to verify.
#
# Path /tftp on four more IP-literal hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"211.192.113.232"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908899/; classtype:trojan-activity;sid:83771999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"190.108.63.242"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908900/; classtype:trojan-activity;sid:83772000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"211.192.113.231"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908901/; classtype:trojan-activity;sid:83772001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"202.57.39.2"; depth:11; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908902/; classtype:trojan-activity;sid:83772002; rev:1;)
# raw.githubusercontent.com (here and further down) is normally reached over HTTPS; an
# `alert http` rule sees the request only when it travels as cleartext HTTP or TLS is
# decrypted before the sensor, so a lack of alerts does not show that no download happened.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2901197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwzonepieces/posapsi/master/chatlife.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_22; reference:url, urlhaus.abuse.ch/url/2901197/; classtype:trojan-activity;sid:83764297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2894025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kailash-jakhar/webpack-v5-tutorial/main/quizpokemon.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_17; reference:url, urlhaus.abuse.ch/url/2894025/; classtype:trojan-activity;sid:83757125; rev:1;)
# Path /help.scr on three IP-literal hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"118.178.133.241"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888463/; classtype:trojan-activity;sid:83751563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"124.67.254.109"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888444/; classtype:trojan-activity;sid:83751544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"117.157.17.194"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888430/; classtype:trojan-activity;sid:83751530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2885860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brunovale03/adegaads/main/offeredbuilt.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_13; reference:url, urlhaus.abuse.ch/url/2885860/; classtype:trojan-activity;sid:83748960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2883708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sirvivor32/sirvivor/main/lukejazz.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_11; reference:url, urlhaus.abuse.ch/url/2883708/; classtype:trojan-activity;sid:83746808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2881768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cg100/update.exe"; depth:17; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_06_10; reference:url, urlhaus.abuse.ch/url/2881768/; classtype:trojan-activity;sid:83744868; rev:1;)
# NOTE(review): the next pattern contains literal "%20". Suricata documents http.uri as the
# normalized URI (percent-encoding such as %20 decoded) and http.uri.raw as the unmodified
# one, so on http.uri the path would be seen with a space and this content would not match.
# Verify on the deployed Suricata version; matching the encoded form needs http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2879955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unp%20setup.exe"; depth:16; endswith; nocase; http.host; content:"36.138.125.70"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_08; reference:url, urlhaus.abuse.ch/url/2879955/; classtype:trojan-activity;sid:83743055; rev:1;)
# Exact path on one Host value only; the same file name served from elsewhere is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2879655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sharphound.exe"; depth:15; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_08; reference:url, urlhaus.abuse.ch/url/2879655/; classtype:trojan-activity;sid:83742755; rev:1;)
# github.com: same HTTPS visibility caveat as for raw.githubusercontent.com above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2877890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ustaxes/ustaxes/files/15421286/2022and2023taxdocuments.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_04; reference:url, urlhaus.abuse.ch/url/2877890/; classtype:trojan-activity;sid:83740990; rev:1;)
# NOTE(review): applies to the two drive.google.com rules below. In Suricata content syntax
# |7c| is a literal pipe character, so `|7c|26|7c|` decodes to the four characters "|26|",
# not to "&" (byte 0x26). As written the rules match a URI containing
# "export=download|26|id=..."; if the reported URLs used "&" there, this looks like a double
# escape in rule generation and the rules would not match those requests. Verify against
# the URLhaus entries.
# depth:68 is the length of the escaped text; the decoded pattern is 59 bytes, so
# `endswith` still pins the end of the URI but the match may begin up to 9 bytes in.
# drive.google.com is normally reached over HTTPS, so the HTTPS visibility caveat applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2874107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=19nonxskhmwbvfxpr2ccmwd9xrhz1ldco"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_06_04; reference:url, urlhaus.abuse.ch/url/2874107/; classtype:trojan-activity;sid:83737207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2874109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1p_knmkidu8kiejeem_ijrlumbjih3bkv"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_06_04; reference:url, urlhaus.abuse.ch/url/2874109/; classtype:trojan-activity;sid:83737209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2872168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/htwvlcdsfcrahhchdd97.bin"; depth:25; endswith; nocase; http.host; content:"ramirex.ro"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_02; reference:url, urlhaus.abuse.ch/url/2872168/; classtype:trojan-activity;sid:83735268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2872167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rutschebanes.qxd"; depth:17; endswith; nocase; http.host; content:"ramirex.ro"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_02; reference:url, urlhaus.abuse.ch/url/2872167/; classtype:trojan-activity;sid:83735267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2870237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cqtygpx9gdoywntprwub0xbckivif6iy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2870237/; classtype:trojan-activity;sid:83733337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2870235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wsqkirdngjlt8uu2lv9mzciks4my12jh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2870235/; classtype:trojan-activity;sid:83733335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2869849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"119.91.25.19"; depth:12; 
isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2869849/; classtype:trojan-activity;sid:83732949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2869844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.91.25.19"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2869844/; classtype:trojan-activity;sid:83732944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2869702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sheksweet/sheksweet1/main/rambledmime.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2869702/; classtype:trojan-activity;sid:83732802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2868723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.i_1003h.exe"; depth:14; endswith; nocase; http.host; content:"221.143.49.222"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_30; reference:url, urlhaus.abuse.ch/url/2868723/; classtype:trojan-activity;sid:83731823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2867270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmed45sh/flutter-movie/master/crypted_c360a5b7.exe"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_28; reference:url, urlhaus.abuse.ch/url/2867270/; classtype:trojan-activity;sid:83730370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2867236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmed45sh/apple-replica-starter-files/master/apple-replica/zintask.exe"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_28; reference:url, urlhaus.abuse.ch/url/2867236/; classtype:trojan-activity;sid:83730336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2865442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggws_upload.exe"; depth:16; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_27; reference:url, urlhaus.abuse.ch/url/2865442/; classtype:trojan-activity;sid:83728542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2865272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sthealthbq.exe"; depth:15; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_27; reference:url, urlhaus.abuse.ch/url/2865272/; classtype:trojan-activity;sid:83728372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2865273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sthealthupload.exe"; depth:19; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_27; reference:url, urlhaus.abuse.ch/url/2865273/; classtype:trojan-activity;sid:83728373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2865241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sthealthupdate.exe"; depth:19; endswith; nocase; http.host; content:"47.104.173.216"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_05_27; reference:url, urlhaus.abuse.ch/url/2865241/; classtype:trojan-activity;sid:83728341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"221.10.233.217"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863372/; classtype:trojan-activity;sid:83726472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.13"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863341/; classtype:trojan-activity;sid:83726441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863345/; classtype:trojan-activity;sid:83726445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.19.103"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863346/; classtype:trojan-activity;sid:83726446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; 
depth:5; endswith; nocase; http.host; content:"223.108.58.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863330/; classtype:trojan-activity;sid:83726430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.77.57.16"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863333/; classtype:trojan-activity;sid:83726433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.49.168.84"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863334/; classtype:trojan-activity;sid:83726434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/varteyjw"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862520/; classtype:trojan-activity;sid:83725620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/8gikly"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862050/; classtype:trojan-activity;sid:83725150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2862051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/medjl1"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862051/; classtype:trojan-activity;sid:83725151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/dy1f16"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862052/; classtype:trojan-activity;sid:83725152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/kx3wl4"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862053/; classtype:trojan-activity;sid:83725153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/ppxodm"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862054/; classtype:trojan-activity;sid:83725154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/e7opy8"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862055/; 
classtype:trojan-activity;sid:83725155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/7dhid7"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862056/; classtype:trojan-activity;sid:83725156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/tbfvpd"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862049/; classtype:trojan-activity;sid:83725149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/g2js91"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862047/; classtype:trojan-activity;sid:83725147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/lt00vw"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862044/; classtype:trojan-activity;sid:83725144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/i7tdbr"; depth:14; endswith; nocase; 
http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862045/; classtype:trojan-activity;sid:83725145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/3a9xj1"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862043/; classtype:trojan-activity;sid:83725143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/wyg3h5"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862042/; classtype:trojan-activity;sid:83725142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.216.105.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862020/; classtype:trojan-activity;sid:83725120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862017/; classtype:trojan-activity;sid:83725117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862004)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862004/; classtype:trojan-activity;sid:83725104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862007/; classtype:trojan-activity;sid:83725107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862009/; classtype:trojan-activity;sid:83725109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"166.144.131.188"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862010/; classtype:trojan-activity;sid:83725110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862014/; classtype:trojan-activity;sid:83725114; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.147.175.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861986/; classtype:trojan-activity;sid:83725086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861987/; classtype:trojan-activity;sid:83725087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.165.122.114"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861978/; classtype:trojan-activity;sid:83725078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861979/; classtype:trojan-activity;sid:83725079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861982/; 
classtype:trojan-activity;sid:83725082; rev:1;)
# URLhaus download-URL rules for "/sshd" fetched from bare IP hosts, restored
# to one rule per line. Each rule alerts on an established, client-side HTTP GET
# whose http.uri is exactly "/sshd" (depth:5 + endswith) and whose http.host is
# exactly the listed address (depth:<len> + isdataat:!1,relative).
# NOTE(review): several rules in this run have the same http.uri / http.host
# pair and differ only in msg id, reference and sid - for example "/sshd" on
# 81.42.247.62 under sids 83725074, 83725059, 83725019 and 83725023. A single
# matching request therefore raises one alert per sid. The header uses "any"
# for the destination port, so if the underlying URLhaus entries differ only by
# port (not visible here - confirm) that difference is not matched by the rule.
# When triaging, group these alerts by flow or by host + URI rather than
# counting each sid as a separate event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"132.255.192.122"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861971/; classtype:trojan-activity;sid:83725071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861974/; classtype:trojan-activity;sid:83725074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861957/; classtype:trojan-activity;sid:83725057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861958/; classtype:trojan-activity;sid:83725058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861959/; classtype:trojan-activity;sid:83725059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.47.248.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861950/; classtype:trojan-activity;sid:83725050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861948/; classtype:trojan-activity;sid:83725048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861919/; classtype:trojan-activity;sid:83725019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861923/; classtype:trojan-activity;sid:83725023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; 
http.host; content:"223.82.83.143"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861927/; classtype:trojan-activity;sid:83725027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.230.215.65"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861929/; classtype:trojan-activity;sid:83725029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"141.134.214.217"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861930/; classtype:trojan-activity;sid:83725030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861931/; classtype:trojan-activity;sid:83725031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861935/; classtype:trojan-activity;sid:83725035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861939)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861939/; classtype:trojan-activity;sid:83725039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861940/; classtype:trojan-activity;sid:83725040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861941/; classtype:trojan-activity;sid:83725041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861943/; classtype:trojan-activity;sid:83725043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861945/; classtype:trojan-activity;sid:83725045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2861888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/dvbcvt"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861888/; classtype:trojan-activity;sid:83724988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/exw2o1"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861887/; classtype:trojan-activity;sid:83724987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"66.49.95.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861842/; classtype:trojan-activity;sid:83724942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861843/; classtype:trojan-activity;sid:83724943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861844/; 
classtype:trojan-activity;sid:83724944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"178.176.204.250"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861852/; classtype:trojan-activity;sid:83724952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861838/; classtype:trojan-activity;sid:83724938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861839/; classtype:trojan-activity;sid:83724939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"202.3.248.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861834/; classtype:trojan-activity;sid:83724934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"178.176.204.240"; depth:15; isdataat:!1,relative; 
metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861831/; classtype:trojan-activity;sid:83724931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"141.134.214.217"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861828/; classtype:trojan-activity;sid:83724928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861826/; classtype:trojan-activity;sid:83724926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"68.107.218.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861827/; classtype:trojan-activity;sid:83724927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861822/; classtype:trojan-activity;sid:83724922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; 
endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861819/; classtype:trojan-activity;sid:83724919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861814/; classtype:trojan-activity;sid:83724914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861808/; classtype:trojan-activity;sid:83724908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861802/; classtype:trojan-activity;sid:83724902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861799/; classtype:trojan-activity;sid:83724899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861800)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861800/; classtype:trojan-activity;sid:83724900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"132.255.192.122"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861798/; classtype:trojan-activity;sid:83724898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861794/; classtype:trojan-activity;sid:83724894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861791/; classtype:trojan-activity;sid:83724891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861790/; classtype:trojan-activity;sid:83724890; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.231.190.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861789/; classtype:trojan-activity;sid:83724889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861785/; classtype:trojan-activity;sid:83724885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861781/; classtype:trojan-activity;sid:83724881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861777/; classtype:trojan-activity;sid:83724877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861778/; 
classtype:trojan-activity;sid:83724878; rev:1;)
# Reading these rules: each one alerts on an established client-to-server HTTP GET
# whose http.uri buffer equals the listed path and whose http.host buffer equals the
# listed host. `depth:N` (N = content length) together with `endswith` pins the path
# to the whole buffer, so a request with a query string or any other path does not
# match; `nocase` makes the path comparison case-insensitive. On http.host the pair
# `depth:N; isdataat:!1,relative` does the same job (nothing may follow the content).
# NOTE(review): http.uri is Suricata's normalized URI buffer. Confirm that the sensor's
# HTTP path normalization leaves the doubled leading slash in "//sshd" intact;
# if it is collapsed, these rules would need http.uri.raw to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"102.165.122.114"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861769/; classtype:trojan-activity;sid:83724869; rev:1;)
# sid 83724870 and sid 83724873 carry identical match options (same path, same host);
# only msg, reference and sid differ, so one matching request raises both alerts.
# NOTE(review): presumably the two URLhaus entries differ in a URL component these
# rules do not match on (the header uses `any` for ports) -- confirm on the referenced
# URLhaus pages, and group alerts by host/path downstream rather than counting per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861770/; classtype:trojan-activity;sid:83724870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861773/; classtype:trojan-activity;sid:83724873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861758/; classtype:trojan-activity;sid:83724858; rev:1;)
# sid 83724863 has the same match options as sid 83724845 further down (host 99.71.130.109).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861763/; classtype:trojan-activity;sid:83724863; rev:1;)
# The next three rules (sid 83724855, 83724850, 83724849) are another identical-match
# group: same path, same host 76.53.38.126, three separate alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861755/; classtype:trojan-activity;sid:83724855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861750/; classtype:trojan-activity;sid:83724850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861749/; classtype:trojan-activity;sid:83724849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861745/; classtype:trojan-activity;sid:83724845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; 
nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861743/; classtype:trojan-activity;sid:83724843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861735/; classtype:trojan-activity;sid:83724835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"31.0.241.65"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861737/; classtype:trojan-activity;sid:83724837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861740/; classtype:trojan-activity;sid:83724840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861729/; classtype:trojan-activity;sid:83724829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861731)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"166.144.131.188"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861731/; classtype:trojan-activity;sid:83724831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861733/; classtype:trojan-activity;sid:83724833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861734/; classtype:trojan-activity;sid:83724834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861721/; classtype:trojan-activity;sid:83724821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861725/; classtype:trojan-activity;sid:83724825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2861719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"87.251.249.41"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861719/; classtype:trojan-activity;sid:83724819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"188.170.32.148"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861716/; classtype:trojan-activity;sid:83724816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"80.14.38.66"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861710/; classtype:trojan-activity;sid:83724810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"209.162.229.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861707/; classtype:trojan-activity;sid:83724807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"102.216.105.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861695/; 
classtype:trojan-activity;sid:83724795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"188.147.175.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861702/; classtype:trojan-activity;sid:83724802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861685/; classtype:trojan-activity;sid:83724785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861692/; classtype:trojan-activity;sid:83724792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"202.3.248.178"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861693/; classtype:trojan-activity;sid:83724793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; 
metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861680/; classtype:trojan-activity;sid:83724780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861675/; classtype:trojan-activity;sid:83724775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861670/; classtype:trojan-activity;sid:83724770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861667/; classtype:trojan-activity;sid:83724767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"31.173.70.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861657/; classtype:trojan-activity;sid:83724757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; 
nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861659/; classtype:trojan-activity;sid:83724759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861643/; classtype:trojan-activity;sid:83724743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861640/; classtype:trojan-activity;sid:83724740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861641/; classtype:trojan-activity;sid:83724741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861633/; classtype:trojan-activity;sid:83724733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861636)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"95.47.248.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861636/; classtype:trojan-activity;sid:83724736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861629/; classtype:trojan-activity;sid:83724729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861615/; classtype:trojan-activity;sid:83724715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861616/; classtype:trojan-activity;sid:83724716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"66.49.95.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861620/; classtype:trojan-activity;sid:83724720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2861595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"82.148.194.54"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861595/; classtype:trojan-activity;sid:83724695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"69.75.168.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861597/; classtype:trojan-activity;sid:83724697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861598/; classtype:trojan-activity;sid:83724698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"223.82.83.143"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861600/; classtype:trojan-activity;sid:83724700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861601/; 
classtype:trojan-activity;sid:83724701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861609/; classtype:trojan-activity;sid:83724709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861610/; classtype:trojan-activity;sid:83724710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861592/; classtype:trojan-activity;sid:83724692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861582/; classtype:trojan-activity;sid:83724682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; 
metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861568/; classtype:trojan-activity;sid:83724668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"113.160.251.236"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861569/; classtype:trojan-activity;sid:83724669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861573/; classtype:trojan-activity;sid:83724673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861559/; classtype:trojan-activity;sid:83724659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861562/; classtype:trojan-activity;sid:83724662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; 
endswith; nocase; http.host; content:"95.230.215.65"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861553/; classtype:trojan-activity;sid:83724653; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET whose http.uri
# buffer equals the listed path (`depth:N` with N = content length, plus `endswith`,
# case-insensitive via `nocase`) and whose http.host buffer equals the listed host
# (`depth:N; isdataat:!1,relative` -- nothing may follow the content).
# NOTE(review): http.uri is Suricata's normalized URI buffer. Confirm that the sensor's
# HTTP path normalization leaves the doubled leading slash in "//sshd" intact;
# if it is collapsed, the "//sshd" rules would need http.uri.raw to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"88.123.92.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861555/; classtype:trojan-activity;sid:83724655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861549/; classtype:trojan-activity;sid:83724649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861547/; classtype:trojan-activity;sid:83724647; rev:1;)
# From here on the path is the single-slash form "/sshd" (depth:5), not "//sshd".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.231.190.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861543/; classtype:trojan-activity;sid:83724643; rev:1;)
# Three distinct file names served from one host (94.16.119.223), all created 2024_05_22.
# Because the path is matched exactly, only these three names are covered on that host;
# any other file name from the same host passes these rules unflagged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaozznaq.exe"; depth:13; endswith; nocase; http.host; content:"94.16.119.223"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859754/; classtype:trojan-activity;sid:83722854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agambxya.exe"; depth:13; endswith; nocase; http.host; content:"94.16.119.223"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859755/; classtype:trojan-activity;sid:83722855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a0tnubtz.so"; depth:12; endswith; nocase; http.host; content:"94.16.119.223"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859756/; classtype:trojan-activity;sid:83722856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859511/; classtype:trojan-activity;sid:83722608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.148.194.54"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859508/; classtype:trojan-activity;sid:83722608; rev:1;)
# This rule names a shared hosting domain (github.com) rather than a dedicated IP.
# The exact-path match limits it to this one attachment, so it does not flag other
# traffic to that host.
# NOTE(review): this is an `alert http` rule, so it depends on the HTTP parser seeing
# the request. If this download is fetched over TLS, http.uri/http.host are only
# populated when the sensor inspects decrypted traffic -- verify coverage, and back
# it with proxy or endpoint telemetry for the same URL where decryption is absent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ustaxes/ustaxes/files/15378217/all.2023.tax.documents.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_05_21; reference:url, urlhaus.abuse.ch/url/2859027/; classtype:trojan-activity;sid:83722127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2858898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_21; reference:url, urlhaus.abuse.ch/url/2858898/; classtype:trojan-activity;sid:83721998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"66.49.95.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857904/; classtype:trojan-activity;sid:83721004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.3.248.178"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857892/; classtype:trojan-activity;sid:83720992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; 
metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857875/; classtype:trojan-activity;sid:83720975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857859/; classtype:trojan-activity;sid:83720959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.87.144"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857851/; classtype:trojan-activity;sid:83720951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857849/; classtype:trojan-activity;sid:83720949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.2.229.122"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857844/; classtype:trojan-activity;sid:83720944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; 
nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857837/; classtype:trojan-activity;sid:83720937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"149.62.200.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857838/; classtype:trojan-activity;sid:83720938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857834/; classtype:trojan-activity;sid:83720934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.176.204.250"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857822/; classtype:trojan-activity;sid:83720922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.176.204.240"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857821/; classtype:trojan-activity;sid:83720921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857813)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857813/; classtype:trojan-activity;sid:83720913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857809/; classtype:trojan-activity;sid:83720909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.3.248.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857807/; classtype:trojan-activity;sid:83720907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"66.49.95.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857804/; classtype:trojan-activity;sid:83720904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857802/; classtype:trojan-activity;sid:83720902; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857795/; classtype:trojan-activity;sid:83720895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.107.218.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857794/; classtype:trojan-activity;sid:83720894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857788/; classtype:trojan-activity;sid:83720888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857785/; classtype:trojan-activity;sid:83720885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857778/; 
classtype:trojan-activity;sid:83720878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"69.75.168.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857772/; classtype:trojan-activity;sid:83720872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857773/; classtype:trojan-activity;sid:83720873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857762/; classtype:trojan-activity;sid:83720862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.123.92.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857754/; classtype:trojan-activity;sid:83720854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; 
metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857747/; classtype:trojan-activity;sid:83720847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857749/; classtype:trojan-activity;sid:83720849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857730/; classtype:trojan-activity;sid:83720830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857719/; classtype:trojan-activity;sid:83720819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"94.241.90.73"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857696/; classtype:trojan-activity;sid:83720796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; 
nocase; http.host; content:"31.173.70.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857692/; classtype:trojan-activity;sid:83720792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"113.160.251.236"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857687/; classtype:trojan-activity;sid:83720787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857672/; classtype:trojan-activity;sid:83720772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857669/; classtype:trojan-activity;sid:83720769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857666/; classtype:trojan-activity;sid:83720766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857660)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.251.249.41"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857660/; classtype:trojan-activity;sid:83720760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.87.144"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857653/; classtype:trojan-activity;sid:83720753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857651/; classtype:trojan-activity;sid:83720751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.170.32.148"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857652/; classtype:trojan-activity;sid:83720752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857642/; classtype:trojan-activity;sid:83720742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2857634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"31.0.241.65"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857634/; classtype:trojan-activity;sid:83720734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857630/; classtype:trojan-activity;sid:83720730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857624/; classtype:trojan-activity;sid:83720724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857620/; classtype:trojan-activity;sid:83720720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.176.204.250"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857610/; classtype:trojan-activity;sid:83720710; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"212.93.103.10"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857601/; classtype:trojan-activity;sid:83720701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857602/; classtype:trojan-activity;sid:83720702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857587/; classtype:trojan-activity;sid:83720687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.13"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857584/; classtype:trojan-activity;sid:83720684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, 
urlhaus.abuse.ch/url/2857580/; classtype:trojan-activity;sid:83720680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857582/; classtype:trojan-activity;sid:83720682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.14.38.66"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857573/; classtype:trojan-activity;sid:83720673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857570/; classtype:trojan-activity;sid:83720670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857553/; classtype:trojan-activity;sid:83720653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; 
isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857551/; classtype:trojan-activity;sid:83720651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857545/; classtype:trojan-activity;sid:83720645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.139.20.12"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857535/; classtype:trojan-activity;sid:83720635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857526/; classtype:trojan-activity;sid:83720626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857527/; classtype:trojan-activity;sid:83720627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; 
depth:5; endswith; nocase; http.host; content:"164.126.129.225"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857521/; classtype:trojan-activity;sid:83720621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857524/; classtype:trojan-activity;sid:83720624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"209.162.229.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857525/; classtype:trojan-activity;sid:83720625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857512/; classtype:trojan-activity;sid:83720612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857502/; classtype:trojan-activity;sid:83720602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857496)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857496/; classtype:trojan-activity;sid:83720596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857498/; classtype:trojan-activity;sid:83720598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857493/; classtype:trojan-activity;sid:83720593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857483/; classtype:trojan-activity;sid:83720583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857484/; classtype:trojan-activity;sid:83720584; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857486/; classtype:trojan-activity;sid:83720586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857475/; classtype:trojan-activity;sid:83720575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"31.222.113.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857468/; classtype:trojan-activity;sid:83720568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857464/; classtype:trojan-activity;sid:83720564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.68.74.45"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857465/; 
classtype:trojan-activity;sid:83720565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857463/; classtype:trojan-activity;sid:83720563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857447/; classtype:trojan-activity;sid:83720547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857448/; classtype:trojan-activity;sid:83720548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.65.37.116"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857459/; classtype:trojan-activity;sid:83720559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2852301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1mzon8jro4iemie6erfw5o3w-0tnwxnlz"; depth:68; endswith; nocase; http.host; 
content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_05_16; reference:url, urlhaus.abuse.ch/url/2852301/; classtype:trojan-activity;sid:83715401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2846768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/setup.msi"; depth:21; endswith; nocase; http.host; content:"zenglobalenerji.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_05_11; reference:url, urlhaus.abuse.ch/url/2846768/; classtype:trojan-activity;sid:83709868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2845681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/filesrc/android/apk/2023/zonghengxsandroid_7.5.6.63_zh-zhh5.apk"; depth:68; endswith; nocase; http.host; content:"static.zongheng.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_05_10; reference:url, urlhaus.abuse.ch/url/2845681/; classtype:trojan-activity;sid:83708781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2843557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/is2kceh3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2843557/; classtype:trojan-activity;sid:83706657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2843064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipc.sh"; depth:7; endswith; nocase; http.host; content:"185.172.128.16"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2843064/; classtype:trojan-activity;sid:83706164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2842725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842725/; classtype:trojan-activity;sid:83705825; rev:1;)
# URLhaus download-URL rules, created_at 2024_05_07 / 2024_05_08. Each rule fires on a plain-HTTP
# GET from $HOME_NET to $EXTERNAL_NET whose http.uri equals the listed path (case-insensitive via
# nocase) and whose http.host equals the listed IPv4 literal: depth equal to the pattern length
# pins the start of the buffer, endswith / isdataat:!1,relative pin the end.
# Triage: only the request is matched (flow:established,from_client), so an alert shows that the
# client asked for the URL, not that a payload came back; check the HTTP response in the sensor
# logs and the URLhaus entry in reference: before escalating.
# First run: URI "/.i".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.119.193.17"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842724/; classtype:trojan-activity;sid:83705824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.116.62.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842722/; classtype:trojan-activity;sid:83705822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.119.151.142"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842723/; classtype:trojan-activity;sid:83705823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.205.81.56"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842081/; classtype:trojan-activity;sid:83705181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.245.220.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842036/; classtype:trojan-activity;sid:83705136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.145.205.178"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842010/; classtype:trojan-activity;sid:83705110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.66.151.7"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842015/; classtype:trojan-activity;sid:83705115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.107.232.167"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842007/; classtype:trojan-activity;sid:83705107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841988/; classtype:trojan-activity;sid:83705088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"80.65.80.230"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841975/; classtype:trojan-activity;sid:83705075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.209.184.121"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841954/; classtype:trojan-activity;sid:83705054; rev:1;)
# Single rule with a longer path (a Windows executable name) on an IPv4-literal host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptography_module_windows.exe"; depth:32; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841807/; classtype:trojan-activity;sid:83704907; rev:1;)
# Second run: URI "/i". 202.148.5.34, 36.66.151.7 and 109.245.220.229 are listed under both "/.i"
# and "/i" in this group, so one client talking to such a host can raise two different sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841714/; classtype:trojan-activity;sid:83704814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.253.115.156"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841712/; classtype:trojan-activity;sid:83704812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.253.115.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841631/; classtype:trojan-activity;sid:83704731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.66.151.7"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841621/; classtype:trojan-activity;sid:83704721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.209.184.118"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841624/; classtype:trojan-activity;sid:83704724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.245.220.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841613/; classtype:trojan-activity;sid:83704713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841604)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.192.22.166"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841604/; classtype:trojan-activity;sid:83704704; rev:1;)
# URLhaus download-URL rules, created_at 2024_05_01 .. 2024_05_07. Each rule fires on a plain-HTTP
# GET from $HOME_NET to $EXTERNAL_NET whose http.uri equals the listed path (case-insensitive via
# nocase) and whose http.host equals the listed IPv4 literal; depth equal to the pattern length
# pins the start of the buffer, endswith / isdataat:!1,relative pin the end.
# The rules key on URI + host only, not on the content of the downloaded file, and match the
# request side only (flow:established,from_client): confirm from the HTTP response and the URLhaus
# entry in reference: that something was actually served before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.209.184.121"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841608/; classtype:trojan-activity;sid:83704708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.58.51.90"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841602/; classtype:trojan-activity;sid:83704702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2836854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.s.apk"; depth:12; endswith; nocase; http.host; content:"103.146.202.41"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_03; reference:url, urlhaus.abuse.ch/url/2836854/; classtype:trojan-activity;sid:83699954; rev:1;)
# URIs "/curl" and "/cron": the path is the same string as a common Unix tool name, so searching
# alerts or proxy logs by file name alone is noisy; pivot on the sid or on the host value instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.249.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834467/; classtype:trojan-activity;sid:83697567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cron"; depth:5; endswith; nocase; http.host; content:"45.76.122.186"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834459/; classtype:trojan-activity;sid:83697559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.67"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834442/; classtype:trojan-activity;sid:83697542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.68"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834400/; classtype:trojan-activity;sid:83697500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.70"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834387/; classtype:trojan-activity;sid:83697487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.69"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834372/; 
classtype:trojan-activity;sid:83697472; rev:1;)
# URLhaus download-URL rules, created_at 2024_04_23 .. 2024_05_01, mostly for files hosted on
# github.com / raw.githubusercontent.com. Each rule fires on a plain-HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri equals the listed path (case-insensitive via nocase) and whose
# http.host equals the listed name; depth equal to the pattern length pins the start of the buffer,
# endswith / isdataat:!1,relative pin the end.
# Coverage caveat: these hosts are normally reached over TLS, so an "alert http" rule only sees the
# request if it is sent in clear text or the sensor inspects decrypted traffic.
# Scope caveat: the hosts are shared platforms. An alert identifies one specific path; it is not
# grounds for blocking the whole domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2833916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frexoff/efefwefwwf/main/cock.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2833916/; classtype:trojan-activity;sid:83697016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2833904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frexoff/efefwefwwf/raw/main/cock.exe"; depth:37; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2833904/; classtype:trojan-activity;sid:83697004; rev:1;)
# NOTE(review): the /<owner>/<repo>/files/<number>/<name> shape of the next two URIs looks like an
# uploaded attachment rather than a file tracked in the named repository; verify against the
# URLhaus entry before drawing conclusions about the repository itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2830963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kampfkarren/roblox/files/15001743/roexec.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_29; reference:url, urlhaus.abuse.ch/url/2830963/; classtype:trojan-activity;sid:83694063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2830955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delta-io/delta/files/15016110/delta.zip"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_29; reference:url, urlhaus.abuse.ch/url/2830955/; classtype:trojan-activity;sid:83694055; rev:1;)
# The URI pattern below ends in "/" and is anchored at both ends, so the rule matches only a
# request for the directory URL itself; requests for files underneath /shared/ do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2827181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; endswith; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; metadata:created_at 2024_04_25; reference:url, urlhaus.abuse.ch/url/2827181/; classtype:trojan-activity;sid:83690281; rev:1;)
# Three release-asset paths of one project version (win64, osx, win32 builds).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-win64-setup-unsigned.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824078/; classtype:trojan-activity;sid:83687178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-osx-unsigned.dmg"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824079/; classtype:trojan-activity;sid:83687179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-win32-setup-unsigned.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824077/; classtype:trojan-activity;sid:83687177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2823150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y-steamworks.exe"; 
depth:17; endswith; nocase; http.host; content:"117.50.194.20"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2823150/; classtype:trojan-activity;sid:83686250; rev:1;)
# URLhaus download-URL rules, all created_at 2024_04_22, all for the URI "/.i". Each rule fires on a
# plain-HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri is exactly "/.i" (depth:3 pins the
# start, endswith the end; nocase is set) and whose http.host is exactly the listed IPv4 literal
# (depth equal to the pattern length plus isdataat:!1,relative).
# The rules differ only in host, URLhaus id and sid, so the sid (or the id in msg/reference) is
# what tells an analyst which host was contacted.
# Triage: only the request is matched (flow:established,from_client); an alert shows the client
# asked for the URL, not that a payload came back. created_at is about two years older than the
# file's "Last updated" stamp (2026-04-27), and hosts given as IP literals may have been reassigned
# since; corroborate with the URLhaus entry in reference:.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"89.28.58.81"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822891/; classtype:trojan-activity;sid:83685991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.136.240.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822894/; classtype:trojan-activity;sid:83685994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.154.131.153"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822881/; classtype:trojan-activity;sid:83685981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.13.221.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822877/; classtype:trojan-activity;sid:83685977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.20.138"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822873/; classtype:trojan-activity;sid:83685973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"92.126.230.58"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822853/; classtype:trojan-activity;sid:83685953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"93.123.169.160"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822856/; classtype:trojan-activity;sid:83685956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.128.195.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822862/; classtype:trojan-activity;sid:83685962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822847/; classtype:trojan-activity;sid:83685947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.210.217.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822821/; classtype:trojan-activity;sid:83685921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.88.180.115"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822823/; classtype:trojan-activity;sid:83685923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.94.245.254"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822825/; classtype:trojan-activity;sid:83685925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"167.250.193.253"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822830/; classtype:trojan-activity;sid:83685930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.72.6.218"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822794/; classtype:trojan-activity;sid:83685894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.78.201.3"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822792/; classtype:trojan-activity;sid:83685892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.5.61.33"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822774/; classtype:trojan-activity;sid:83685874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.42.201.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822751/; classtype:trojan-activity;sid:83685851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.21.223.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822735/; classtype:trojan-activity;sid:83685835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"179.51.168.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822732/; classtype:trojan-activity;sid:83685832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"102.216.69.112"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822719/; classtype:trojan-activity;sid:83685819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"82.193.120.99"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822721/; classtype:trojan-activity;sid:83685821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"193.228.135.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822695/; classtype:trojan-activity;sid:83685795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822698/; classtype:trojan-activity;sid:83685798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; 
content:"46.52.164.170"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822705/; classtype:trojan-activity;sid:83685805; rev:1;)
# URLhaus download-URL rules, all created_at 2024_04_22, all for the URI "/.i". Each rule fires on a
# plain-HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri is exactly "/.i" (depth:3 pins the
# start, endswith the end; nocase is set) and whose http.host is exactly the listed IPv4 literal
# (depth equal to the pattern length plus isdataat:!1,relative).
# The rules differ only in host, URLhaus id and sid; use the sid (or the id in msg/reference) to
# tell which host was contacted.
# Triage: only the request is matched (flow:established,from_client), so an alert shows that the
# client asked for the URL, not that a payload was returned; check the HTTP response in the sensor
# logs and the URLhaus entry in reference: before treating the client as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822619/; classtype:trojan-activity;sid:83685719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822620/; classtype:trojan-activity;sid:83685720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"125.20.254.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822615/; classtype:trojan-activity;sid:83685715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.245.10.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822583/; classtype:trojan-activity;sid:83685683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.89.199.242"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822585/; classtype:trojan-activity;sid:83685685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.5.19.220"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822570/; classtype:trojan-activity;sid:83685670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.71.46.122"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822555/; classtype:trojan-activity;sid:83685655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.92.82.180"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822548/; classtype:trojan-activity;sid:83685648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.254.255.246"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822549/; classtype:trojan-activity;sid:83685649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.53.164.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822544/; classtype:trojan-activity;sid:83685644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.170.119.100"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822543/; classtype:trojan-activity;sid:83685643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822522/; classtype:trojan-activity;sid:83685622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.91.144.195"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822468/; classtype:trojan-activity;sid:83685568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822471/; classtype:trojan-activity;sid:83685571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.5.50.108"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822477/; classtype:trojan-activity;sid:83685577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.69.79.44"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822460/; classtype:trojan-activity;sid:83685560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822462/; classtype:trojan-activity;sid:83685562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.214.241.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822451/; classtype:trojan-activity;sid:83685551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.203.130"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822438/; classtype:trojan-activity;sid:83685538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822443/; classtype:trojan-activity;sid:83685543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.6.74.138"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822416/; classtype:trojan-activity;sid:83685516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"149.255.10.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822410/; classtype:trojan-activity;sid:83685510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"193.106.58.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822407/; classtype:trojan-activity;sid:83685507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.157.212.138"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822405/; classtype:trojan-activity;sid:83685505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.18.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822386/; classtype:trojan-activity;sid:83685486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.252.69.92"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822388/; classtype:trojan-activity;sid:83685488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.113.124.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822384/; classtype:trojan-activity;sid:83685484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"82.114.200.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822385/; classtype:trojan-activity;sid:83685485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; 
http.host; content:"139.255.67.189"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822357/; classtype:trojan-activity;sid:83685457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822353/; classtype:trojan-activity;sid:83685453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.18.218"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822328/; classtype:trojan-activity;sid:83685428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.193.62.225"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822325/; classtype:trojan-activity;sid:83685425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"79.175.42.206"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822321/; classtype:trojan-activity;sid:83685421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822316)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.73.242.146"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822316/; classtype:trojan-activity;sid:83685416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"146.66.164.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822303/; classtype:trojan-activity;sid:83685403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.28.11.111"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822304/; classtype:trojan-activity;sid:83685404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822280/; classtype:trojan-activity;sid:83685380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.202.63.7"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822281/; classtype:trojan-activity;sid:83685381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2822263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.228.64.59"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822263/; classtype:trojan-activity;sid:83685363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.160.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822244/; classtype:trojan-activity;sid:83685344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.5.52.110"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822210/; classtype:trojan-activity;sid:83685310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.217.148.227"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822214/; classtype:trojan-activity;sid:83685314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.244.169.56"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822207/; classtype:trojan-activity;sid:83685307; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"194.183.186.164"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822208/; classtype:trojan-activity;sid:83685308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.66.168.49"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822186/; classtype:trojan-activity;sid:83685286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"58.145.168.170"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822189/; classtype:trojan-activity;sid:83685289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822190/; classtype:trojan-activity;sid:83685290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822173/; 
classtype:trojan-activity;sid:83685273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"180.250.160.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822163/; classtype:trojan-activity;sid:83685263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822167/; classtype:trojan-activity;sid:83685267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822169/; classtype:trojan-activity;sid:83685269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.52.86.60"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822153/; classtype:trojan-activity;sid:83685253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.44.110.215"; depth:14; isdataat:!1,relative; 
metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822142/; classtype:trojan-activity;sid:83685242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"150.107.205.29"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822129/; classtype:trojan-activity;sid:83685229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"150.129.202.193"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822132/; classtype:trojan-activity;sid:83685232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.154.84.37"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822133/; classtype:trojan-activity;sid:83685233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822121/; classtype:trojan-activity;sid:83685221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; 
http.host; content:"109.92.143.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822123/; classtype:trojan-activity;sid:83685223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"176.65.35.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822101/; classtype:trojan-activity;sid:83685201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822107/; classtype:trojan-activity;sid:83685207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"89.28.58.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822096/; classtype:trojan-activity;sid:83685196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"176.62.179.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822091/; classtype:trojan-activity;sid:83685191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822078)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.203.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822078/; classtype:trojan-activity;sid:83685178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822044/; classtype:trojan-activity;sid:83685144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.119.95.176"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822014/; classtype:trojan-activity;sid:83685114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822004/; classtype:trojan-activity;sid:83685104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822006/; classtype:trojan-activity;sid:83685106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2821976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821976/; classtype:trojan-activity;sid:83685076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821977/; classtype:trojan-activity;sid:83685077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.204.154.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821963/; classtype:trojan-activity;sid:83685063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821942/; classtype:trojan-activity;sid:83685042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.34.177.42"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821944/; classtype:trojan-activity;sid:83685044; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821934/; classtype:trojan-activity;sid:83685034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.18.218"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821860/; classtype:trojan-activity;sid:83684960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.69.219.25"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821841/; classtype:trojan-activity;sid:83684941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821836/; classtype:trojan-activity;sid:83684936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.193.62.225"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821801/; 
classtype:trojan-activity;sid:83684901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.72.6.218"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821760/; classtype:trojan-activity;sid:83684860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821754/; classtype:trojan-activity;sid:83684854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.211.252.34"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821755/; classtype:trojan-activity;sid:83684855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821737/; classtype:trojan-activity;sid:83684837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 
2024_04_22; reference:url, urlhaus.abuse.ch/url/2821729/; classtype:trojan-activity;sid:83684829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.5.19.220"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821722/; classtype:trojan-activity;sid:83684822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.255.10.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821718/; classtype:trojan-activity;sid:83684818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821706/; classtype:trojan-activity;sid:83684806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821711/; classtype:trojan-activity;sid:83684811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"202.5.50.108"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821693/; classtype:trojan-activity;sid:83684793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.78.201.3"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821657/; classtype:trojan-activity;sid:83684757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.109.201.77"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821659/; classtype:trojan-activity;sid:83684759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.20.254.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821650/; classtype:trojan-activity;sid:83684750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.193.59.78"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821639/; classtype:trojan-activity;sid:83684739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821633)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.94.245.254"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821633/; classtype:trojan-activity;sid:83684733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.65.35.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821634/; classtype:trojan-activity;sid:83684734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821619/; classtype:trojan-activity;sid:83684719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"167.250.193.253"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821627/; classtype:trojan-activity;sid:83684727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821616/; classtype:trojan-activity;sid:83684716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2821617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821617/; classtype:trojan-activity;sid:83684717; rev:1;)
# Rule template shared by the entries below (laid out one rule per line): alert on an
# established, client-to-server HTTP flow from $HOME_NET to $EXTERNAL_NET where http.method
# contains "GET", http.uri matches the listed path case-insensitively (nocase) and ends the
# buffer (endswith), and http.host matches the listed host with no byte after it
# (isdataat:!1,relative). Except where noted, depth equals the pattern length, so both are
# whole-buffer exact matches: a different path or an added query string on the same host
# does not alert.
# The number in msg and reference is the URLhaus entry ID; in the rules visible here
# sid = that ID + 80863100, which maps an alert back to its URLhaus entry.
# These are "alert http" rules: a request is matched only where Suricata sees it as HTTP
# (cleartext, or decrypted upstream of the sensor).
# NOTE(review): the entries here are dated 2024_04 and most hosts are bare IPs; check the
# referenced URLhaus entry for current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2820656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.5.52.110"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_21; reference:url, urlhaus.abuse.ch/url/2820656/; classtype:trojan-activity;sid:83683756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2820657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.5.52.110"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_21; reference:url, urlhaus.abuse.ch/url/2820657/; classtype:trojan-activity;sid:83683757; rev:1;)
# NOTE(review): shared paste host. The path is stored lowercased and matched with nocase,
# so any case variant of it alerts; presumably paste IDs are case-sensitive, in which case
# a different paste could match. Verify against URLhaus entry 2820623 before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2820623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/esa0xclp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_21; reference:url, urlhaus.abuse.ch/url/2820623/; classtype:trojan-activity;sid:83683723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.52.86.60"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818988/; classtype:trojan-activity;sid:83682088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818975/; classtype:trojan-activity;sid:83682075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818963/; classtype:trojan-activity;sid:83682063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.114.191.82"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818966/; classtype:trojan-activity;sid:83682066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.252.69.92"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818946/; classtype:trojan-activity;sid:83682046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818931/; classtype:trojan-activity;sid:83682031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.203.130"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818921/; classtype:trojan-activity;sid:83682021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.203.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818904/; classtype:trojan-activity;sid:83682004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.202.49.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818899/; classtype:trojan-activity;sid:83681999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.119.95.176"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818881/; classtype:trojan-activity;sid:83681981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.215.23.222"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818865/; classtype:trojan-activity;sid:83681965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.194.46.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818833/; classtype:trojan-activity;sid:83681933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.122.43.76"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818838/; classtype:trojan-activity;sid:83681938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818843/; classtype:trojan-activity;sid:83681943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"102.216.69.112"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818820/; classtype:trojan-activity;sid:83681920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.26.180.129"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818781/; classtype:trojan-activity;sid:83681881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.136.240.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818773/; classtype:trojan-activity;sid:83681873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"130.204.154.237"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818775/; classtype:trojan-activity;sid:83681875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.114.200.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818778/; classtype:trojan-activity;sid:83681878; rev:1;)
# NOTE(review): in the http.uri pattern below, |3f| is "?" but |7c|26|7c| decodes to the
# four literal bytes "|26|", not to "&" (0x26). This looks like "&" escaped twice by the
# rule generator; confirm against URLhaus entry 2817357. If the real URL uses "&", this
# rule will not match it.
# depth:68 equals the length of the escaped text; the decoded pattern is 59 bytes by my
# count, so unlike the other rules here the depth is looser than the pattern (endswith
# still pins the end of the URI).
# Shared file-hosting domain: triage hits by the file id in the URI, not by the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2817357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1w6j0xeptoliyrblijhnxbm_qnnoptzfw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2817357/; classtype:trojan-activity;sid:83680457; rev:1;)
# NOTE(review): shared code-hosting domain; the rule is scoped to this one path (it looks
# like a single file in one repository), matched case-insensitively. Triage hits by the
# path, not by the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2817239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pbhhdf/12/raw/main/keepvid-pro_full2578.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2817239/; classtype:trojan-activity;sid:83680339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.21.223.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814127/; classtype:trojan-activity;sid:83677227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.250.160.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814128/; classtype:trojan-activity;sid:83677228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.71.46.122"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814117/; classtype:trojan-activity;sid:83677217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814108/; classtype:trojan-activity;sid:83677208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.126.230.58"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814099/; classtype:trojan-activity;sid:83677199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814082/; classtype:trojan-activity;sid:83677182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.67.227.98"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2813787/; classtype:trojan-activity;sid:83676887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813151/; classtype:trojan-activity;sid:83676251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.210.217.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813146/; classtype:trojan-activity;sid:83676246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813137/; classtype:trojan-activity;sid:83676237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.91.144.195"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813133/; classtype:trojan-activity;sid:83676233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.198.242.56"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813129/; classtype:trojan-activity;sid:83676229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813111/; classtype:trojan-activity;sid:83676211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"139.255.67.189"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813092/; classtype:trojan-activity;sid:83676192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813100/; classtype:trojan-activity;sid:83676200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.22.136.158"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813068/; classtype:trojan-activity;sid:83676168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.204.154.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813069/; classtype:trojan-activity;sid:83676169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.187.151.107"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813072/; classtype:trojan-activity;sid:83676172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.228.64.59"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813057/; classtype:trojan-activity;sid:83676157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813039/; classtype:trojan-activity;sid:83676139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.69.79.44"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809237/; classtype:trojan-activity;sid:83672337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.211.197.30"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809228/; classtype:trojan-activity;sid:83672328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.244.169.56"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809226/; classtype:trojan-activity;sid:83672326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.4.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809202/; classtype:trojan-activity;sid:83672302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.202.63.7"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809199/; classtype:trojan-activity;sid:83672299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.42.201.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809158/; classtype:trojan-activity;sid:83672258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.53.164.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809140/; classtype:trojan-activity;sid:83672240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.49.47.190"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809130/; classtype:trojan-activity;sid:83672230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.180.115"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809132/; classtype:trojan-activity;sid:83672232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.254.255.246"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809123/; classtype:trojan-activity;sid:83672223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.193.120.99"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809117/; classtype:trojan-activity;sid:83672217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809089/; classtype:trojan-activity;sid:83672189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.248.56.14"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809077/; classtype:trojan-activity;sid:83672177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.28.11.111"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808985/; classtype:trojan-activity;sid:83672085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.228.135.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808986/; classtype:trojan-activity;sid:83672086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.61.246.225"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808980/; classtype:trojan-activity;sid:83672080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.154.131.153"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808981/; classtype:trojan-activity;sid:83672081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.57.33.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808967/; classtype:trojan-activity;sid:83672067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.157.212.138"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808957/; classtype:trojan-activity;sid:83672057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808948/; classtype:trojan-activity;sid:83672048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808947/; classtype:trojan-activity;sid:83672047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.160.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808944/; classtype:trojan-activity;sid:83672044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808924/; classtype:trojan-activity;sid:83672024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.6.101.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808886/; classtype:trojan-activity;sid:83671986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.5.61.33"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808876/; classtype:trojan-activity;sid:83671976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.34.177.42"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808869/; classtype:trojan-activity;sid:83671969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.44.110.215"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808854/; classtype:trojan-activity;sid:83671954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.245.10.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808823/; classtype:trojan-activity;sid:83671923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808814/; classtype:trojan-activity;sid:83671914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808792/; classtype:trojan-activity;sid:83671892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.107.205.29"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808795/; classtype:trojan-activity;sid:83671895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.217.148.227"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808798/; classtype:trojan-activity;sid:83671898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.170.48.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808787/; classtype:trojan-activity;sid:83671887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.175.42.206"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808746/; classtype:trojan-activity;sid:83671846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.51.168.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808741/; classtype:trojan-activity;sid:83671841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.214.241.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808734/; classtype:trojan-activity;sid:83671834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.13.221.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808731/; classtype:trojan-activity;sid:83671831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.113.124.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808710/; classtype:trojan-activity;sid:83671810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.62.179.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808715/; classtype:trojan-activity;sid:83671815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.123.169.160"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808699/; classtype:trojan-activity;sid:83671799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.131.244.202"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808644/; classtype:trojan-activity;sid:83671744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"146.66.164.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808625/; classtype:trojan-activity;sid:83671725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.6.74.138"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808610/; classtype:trojan-activity;sid:83671710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.92.82.180"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808599/; classtype:trojan-activity;sid:83671699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.73.242.146"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808563/; classtype:trojan-activity;sid:83671663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.28.58.131"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808535/; classtype:trojan-activity;sid:83671635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.34.209.216"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808520/; classtype:trojan-activity;sid:83671620; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.28.58.81"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808518/; classtype:trojan-activity;sid:83671618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.187.82.120"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808504/; classtype:trojan-activity;sid:83671604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.90.207.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808492/; classtype:trojan-activity;sid:83671592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808467/; classtype:trojan-activity;sid:83671567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.154.84.37"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, 
urlhaus.abuse.ch/url/2808459/; classtype:trojan-activity;sid:83671559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.92.143.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808448/; classtype:trojan-activity;sid:83671548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.89.199.242"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808424/; classtype:trojan-activity;sid:83671524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.170.119.100"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808416/; classtype:trojan-activity;sid:83671516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.66.168.49"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808417/; classtype:trojan-activity;sid:83671517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.50.169.82"; depth:12; 
isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808390/; classtype:trojan-activity;sid:83671490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808373/; classtype:trojan-activity;sid:83671473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808374/; classtype:trojan-activity;sid:83671474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm6"; depth:10; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808291/; classtype:trojan-activity;sid:83671391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808242/; classtype:trojan-activity;sid:83671342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; 
endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808248/; classtype:trojan-activity;sid:83671348; rev:1;)
# Rule shape used throughout: an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri is the listed path (content + depth + endswith) and whose http.host is
# exactly the listed host (content + depth + isdataat:!1,relative allows no
# trailing bytes). Any extra path or query text in the request prevents a match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808187/; classtype:trojan-activity;sid:83671287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808183/; classtype:trojan-activity;sid:83671283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2807492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; endswith; nocase; http.host; content:"2.57.122.121"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_10; reference:url, urlhaus.abuse.ch/url/2807492/; classtype:trojan-activity;sid:83670592; rev:1;)
# NOTE(review): in Suricata content syntax |7c| is the byte for "|", so |7c|26|7c|
# matches the four literal characters "|26|", not "&" (0x26). This looks like a
# double escape in the feed generator; if so, the rule cannot match a request whose
# query string carries "&id=...". Confirm against the entry at the reference URL
# before relying on this SID.
# depth:68 is the length of the escaped rule text; the decoded pattern is 59 bytes.
# drive.google.com is normally reached over HTTPS, so an "alert http" rule sees this
# request only where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2799350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1dkj56fnkcbsf3inlqszzm7vpvq3dmdl5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_04_02; reference:url, urlhaus.abuse.ch/url/2799350/; classtype:trojan-activity;sid:83662450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2798325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"75.119.134.80"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_01; reference:url, urlhaus.abuse.ch/url/2798325/; classtype:trojan-activity;sid:83661425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2798324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"75.119.134.80"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_01; reference:url, urlhaus.abuse.ch/url/2798324/; classtype:trojan-activity;sid:83661424; rev:1;)
# NOTE(review): the URI pattern here is the bare root "/" (depth:1 + endswith), so
# this SID fires on any GET for the root of this host. It is effectively a
# host-level indicator; triage it as "client contacted the host", not as proof
# that a specific payload was fetched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2795045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"metrics.gocloudmaps.com"; depth:23; isdataat:!1,relative; metadata:created_at 2024_03_28; reference:url, urlhaus.abuse.ch/url/2795045/; classtype:trojan-activity;sid:83658145; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|" (|7c| is the "|" byte),
# not to "&". If the listed URL really uses "&id=", this pattern will not match it;
# presumably a double escape in the generator. Verify against the reference entry.
# drive.google.com is normally served over HTTPS, so this rule needs decrypted
# traffic to be useful.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2793603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1qxwff0k49bjdhwzotirkvqlqhebzgphg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_27; reference:url, urlhaus.abuse.ch/url/2793603/; classtype:trojan-activity;sid:83656703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2790578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.index/scan.tar"; depth:16; endswith; nocase; http.host; content:"58.216.207.82"; depth:13; isdataat:!1,relative; metadata:created_at 2024_03_23; 
reference:url, urlhaus.abuse.ch/url/2790578/; classtype:trojan-activity;sid:83653678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2789249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1aygcpsnow8esde5bkkuaj0bygkowvttd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_21; reference:url, urlhaus.abuse.ch/url/2789249/; classtype:trojan-activity;sid:83652349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykwsyyt/help/hddrive1095_xinanplug3030_20230619_inno.exe"; depth:57; endswith; nocase; http.host; content:"60.22.23.50"; depth:11; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787791/; classtype:trojan-activity;sid:83650891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1stvkjdfiwxw79oezmc62wzmjjaeftyze"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787399/; classtype:trojan-activity;sid:83650499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hditwve1kadzeycbldxttxi4mmhddgyp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787397/; classtype:trojan-activity;sid:83650497; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bash"; depth:5; endswith; nocase; http.host; content:"65.49.44.84"; depth:11; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2787024/; classtype:trojan-activity;sid:83650124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"212.113.35.236"; depth:14; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2787023/; classtype:trojan-activity;sid:83650123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1re9cqjrafya6wcb5e0zcolwdorvsf9pi"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2786829/; classtype:trojan-activity;sid:83649929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/washywashy14/7zip-bin/master/win/er5thygfd.zip"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2786663/; classtype:trojan-activity;sid:83649763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786661)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/washywashy14/7zip-bin/master/win/uemlxaw.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2786661/; classtype:trojan-activity;sid:83649761; rev:1;)
# NOTE(review): this pattern contains percent-escapes (%5b, %5d) but is matched in
# http.uri, the normalized URI buffer. If the sensor's HTTP normalization decodes
# those escapes, the literal "%5b"/"%5d" text never appears in the buffer and the
# rule stays silent; http.uri.raw is the buffer that keeps the URI as sent.
# Test this SID against a capture before counting on it.
# raw.githubusercontent.com is normally served over HTTPS, so the rule only applies
# where the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2785768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zev3n/ubuntu-gnome-privilege-escalation/main/cve-2020-1612%5b6_7%5d_exploit.sh"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785768/; classtype:trojan-activity;sid:83648868; rev:1;)
# NOTE(review): the next two patterns contain "%20". The same normalization caveat
# applies: a decoded space in http.uri would not equal the literal "%20" text here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2785466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/licensing/deployment/yellow%20pages%20scraper.exe"; depth:50; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785466/; classtype:trojan-activity;sid:83648566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2785447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/licensing/updates/tinder%20bot.exe"; depth:35; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785447/; classtype:trojan-activity;sid:83648547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2782882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/driveapplet.exe"; depth:16; endswith; nocase; http.host; content:"noithaticon.vn"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_03_14; reference:url, urlhaus.abuse.ch/url/2782882/; classtype:trojan-activity;sid:83645982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2782434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17c4755d1d45ed1bb454/8703634058188758823"; depth:41; endswith; nocase; http.host; content:"f24-zfcloud.zdn.vn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_03_13; reference:url, urlhaus.abuse.ch/url/2782434/; classtype:trojan-activity;sid:83645534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2780273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ge6chcvywbep4kgx_odpxtvfi3vj-zwy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_11; reference:url, urlhaus.abuse.ch/url/2780273/; classtype:trojan-activity;sid:83643373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2776130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//pcs/click|3f|adurl=//bamautzky.de/red.php"; depth:43; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_05; reference:url, urlhaus.abuse.ch/url/2776130/; classtype:trojan-activity;sid:83639230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2772697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs/x.rar"; depth:11; endswith; nocase; http.host; content:"106.254.250.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_02_29; reference:url, urlhaus.abuse.ch/url/2772697/; classtype:trojan-activity;sid:83635797; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2772689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs/met111.sh"; depth:15; endswith; nocase; http.host; content:"106.254.250.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_02_29; reference:url, urlhaus.abuse.ch/url/2772689/; classtype:trojan-activity;sid:83635789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2769015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/jeditor/jeditor.exe"; depth:34; endswith; nocase; http.host; content:"www.ojang.pe.kr"; depth:15; isdataat:!1,relative; metadata:created_at 2024_02_24; reference:url, urlhaus.abuse.ch/url/2769015/; classtype:trojan-activity;sid:83632115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2024/e_r1.bmp"; depth:33; endswith; nocase; http.host; content:"catbaparadisehotel.com.vn"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765933/; classtype:trojan-activity;sid:83629033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hitmanpro.zip"; depth:14; endswith; nocase; http.host; content:"hitman-pro.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765626/; classtype:trojan-activity;sid:83628726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c8bab23717e7ca18363ef595bbe57e9a/invoke.js"; depth:43; endswith; nocase; http.host; 
content:"contentmentfairnesspesky.com"; depth:28; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765623/; classtype:trojan-activity;sid:83628723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6bf6fb9def8a33f5a58067f1e72ea62e/invoke.js"; depth:43; endswith; nocase; http.host; content:"contentmentfairnesspesky.com"; depth:28; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765624/; classtype:trojan-activity;sid:83628724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54/66/ea/5466ea04d7d3b8b726b1288f75403510.js"; depth:45; endswith; nocase; http.host; content:"contentmentfairnesspesky.com"; depth:28; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765625/; classtype:trojan-activity;sid:83628725; rev:1;)
# NOTE(review): the matched host is a shared ad-click redirector; the listed
# destination is carried in the adurl= parameter. An alert on this SID marks the
# redirect hop only, so also look for the destination domain in proxy/DNS logs.
# |7c|26|7c| decodes to the literal text "|26|" (|7c| is the "|" byte), not "&";
# the decoded pattern is "/pcs/click?|26|adurl=...". Presumably a double escape in
# the generator; if the real request uses "&adurl=", this rule will not match it.
# depth:61 counts the escaped rule text, not the decoded bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f||7c|26|7c|adurl=https://patricstoremegans2.com/"; depth:61; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765602/; classtype:trojan-activity;sid:83628702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2024/e_default.bmp"; depth:38; endswith; nocase; http.host; content:"catbaparadisehotel.com.vn"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, 
urlhaus.abuse.ch/url/2765586/; classtype:trojan-activity;sid:83628686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86_64"; depth:17; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764512/; classtype:trojan-activity;sid:83627612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.i686"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764507/; classtype:trojan-activity;sid:83627607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.mips"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764508/; classtype:trojan-activity;sid:83627608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764509/; classtype:trojan-activity;sid:83627609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764510)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cn/sysnew.arm"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764510/; classtype:trojan-activity;sid:83627610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.spc"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764511/; classtype:trojan-activity;sid:83627611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2761815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dt9.txt"; depth:8; endswith; nocase; http.host; content:"delp-heizungsbau.de"; depth:19; isdataat:!1,relative; metadata:created_at 2024_02_15; reference:url, urlhaus.abuse.ch/url/2761815/; classtype:trojan-activity;sid:83624915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.i686"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754788/; classtype:trojan-activity;sid:83617888; rev:1;)
# NOTE(review): this rule has the same http.uri and http.host patterns as
# sid:83627611 above (URLhaus entry 2764511, created 2024_02_19); only the entry
# id, sid and created_at differ. One matching request therefore raises two alerts.
# Account for that when counting hits or tuning thresholds, e.g. deduplicate on
# host + URI downstream. The other /cn/sysnew.* rules for this host appear to
# follow the same pattern; check the neighbouring entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.spc"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754787/; classtype:trojan-activity;sid:83617887; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.mips"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754786/; classtype:trojan-activity;sid:83617886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754784/; classtype:trojan-activity;sid:83617884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.arm"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754785/; classtype:trojan-activity;sid:83617885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86_64"; depth:17; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754783/; classtype:trojan-activity;sid:83617883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wuy2y3vbxibdfqcs6-kx96nocarzixfd"; depth:68; 
endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_31; reference:url, urlhaus.abuse.ch/url/2754299/; classtype:trojan-activity;sid:83617399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2753677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//projetodegente.com"; depth:40; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_30; reference:url, urlhaus.abuse.ch/url/2753677/; classtype:trojan-activity;sid:83616777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//higreens.co.in"; depth:36; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_25; reference:url, urlhaus.abuse.ch/url/2751573/; classtype:trojan-activity;sid:83614673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//kavyasourcing.com/"; depth:40; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_25; reference:url, urlhaus.abuse.ch/url/2751543/; classtype:trojan-activity;sid:83614643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://cliffg.me"; depth:37; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_24; reference:url, 
urlhaus.abuse.ch/url/2751237/; classtype:trojan-activity;sid:83614337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://streammobs.com/"; depth:43; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_24; reference:url, urlhaus.abuse.ch/url/2751171/; classtype:trojan-activity;sid:83614271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://redeamazoniaazul.org/"; depth:49; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749355/; classtype:trojan-activity;sid:83612455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//www.jd-forever.com/"; depth:41; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749356/; classtype:trojan-activity;sid:83612456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//old.umcl.us/"; depth:34; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749357/; classtype:trojan-activity;sid:83612457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2749182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://wegrowcoaching.com/"; depth:47; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_17; reference:url, urlhaus.abuse.ch/url/2749182/; classtype:trojan-activity;sid:83612282; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the rule, so triage a hit on the URI rather than on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://dongyu.us/"; depth:38; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_17; reference:url, urlhaus.abuse.ch/url/2749177/; classtype:trojan-activity;sid:83612277; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26), so this
# pattern requires "|26|" in the URI. Presumably "&" was hex-escaped and its pipes were then
# escaped again; if so the rule cannot match the real query string. Verify against the URLhaus
# reference. depth:68 is likewise the length of the escaped text, not of the decoded bytes.
# The id is lowercase and matched with nocase, so the original case is not pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lrviuk1wka4di3qh7ach-b7m1ics2hbp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_16; reference:url, urlhaus.abuse.ch/url/2749054/; classtype:trojan-activity;sid:83612154; rev:1;)
# NOTE(review): github.com is normally reached over HTTPS, so an `alert http` rule fires only
# where the sensor sees the request as HTTP (plaintext, or after TLS decryption).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssslllap1/asdasd/raw/main/crypted.exe"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_01_13; reference:url, urlhaus.abuse.ch/url/2748605/; classtype:trojan-activity;sid:83611705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748365)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1ifvzub1blhmwsirshbe2wu5b1tus3ls-"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748365/; classtype:trojan-activity;sid:83611465; rev:1;)
# Google Drive rules (the one completed above and the three below): Host must equal
# drive.google.com and the URI must end with /uc?export=download...id=<file id>.
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so these rules cannot match the
# real query string. Verify against the URLhaus references. depth:68 is the escaped length.
# NOTE(review): drive.google.com is normally reached over HTTPS; `alert http` only sees the
# request where traffic is plaintext or decrypted at the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1yydiodtw09banou13ro8ielf9rcmljxy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748363/; classtype:trojan-activity;sid:83611463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=11cbyky_wegqjut6afr8jannw7vub-xxf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748360/; classtype:trojan-activity;sid:83611460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gv5qahzp_toxgct3ezfvvy4q3a5vvh6s"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748349/; classtype:trojan-activity;sid:83611449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//vaibhavtripathi.in"; depth:40; endswith; 
nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747896/; classtype:trojan-activity;sid:83610996; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the rule, so triage a hit on the URI rather than on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//procuratio.nu/"; depth:36; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747890/; classtype:trojan-activity;sid:83610990; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so this rule cannot match the
# real query string. Verify against the URLhaus reference. depth:68 is the escaped length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1u-vaalebjnomuhbyimsdjqctjqfyiwna"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747826/; classtype:trojan-activity;sid:83610926; rev:1;)
# Pastebin rules: the URI must be exactly /raw/<key> (depth:13 equals the pattern length and
# endswith anchors the end). The key is lowercase and matched with nocase, so its case is not
# pinned.
# NOTE(review): pastebin.com is normally reached over HTTPS; `alert http` only sees the request
# where traffic is plaintext or decrypted at the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/zpmmtvzq"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_08; reference:url, urlhaus.abuse.ch/url/2747433/; classtype:trojan-activity;sid:83610533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2746751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/avmezmcr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_05; reference:url, urlhaus.abuse.ch/url/2746751/; classtype:trojan-activity;sid:83609851; rev:1;) 
# Each rule below alerts on an outbound GET whose Host and URI both match one URLhaus entry:
# depth equal to the pattern length plus isdataat:!1,relative makes the http.host match exact,
# and depth plus endswith anchors the http.uri pattern to the end of the URI.
# NOTE(review): pastebin.com and drive.google.com are normally reached over HTTPS; `alert http`
# only sees the request where traffic is plaintext or decrypted at the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2746285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/v7jxrycp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_04; reference:url, urlhaus.abuse.ch/url/2746285/; classtype:trojan-activity;sid:83609385; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so the two Drive rules below
# cannot match the real query string. Verify against the URLhaus references. depth:68 is the
# length of the escaped text, not of the decoded bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2743461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12rmvuwgpj0dzbb3haoaww2lviavhvb4r"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_22; reference:url, urlhaus.abuse.ch/url/2743461/; classtype:trojan-activity;sid:83606561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2743460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1rfsmrzeanvap2tnmtwrptlepwarwlkge"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_22; reference:url, urlhaus.abuse.ch/url/2743460/; classtype:trojan-activity;sid:83606560; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the rule, so triage a hit on the URI rather than on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://synergyconsulting.us"; depth:48; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_12_20; reference:url, urlhaus.abuse.ch/url/2742817/; classtype:trojan-activity;sid:83605917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742524)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//www.deltabehavioralhealth.org/"; depth:52; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_12_19; reference:url, urlhaus.abuse.ch/url/2742524/; classtype:trojan-activity;sid:83605624; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so the two Drive rules below
# cannot match the real query string. Verify against the URLhaus references. depth:68 is the
# length of the escaped text, not of the decoded bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1k0bqhrtnu4v1yexoni5p1utyjuohmfzm"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_19; reference:url, urlhaus.abuse.ch/url/2742518/; classtype:trojan-activity;sid:83605618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1fhqpevblkipshqumjmsbzeetdzhzxv-j"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_19; reference:url, urlhaus.abuse.ch/url/2742516/; classtype:trojan-activity;sid:83605616; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the rule, so triage a hit on the URI rather than on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2740202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//balkarsoftware.cubistech.com"; depth:50; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_12_13; reference:url, urlhaus.abuse.ch/url/2740202/; classtype:trojan-activity;sid:83603302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2735488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attivita/index.php"; depth:19; endswith; 
nocase; http.host; content:"heyleny2.dothome.co.kr"; depth:22; isdataat:!1,relative; metadata:created_at 2023_11_27; reference:url, urlhaus.abuse.ch/url/2735488/; classtype:trojan-activity;sid:83598588; rev:1;)
# Exact match on URI "/404" and on an IP-literal Host (depth equals each pattern length;
# endswith / isdataat:!1,relative anchor the end).
# NOTE(review): created_at is 2023 and the Host is an IP address; addresses get reassigned, so
# check the URLhaus reference for the entry's current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2734979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/404"; depth:4; endswith; nocase; http.host; content:"31.184.194.114"; depth:14; isdataat:!1,relative; metadata:created_at 2023_11_24; reference:url, urlhaus.abuse.ch/url/2734979/; classtype:trojan-activity;sid:83598079; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the rule, so triage a hit on the URI rather than on the Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2733212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//churchinmanila.org/"; depth:41; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_20; reference:url, urlhaus.abuse.ch/url/2733212/; classtype:trojan-activity;sid:83596312; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so this rule cannot match the
# real query string. Verify against the URLhaus reference. depth:68 is the escaped length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2730213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sjm5t0ktlepibtv3kgaousspnw3zonom"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_13; reference:url, urlhaus.abuse.ch/url/2730213/; classtype:trojan-activity;sid:83593313; rev:1;)
# NOTE(review): github.com is normally reached over HTTPS, so an `alert http` rule fires only
# where the sensor sees the request as HTTP (plaintext, or after TLS decryption).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2730069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cronusxd/update/releases/download/programa/universal.cheat.all.games.rar"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_11_12; reference:url, 
urlhaus.abuse.ch/url/2730069/; classtype:trojan-activity;sid:83593169; rev:1;)
# Host adclick.g.doubleclick.net is a shared click redirector; the site after adurl= is the
# distinguishing part of the two rules below, so triage a hit on the URI rather than the Host.
# NOTE(review): http.uri depth is the length of the escaped text (|3f| counted as four
# characters), three more than the decoded pattern; with endswith this only allows a few extra
# leading bytes. Presumably a generator quirk - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2729736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://posicionamientonatural.es/"; depth:54; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_10; reference:url, urlhaus.abuse.ch/url/2729736/; classtype:trojan-activity;sid:83592836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2729405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://namaacont.com/"; depth:42; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_09; reference:url, urlhaus.abuse.ch/url/2729405/; classtype:trojan-activity;sid:83592505; rev:1;)
# NOTE(review): pastebin.com and raw.githubusercontent.com are normally reached over HTTPS;
# `alert http` only sees the request where traffic is plaintext or decrypted at the sensor.
# Both paths are lowercase and matched with nocase, so their original case is not pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2728799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/wfwtp8qn"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_11_07; reference:url, urlhaus.abuse.ch/url/2728799/; classtype:trojan-activity;sid:83591899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2727395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frankcastle2/0/main/0j"; depth:23; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_03; reference:url, urlhaus.abuse.ch/url/2727395/; classtype:trojan-activity;sid:83590495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726994)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lhnnwoydntgqibsykxwgd32s5xftxvfh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726994/; classtype:trojan-activity;sid:83590094; rev:1;)
# Google Drive rules (the one completed above and the three below), all created 2023_11_01:
# Host must equal drive.google.com and the URI must end with /uc?export=download...id=<file id>.
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so these rules cannot match the
# real query string. Verify against the URLhaus references. depth:68 is the escaped length.
# The ids are lowercase and matched with nocase, so their original case is not pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1oxpqeutyreby186exx4zeofyz0rjocsp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726921/; classtype:trojan-activity;sid:83590021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1e2y5yppu_zjj4o3wmuo-2j8n9lbthkzc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726920/; classtype:trojan-activity;sid:83590020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1heka7sgmbcessdhxtvmfwxownz7sipbb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726917/; classtype:trojan-activity;sid:83590017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726906)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1_ldguopt2cg7fblntw3ltxgtxqtmlflc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726906/; classtype:trojan-activity;sid:83590006; rev:1;)
# Google Drive rules (the one completed above and the three below): Host must equal
# drive.google.com and the URI must end with /uc?export=download...id=<file id>.
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so these rules cannot match the
# real query string. Verify against the URLhaus references. depth:68 is the escaped length.
# NOTE(review): drive.google.com is normally reached over HTTPS; `alert http` only sees the
# request where traffic is plaintext or decrypted at the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=10lygpyju_dlg3x6r9oslzgblshakstl-"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726907/; classtype:trojan-activity;sid:83590007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sqvm1xsoranfnvqst_kkdmn8yhgulm4k"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_31; reference:url, urlhaus.abuse.ch/url/2726777/; classtype:trojan-activity;sid:83589877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cz1lqyxis4wvr7nlc71ukekxyhj5xu-l"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_31; reference:url, urlhaus.abuse.ch/url/2726774/; classtype:trojan-activity;sid:83589874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726592)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1zqzivoxid6wgvjstzd0lg2vxnpnc-puf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_30; reference:url, urlhaus.abuse.ch/url/2726592/; classtype:trojan-activity;sid:83589692; rev:1;)
# Exact match on Host codeload.github.com and on the archive path below (depth equals each
# pattern length; endswith / isdataat:!1,relative anchor the end).
# NOTE(review): this host is normally reached over HTTPS, so an `alert http` rule fires only
# where the sensor sees the request as HTTP (plaintext, or after TLS decryption).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drakeo03/rbxfpsunlocker-x64-hotfix1/zip/refs/heads/main"; depth:56; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2023_10_28; reference:url, urlhaus.abuse.ch/url/2726432/; classtype:trojan-activity;sid:83589532; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so this rule cannot match the
# real query string. Verify against the URLhaus reference. depth:68 is the escaped length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gfn3lqd1rvybut4ha-ldl92wt8ysrzfc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_26; reference:url, urlhaus.abuse.ch/url/2726089/; classtype:trojan-activity;sid:83589189; rev:1;)
# NOTE(review): "/image.png" is a generic path; the alert is specific only because the Host
# match is exact. The file extension says nothing about the payload - see the URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2722703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"ircftp.net"; depth:10; isdataat:!1,relative; metadata:created_at 2023_10_20; reference:url, urlhaus.abuse.ch/url/2722703/; classtype:trojan-activity;sid:83585803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2719389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1satmexzn3qpvqzfxnc-5dtnnn8lihdxh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; 
depth:16; isdataat:!1,relative; metadata:created_at 2023_10_12; reference:url, urlhaus.abuse.ch/url/2719389/; classtype:trojan-activity;sid:83582489; rev:1;)
# Exact match on URI "/.i" and on an IP-literal Host (depth equals each pattern length;
# endswith / isdataat:!1,relative anchor the end).
# NOTE(review): created_at is 2023 and the Host is an IP address; addresses get reassigned, so
# check the URLhaus reference for the entry's current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2719113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"130.204.154.237"; depth:15; isdataat:!1,relative; metadata:created_at 2023_10_10; reference:url, urlhaus.abuse.ch/url/2719113/; classtype:trojan-activity;sid:83582213; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). Presumably
# "&" was hex-escaped and its pipes were then escaped again; if so this rule cannot match the
# real query string. Verify against the URLhaus reference. depth:98 is the escaped length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2715548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=no_antivirus|7c|26|7c|id=1-5tfbyc52tepabxjdszg1dcqgaizf0m6"; depth:98; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_01; reference:url, urlhaus.abuse.ch/url/2715548/; classtype:trojan-activity;sid:83578648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2713056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rter/"; depth:6; endswith; nocase; http.host; content:"tanscarattorneys.co.tz"; depth:22; isdataat:!1,relative; metadata:created_at 2023_09_21; reference:url, urlhaus.abuse.ch/url/2713056/; classtype:trojan-activity;sid:83576156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2711451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.82.158.221"; depth:14; isdataat:!1,relative; metadata:created_at 2023_09_13; reference:url, urlhaus.abuse.ch/url/2711451/; classtype:trojan-activity;sid:83574551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (2711386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"183.97.32.167"; depth:13; isdataat:!1,relative; metadata:created_at 2023_09_13; reference:url, urlhaus.abuse.ch/url/2711386/; classtype:trojan-activity;sid:83574486; rev:1;)
# The three complete rules below each match one exact Host plus one exact URI (depth equals the
# pattern length; endswith / isdataat:!1,relative anchor the end).
# NOTE(review): the paths (/readme.txt, a file under /wp-admin/) are generic and the hosts look
# like ordinary sites; a hit identifies the listed URL, not the site as a whole. created_at is
# 2023, so check the URLhaus reference for the entry's current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2708874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/readme.txt"; depth:11; endswith; nocase; http.host; content:"svirtual.sanviatorperu.edu.pe"; depth:29; isdataat:!1,relative; metadata:created_at 2023_09_01; reference:url, urlhaus.abuse.ch/url/2708874/; classtype:trojan-activity;sid:83571974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2707934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/files/chi/1.hta"; depth:19; endswith; nocase; http.host; content:"isometricsindia.co.in"; depth:21; isdataat:!1,relative; metadata:created_at 2023_08_28; reference:url, urlhaus.abuse.ch/url/2707934/; classtype:trojan-activity;sid:83571034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2702776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/scler.ttf"; depth:19; endswith; nocase; http.host; content:"scainseto.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2023_08_08; reference:url, urlhaus.abuse.ch/url/2702776/; classtype:trojan-activity;sid:83565876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2701777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/tm63vbgu"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_08_07; reference:url, 
urlhaus.abuse.ch/url/2701777/; classtype:trojan-activity;sid:83564877; rev:1;)
# Each rule below matches one exact Host plus one exact URI (depth equals the pattern length;
# endswith / isdataat:!1,relative anchor the end).
# NOTE(review): the two cdn.pixelbin.io rules name .jpeg paths under a classtype of
# trojan-activity; the extension says nothing about the payload - see the URLhaus references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2694556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/plain-sunset-8e5d78/original/js.jpeg"; depth:40; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2023_08_01; reference:url, urlhaus.abuse.ch/url/2694556/; classtype:trojan-activity;sid:83557656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2693150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/housenetshare.exe"; depth:18; endswith; nocase; http.host; content:"stdown.dinju.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_07_31; reference:url, urlhaus.abuse.ch/url/2693150/; classtype:trojan-activity;sid:83556250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2692699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/long-glade-33dc08/original/rump_img.jpeg"; depth:44; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2023_07_30; reference:url, urlhaus.abuse.ch/url/2692699/; classtype:trojan-activity;sid:83555799; rev:1;)
# NOTE(review): created_at is 2023 and the Host is an IP address; addresses get reassigned, so
# check the URLhaus reference for the entry's current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2690396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"5.198.242.56"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_26; reference:url, urlhaus.abuse.ch/url/2690396/; classtype:trojan-activity;sid:83553496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2686558)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/raw/jc80ycae"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_20; reference:url, urlhaus.abuse.ch/url/2686558/; classtype:trojan-activity;sid:83549658; rev:1;)
# Each rule below matches one exact Host plus one exact URI (depth equals the pattern length;
# endswith / isdataat:!1,relative anchor the end).
# NOTE(review): two of these Hosts are IP literals with created_at in 2023; addresses get
# reassigned, so check the URLhaus reference for current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2682035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.7.131.145"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_13; reference:url, urlhaus.abuse.ch/url/2682035/; classtype:trojan-activity;sid:83545135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2677884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/a.exe"; depth:15; endswith; nocase; http.host; content:"api.baimless.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_07_07; reference:url, urlhaus.abuse.ch/url/2677884/; classtype:trojan-activity;sid:83540984; rev:1;)
# NOTE(review): pastebin.com is normally reached over HTTPS; `alert http` only sees the request
# where traffic is plaintext or decrypted at the sensor. The key is lowercase and matched with
# nocase, so its original case is not pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2676029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rr3hywgc"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_03; reference:url, urlhaus.abuse.ch/url/2676029/; classtype:trojan-activity;sid:83539129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2663536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eay/obi6ua"; depth:11; endswith; nocase; http.host; content:"193.235.147.246"; depth:15; isdataat:!1,relative; metadata:created_at 2023_06_16; reference:url, urlhaus.abuse.ch/url/2663536/; classtype:trojan-activity;sid:83526636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2648640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"61.84.192.85"; depth:12; isdataat:!1,relative; metadata:created_at 2023_06_01; reference:url, urlhaus.abuse.ch/url/2648640/; classtype:trojan-activity;sid:83511740; rev:1;)
# NOTE(review): besides the file id this pattern pins uuid= and at= values; the at= value ends
# in what looks like a millisecond timestamp, so these are presumably per-request tokens and the
# rule would match only the one captured request. Confirm against the URLhaus reference.
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26); presumably
# "&" was escaped twice, in which case the rule cannot match a real query string at all.
# depth:193 is the length of the escaped text, not of the decoded bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2629977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=t|7c|26|7c|id=145b1fbjtyee3w1rjsazo7hzcoiiaxzum|7c|26|7c|uuid=eb581596-9566-4a21-b3b6-e6909eb42ff6|7c|26|7c|at=akkf8vzrltviqrn7wljfjcwisgcc:1683793107077"; depth:193; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_05_11; reference:url, urlhaus.abuse.ch/url/2629977/; classtype:trojan-activity;sid:83493077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2622777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/1a5fq2ek"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_05_02; reference:url, urlhaus.abuse.ch/url/2622777/; classtype:trojan-activity;sid:83485877; rev:1;)
# The file name below is that of a widely shipped library; the exact Host and the long path
# prefix are what make the rule specific, not the file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/nss3.dll"; depth:42; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617048/; classtype:trojan-activity;sid:83480148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617044)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/msvcp140.dll"; depth:46; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617044/; classtype:trojan-activity;sid:83480144; rev:1;)
# The rules on this line share Host 91.235.234.235, one path prefix and created_at 2023_04_24;
# they differ only in the DLL name. The file names are those of widely shipped libraries, so the
# Host and path prefix are the indicator, not the file name.
# NOTE(review): several of these firing for one client in a short window most likely belong to
# a single event; correlate them rather than triaging each alert separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/mozglue.dll"; depth:45; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617045/; classtype:trojan-activity;sid:83480145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/freebl3.dll"; depth:45; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617046/; classtype:trojan-activity;sid:83480146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617047/; classtype:trojan-activity;sid:83480147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/softokn3.dll"; depth:46; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; 
metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617042/; classtype:trojan-activity;sid:83480142; rev:1;)
# Same Host and path prefix as the rule completed above; only the DLL name differs. The file
# name is that of a widely shipped library, so the Host and path prefix are the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2617043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/vcruntime140.dll"; depth:50; endswith; nocase; http.host; content:"91.235.234.235"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_24; reference:url, urlhaus.abuse.ch/url/2617043/; classtype:trojan-activity;sid:83480143; rev:1;)
# Three rules with the same exact URI "/.i" and different IP-literal Hosts, all created
# 2023_04_21 (depth equals each pattern length; endswith / isdataat:!1,relative anchor the end).
# NOTE(review): addresses get reassigned, so check the URLhaus reference for the entry's
# current status before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2615314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2023_04_21; reference:url, urlhaus.abuse.ch/url/2615314/; classtype:trojan-activity;sid:83478414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2615287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.49.47.190"; depth:13; isdataat:!1,relative; metadata:created_at 2023_04_21; reference:url, urlhaus.abuse.ch/url/2615287/; classtype:trojan-activity;sid:83478387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2615265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.124.228.98"; depth:14; isdataat:!1,relative; metadata:created_at 2023_04_21; reference:url, urlhaus.abuse.ch/url/2615265/; classtype:trojan-activity;sid:83478365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2614132)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wicd/sister.zip"; depth:16; endswith; nocase; http.host; content:"gossipband.ie"; depth:13; isdataat:!1,relative; metadata:created_at 2023_04_19; reference:url, urlhaus.abuse.ch/url/2614132/; classtype:trojan-activity;sid:83477232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2602547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mdpqv8gx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_04_08; reference:url, urlhaus.abuse.ch/url/2602547/; classtype:trojan-activity;sid:83465647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2587598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jtx57kpr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_27; reference:url, urlhaus.abuse.ch/url/2587598/; classtype:trojan-activity;sid:83450698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2581182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dqvoakrc/hh9/"; depth:14; endswith; nocase; http.host; content:"ardena.pro"; depth:10; isdataat:!1,relative; metadata:created_at 2023_03_22; reference:url, urlhaus.abuse.ch/url/2581182/; classtype:trojan-activity;sid:83444282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2581006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salatikochen/salatapps/archive/refs/heads/main.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_03_22; reference:url, urlhaus.abuse.ch/url/2581006/; classtype:trojan-activity;sid:83444106; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2579753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/fu3d5tvi"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_21; reference:url, urlhaus.abuse.ch/url/2579753/; classtype:trojan-activity;sid:83442853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/4jusqzvd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573934/; classtype:trojan-activity;sid:83437034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rid/rid.js"; depth:11; endswith; nocase; http.host; content:"jawaratekno.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573741/; classtype:trojan-activity;sid:83436841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/taui/taui.js"; depth:13; endswith; nocase; http.host; content:"londonairportstransfer.co.uk"; depth:28; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573714/; classtype:trojan-activity;sid:83436814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2572711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soid/soid.js"; depth:13; endswith; nocase; http.host; content:"ritee.in"; depth:8; isdataat:!1,relative; metadata:created_at 
2023_03_15; reference:url, urlhaus.abuse.ch/url/2572711/; classtype:trojan-activity;sid:83435811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2572493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nti/nti.js"; depth:11; endswith; nocase; http.host; content:"shaderm.com"; depth:11; isdataat:!1,relative; metadata:created_at 2023_03_15; reference:url, urlhaus.abuse.ch/url/2572493/; classtype:trojan-activity;sid:83435593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"riderspin.com"; depth:13; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571476/; classtype:trojan-activity;sid:83434576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571457/; classtype:trojan-activity;sid:83434557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571417/; classtype:trojan-activity;sid:83434517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; 
endswith; nocase; http.host; content:"riderspin.com"; depth:13; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571410/; classtype:trojan-activity;sid:83434510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571398/; classtype:trojan-activity;sid:83434498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571387/; classtype:trojan-activity;sid:83434487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571356/; classtype:trojan-activity;sid:83434456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571162/; classtype:trojan-activity;sid:83434262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2571158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571158/; classtype:trojan-activity;sid:83434258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571152/; classtype:trojan-activity;sid:83434252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571135/; classtype:trojan-activity;sid:83434235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571043/; classtype:trojan-activity;sid:83434143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571034/; 
classtype:trojan-activity;sid:83434134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570844/; classtype:trojan-activity;sid:83433944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"bracell.latitude.net.br"; depth:23; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570812/; classtype:trojan-activity;sid:83433912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570732/; classtype:trojan-activity;sid:83433832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570642/; classtype:trojan-activity;sid:83433742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; 
content:"embedone.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570563/; classtype:trojan-activity;sid:83433663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570545/; classtype:trojan-activity;sid:83433645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570501/; classtype:trojan-activity;sid:83433601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570474/; classtype:trojan-activity;sid:83433574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570386/; classtype:trojan-activity;sid:83433486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570135)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tii/tii.js"; depth:11; endswith; nocase; http.host; content:"sudan-daily.net"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570135/; classtype:trojan-activity;sid:83433235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2568823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gcn/gcn.js"; depth:11; endswith; nocase; http.host; content:"spoar.org.in"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_13; reference:url, urlhaus.abuse.ch/url/2568823/; classtype:trojan-activity;sid:83431923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2555339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rn8tlx2e"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_02; reference:url, urlhaus.abuse.ch/url/2555339/; classtype:trojan-activity;sid:83418439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2545788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tedburke/commandcam/archive/refs/heads/master.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_02_20; reference:url, urlhaus.abuse.ch/url/2545788/; classtype:trojan-activity;sid:83408888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2540034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unlockteame/unlimited/zip/refs/heads/main"; depth:42; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2023_02_14; reference:url, 
urlhaus.abuse.ch/url/2540034/; classtype:trojan-activity;sid:83403134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2533240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/bztvxkzb"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_02_07; reference:url, urlhaus.abuse.ch/url/2533240/; classtype:trojan-activity;sid:83396340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2510643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/bn6ktvyl"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_01_17; reference:url, urlhaus.abuse.ch/url/2510643/; classtype:trojan-activity;sid:83373743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2502405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/tgp9td9z"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_01_09; reference:url, urlhaus.abuse.ch/url/2502405/; classtype:trojan-activity;sid:83365505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2440082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/raw/master/discord%20rat/resources/token%20grabber.dll"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_11_30; reference:url, urlhaus.abuse.ch/url/2440082/; classtype:trojan-activity;sid:83303182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2440081)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/moom825/discord-rat-2.0/raw/master/discord%20rat/resources/passwordstealer.dll"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_11_30; reference:url, urlhaus.abuse.ch/url/2440081/; classtype:trojan-activity;sid:83303181; rev:1;)
# Each rule below alerts on an established, client-originated GET whose http.uri ends with
# the listed path (depth + endswith) and whose http.host equals the listed host
# (depth + isdataat:!1,relative leaves no room for extra bytes after the match).
# NOTE(review): http.uri is the normalized URI buffer. If percent-decoding is applied there,
# a pattern containing `%20` (as in the rule that ends on the line above) would need a
# space (`|20|`) or http.uri.raw to match -- verify on the deployed Suricata version.
#
# NOTE(review), sid 83289072: the http.uri pattern contains `|7c|26|7c|`. Inside a content
# string `|7c|` is the hex escape for a literal pipe, so this decodes to the four bytes
# `|26|`, not to `&` (0x26). If the reported URL separated its query parameters with `&`
# -- presumably the case; confirm against the URLhaus entry in `reference` -- the rule
# cannot match that request; the pattern would have to carry `|26|` instead.
# depth:98 is the length of the escaped string, which is longer than the decoded pattern,
# so depth does not pin the match to offset 0 here; only endswith anchors it.
# nocase is applied to a lower-cased file id: a different id that differs only in letter
# case would also alert -- TODO confirm whether ids on this host are case-sensitive.
# `alert http` only sees requests the sensor can parse as HTTP; downloads from this host
# (and from www.dropbox.com below) made over TLS are visible only where traffic is
# decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2425972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=no_antivirus|7c|26|7c|id=1cpaqimeblbmxrxoli6d3cczgkrbzpy8_"; depth:98; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2022_11_18; reference:url, urlhaus.abuse.ch/url/2425972/; classtype:trojan-activity;sid:83289072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2408069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/zy5ntk/"; depth:18; endswith; nocase; http.host; content:"fromthetrenchesworldreport.com"; depth:30; isdataat:!1,relative; metadata:created_at 2022_11_11; reference:url, urlhaus.abuse.ch/url/2408069/; classtype:trojan-activity;sid:83271169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2406761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/wpoxoxqe2in4fju/doc7november00065.js"; depth:42; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2022_11_10; reference:url, urlhaus.abuse.ch/url/2406761/; classtype:trojan-activity;sid:83269861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2403614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uuja3km9"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; 
depth:12; isdataat:!1,relative; metadata:created_at 2022_11_07; reference:url, urlhaus.abuse.ch/url/2403614/; classtype:trojan-activity;sid:83266714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2399181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nrhtc20u"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_11_03; reference:url, urlhaus.abuse.ch/url/2399181/; classtype:trojan-activity;sid:83262281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2388056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/j5nyvlbz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_10_27; reference:url, urlhaus.abuse.ch/url/2388056/; classtype:trojan-activity;sid:83251156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2376908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/hf1kfswr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_10_18; reference:url, urlhaus.abuse.ch/url/2376908/; classtype:trojan-activity;sid:83240008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2314671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/8v775ivv"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_09_26; reference:url, urlhaus.abuse.ch/url/2314671/; classtype:trojan-activity;sid:83177771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2302899)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/janchuk/voidrat/raw/master/voidrat.exe"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_09_14; reference:url, urlhaus.abuse.ch/url/2302899/; classtype:trojan-activity;sid:83165999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2301795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding.exe"; depth:11; endswith; nocase; http.host; content:"47.98.224.91"; depth:12; isdataat:!1,relative; metadata:created_at 2022_09_13; reference:url, urlhaus.abuse.ch/url/2301795/; classtype:trojan-activity;sid:83164895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2300014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/gxkzk3ds"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_09_12; reference:url, urlhaus.abuse.ch/url/2300014/; classtype:trojan-activity;sid:83163114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2276646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ujztrvsh"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_08_24; reference:url, urlhaus.abuse.ch/url/2276646/; classtype:trojan-activity;sid:83139746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2276438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/t53jemit"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_08_24; reference:url, urlhaus.abuse.ch/url/2276438/; classtype:trojan-activity;sid:83139538; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2276221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jstt4bu3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_08_23; reference:url, urlhaus.abuse.ch/url/2276221/; classtype:trojan-activity;sid:83139321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2263529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"222.117.7.182"; depth:13; isdataat:!1,relative; metadata:created_at 2022_08_01; reference:url, urlhaus.abuse.ch/url/2263529/; classtype:trojan-activity;sid:83126629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2258131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/e8kjpbmd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_07_17; reference:url, urlhaus.abuse.ch/url/2258131/; classtype:trojan-activity;sid:83121231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2255098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.173.39.201"; depth:14; isdataat:!1,relative; metadata:created_at 2022_07_07; reference:url, urlhaus.abuse.ch/url/2255098/; classtype:trojan-activity;sid:83118198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2253550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ib64cptx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_07_03; 
reference:url, urlhaus.abuse.ch/url/2253550/; classtype:trojan-activity;sid:83116650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2253210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rwrja2sz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_07_02; reference:url, urlhaus.abuse.ch/url/2253210/; classtype:trojan-activity;sid:83116310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2252574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates1/up.exe"; depth:16; endswith; nocase; http.host; content:"1717.1000uc.com"; depth:15; isdataat:!1,relative; metadata:created_at 2022_06_30; reference:url, urlhaus.abuse.ch/url/2252574/; classtype:trojan-activity;sid:83115674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2250908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ema_kvcebm137.bin"; depth:18; endswith; nocase; http.host; content:"mersped.mycpanel.rs"; depth:19; isdataat:!1,relative; metadata:created_at 2022_06_27; reference:url, urlhaus.abuse.ch/url/2250908/; classtype:trojan-activity;sid:83114008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2246139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.219.38.228"; depth:14; isdataat:!1,relative; metadata:created_at 2022_06_20; reference:url, urlhaus.abuse.ch/url/2246139/; classtype:trojan-activity;sid:83109239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2241008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ty045yct"; 
depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_06_16; reference:url, urlhaus.abuse.ch/url/2241008/; classtype:trojan-activity;sid:83104108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2237175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cg100/cg100.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_06_14; reference:url, urlhaus.abuse.ch/url/2237175/; classtype:trojan-activity;sid:83100275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2237174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgmb/benzmonster.exe"; depth:21; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_06_14; reference:url, urlhaus.abuse.ch/url/2237174/; classtype:trojan-activity;sid:83100274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2230406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/newsales/adm_atu.exe"; depth:26; endswith; nocase; http.host; content:"palharesinformatica.com.br"; depth:26; isdataat:!1,relative; metadata:created_at 2022_06_08; reference:url, urlhaus.abuse.ch/url/2230406/; classtype:trojan-activity;sid:83093506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2192744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crt/xe"; depth:7; endswith; nocase; http.host; content:"pns.org.pk"; depth:10; isdataat:!1,relative; metadata:created_at 2022_05_13; reference:url, urlhaus.abuse.ch/url/2192744/; classtype:trojan-activity;sid:83055844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2171312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/ozrw36a2y1ch2cluzy/"; depth:44; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_04_29; reference:url, urlhaus.abuse.ch/url/2171312/; classtype:trojan-activity;sid:83034412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2164668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/uadjw/"; depth:31; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_04_26; reference:url, urlhaus.abuse.ch/url/2164668/; classtype:trojan-activity;sid:83027768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2148323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/5nnq0rbw"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_04_14; reference:url, urlhaus.abuse.ch/url/2148323/; classtype:trojan-activity;sid:83011423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2135884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/herrldgm"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_04_07; reference:url, urlhaus.abuse.ch/url/2135884/; classtype:trojan-activity;sid:82998984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2124302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_03_31; reference:url, urlhaus.abuse.ch/url/2124302/; classtype:trojan-activity;sid:82987402; rev:1;)
# Each rule below alerts on an established, client-originated GET whose http.uri ends with
# the listed path (depth + endswith) and whose http.host equals the listed host
# (depth + isdataat:!1,relative leaves no room for extra bytes after the match).
# All of them are `alert http`: a request made over TLS is only inspected where traffic
# is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2119354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/3cxmq4uaxy/"; depth:36; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_03_29; reference:url, urlhaus.abuse.ch/url/2119354/; classtype:trojan-activity;sid:82982454; rev:1;)
# NOTE(review), sid 82982453: depth:43 counts the escape `|3f|` as four characters, so it is
# three bytes larger than the decoded pattern (the same path is depth:36 in the rule above,
# plus `?i=1`). The match is therefore not pinned to offset 0 by depth; endswith still
# anchors the end of the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2119353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/3cxmq4uaxy/|3f|i=1"; depth:43; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_03_29; reference:url, urlhaus.abuse.ch/url/2119353/; classtype:trojan-activity;sid:82982453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2114263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/yjmqxmidki/a/hyehwggs.ps1"; depth:45; endswith; nocase; http.host; content:"trtmyanmar.com"; depth:14; isdataat:!1,relative; metadata:created_at 2022_03_24; reference:url, urlhaus.abuse.ch/url/2114263/; classtype:trojan-activity;sid:82977363; rev:1;)
# NOTE(review): the paste path is lower-cased and matched with nocase, so a different paste
# whose id differs only in letter case would also alert -- presumably ids on this host are
# case-sensitive; verify before treating a hit as confirmed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2098517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/znbskzzj"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_03_15; reference:url, urlhaus.abuse.ch/url/2098517/; classtype:trojan-activity;sid:82961617; rev:1;)
# NOTE(review), sid 82949335: the http.uri pattern contains `|7c|26|7c|`. Inside a content
# string `|7c|` is the hex escape for a literal pipe, so this decodes to the four bytes
# `|26|`, not to `&` (0x26). If the reported URL separated its query parameters with `&`
# -- presumably the case; confirm against the URLhaus entry in `reference` -- the rule
# cannot match that request; the pattern would have to carry `|26|` instead.
# depth:68 is the length of the escaped string, longer than the decoded pattern, so only
# endswith anchors the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2086235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gvnzexvvs3vpv0-ihflwnmzmhij3qqly"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2022_03_09; reference:url, urlhaus.abuse.ch/url/2086235/; classtype:trojan-activity;sid:82949335; rev:1;)
# NOTE(review), sid 82917042: http.uri is the normalized URI buffer. If percent-decoding is
# applied there, `%20` in this pattern would need to be a space (`|20|`), or the rule would
# need http.uri.raw, to match -- verify on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2053942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zp-user/protected%20client.js"; depth:30; endswith; nocase; http.host; content:"dreamwatchevent.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_02_22; reference:url, urlhaus.abuse.ch/url/2053942/; classtype:trojan-activity;sid:82917042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2048755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.34.209.216"; depth:13; isdataat:!1,relative; metadata:created_at 2022_02_19; reference:url, urlhaus.abuse.ch/url/2048755/; classtype:trojan-activity;sid:82911855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2044850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/3k52mzsw"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_02_16; reference:url, urlhaus.abuse.ch/url/2044850/; classtype:trojan-activity;sid:82907950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hksweep/vendor/font-awesome/svgs/brands/subtraction.php"; depth:56; endswith; nocase; http.host; 
content:"rxquickpay.com"; depth:14; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021785/; classtype:trojan-activity;sid:82884885; rev:1;)
# Each rule below is an exact-match signature: GET, http.uri pinned by depth + endswith, http.host
# pinned by depth + isdataat:!1,relative. An alert therefore maps to the single URLhaus entry
# named in msg and reference:. Several Host values recur with different .php paths
# (acms.saleseos.com, theholidayroads.com, www.crazywickedaddiction.com).
# NOTE(review): a request for any other path on these hosts does not alert, so the absence of a
# hit is not evidence that traffic to the host was benign.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/retraction.php"; depth:50; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021799/; classtype:trojan-activity;sid:82884899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/highlight.php"; depth:49; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021757/; classtype:trojan-activity;sid:82884857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/zany.php"; depth:44; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021704/; classtype:trojan-activity;sid:82884804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/userbackend/plugins/dropzone/min/assents.php"; depth:52; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019377/; classtype:trojan-activity;sid:82882477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/userbackend/plugins/dropzone/min/tautly.php"; depth:51; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019378/; classtype:trojan-activity;sid:82882478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/userbackend/plugins/dropzone/min/knave.php"; depth:50; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019365/; classtype:trojan-activity;sid:82882465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/userbackend/plugins/dropzone/min/stare.php"; depth:50; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019358/; classtype:trojan-activity;sid:82882458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/comply.php"; depth:11; endswith; nocase; http.host; content:"www.crazywickedaddiction.com"; depth:28; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008178/; classtype:trojan-activity;sid:82871278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/squalid.php"; depth:12; endswith; nocase; http.host; content:"continentalgroup.net.in"; depth:23; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008138/; classtype:trojan-activity;sid:82871238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/development/public/uploads/images/categories/beirut.php"; depth:56; endswith; nocase; http.host; content:"www.crazywickedaddiction.com"; depth:28; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008130/; classtype:trojan-activity;sid:82871230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/belt.php"; depth:9; endswith; nocase; http.host; content:"forms.saurashtrauniversity.edu"; depth:30; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008131/; classtype:trojan-activity;sid:82871231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2007403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/tu/"; depth:6; endswith; nocase; http.host; content:"izogard.com"; depth:11; isdataat:!1,relative; metadata:created_at 2022_01_26; reference:url, urlhaus.abuse.ch/url/2007403/; classtype:trojan-activity;sid:82870503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2007115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nashi-klienty/b5sc/"; depth:20; endswith; nocase; http.host; content:"izocab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_01_26; 
reference:url, urlhaus.abuse.ch/url/2007115/; classtype:trojan-activity;sid:82870215; rev:1;)
# Exact-match signatures: GET, http.uri pinned by depth + endswith (nocase applies to the URI
# pattern only), http.host pinned by depth + isdataat:!1,relative. One alert corresponds to one
# URLhaus entry, identified by the number in msg and reference:.
# Where Host is an IP literal ("/.i" rules), the match is on the Host header value; the
# destination address is still $EXTERNAL_NET any, so the address itself is not checked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1978480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.22.136.158"; depth:13; isdataat:!1,relative; metadata:created_at 2022_01_15; reference:url, urlhaus.abuse.ch/url/1978480/; classtype:trojan-activity;sid:82841580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/honduras.php"; depth:13; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891112/; classtype:trojan-activity;sid:82754212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets2/theme/css/gluttonous.php"; depth:33; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891095/; classtype:trojan-activity;sid:82754195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets2/theme/css/linearization.php"; depth:36; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891070/; classtype:trojan-activity;sid:82754170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrongdoer.php"; depth:14; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891071/; classtype:trojan-activity;sid:82754171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1890257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/crypta.js"; depth:14; endswith; nocase; http.host; content:"reauthenticator.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1890257/; classtype:trojan-activity;sid:82753357; rev:1;)
# The kramersmarionnettes.com entries that follow differ only in the .php file name; each path is
# its own sid, so a new file name on the same host is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/actionably.php"; depth:15; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888166/; classtype:trojan-activity;sid:82751266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roughness.php"; depth:14; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888149/; classtype:trojan-activity;sid:82751249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intermission.php"; depth:17; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888139/; classtype:trojan-activity;sid:82751239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redesign.php"; depth:13; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888114/; classtype:trojan-activity;sid:82751214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antienuretic.php"; depth:17; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888115/; classtype:trojan-activity;sid:82751215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fizz.php"; depth:9; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888106/; classtype:trojan-activity;sid:82751206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/designer.php"; depth:13; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888086/; classtype:trojan-activity;sid:82751186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frustrating.php"; depth:16; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888092/; classtype:trojan-activity;sid:82751192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/conditioner.php"; depth:16; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888081/; classtype:trojan-activity;sid:82751181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unthinkably.php"; depth:16; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888082/; classtype:trojan-activity;sid:82751182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unexplainable.php"; depth:18; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888084/; classtype:trojan-activity;sid:82751184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whiz.php"; depth:9; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888085/; classtype:trojan-activity;sid:82751185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1861154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2021_12_07; reference:url, urlhaus.abuse.ch/url/1861154/; classtype:trojan-activity;sid:82724254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1840623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/t7scuzy/"; depth:21; endswith; nocase; http.host; content:"apple-service93.ru"; depth:18; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1840623/; classtype:trojan-activity;sid:82703723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shopped.php"; depth:12; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839258/; classtype:trojan-activity;sid:82702358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accumulation.php"; depth:17; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839238/; classtype:trojan-activity;sid:82702338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scuffler.php"; depth:13; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839240/; 
classtype:trojan-activity;sid:82702340; rev:1;)
# Exact-match signatures: GET, http.uri pinned by depth + endswith (nocase applies to the URI
# pattern only), http.host pinned by depth + isdataat:!1,relative. Hosts recur across entries
# (muledo.com, greenf.alexion.rs, beoauto.alexion.rs) with one sid per listed .php path.
# NOTE(review): Host is compared as a whole, so greenf.alexion.rs and beoauto.alexion.rs are
# independent matches; other names under the same parent domain are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sublimely.php"; depth:14; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839228/; classtype:trojan-activity;sid:82702328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ticketing.php"; depth:14; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838316/; classtype:trojan-activity;sid:82701416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complicate.php"; depth:15; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838317/; classtype:trojan-activity;sid:82701417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blend.php"; depth:10; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838306/; classtype:trojan-activity;sid:82701406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gastric.php"; depth:12; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838289/; classtype:trojan-activity;sid:82701389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flyer.php"; depth:10; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838275/; classtype:trojan-activity;sid:82701375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acclimated.php"; depth:15; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838263/; classtype:trojan-activity;sid:82701363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warmhearted.php"; depth:16; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838242/; classtype:trojan-activity;sid:82701342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daydream.php"; depth:13; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838244/; classtype:trojan-activity;sid:82701344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1837873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/investigative.php"; depth:18; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1837873/; classtype:trojan-activity;sid:82700973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1809781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/libraries/vendor/joomla/registry/src/format/pinafore.php"; depth:57; endswith; nocase; http.host; content:"ukguk71.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_23; reference:url, urlhaus.abuse.ch/url/1809781/; classtype:trojan-activity;sid:82672881; rev:1;)
# NOTE(review): pastebin.com is normally served over HTTPS, so this "alert http" entry presumably
# needs TLS decryption ahead of the sensor to fire. The paste key is a lower-case pattern matched
# with nocase, so any case variant of the key alerts; confirm the exact URL from the HTTP log.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1778573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/c91fwnb0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_11_12; reference:url, urlhaus.abuse.ch/url/1778573/; classtype:trojan-activity;sid:82641673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1773622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/semitrailer.php"; depth:16; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_10; reference:url, urlhaus.abuse.ch/url/1773622/; classtype:trojan-activity;sid:82636722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1773603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/donkey.php"; depth:11; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_10; reference:url, 
urlhaus.abuse.ch/url/1773603/; classtype:trojan-activity;sid:82636703; rev:1;)
# Exact-match signatures: GET, http.uri pinned by depth + endswith (nocase applies to the URI
# pattern only), http.host pinned by depth + isdataat:!1,relative.
# NOTE(review): in the patterns below "|3f|" is "?" but "|7c|26|7c|" decodes to the four literal
# bytes |26| (0x7c, '2', '6', 0x7c), not to "&" (0x26). This looks like an "&" escaped twice when
# the rule was generated; if the listed URL separates query parameters with "&", the rule cannot
# match it. depth also equals the escaped text length, which is larger than the decoded pattern.
# Check the URLhaus entry in reference: and report upstream rather than editing the sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1761107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svr_netchecker/server.asp|3f|v_command=3002|7c|26|7c|v_progname=sjptmanagerlauncher.exe"; depth:88; endswith; nocase; http.host; content:"server.toeicswt.co.kr"; depth:21; isdataat:!1,relative; metadata:created_at 2021_11_07; reference:url, urlhaus.abuse.ch/url/1761107/; classtype:trojan-activity;sid:82624207; rev:1;)
# NOTE(review): pastebin.com is normally served over HTTPS, so the pastebin entries in this group
# presumably need TLS decryption ahead of the sensor to fire. Paste keys are lower-case patterns
# matched with nocase, so any case variant of a key alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1751625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ywjkrwem"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_11_04; reference:url, urlhaus.abuse.ch/url/1751625/; classtype:trojan-activity;sid:82614725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1744285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chimney.php"; depth:12; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1744285/; classtype:trojan-activity;sid:82607385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoologies.php"; depth:14; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743733/; classtype:trojan-activity;sid:82606833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whacked.php"; depth:12; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743713/; classtype:trojan-activity;sid:82606813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toggle.php"; depth:11; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743650/; classtype:trojan-activity;sid:82606750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unplug.php"; depth:11; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743660/; classtype:trojan-activity;sid:82606760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1728024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/egenyqrk"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_29; reference:url, urlhaus.abuse.ch/url/1728024/; classtype:trojan-activity;sid:82591124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1727038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nwj3nqw2"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_29; reference:url, urlhaus.abuse.ch/url/1727038/; classtype:trojan-activity;sid:82590138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1720728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/medialibrary/012/fucking.php"; depth:36; endswith; nocase; http.host; content:"shop.mediasova.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_27; reference:url, urlhaus.abuse.ch/url/1720728/; classtype:trojan-activity;sid:82583828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1720508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/medialibrary/012/chaperon.php"; depth:37; endswith; nocase; http.host; content:"shop.mediasova.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_27; reference:url, urlhaus.abuse.ch/url/1720508/; classtype:trojan-activity;sid:82583608; rev:1;)
# NOTE(review): the two onedrive.live.com entries carry the same "|7c|26|7c|" sequence (literal
# |26|, see above) and a literal "%21". http.uri is the normalized buffer, so a percent-encoded
# byte in the request may presumably be seen decoded there; http.uri.raw is the un-normalized
# buffer. onedrive.live.com is also normally HTTPS. Validate these sids with a test pcap before
# relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1704978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=04a3894062e7d373|7c|26|7c|resid=4a3894062e7d373%21192|7c|26|7c|authkey=ab7i1w77n6tsb3m"; depth:103; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_21; reference:url, urlhaus.abuse.ch/url/1704978/; classtype:trojan-activity;sid:82568078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1698617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=75ea534baf13442d|7c|26|7c|resid=75ea534baf13442d%21128|7c|26|7c|authkey=akd4vmzywc14zgq|7c|26|7c|em=2"; depth:118; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_20; reference:url, urlhaus.abuse.ch/url/1698617/; classtype:trojan-activity;sid:82561717; rev:1;)
# Exact-match signatures: GET, http.uri pinned by depth + endswith (nocase applies to the URI
# pattern only), http.host pinned by depth + isdataat:!1,relative.
# NOTE(review): several entries below target shared services (onedrive.live.com, drive.google.com,
# pastebin.com). These are normally served over HTTPS, so "alert http" presumably fires only where
# TLS is decrypted ahead of the sensor. Host alone says nothing about maliciousness here; the
# signal is the exact path/query.
# NOTE(review): "|3f|" is "?" but "|7c|26|7c|" decodes to the four literal bytes |26|
# (0x7c, '2', '6', 0x7c), not to "&" (0x26). This looks like an "&" escaped twice when the rule
# was generated; if the listed URL separates query parameters with "&", the rule cannot match it.
# depth equals the escaped text length, which is larger than the decoded pattern. The onedrive
# patterns also contain a literal "%21"; http.uri is the normalized buffer, so a percent-encoded
# byte may presumably be seen decoded there (http.uri.raw is the un-normalized buffer).
# Validate with a test pcap and report upstream rather than editing the sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1695302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=07e7986a5bf9243c|7c|26|7c|resid=7e7986a5bf9243c%21490|7c|26|7c|authkey=abhawhbvtpoyc2a"; depth:103; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_19; reference:url, urlhaus.abuse.ch/url/1695302/; classtype:trojan-activity;sid:82558402; rev:1;)
# Paste keys are lower-case patterns matched with nocase, so any case variant of a key alerts;
# confirm the exact URL from the HTTP log when triaging a pastebin hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1681096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/htylx0l1"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_15; reference:url, urlhaus.abuse.ch/url/1681096/; classtype:trojan-activity;sid:82544196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1678523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/vltktanthutn.exe"; depth:24; endswith; nocase; http.host; content:"kimyen.net"; depth:10; isdataat:!1,relative; metadata:created_at 2021_10_14; reference:url, urlhaus.abuse.ch/url/1678523/; classtype:trojan-activity;sid:82541623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1668138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2a3tx7hd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_11; reference:url, urlhaus.abuse.ch/url/1668138/; classtype:trojan-activity;sid:82531238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1658131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=539bd593e9568c65|7c|26|7c|resid=539bd593e9568c65%21136|7c|26|7c|authkey=aepr2tr-q36tt8u|7c|26|7c|em=2"; depth:118; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_06; reference:url, urlhaus.abuse.ch/url/1658131/; classtype:trojan-activity;sid:82521231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1657096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/ana/update.exe"; depth:22; endswith; nocase; http.host; content:"www.teknoarge.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_06; reference:url, urlhaus.abuse.ch/url/1657096/; classtype:trojan-activity;sid:82520196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1647561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12ma_yvbmprts6e_vkfnmwikrnwsarqbw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_29; reference:url, urlhaus.abuse.ch/url/1647561/; classtype:trojan-activity;sid:82510661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1641492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2021/01/spell.php"; depth:37; endswith; nocase; http.host; content:"easybrand.vn"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_23; reference:url, urlhaus.abuse.ch/url/1641492/; classtype:trojan-activity;sid:82504592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1641460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2021/01/stored.php"; depth:38; endswith; nocase; http.host; content:"easybrand.vn"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_23; reference:url, urlhaus.abuse.ch/url/1641460/; classtype:trojan-activity;sid:82504560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1640507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=2cc133e5e8e9b372|7c|26|7c|resid=2cc133e5e8e9b372%21113|7c|26|7c|authkey=agftuffxlpqkaz8|7c|26|7c|em=2"; depth:118; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_09_23; reference:url, urlhaus.abuse.ch/url/1640507/; classtype:trojan-activity;sid:82503607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1638740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xpmlg1s0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_21; reference:url, urlhaus.abuse.ch/url/1638740/; classtype:trojan-activity;sid:82501840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1638721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/3pqfze3c"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_21; reference:url, urlhaus.abuse.ch/url/1638721/; classtype:trojan-activity;sid:82501821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1624890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1o9jg3oqyewncoptigwscdbtfmvtfqygj"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_16; reference:url, urlhaus.abuse.ch/url/1624890/; classtype:trojan-activity;sid:82487990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1619497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decapitate.php"; depth:15; endswith; nocase; http.host; content:"tiacreation.club"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_14; reference:url, urlhaus.abuse.ch/url/1619497/; classtype:trojan-activity;sid:82482597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1609238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mjzm2uub"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_10; reference:url, urlhaus.abuse.ch/url/1609238/; classtype:trojan-activity;sid:82472338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1609225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/fhxehwzr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_10; reference:url, urlhaus.abuse.ch/url/1609225/; classtype:trojan-activity;sid:82472325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1604292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promethium.php"; depth:15; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_09; reference:url, urlhaus.abuse.ch/url/1604292/; classtype:trojan-activity;sid:82467392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photon.php"; depth:11; endswith; nocase; http.host; 
content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602881/; classtype:trojan-activity;sid:82465981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/philanthropic.php"; depth:18; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602867/; classtype:trojan-activity;sid:82465967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wash.php"; depth:9; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602778/; classtype:trojan-activity;sid:82465878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1582138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coon.php"; depth:9; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582138/; classtype:trojan-activity;sid:82445238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1582118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manly.php"; depth:10; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582118/; classtype:trojan-activity;sid:82445218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (1582106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lecher.php"; depth:11; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582106/; classtype:trojan-activity;sid:82445206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1582015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strobing.php"; depth:13; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582015/; classtype:trojan-activity;sid:82445115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1569937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2fvyxcn8"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_08_27; reference:url, urlhaus.abuse.ch/url/1569937/; classtype:trojan-activity;sid:82433037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1562140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poised.php"; depth:11; endswith; nocase; http.host; content:"mygrocerbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_08_25; reference:url, urlhaus.abuse.ch/url/1562140/; classtype:trojan-activity;sid:82425240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1560761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/safmanager/safman_setup.exe"; depth:38; endswith; nocase; http.host; content:"www.saf-oil.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2021_08_24; reference:url, 
urlhaus.abuse.ch/url/1560761/; classtype:trojan-activity;sid:82423861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teachable.php"; depth:14; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503427/; classtype:trojan-activity;sid:82366527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aggressive.php"; depth:15; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503410/; classtype:trojan-activity;sid:82366510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/belt.php"; depth:9; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503377/; classtype:trojan-activity;sid:82366477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anarchical.php"; depth:15; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503368/; classtype:trojan-activity;sid:82366468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503361)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/newborn.php"; depth:12; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503361/; classtype:trojan-activity;sid:82366461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruckus.php"; depth:11; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503351/; classtype:trojan-activity;sid:82366451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unanswerable.php"; depth:17; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503338/; classtype:trojan-activity;sid:82366438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harass.php"; depth:11; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503341/; classtype:trojan-activity;sid:82366441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1497688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2021_08_01; reference:url, urlhaus.abuse.ch/url/1497688/; classtype:trojan-activity;sid:82360788; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1473823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sweat.php"; depth:10; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 2021_07_22; reference:url, urlhaus.abuse.ch/url/1473823/; classtype:trojan-activity;sid:82336923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1470181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/power.txt"; depth:10; endswith; nocase; http.host; content:"103.106.250.161"; depth:15; isdataat:!1,relative; metadata:created_at 2021_07_21; reference:url, urlhaus.abuse.ch/url/1470181/; classtype:trojan-activity;sid:82333281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1431282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/zn9ibvfw"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_07_06; reference:url, urlhaus.abuse.ch/url/1431282/; classtype:trojan-activity;sid:82294382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1422022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1n8_s6gijerearczwh74blkygodig64eo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_07_03; reference:url, urlhaus.abuse.ch/url/1422022/; classtype:trojan-activity;sid:82285122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1422010)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1yfqtugahqhqrulwugdekeavffktsl8ci"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_07_03; reference:url, urlhaus.abuse.ch/url/1422010/; classtype:trojan-activity;sid:82285110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1391235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sbd1rnw8luztjmsh6gdlzupvyupbopa0|7c|26|7c|revid=0b3yyjts_woklr2vnyxvqohlidxbxn1l2wwjntxfnwvi5v0h3pq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_23; reference:url, urlhaus.abuse.ch/url/1391235/; classtype:trojan-activity;sid:82254335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1378480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ctmywlj5wouiug1wgizy3ke7yj1u0yor|7c|26|7c|revid=0b_t0-zked1mgagxwmxcwywq5q0q1uk1uoxcwaup6l2ovmtdjpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_19; reference:url, urlhaus.abuse.ch/url/1378480/; classtype:trojan-activity;sid:82241580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1372338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1alq8r5tnr6wwiftqa3l6d9fymv7y0g9m"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_17; reference:url, urlhaus.abuse.ch/url/1372338/; classtype:trojan-activity;sid:82235438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371786)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watercress.php"; depth:15; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371786/; classtype:trojan-activity;sid:82234886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lining.php"; depth:11; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371739/; classtype:trojan-activity;sid:82234839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scroungy.php"; depth:13; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371719/; classtype:trojan-activity;sid:82234819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1369570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pinout.php"; depth:11; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_15; reference:url, urlhaus.abuse.ch/url/1369570/; classtype:trojan-activity;sid:82232670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1369536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steeplechases.php"; depth:18; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_15; reference:url, urlhaus.abuse.ch/url/1369536/; 
classtype:trojan-activity;sid:82232636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1369533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/familial.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_15; reference:url, urlhaus.abuse.ch/url/1369533/; classtype:trojan-activity;sid:82232633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1364815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update_vbase/voklight.exe"; depth:26; endswith; nocase; http.host; content:"visam.info"; depth:10; isdataat:!1,relative; metadata:created_at 2021_06_14; reference:url, urlhaus.abuse.ch/url/1364815/; classtype:trojan-activity;sid:82227915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1364597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update_vbase/voklightd.exe"; depth:27; endswith; nocase; http.host; content:"visam.info"; depth:10; isdataat:!1,relative; metadata:created_at 2021_06_14; reference:url, urlhaus.abuse.ch/url/1364597/; classtype:trojan-activity;sid:82227697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1352974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2021_06_11; reference:url, urlhaus.abuse.ch/url/1352974/; classtype:trojan-activity;sid:82216074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habitual.php"; depth:13; endswith; nocase; http.host; 
content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350653/; classtype:trojan-activity;sid:82213753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruleless.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350619/; classtype:trojan-activity;sid:82213719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1tilqozot07vylvdmmsfs7ia452jwhktj|7c|26|7c|revid=0b7gsmqzks4xkcdjcwhuvatj2qvlvchnmnnovu2ldzstek2jzpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350517/; classtype:trojan-activity;sid:82213617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1348672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1etpmpb2shvuny5dxj5awfpxklxqpbzgx"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1348672/; classtype:trojan-activity;sid:82211772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toothy.php"; depth:11; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, 
urlhaus.abuse.ch/url/1346907/; classtype:trojan-activity;sid:82210007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unpunished.php"; depth:15; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346883/; classtype:trojan-activity;sid:82209983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jordan.php"; depth:11; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346885/; classtype:trojan-activity;sid:82209985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/defended.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346871/; classtype:trojan-activity;sid:82209971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1343323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoopoe.php"; depth:11; endswith; nocase; http.host; content:"thementordirectory.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1343323/; classtype:trojan-activity;sid:82206423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1343313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hare.php"; depth:9; 
endswith; nocase; http.host; content:"thementordirectory.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1343313/; classtype:trojan-activity;sid:82206413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1343296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/donate.php"; depth:11; endswith; nocase; http.host; content:"thementordirectory.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1343296/; classtype:trojan-activity;sid:82206396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1331376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1b6t1mjnjcvndcy-mdqq0neqrbocqyju4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_06; reference:url, urlhaus.abuse.ch/url/1331376/; classtype:trojan-activity;sid:82194476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1327898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inst77player/inst77player_1.0.0.1.exe"; depth:38; endswith; nocase; http.host; content:"softdl.360tpcdn.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_06_05; reference:url, urlhaus.abuse.ch/url/1327898/; classtype:trojan-activity;sid:82190998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1319551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nw1gmzg6lwtuhs0tte969xcfpp9_dc5q"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_03; reference:url, 
urlhaus.abuse.ch/url/1319551/; classtype:trojan-activity;sid:82182651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqofspqgo4lhe7xt4ky-gkjbc9rgwzgw9rksc_azpw2gotdlnhx9oxc_rgk1zz9mgxxwqoixey0eajp/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314584/; classtype:trojan-activity;sid:82177684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vszvhw0lywviz_dpqozkdip0orjsf7411ucirwqegcgfxwqqb3nqpbn3d7orqqxnatypulra_ssggie/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314578/; classtype:trojan-activity;sid:82177678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr-asdhfa85lnhp1g6rll18x2htnflvy5zggxzrfveecvbhjiwaes9o9w3dn49od7lplixl3u59icjr/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314581/; classtype:trojan-activity;sid:82177681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqb__8qdiraoo-s_qrzkk8o_8brsuwaeje3ivcd5efhddlux4gw5otilj5ezfenwjzaha-zojj_7srj/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; 
isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314569/; classtype:trojan-activity;sid:82177669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqha4kutkvbpn1c9r1jolub-v1dyh36itza-2zhojxuluskoxk6iogpy8b8iscqqjskaf3wduc6oykt/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314562/; classtype:trojan-activity;sid:82177662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqm_l1o1djktv6pcfwixdz1gjaqrg26rpb3n3uqpk0jqvif91b_irdew7mo34hhhoffbjohoztlmdtp/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314563/; classtype:trojan-activity;sid:82177663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vrxkt9v4qcom-0wjceb6bexufgpr_vdebkc-kra8h7gutbblset1veguumqxs3npiv4qw-7_1kiy3jm/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314556/; classtype:trojan-activity;sid:82177656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vspnrqtfaftwpvbd8o61fbvozlhc3z0x8jy4glnji-v80xrxnlemgt89l5imnr_7kxst0gn9ydkjj0q/pub"; 
depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314548/; classtype:trojan-activity;sid:82177648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vsftpbjz498ict3ab9-tehopymacl8ygytkgufxpnwlfphfxyyh5jmfj_2llrrddsiu8vypu1ksvp5p/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314549/; classtype:trojan-activity;sid:82177649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vs1h7txewarzqve-jwxnwcgzibofoz58qrk8kerhmfz8mpippgfjeoijthgmm-tw7lwcipr8acup_ft/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314543/; classtype:trojan-activity;sid:82177643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr92cz6z4uh71ogqyzgn6vtdc54xoa0iovizmkmogvekyix648nysfipvt4qto6uvtrp9jsatoeuhk3/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314544/; classtype:trojan-activity;sid:82177644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314545)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/document/d/e/2pacx-1vtuc-a7s7ylxnfwqp8oxz6no5uwdmabudx-6glkwrnzjwqwgdtcpdvwp0x0l03qdarzrzonj_adevlw/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314545/; classtype:trojan-activity;sid:82177645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqe1vc-nlfenfgigyaugmmg1dq4l0-haikp9qxkacc32ig0xtg6go8lejdoogo0vfeoie4tcyy4_bn4/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314534/; classtype:trojan-activity;sid:82177634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vsrvkllojuhzbqokettk0u2b1whglldp35-o1zgt_jlem2z2odwedj0z9sgtukvikdowcuan-0fj5wn/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314535/; classtype:trojan-activity;sid:82177635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqvbpr6y2jjnkxfpcwt9uv7pqycg6vdoowr-xnakhtl9ns4tk44rpa91em8usoc992uqyrpn6ucy5ep/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314537/; classtype:trojan-activity;sid:82177637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314526)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vq8kqm4rsobvbpga8ncnzs-1xulwuezfri9x1ktowpiijctqe1uq0iged6iq7sa5zuhnh56egsebkoj/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314526/; classtype:trojan-activity;sid:82177626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtecbrofm9hcrdmzz8g7ktneypnrpr1s7bvyoit3r8jd7rjanmysk9yyuhvzmdp3dmkd-xss7kpyffa/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287391/; classtype:trojan-activity;sid:82150491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vt544w_wvxhvfskbx2zio7pht-jzhb1nvr7y1qhtxccjopcfxzhm1mottjhjsdudpgs9lfrjcqzoi8n/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287387/; classtype:trojan-activity;sid:82150487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtcfdv_0srlqbmtfzi6hivmikknsfqd5bubuem-s-mzpzfsva62zyncoy-phkzysuhuddl0yhlyajye/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287378/; classtype:trojan-activity;sid:82150478; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vrtnhy8ipm82egefg7zhukj5qwbit31-jlhdsxovff8rcefw2uhpndpuclv_ffrqqdjhxyxympj3ame/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287373/; classtype:trojan-activity;sid:82150473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vt4iy9nlwuov8hsmpykbfkn1fh1ydp7ms8dudg2ldfjgxf8rumdtzgiw7ukoifo3ap-pb7ybzlcdfqi/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287333/; classtype:trojan-activity;sid:82150433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtyg409rjv4omi3oujyjsc6ajzflluuz37ofzbpjjihmrewoh2ehp2pwbfllgyy_yzqdrldwcaejvd5/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278913/; classtype:trojan-activity;sid:82142013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr1e4kzyqneoh2tjc5rh_unlfwjdo31gedrveg0wdyrprmm3yfdxjqxdvyy535adzu5p9m4mrvdau9v/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278910/; 
classtype:trojan-activity;sid:82142010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vrvmutaxfc2ewkvy_l_cewfjwv4md_uadqlv4onmlyc0frnp7jod3ru93sm6y-tmoj0nrvbfylt739z/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278905/; classtype:trojan-activity;sid:82142005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtpholmraa4dir0lg8z5yhqljwbzp0qkypc3jax6d3l0hs6n23kpm2iqgccjvbvug5th443jjbzs2uv/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278895/; classtype:trojan-activity;sid:82141995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vq6nr-yg49vldzzxliqvpupbajoss2nfxsnsk3khaixmvqydl20mxhttp-qa7mojkwa4osepa76nnbl/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278896/; classtype:trojan-activity;sid:82141996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqyowyoxata2couqa6uc3gwi59sq5maualr7yfmq6luzvtefqopogncbli8hx6vubkt2b65qerqhzy8/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; 
metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278899/; classtype:trojan-activity;sid:82141999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/j5fxvrf3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278586/; classtype:trojan-activity;sid:82141686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1252888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/v1jcezvd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_18; reference:url, urlhaus.abuse.ch/url/1252888/; classtype:trojan-activity;sid:82115988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1252886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/gz3wxtar"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_18; reference:url, urlhaus.abuse.ch/url/1252886/; classtype:trojan-activity;sid:82115986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1237690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1m8jszvq-ztfrul7vgsb6q-n3ftgnkbdj|7c|26|7c|revid=0bxrhybf9__wnmgjlnmxmunzznlu0v204azc4edmzcep6a0hzpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_15; reference:url, urlhaus.abuse.ch/url/1237690/; classtype:trojan-activity;sid:82100790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (1233306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gv_nk9llqw4fxudo-khja7nuuj1kevvw|7c|26|7c|revid=0b7zefp-g6n7vm0zhowo4be9pvus4mmh0ymxvd3r6zlu3ylznpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_14; reference:url, urlhaus.abuse.ch/url/1233306/; classtype:trojan-activity;sid:82096406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1230008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jnljbghz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_13; reference:url, urlhaus.abuse.ch/url/1230008/; classtype:trojan-activity;sid:82093108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1228819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=140vkyfrfhbqkukc2hnw-gsvi5wjw6iyi"; depth:68; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_13; reference:url, urlhaus.abuse.ch/url/1228819/; classtype:trojan-activity;sid:82091919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1223625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/reqfy21x"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_12; reference:url, urlhaus.abuse.ch/url/1223625/; classtype:trojan-activity;sid:82086725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1220349)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1h_dyp_d5lst4akyf2qezxl7j1scvbtvs|7c|26|7c|revid=0b5thckui5i0mdk5moelbnm9vuhnydvjnvwpyq01vrg5xvwhrpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_11; reference:url, urlhaus.abuse.ch/url/1220349/; classtype:trojan-activity;sid:82083449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1199812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uygnpwzzyzn2rodsrimg0-sloxy_letg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_05_06; reference:url, urlhaus.abuse.ch/url/1199812/; classtype:trojan-activity;sid:82062912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1198558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/59bmj3vj18vh2/drive/storage/a/files/download|3f|id=625899581658508733"; depth:75; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_05_06; reference:url, urlhaus.abuse.ch/url/1198558/; classtype:trojan-activity;sid:82061658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1184754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ygn4gkmy9musdp_lgnpyjjh6rskt39vp|7c|26|7c|revid=0b8rbgp2bpeofmk5ta3n3mgjtefbzdevwtk5wwhpjd3yruejjpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_30; reference:url, urlhaus.abuse.ch/url/1184754/; classtype:trojan-activity;sid:82047854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1182816)"; 
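flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1zxejnkdwqezrbgani5vjk2y2nhmpkg0z|26|revid=0b-bo0wgwxcblsui1mehkbhrlu01rwxnyrxzxanbdendmbndnpq"; depth:114; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1182816/; classtype:trojan-activity;sid:82045916; rev:1;)
# Review: in the rule ending above and in the download.blog rules below, the
# query separator was written as |7c|26|7c|. Suricata decodes that to the four
# literal bytes "|26|" (hex 7c is the pipe character), so the pattern could not
# match a request that carries "&" at that position. It is written as |26|
# here, and each http.uri depth is reduced to the decoded pattern length so
# that depth + endswith again pin the whole URI. The double escaping presumably
# comes from the feed generator and is best fixed there; a local edit is lost
# on the next ruleset download.
#
# NOTE(review): the filename= values keep their percent-escapes (%ec%9d...).
# http.uri is the normalized URI buffer; if the sensor's HTTP parser decodes
# percent-escapes in the query, these patterns will not match there and
# http.uri.raw would be the buffer to test against. Confirm against a capture
# before relying on the download.blog signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=mep5euraznm5lmjsb2cuzgf1bs5uzxq6l0lnqudflzavns5legu=|26|filename=%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8.exe"; depth:187; endswith; nocase; http.host; content:"cfs9.blog.daum.net"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181763/; classtype:trojan-activity;sid:82044863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=ymxvzze5mtk5nubmczezlnrpc3rvcnkuy29toi9hdhrhy2gvmc8xnzawmdawmdawmdauzxhl|26|filename=oleaut32.dll%bf%c0%b7%f9%c7%d8%b0%e1%c7%cf%b1%e2.exe"; depth:172; endswith; nocase; http.host; content:"cfs13.tistory.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181758/; classtype:trojan-activity;sid:82044858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=mdczafhaznmxmc5ibg9nlmrhdw0ubmv0oi9jtufhrs8wlzkwlmv4zq==|26|filename=xp_sp3_%ed%85%8c%eb%a7%88%ed%8c%a8%ec%b9%98.exe"; depth:151; endswith; nocase; http.host; content:"cfs10.blog.daum.net"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181756/; classtype:trojan-activity;sid:82044856; rev:1;)
# NOTE(review): same host and fhandle as sid 82044858, but the filename bytes
# are mostly %ef%bf%bd (UTF-8 for U+FFFD, the replacement character), which
# suggests the URL was recorded after a lossy charset conversion. A client
# fetching the original file would presumably send the bytes matched by sid
# 82044858 instead; verify whether this entry can fire at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=ymxvzze5mtk5nubmczezlnrpc3rvcnkuy29toi9hdhrhy2gvmc8xnzawmdawmdawmdauzxhl|26|filename=oleaut32.dll%ef%bf%bd%ef%bf%bd%ef%bf%bd%ef%bf%bd%ef%bf%bd%d8%b0%ef%bf%bd%ef%bf%bd%cf%b1%ef%bf%bd.exe"; depth:220; endswith; nocase; http.host; content:"cfs13.tistory.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181754/; classtype:trojan-activity;sid:82044854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=metnwe5aznm3lmjsb2cuzgf1bs5uzxq6l0lnqudflzavmc5legu=|26|filename=%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8-cksal16.exe/%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8-cksal16.exe"; depth:291; endswith; nocase; http.host; content:"cfs7.blog.daum.net"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181755/; classtype:trojan-activity;sid:82044855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1152444)"; flow:established,from_client; http.method; content:"GET"; http.uri;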
content:"/uc|3f|export=download|7c|26|7c|id=1jpl-uouydm5hypqm67uokyddrblbpxvw|7c|26|7c|revid=0b7zpiprmoc5ubhpwclq0cxdyte5vwtrbymnidznhtgm3bzvrpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_22; reference:url, urlhaus.abuse.ch/url/1152444/; classtype:trojan-activity;sid:82015544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1098623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"111.185.171.111"; depth:15; isdataat:!1,relative; metadata:created_at 2021_03_29; reference:url, urlhaus.abuse.ch/url/1098623/; classtype:trojan-activity;sid:81961723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1010244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/bew39lta"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_02_14; reference:url, urlhaus.abuse.ch/url/1010244/; classtype:trojan-activity;sid:81873344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (984502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/g7vaue54"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_01_30; reference:url, urlhaus.abuse.ch/url/984502/; classtype:trojan-activity;sid:81847602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (961009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/00aujclx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_01_14; reference:url, urlhaus.abuse.ch/url/961009/; 
classtype:trojan-activity;sid:81824109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (957784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamewd/yhdl.exe"; depth:16; endswith; nocase; http.host; content:"download.caihong.com"; depth:20; isdataat:!1,relative; metadata:created_at 2021_01_13; reference:url, urlhaus.abuse.ch/url/957784/; classtype:trojan-activity;sid:81820884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (936427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/bxjesdj7w3meuh7iatiurbsgh/"; depth:36; endswith; nocase; http.host; content:"cdaonline.com.ar"; depth:16; isdataat:!1,relative; metadata:created_at 2020_12_21; reference:url, urlhaus.abuse.ch/url/936427/; classtype:trojan-activity;sid:81799527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (765703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/lm/7cfvaaa9jo/"; depth:27; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_29; reference:url, urlhaus.abuse.ch/url/765703/; classtype:trojan-activity;sid:81628803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (763354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/hkhchyzdynzpebzcre0lq3l2ddjizwk4f7/"; depth:45; endswith; nocase; http.host; content:"xuezha.net"; depth:10; isdataat:!1,relative; metadata:created_at 2020_10_29; reference:url, urlhaus.abuse.ch/url/763354/; classtype:trojan-activity;sid:81626454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (756747)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-includes/rrrv7ilgm2dzpohaklkhewb8rkju15bmqeewccglap/"; depth:56; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_27; reference:url, urlhaus.abuse.ch/url/756747/; classtype:trojan-activity;sid:81619847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (756736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/4ld2g8w3rrmhtgvvvpeq2orlcqm71yyxveriw5rzitvii3/"; depth:60; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_27; reference:url, urlhaus.abuse.ch/url/756736/; classtype:trojan-activity;sid:81619836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (734911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/esp/"; depth:14; endswith; nocase; http.host; content:"www.steamrub.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_10_22; reference:url, urlhaus.abuse.ch/url/734911/; classtype:trojan-activity;sid:81598011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (733798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/oct/w9hmkanqe5py4r/"; depth:32; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_22; reference:url, urlhaus.abuse.ch/url/733798/; classtype:trojan-activity;sid:81596898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (723755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/sites/ci6p05scnuonqslqmehm/"; depth:37; endswith; nocase; http.host; content:"cdaonline.com.ar"; depth:16; isdataat:!1,relative; metadata:created_at 2020_10_20; reference:url, 
urlhaus.abuse.ch/url/723755/; classtype:trojan-activity;sid:81586855; rev:1;)
# Each signature in this group pins one exact URL: http.uri is matched with
# depth + endswith (whole URI) and http.host with depth + isdataat:!1,relative
# (whole host name), for GET requests from $HOME_NET to $EXTERNAL_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (637433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paetools.exe"; depth:13; endswith; nocase; http.host; content:"soft.110route.com"; depth:17; isdataat:!1,relative; metadata:created_at 2020_10_01; reference:url, urlhaus.abuse.ch/url/637433/; classtype:trojan-activity;sid:81500533; rev:1;)
# NOTE(review): the next rule matches a release-asset path on github.com, a
# host shared by unrelated projects. The indicator is the full URL, not the
# host: do not derive host-level blocks from it, and check the referenced
# URLhaus entry before treating a hit as a confirmed infection.
# "alert http" only sees requests that Suricata parses as HTTP. github.com and
# raw.githubusercontent.com (further below) are normally reached over TLS, so
# expect no alert from these two rules unless the request is cleartext or the
# traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (613088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikf/gallery-dl/releases/download/v1.15.0/gallery-dl.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2020_09_26; reference:url, urlhaus.abuse.ch/url/613088/; classtype:trojan-activity;sid:81476188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (490516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmatrix/data/hack1226.exe"; depth:26; endswith; nocase; http.host; content:"cd.textfiles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_14; reference:url, urlhaus.abuse.ch/url/490516/; classtype:trojan-activity;sid:81353616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (453216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enteihacking/mt/master/asycivic.jpg"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_09_04; reference:url, urlhaus.abuse.ch/url/453216/; classtype:trojan-activity;sid:81316316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (453035)"; flow:established,from_client;
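http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1g_x0a_gnyxai5glsipkq1b2mqknanuw8"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_04; reference:url, urlhaus.abuse.ch/url/453035/; classtype:trojan-activity;sid:81316135; rev:1;)
# Review: the five drive.google.com rules in this group (the one ending above
# and the four below) had the query separator written as |7c|26|7c|. Suricata
# decodes that to the four literal bytes "|26|" (hex 7c is the pipe
# character), so the pattern could not match a request for
# /uc?export=download&id=... It is written as |26| here. depth was 68, the
# length of the escaped text; it is now 56, the decoded pattern length, so that
# depth + endswith pin the whole URI. The double escaping presumably comes from
# the feed generator and is best fixed there; a local edit is lost on the next
# ruleset download.
# "alert http" only sees requests that Suricata parses as HTTP; for a host
# normally reached over TLS, expect alerts only for cleartext or decrypted
# traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (452177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=14muad9cmj6mxsd9lrccuo1egxyf5f-ty"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_03; reference:url, urlhaus.abuse.ch/url/452177/; classtype:trojan-activity;sid:81315277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (451466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1yrmkzxf4rmy9utrikbh6rgvsokehbmeo"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_02; reference:url, urlhaus.abuse.ch/url/451466/; classtype:trojan-activity;sid:81314566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (447394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1sm7b9902i8v4yitepf6gzomqc84ltloi"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_31; reference:url, urlhaus.abuse.ch/url/447394/; classtype:trojan-activity;sid:81310494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (446803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1gavcby-nhlq22ohbgm530exffsrg1aub"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_30; reference:url, urlhaus.abuse.ch/url/446803/; classtype:trojan-activity;sid:81309903; rev:1;)
# The host match is exact, so the same path is listed once per host-name
# variant (reifenquick.de and www.reifenquick.de) under separate sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (439389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2020_08_24; reference:url, urlhaus.abuse.ch/url/439389/; classtype:trojan-activity;sid:81302489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (438705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/file/21mnqlvi/oz88535657v7rbazasyth9x8i/"; depth:49; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_21; reference:url, urlhaus.abuse.ch/url/438705/; classtype:trojan-activity;sid:81301805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (436727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_19; reference:url, urlhaus.abuse.ch/url/436727/; classtype:trojan-activity;sid:81299827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (434592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/closed_957176_mxqsdoj6a4iz/close_warehouse/ql55hnq09iyn6lm_334stxvw03wyv/"; depth:82; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18;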
isdataat:!1,relative; metadata:created_at 2020_08_17; reference:url, urlhaus.abuse.ch/url/434592/; classtype:trojan-activity;sid:81297692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (434320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/hl8-8w4cs-6325/"; depth:24; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2020_08_17; reference:url, urlhaus.abuse.ch/url/434320/; classtype:trojan-activity;sid:81297420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (434311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/xofsl/"; depth:12; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_17; reference:url, urlhaus.abuse.ch/url/434311/; classtype:trojan-activity;sid:81297411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (432722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/xofsl/"; depth:12; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_14; reference:url, urlhaus.abuse.ch/url/432722/; classtype:trojan-activity;sid:81295822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (432117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/hl8-8w4cs-6325/"; depth:24; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_13; reference:url, urlhaus.abuse.ch/url/432117/; classtype:trojan-activity;sid:81295217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (429290)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/gttu/overview/sw94b26/"; depth:23; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_11; reference:url, urlhaus.abuse.ch/url/429290/; classtype:trojan-activity;sid:81292390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (427444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/invoice/ujn3me8cye/"; depth:25; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_07; reference:url, urlhaus.abuse.ch/url/427444/; classtype:trojan-activity;sid:81290544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (426390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/open-0627720493640-azq24pffjrm/guarded-space/gxkx9t42ra6yf-6x7uyx330389w/"; depth:82; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_06; reference:url, urlhaus.abuse.ch/url/426390/; classtype:trojan-activity;sid:81289490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (426310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/covid19/statement/"; depth:19; endswith; nocase; http.host; content:"schenckel.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_06; reference:url, urlhaus.abuse.ch/url/426310/; classtype:trojan-activity;sid:81289410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (424629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/kdgxnbhp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_08_05; reference:url, 
urlhaus.abuse.ch/url/424629/; classtype:trojan-activity;sid:81287729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (422458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invoice/aog-3515110/"; depth:21; endswith; nocase; http.host; content:"lindnerelektroanlagen.de"; depth:24; isdataat:!1,relative; metadata:created_at 2020_07_30; reference:url, urlhaus.abuse.ch/url/422458/; classtype:trojan-activity;sid:81285558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (420521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/parts_service/ly944myw/"; depth:28; endswith; nocase; http.host; content:"hitstation.nl"; depth:13; isdataat:!1,relative; metadata:created_at 2020_07_28; reference:url, urlhaus.abuse.ch/url/420521/; classtype:trojan-activity;sid:81283621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (419868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paradiselost/statement/s7nr8p8ut/"; depth:34; endswith; nocase; http.host; content:"damiancollier.com"; depth:17; isdataat:!1,relative; metadata:created_at 2020_07_27; reference:url, urlhaus.abuse.ch/url/419868/; classtype:trojan-activity;sid:81282968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (417815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/znhs8f1m"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_07_22; reference:url, urlhaus.abuse.ch/url/417815/; classtype:trojan-activity;sid:81280915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (417814)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/raw/6xgqcgx8"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_07_22; reference:url, urlhaus.abuse.ch/url/417814/; classtype:trojan-activity;sid:81280914; rev:1;)
# NOTE(review): raw.githubusercontent.com is normally reached over TLS. An `alert http`
# rule only inspects HTTP that the sensor can parse, so this fires only on cleartext
# requests or where TLS is decrypted before Suricata. Confirm coverage before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (410755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d35ha/processhide/master/bins/processhide32.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_07_10; reference:url, urlhaus.abuse.ch/url/410755/; classtype:trojan-activity;sid:81273855; rev:1;)
# NOTE(review), applies to this rule and the next one:
#  - Inside content, |7c| is the byte 0x7c ("|"), so |7c|26|7c| matches the literal text
#    "|26|" and not "&" (0x26, which would be written |26|). A request that separates its
#    query parameters with "&" would not match. This looks like double escaping during rule
#    generation; verify against the referenced URLhaus entry.
#  - depth:68 equals the length of the escaped text; the decoded content is 59 bytes, so
#    depth was presumably computed before hex decoding.
#  - nocase on a lowercased file id also matches ids that differ only in letter case.
#  - drive.google.com is normally reached over TLS: same visibility caveat as above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (390013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1am1ztjjhswzwdbvue5tke5mbkwjud0w5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_06_15; reference:url, urlhaus.abuse.ch/url/390013/; classtype:trojan-activity;sid:81253113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (390009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hd7ffgig6btbzuy2_2kds_t4u637qxjn"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_06_15; reference:url, urlhaus.abuse.ch/url/390009/; classtype:trojan-activity;sid:81253109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (374230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmjbbs/673484/nqad_673484_01062020.zip"; depth:39; endswith; nocase; http.host; content:"xn--b1afiqif6c.xn--p1ai"; depth:23; 
isdataat:!1,relative; metadata:created_at 2020_06_02; reference:url, urlhaus.abuse.ch/url/374230/; classtype:trojan-activity;sid:81237330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/pdf.exe"; depth:22; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368318/; classtype:trojan-activity;sid:81231418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/doc/774d0427cd607b1c09131cc277a68c9edd7cf01499d356bcb1ef4a08e6fc322a.doc"; depth:83; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368317/; classtype:trojan-activity;sid:81231417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/xerox01_pdf.exe"; depth:30; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368315/; classtype:trojan-activity;sid:81231415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/doc/46cad0e0ca3b2d6d9d3ce691ca2887b18abc80acf0e81799fbb290cce104c8eb.doc"; depth:83; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368312/; 
classtype:trojan-activity;sid:81231412; rev:1;)
# NOTE(review): this rule and the two after it share the host 0022a601.pphost.net and the
# /threatsim/ path prefix. The path name suggests a phishing-simulation or awareness-training
# service rather than live malware hosting. That is unconfirmed: check the URLhaus reference
# before escalating a hit, and consider whether internal training campaigns could trigger it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/njrat.exe"; depth:24; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368311/; classtype:trojan-activity;sid:81231411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/order_pdf.exe"; depth:28; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368309/; classtype:trojan-activity;sid:81231409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/640.exe"; depth:22; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368303/; classtype:trojan-activity;sid:81231403; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the literal text "|26|" (|7c| is the byte 0x7c, "|"),
# not to "&" (0x26). A request that uses "&" between query parameters would not match, so
# verify this against the referenced URLhaus entry. drive.google.com is normally reached
# over TLS, so an `alert http` rule sees it only in cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (366549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1pyl4hq8sbp5qatm1zz9vmsze1cuy2uzw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_05_22; reference:url, urlhaus.abuse.ch/url/366549/; classtype:trojan-activity;sid:81229649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (359838)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"82.166.57.2"; depth:11; isdataat:!1,relative; metadata:created_at 2020_05_08; reference:url, urlhaus.abuse.ch/url/359838/; classtype:trojan-activity;sid:81222938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (355363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/0/uc|3f|id=1osjrfvjdy1vblk4fya98jp5jlnk7rutv|7c|26|7c|export=download"; depth:72; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_05_01; reference:url, urlhaus.abuse.ch/url/355363/; classtype:trojan-activity;sid:81218463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (351490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nndvq_2_7doyyuqvcvwmory_4lyrplb7"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_04_26; reference:url, urlhaus.abuse.ch/url/351490/; classtype:trojan-activity;sid:81214590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (326350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/builds/offers/12.exe"; depth:21; endswith; nocase; http.host; content:"softcatalog.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2020_03_18; reference:url, urlhaus.abuse.ch/url/326350/; classtype:trojan-activity;sid:81189450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (322758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=ymxvzzcxmzyyqgzzns50axn0b3j5lmnvbtovyxr0ywnolzavmtqwmdawmdawmdawlmv4zq%3d%3d|7c|26|7c|filename=crack-pro20.exe"; depth:151; 
endswith; nocase; http.host; content:"cfs5.tistory.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_03_08; reference:url, urlhaus.abuse.ch/url/322758/; classtype:trojan-activity;sid:81185858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (318948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuzzbunch/fuzzbunch/master/payloads/doublepulsar-1.3.1.exe"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_02_26; reference:url, urlhaus.abuse.ch/url/318948/; classtype:trojan-activity;sid:81182048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (318947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bero1985/berotinypascal/e34bd4164f4b7c27e7cf667dffd9274d33d6dfbe/bin/btpc.exe"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_02_26; reference:url, urlhaus.abuse.ch/url/318947/; classtype:trojan-activity;sid:81182047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fta.exe"; depth:8; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314465/; classtype:trojan-activity;sid:81177565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documeynt9897.zip"; depth:18; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314464/; 
classtype:trojan-activity;sid:81177564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvs.zip"; depth:8; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314463/; classtype:trojan-activity;sid:81177563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (308942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-lm9-32/"; depth:21; endswith; nocase; http.host; content:"www.chenwangqiao.com"; depth:20; isdataat:!1,relative; metadata:created_at 2020_02_05; reference:url, urlhaus.abuse.ch/url/308942/; classtype:trojan-activity;sid:81172042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (304070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/file/"; depth:16; endswith; nocase; http.host; content:"www.chenwangqiao.com"; depth:20; isdataat:!1,relative; metadata:created_at 2020_01_31; reference:url, urlhaus.abuse.ch/url/304070/; classtype:trojan-activity;sid:81167170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (303582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/com1/files/severstal_map.exe"; depth:29; endswith; nocase; http.host; content:"111101111.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2020_01_31; reference:url, urlhaus.abuse.ch/url/303582/; classtype:trojan-activity;sid:81166682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (288508)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/omlakdj17fkcjfsd/common_module/security_lkveb9o0tx_wd3lhz42yf1slt/tlcs2lwhd3vo_38wyy7/"; depth:87; endswith; nocase; http.host; content:"owlcity.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2020_01_14; reference:url, urlhaus.abuse.ch/url/288508/; classtype:trojan-activity;sid:81151608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (272221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/about/lm/5oj0ss1de/"; depth:20; endswith; nocase; http.host; content:"dezcom.com"; depth:10; isdataat:!1,relative; metadata:created_at 2019_12_19; reference:url, urlhaus.abuse.ch/url/272221/; classtype:trojan-activity;sid:81135321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (267913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index_soubory/common_sector/external_area/61551354147_t4d0ky73jjywffgy/"; depth:72; endswith; nocase; http.host; content:"oknoplastik.sk"; depth:14; isdataat:!1,relative; metadata:created_at 2019_12_12; reference:url, urlhaus.abuse.ch/url/267913/; classtype:trojan-activity;sid:81131013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (254738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvd/dist/fileupload/1571723382710/9.915787746614242.jpg"; depth:56; endswith; nocase; http.host; content:"cdn.xiaoduoai.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_11_18; reference:url, urlhaus.abuse.ch/url/254738/; classtype:trojan-activity;sid:81117838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (254737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvd/dist/fileupload/1571723350789/0.25579108623802416.jpg"; depth:58; endswith; nocase; http.host; 
content:"cdn.xiaoduoai.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_11_18; reference:url, urlhaus.abuse.ch/url/254737/; classtype:trojan-activity;sid:81117837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (242568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.4.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/242568/; classtype:trojan-activity;sid:81105668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240568/; classtype:trojan-activity;sid:81103668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"71.42.105.34"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240550/; classtype:trojan-activity;sid:81103650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"92.114.191.82"; depth:13; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240403/; classtype:trojan-activity;sid:81103503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240036)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.151.143.2"; depth:13; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240036/; classtype:trojan-activity;sid:81103136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (239019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_06; reference:url, urlhaus.abuse.ch/url/239019/; classtype:trojan-activity;sid:81102119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (237890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2019_10_05; reference:url, urlhaus.abuse.ch/url/237890/; classtype:trojan-activity;sid:81100990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"www.konsor.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2019_08_04; reference:url, urlhaus.abuse.ch/url/222263/; classtype:trojan-activity;sid:81085363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"konsor.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2019_08_04; reference:url, urlhaus.abuse.ch/url/222259/; classtype:trojan-activity;sid:81085359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222056)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaobeitu/news/v1.0.7.31/news_01.exe"; depth:36; endswith; nocase; http.host; content:"download.kaobeitu.com"; depth:21; isdataat:!1,relative; metadata:created_at 2019_08_04; reference:url, urlhaus.abuse.ch/url/222056/; classtype:trojan-activity;sid:81085156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaobeitu/mini/v1.0.7.16/mini_04.exe"; depth:36; endswith; nocase; http.host; content:"download.kaobeitu.com"; depth:21; isdataat:!1,relative; metadata:created_at 2019_08_03; reference:url, urlhaus.abuse.ch/url/222026/; classtype:trojan-activity;sid:81085126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (221598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kszip/mini/v1.0.7.31/mini_04.exe"; depth:33; endswith; nocase; http.host; content:"download.pdf00.cn"; depth:17; isdataat:!1,relative; metadata:created_at 2019_08_01; reference:url, urlhaus.abuse.ch/url/221598/; classtype:trojan-activity;sid:81084698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (221595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kszip/news2/v1.0.7.31/news2_02.exe"; depth:35; endswith; nocase; http.host; content:"download.pdf00.cn"; depth:17; isdataat:!1,relative; metadata:created_at 2019_08_01; reference:url, urlhaus.abuse.ch/url/221595/; classtype:trojan-activity;sid:81084695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (220541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25072019_0963.xls"; depth:18; endswith; nocase; http.host; content:"fakers.co.jp"; depth:12; isdataat:!1,relative; 
metadata:created_at 2019_07_29; reference:url, urlhaus.abuse.ch/url/220541/; classtype:trojan-activity;sid:81083641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (219275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0996938c001/6e8a2a4f-40ac-464f-9a70-7c67f0a0da19.pdf"; depth:53; endswith; nocase; http.host; content:"files.constantcontact.com"; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_24; reference:url, urlhaus.abuse.ch/url/219275/; classtype:trojan-activity;sid:81082375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (217486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meteoradminz/hidden-tear/zip/master"; depth:36; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217486/; classtype:trojan-activity;sid:81080586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (210525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20.06.2019_130.22.doc"; depth:22; endswith; nocase; http.host; content:"fakers.co.jp"; depth:12; isdataat:!1,relative; metadata:created_at 2019_06_20; reference:url, urlhaus.abuse.ch/url/210525/; classtype:trojan-activity;sid:81073625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (208009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/domains/updateagent/application%20files/upagent.exe"; depth:52; endswith; nocase; http.host; content:"old.bullydog.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_06_12; reference:url, urlhaus.abuse.ch/url/208009/; classtype:trojan-activity;sid:81071109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (206183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~golgo13ex/c964732.xls"; depth:23; endswith; nocase; http.host; content:"www.cc9.ne.jp"; depth:13; isdataat:!1,relative; metadata:created_at 2019_06_05; reference:url, urlhaus.abuse.ch/url/206183/; classtype:trojan-activity;sid:81069283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (203280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/qt51crk.exe"; depth:21; endswith; nocase; http.host; content:"www.hseda.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_05_29; reference:url, urlhaus.abuse.ch/url/203280/; classtype:trojan-activity;sid:81066380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (203157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/qt51crk.exe"; depth:21; endswith; nocase; http.host; content:"hseda.com"; depth:9; isdataat:!1,relative; metadata:created_at 2019_05_28; reference:url, urlhaus.abuse.ch/url/203157/; classtype:trojan-activity;sid:81066257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (202114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screenmate/cute/sm1302.zip"; depth:27; endswith; nocase; http.host; content:"www.starcountry.net"; depth:19; isdataat:!1,relative; metadata:created_at 2019_05_26; reference:url, urlhaus.abuse.ch/url/202114/; classtype:trojan-activity;sid:81065214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (201513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wj1bsetup.exe"; depth:14; endswith; nocase; http.host; content:"dl.dzqzd.com"; depth:12; isdataat:!1,relative; metadata:created_at 2019_05_24; 
reference:url, urlhaus.abuse.ch/url/201513/; classtype:trojan-activity;sid:81064613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/zorke_release/zorke_asciiverter_v1.00/zke-ascv.exe"; depth:60; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200800/; classtype:trojan-activity;sid:81063900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/12.2013/nrv-ppwr.zip"; depth:30; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200798/; classtype:trojan-activity;sid:81063898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razor/rzr-winner_intro.zip"; depth:27; endswith; nocase; http.host; content:"chiptune.com"; depth:12; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200771/; classtype:trojan-activity;sid:81063871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/zorke_release/zorke_nfo_file_viewer_v1.00/zke-nfoview.exe"; depth:67; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200770/; classtype:trojan-activity;sid:81063870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (200129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/qxuserctrlsetup_1010.exe"; depth:29; endswith; nocase; http.host; content:"sta.qinxue.com"; depth:14; isdataat:!1,relative; metadata:created_at 2019_05_22; reference:url, urlhaus.abuse.ch/url/200129/; classtype:trojan-activity;sid:81063229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (195172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eypipe/pipefile/adpopup/adpopup_1382523956.exe"; depth:47; endswith; nocase; http.host; content:"goto.stnts.com"; depth:14; isdataat:!1,relative; metadata:created_at 2019_05_13; reference:url, urlhaus.abuse.ch/url/195172/; classtype:trojan-activity;sid:81058272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (186282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pub/1003b/patch/patch_data/patch_0.3300/1003b.exe"; depth:50; endswith; nocase; http.host; content:"dl.1003b.56a.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_04_27; reference:url, urlhaus.abuse.ch/url/186282/; classtype:trojan-activity;sid:81049382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (185713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qrtb.exe"; depth:9; endswith; nocase; http.host; content:"xiaoma-10021647.file.myqcloud.com"; depth:33; isdataat:!1,relative; metadata:created_at 2019_04_26; reference:url, urlhaus.abuse.ch/url/185713/; classtype:trojan-activity;sid:81048813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (184801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqpjo/scan/uftruaemi2h/"; depth:24; endswith; nocase; http.host; content:"redlk.com"; 
depth:9; isdataat:!1,relative; metadata:created_at 2019_04_25; reference:url, urlhaus.abuse.ch/url/184801/; classtype:trojan-activity;sid:81047901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (176091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/templates/theme261/css/msg.jpg"; depth:31; endswith; nocase; http.host; content:"sk-comtel.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_04_12; reference:url, urlhaus.abuse.ch/url/176091/; classtype:trojan-activity;sid:81039191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (175833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/templates/theme261/html/com_contact/category/hp.gf"; depth:51; endswith; nocase; http.host; content:"sk-comtel.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_04_11; reference:url, urlhaus.abuse.ch/url/175833/; classtype:trojan-activity;sid:81038933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (173971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/support/trust/en/042019/"; depth:30; endswith; nocase; http.host; content:"brightworks.cz"; depth:14; isdataat:!1,relative; metadata:created_at 2019_04_09; reference:url, urlhaus.abuse.ch/url/173971/; classtype:trojan-activity;sid:81037071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (168634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/sec.myaccount.docs.biz/"; depth:36; endswith; nocase; http.host; content:"allister.ee"; depth:11; isdataat:!1,relative; metadata:created_at 2019_03_29; reference:url, urlhaus.abuse.ch/url/168634/; classtype:trojan-activity;sid:81031734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (165554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure.myacc.resourses.com/"; depth:28; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_25; reference:url, urlhaus.abuse.ch/url/165554/; classtype:trojan-activity;sid:81028654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (165504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i203611254b019514581.zip"; depth:25; endswith; nocase; http.host; content:"programandojuntos.us.tempcloudsite.com"; depth:38; isdataat:!1,relative; metadata:created_at 2019_03_25; reference:url, urlhaus.abuse.ch/url/165504/; classtype:trojan-activity;sid:81028604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (164277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/corporation/new_invoice/1033530/hijmq-jo_uqgwdlyf-8e/"; depth:54; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_22; reference:url, urlhaus.abuse.ch/url/164277/; classtype:trojan-activity;sid:81027377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (162770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artluz/produtos/sendincsec/support/sec/en_en/03-2019/"; depth:54; endswith; nocase; http.host; content:"alarmline.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2019_03_20; reference:url, urlhaus.abuse.ch/url/162770/; classtype:trojan-activity;sid:81025870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (161757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomatoleizhutizy/tomatoleizhutizy.exe"; depth:38; 
endswith; nocase; http.host; content:"softdl2.360tpcdn.com"; depth:20; isdataat:!1,relative; metadata:created_at 2019_03_19; reference:url, urlhaus.abuse.ch/url/161757/; classtype:trojan-activity;sid:81024857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (157610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stats/f06bn-kgh24-ncoviajp/"; depth:28; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_12; reference:url, urlhaus.abuse.ch/url/157610/; classtype:trojan-activity;sid:81020710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (155567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rawabijob.hta"; depth:14; endswith; nocase; http.host; content:"local-update.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_03_10; reference:url, urlhaus.abuse.ch/url/155567/; classtype:trojan-activity;sid:81018667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (154627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/za.ebali"; depth:9; endswith; nocase; http.host; content:"mitreart.com"; depth:12; isdataat:!1,relative; metadata:created_at 2019_03_07; reference:url, urlhaus.abuse.ch/url/154627/; classtype:trojan-activity;sid:81017727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (143834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hl2dm/hl2dm_updater.exe"; depth:24; endswith; nocase; http.host; content:"update.bruss.org.ru"; depth:19; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143834/; classtype:trojan-activity;sid:81006934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (143833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hl2dm/hl2dm%5fupdater.exe"; depth:26; endswith; nocase; http.host; content:"update.bruss.org.ru"; depth:19; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143833/; classtype:trojan-activity;sid:81006933; rev:1;)
# NOTE(review): the rule that ends on the line above (URLhaus 143833, sid 81006933) matches the
# literal "%5f" inside http.uri. Suricata documents http.uri as the normalized request URI and
# http.uri.raw as the unmodified one; if this sensor's HTTP parser settings decode percent-escapes
# in the path, the buffer would hold "_" instead, which is the form sid 81006934 (URLhaus 143834)
# already matches. Confirm with a test capture before relying on this rule - TODO verify.
#
# Next rule: the host is github.com, a shared code-hosting domain. depth:53 equals the length of
# the http.uri content and is paired with endswith, so the rule fires only when the whole http.uri
# buffer equals this one path; depth:10 plus isdataat:!1,relative pins http.host to exactly
# "github.com". A hit therefore identifies this specific URL, not the host in general.
# "alert http" only sees requests Suricata parses as HTTP, so the same download over TLS is
# presumably not visible without decryption - confirm locally. created_at is 2019_02_23; check the
# reference URL for the entry's current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (143301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pistacchietto/win-python-backdoor/raw/master/win.bat"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143301/; classtype:trojan-activity;sid:81006401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (142841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/company/account/open/file/jnpvoliu3gcmmwttlpocikgwpnx/"; depth:55; endswith; nocase; http.host; content:"energy63.ru"; depth:11; isdataat:!1,relative; metadata:created_at 2019_02_22; reference:url, urlhaus.abuse.ch/url/142841/; classtype:trojan-activity;sid:81005941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (140791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bv5eh1ierp/"; depth:12; endswith; nocase; http.host; content:"augsburg-auto.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_02_20; reference:url, urlhaus.abuse.ch/url/140791/; classtype:trojan-activity;sid:81003891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (140721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/llc/pymn-4tz_mul-r1/"; depth:21; endswith; nocase; http.host; content:"energy63.ru"; depth:11; 
isdataat:!1,relative; metadata:created_at 2019_02_20; reference:url, urlhaus.abuse.ch/url/140721/; classtype:trojan-activity;sid:81003821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (140156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1465810408079_502.exe"; depth:22; endswith; nocase; http.host; content:"static.topxgun.com"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_19; reference:url, urlhaus.abuse.ch/url/140156/; classtype:trojan-activity;sid:81003256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (125058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/radiance.png"; depth:13; endswith; nocase; http.host; content:"5.45.74.250"; depth:11; isdataat:!1,relative; metadata:created_at 2019_02_15; reference:url, urlhaus.abuse.ch/url/125058/; classtype:trojan-activity;sid:80988158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (125059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/table.png"; depth:10; endswith; nocase; http.host; content:"5.45.74.250"; depth:11; isdataat:!1,relative; metadata:created_at 2019_02_15; reference:url, urlhaus.abuse.ch/url/125059/; classtype:trojan-activity;sid:80988159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (125060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/worming.png"; depth:12; endswith; nocase; http.host; content:"5.45.74.250"; depth:11; isdataat:!1,relative; metadata:created_at 2019_02_15; reference:url, urlhaus.abuse.ch/url/125060/; classtype:trojan-activity;sid:80988160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (125061)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/toler.png"; depth:10; endswith; nocase; http.host; content:"5.45.74.250"; depth:11; isdataat:!1,relative; metadata:created_at 2019_02_15; reference:url, urlhaus.abuse.ch/url/125061/; classtype:trojan-activity;sid:80988161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (122975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/box.bin"; depth:13; endswith; nocase; http.host; content:"dusttv.com"; depth:10; isdataat:!1,relative; metadata:created_at 2019_02_13; reference:url, urlhaus.abuse.ch/url/122975/; classtype:trojan-activity;sid:80986075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (121258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28758658/2018/04/28/c4284a2a6c1b60247944a03cbaf930c5.exe"; depth:57; endswith; nocase; http.host; content:"cdn.file6.goodid.com"; depth:20; isdataat:!1,relative; metadata:created_at 2019_02_11; reference:url, urlhaus.abuse.ch/url/121258/; classtype:trojan-activity;sid:80984358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (121029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/active/pcclear_eng_mini.exe"; depth:28; endswith; nocase; http.host; content:"down.pcclear.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_02_10; reference:url, urlhaus.abuse.ch/url/121029/; classtype:trojan-activity;sid:80984129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (116990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ltbx_h3dtc-obppcj/maj/messages/2019-02/"; depth:40; endswith; nocase; http.host; content:"airlife.bget.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2019_02_04; reference:url, urlhaus.abuse.ch/url/116990/; 
classtype:trojan-activity;sid:80980090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (115233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/sanghyun-guest.exe"; depth:25; endswith; nocase; http.host; content:"sanghyun.nfile.net"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_01; reference:url, urlhaus.abuse.ch/url/115233/; classtype:trojan-activity;sid:80978333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (115231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/sanghyun.exe"; depth:19; endswith; nocase; http.host; content:"sanghyun.nfile.net"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_01; reference:url, urlhaus.abuse.ch/url/115231/; classtype:trojan-activity;sid:80978331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (114988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6iywkl5i_mg/"; depth:13; endswith; nocase; http.host; content:"pobedastaff.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_31; reference:url, urlhaus.abuse.ch/url/114988/; classtype:trojan-activity;sid:80978088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/update.exe"; depth:17; endswith; nocase; http.host; content:"sg123.net"; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112779/; classtype:trojan-activity;sid:80975879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/install.exe"; depth:18; endswith; nocase; 
http.host; content:"sg123.net"; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112648/; classtype:trojan-activity;sid:80975748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/install.exe"; depth:18; endswith; nocase; http.host; content:"igra123.com"; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112647/; classtype:trojan-activity;sid:80975747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/update.exe"; depth:17; endswith; nocase; http.host; content:"igra123.com"; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112642/; classtype:trojan-activity;sid:80975742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (111691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/haeum.exe"; depth:16; endswith; nocase; http.host; content:"haeum.nfile.net"; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_28; reference:url, urlhaus.abuse.ch/url/111691/; classtype:trojan-activity;sid:80974791; rev:1;)
# NOTE(review): the http.uri content of the next rule is written as percent-escapes (%d3%b2...).
# http.uri is Suricata's normalized URI buffer; if percent-escapes in the path are decoded on this
# sensor, the buffer would hold the raw bytes and this literal would not be found. Matching the
# escaped form would need http.uri.raw, and matching the decoded form would need the bytes written
# in |..| hex notation. Verify against a test capture which form the deployed configuration
# produces before counting on this rule for coverage - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (110142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d3%b2%bc%fe%d0%c5%cf%a2%b2%e9%bf%b4%c6%f7.exe"; depth:47; endswith; nocase; http.host; content:"down.54nb.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_25; reference:url, urlhaus.abuse.ch/url/110142/; classtype:trojan-activity;sid:80973242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (110132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gcld/updates_tw/gcmgr_tw.exe"; depth:29; endswith; nocase; http.host; content:"static.ilclock.com"; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_25; reference:url, urlhaus.abuse.ch/url/110132/; classtype:trojan-activity;sid:80973232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (109220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de_de/tejqsyf3366492/ger/rechnungszahlung/"; depth:43; endswith; nocase; http.host; content:"blogs.sokun.jp"; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_24; reference:url, urlhaus.abuse.ch/url/109220/; classtype:trojan-activity;sid:80972320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (108283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigfile/v1/urls/d/4qnwtdd-4xsuuy1xlrmzcibqjfu/ihdzyo55cus7ds4lmmkxpa"; depth:69; endswith; nocase; http.host; content:"attach.mail.daum.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_23; reference:url, urlhaus.abuse.ch/url/108283/; classtype:trojan-activity;sid:80971383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin128.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106006/; classtype:trojan-activity;sid:80969106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin133.exe"; depth:19; endswith; nocase; http.host; 
content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106003/; classtype:trojan-activity;sid:80969103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd156.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106002/; classtype:trojan-activity;sid:80969102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin130.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106000/; classtype:trojan-activity;sid:80969100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin142.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105999/; classtype:trojan-activity;sid:80969099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd124.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105998/; classtype:trojan-activity;sid:80969098; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin141.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105997/; classtype:trojan-activity;sid:80969097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd127.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105996/; classtype:trojan-activity;sid:80969096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd145.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105992/; classtype:trojan-activity;sid:80969092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin140.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105991/; classtype:trojan-activity;sid:80969091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd144.exe"; depth:13; endswith; nocase; http.host; 
content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105988/; classtype:trojan-activity;sid:80969088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd136.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105985/; classtype:trojan-activity;sid:80969085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin139.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105976/; classtype:trojan-activity;sid:80969076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd137.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105975/; classtype:trojan-activity;sid:80969075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n/tui/ciqinmishi/6/cqms.exe"; depth:28; endswith; nocase; http.host; content:"bundle.kpzip.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105558/; classtype:trojan-activity;sid:80968658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (105407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkhe3fktc/"; depth:11; endswith; nocase; http.host; content:"atkcgnew.evgeni7e.beget.tech"; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105407/; classtype:trojan-activity;sid:80968507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (104016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drop/css/obr.hta"; depth:17; endswith; nocase; http.host; content:"www.myvcart.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104016/; classtype:trojan-activity;sid:80967116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (103702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/pridmag/ttt/161485502.doc"; depth:44; endswith; nocase; http.host; content:"sdvgpro.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103702/; classtype:trojan-activity;sid:80966802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (103393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vp1bgrvz9v/"; depth:12; endswith; nocase; http.host; content:"www.mixturro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103393/; classtype:trojan-activity;sid:80966493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autoguarder/autoguarder_2.3.7.350.exe"; depth:38; endswith; nocase; http.host; content:"softdl4.360.cn"; depth:14; 
isdataat:!1,relative; metadata:created_at 2019_01_12; reference:url, urlhaus.abuse.ch/url/102706/; classtype:trojan-activity;sid:80965806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doumai/tips/v1.0.1.11/tips_01.exe"; depth:34; endswith; nocase; http.host; content:"download.doumaibiji.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_11; reference:url, urlhaus.abuse.ch/url/102548/; classtype:trojan-activity;sid:80965648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doumai/fmt/v1.0.1.11/fmt_01.exe"; depth:32; endswith; nocase; http.host; content:"download.doumaibiji.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_11; reference:url, urlhaus.abuse.ch/url/102545/; classtype:trojan-activity;sid:80965645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (98628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6nqq.js"; depth:8; endswith; nocase; http.host; content:"www.hostingcloud.science"; depth:24; isdataat:!1,relative; metadata:created_at 2018_12_21; reference:url, urlhaus.abuse.ch/url/98628/; classtype:trojan-activity;sid:80961728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (96625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuia-qgkdtq2rfbxd7z_ljiaengvq-4cy/"; depth:35; endswith; nocase; http.host; content:"www.ardguisser.com"; depth:18; isdataat:!1,relative; metadata:created_at 2018_12_17; reference:url, urlhaus.abuse.ch/url/96625/; classtype:trojan-activity;sid:80959725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (95728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/shiqi/2003/06/20030620.exe"; depth:52; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95728/; classtype:trojan-activity;sid:80958828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/mir2/2003/05/200305252.exe"; depth:52; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95727/; classtype:trojan-activity;sid:80958827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/mu/2003/07/20030721.exe"; depth:49; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95726/; classtype:trojan-activity;sid:80958826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/guochang/setup_tvplayer.zip"; depth:44; endswith; nocase; http.host; content:"www.okhan.net"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95634/; classtype:trojan-activity;sid:80958734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/youxi/okhan.net-2wn.rar"; depth:40; endswith; nocase; http.host; 
content:"www.okhan.net"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95633/; classtype:trojan-activity;sid:80958733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/mir2/2003/05/20030520.exe"; depth:51; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95550/; classtype:trojan-activity;sid:80958650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/anquan/pjbingdianhuanyuan.rar"; depth:46; endswith; nocase; http.host; content:"www.okhan.net"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95509/; classtype:trojan-activity;sid:80958609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us/information/122018/"; depth:23; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_14; reference:url, urlhaus.abuse.ch/url/95209/; classtype:trojan-activity;sid:80958309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us/information/122018"; depth:22; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_14; reference:url, urlhaus.abuse.ch/url/95078/; classtype:trojan-activity;sid:80958178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (94279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/20140812/14078161556897.rar"; depth:35; endswith; nocase; http.host; content:"static.3001.net"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_13; reference:url, urlhaus.abuse.ch/url/94279/; classtype:trojan-activity;sid:80957379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (94199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/youxi/okhan.net-2wn.rar"; depth:40; endswith; nocase; http.host; content:"okhan.net"; depth:9; isdataat:!1,relative; metadata:created_at 2018_12_13; reference:url, urlhaus.abuse.ch/url/94199/; classtype:trojan-activity;sid:80957299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/3"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_10; reference:url, urlhaus.abuse.ch/url/92354/; classtype:trojan-activity;sid:80955454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/2"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_10; reference:url, urlhaus.abuse.ch/url/92351/; classtype:trojan-activity;sid:80955451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/1"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 
2018_12_10; reference:url, urlhaus.abuse.ch/url/92344/; classtype:trojan-activity;sid:80955444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (86730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/076360tad/oamo/business/"; depth:25; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_11_29; reference:url, urlhaus.abuse.ch/url/86730/; classtype:trojan-activity;sid:80949830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (86203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/076360tad/oamo/business"; depth:24; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_11_28; reference:url, urlhaus.abuse.ch/url/86203/; classtype:trojan-activity;sid:80949303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/rc1veeex.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_28; reference:url, urlhaus.abuse.ch/url/85967/; classtype:trojan-activity;sid:80949067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekiwanatain/installer.rar"; depth:27; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_28; reference:url, urlhaus.abuse.ch/url/85901/; classtype:trojan-activity;sid:80949001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85881)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/task/2009-06/29/106045/5fg9yjwr.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85881/; classtype:trojan-activity;sid:80948981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/a9to40e7.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85879/; classtype:trojan-activity;sid:80948979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/e6i8pdc0.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85878/; classtype:trojan-activity;sid:80948978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-07/28/117228/4wtjdjio.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85877/; classtype:trojan-activity;sid:80948977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/zwy1q6k0.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, 
urlhaus.abuse.ch/url/85876/; classtype:trojan-activity;sid:80948976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/06/98428/07c9mfhe.zip"; depth:35; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85874/; classtype:trojan-activity;sid:80948974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (84160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/709rru/ach/business"; depth:20; endswith; nocase; http.host; content:"www.uralmetalloprokat.ru"; depth:24; isdataat:!1,relative; metadata:created_at 2018_11_23; reference:url, urlhaus.abuse.ch/url/84160/; classtype:trojan-activity;sid:80947260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (84040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0415jbrob/sep/smallbusiness"; depth:28; endswith; nocase; http.host; content:"www.udobrit.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2018_11_23; reference:url, urlhaus.abuse.ch/url/84040/; classtype:trojan-activity;sid:80947140; rev:1;)
# NOTE(review): the http.uri content of the next rule carries percent-escaped non-ASCII bytes
# (%e8%99%9a...). http.uri is Suricata's normalized URI buffer; if the sensor decodes
# percent-escapes in the path, the buffer would contain the raw bytes rather than this escaped
# text, and the content match would not be found. The escaped spelling belongs with http.uri.raw;
# the decoded spelling would be written with |..| hex bytes. Replay a known-matching request
# through the deployed configuration to see which form applies - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (82382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/%e8%99%9a%e6%8b%9f%e5%85%89%e9%a9%b1_11@10349.exe"; depth:59; endswith; nocase; http.host; content:"cl.ssouy.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_19; reference:url, urlhaus.abuse.ch/url/82382/; classtype:trojan-activity;sid:80945482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (79623)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/urzfhrbbg"; depth:10; endswith; nocase; http.host; content:"vagler.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_11_13; reference:url, urlhaus.abuse.ch/url/79623/; classtype:trojan-activity;sid:80942723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (79342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigfile/v1/urls/d/1gpusd8uwnakepjjehixnayfekq/kbdjubux_j-nvjot1z-mdw"; depth:69; endswith; nocase; http.host; content:"attach.mail.daum.net"; depth:20; isdataat:!1,relative; metadata:created_at 2018_11_13; reference:url, urlhaus.abuse.ch/url/79342/; classtype:trojan-activity;sid:80942442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (73301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/table.png"; depth:10; endswith; nocase; http.host; content:"51.68.170.59"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_02; reference:url, urlhaus.abuse.ch/url/73301/; classtype:trojan-activity;sid:80936401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (73302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/worming.png"; depth:12; endswith; nocase; http.host; content:"51.68.170.59"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_02; reference:url, urlhaus.abuse.ch/url/73302/; classtype:trojan-activity;sid:80936402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (73287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/radiance.png"; depth:13; endswith; nocase; http.host; content:"51.68.170.59"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_02; reference:url, urlhaus.abuse.ch/url/73287/; classtype:trojan-activity;sid:80936387; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (71185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nykol16/kepek.exe"; depth:18; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_26; reference:url, urlhaus.abuse.ch/url/71185/; classtype:trojan-activity;sid:80934285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (67439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoolatogato/xruhbmzvlaghfnqcerrv.exe"; depth:37; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_12; reference:url, urlhaus.abuse.ch/url/67439/; classtype:trojan-activity;sid:80930539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autoup/client/aqclient.exe"; depth:27; endswith; nocase; http.host; content:"pay.aqiu6.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_10_11; reference:url, urlhaus.abuse.ch/url/66694/; classtype:trojan-activity;sid:80929794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toneraruhaz/wp-admin/network/installer.rar"; depth:43; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_09; reference:url, urlhaus.abuse.ch/url/66274/; classtype:trojan-activity;sid:80929374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvlmodell/letoltes/files/scalecalc.exe"; depth:39; endswith; 
nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_09; reference:url, urlhaus.abuse.ch/url/66164/; classtype:trojan-activity;sid:80929264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (64681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/85nojvodyz/biz/business"; depth:24; endswith; nocase; http.host; content:"kamin-premium.ru"; depth:16; isdataat:!1,relative; metadata:created_at 2018_10_04; reference:url, urlhaus.abuse.ch/url/64681/; classtype:trojan-activity;sid:80927781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (59247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vqd0d5/"; depth:8; endswith; nocase; http.host; content:"robertrowe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2018_09_23; reference:url, urlhaus.abuse.ch/url/59247/; classtype:trojan-activity;sid:80922347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (57935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/factures-09-2018/"; depth:18; endswith; nocase; http.host; content:"hasalltalent.com"; depth:16; isdataat:!1,relative; metadata:created_at 2018_09_19; reference:url, urlhaus.abuse.ch/url/57935/; classtype:trojan-activity;sid:80921035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (57059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/en/need-to-send-the-attachment"; depth:40; endswith; nocase; http.host; content:"vgd.vg"; depth:6; isdataat:!1,relative; metadata:created_at 2018_09_17; reference:url, urlhaus.abuse.ch/url/57059/; classtype:trojan-activity;sid:80920159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (56449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7mn5zo8d/"; depth:10; endswith; nocase; http.host; content:"vgd.vg"; depth:6; isdataat:!1,relative; metadata:created_at 2018_09_14; reference:url, urlhaus.abuse.ch/url/56449/; classtype:trojan-activity;sid:80919549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (44461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5805773c/payment/personal"; depth:26; endswith; nocase; http.host; content:"ct3-24.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_08_20; reference:url, urlhaus.abuse.ch/url/44461/; classtype:trojan-activity;sid:80907561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (44113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/663752sludgz/oamo/us/"; depth:22; endswith; nocase; http.host; content:"ct3-24.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_08_17; reference:url, urlhaus.abuse.ch/url/44113/; classtype:trojan-activity;sid:80907213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/gxfqfem5m813nva/firefox_67.3.39.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, urlhaus.abuse.ch/url/38013/; classtype:trojan-activity;sid:80901113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/dqrsgzlf8jeefw0/firefox_67.3.45.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, 
urlhaus.abuse.ch/url/38011/; classtype:trojan-activity;sid:80901111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/g4is5u674v6l2yy/firefox_67.3.16.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, urlhaus.abuse.ch/url/38009/; classtype:trojan-activity;sid:80901109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (37232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpkmgecq"; depth:9; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_31; reference:url, urlhaus.abuse.ch/url/37232/; classtype:trojan-activity;sid:80900332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (36522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/en/statement/invoice/"; depth:28; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_28; reference:url, urlhaus.abuse.ch/url/36522/; classtype:trojan-activity;sid:80899622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (36154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc/en_us/invoice-for-sent/invoice/"; depth:36; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_26; reference:url, urlhaus.abuse.ch/url/36154/; classtype:trojan-activity;sid:80899254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (34267)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc/en/account/auditor-of-state-notification-of-eft-deposit/"; depth:61; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_18; reference:url, urlhaus.abuse.ch/url/34267/; classtype:trojan-activity;sid:80897367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (34227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notification-de-facture-07/"; depth:28; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_18; reference:url, urlhaus.abuse.ch/url/34227/; classtype:trojan-activity;sid:80897327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (34178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notification-de-facture-07-2018/"; depth:33; endswith; nocase; http.host; content:"asl-company.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2018_07_18; reference:url, urlhaus.abuse.ch/url/34178/; classtype:trojan-activity;sid:80897278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (34102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc/en/account/auditor-of-state-notification-of-eft-deposit"; depth:60; endswith; nocase; http.host; content:"xn--90abegbttpjb3bzb2j.xn--p1ai"; depth:31; isdataat:!1,relative; metadata:created_at 2018_07_18; reference:url, urlhaus.abuse.ch/url/34102/; classtype:trojan-activity;sid:80897202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (33107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newsletter/us_us/file/invoice-604371/"; depth:38; endswith; 
nocase; http.host; content:"kuzina-teatr.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2018_07_16; reference:url, urlhaus.abuse.ch/url/33107/; classtype:trojan-activity;sid:80896207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (28277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mc_setup.exe"; depth:13; endswith; nocase; http.host; content:"crimefreesoftware.com"; depth:21; isdataat:!1,relative; metadata:created_at 2018_07_04; reference:url, urlhaus.abuse.ch/url/28277/; classtype:trojan-activity;sid:80891377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (16630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc/past-due-invoice/"; depth:22; endswith; nocase; http.host; content:"robertrowe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2018_06_07; reference:url, urlhaus.abuse.ch/url/16630/; classtype:trojan-activity;sid:80879730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (15711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/status/auditor-of-state-notification-of-eft-deposit/"; depth:53; endswith; nocase; http.host; content:"robertrowe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2018_06_05; reference:url, urlhaus.abuse.ch/url/15711/; classtype:trojan-activity;sid:80878811; rev:1;) # Number of entries: 36929